Which statement is true regarding the management of IAM roles?


Study for the AWS Certified Developer Associate Exam with flashcards and multiple choice questions. Each question offers hints and explanations. Get ready to enhance your cloud development skills and pass your certification exam!

The statement that IAM roles allow for temporary access to AWS services is true because IAM roles are designed to provide specific permissions for a limited duration. When an entity, such as an AWS service, EC2 instance, or an application, assumes an IAM role, it is granted a set of permissions associated with that role. This process typically involves issuing temporary security credentials that have a limited lifespan, allowing for enhanced security and ease of management.

This temporary access model is particularly beneficial in scenarios such as cross-account access or granting permissions to applications without hardcoding credentials into code. After a predefined period, these credentials expire, which reduces the risk of long-term credential exposure and enhances the overall security posture of the AWS environment.

In contrast to the correct statement, IAM defines specific management and creation capabilities, which means that roles can be managed by any user with the necessary permissions, not just the root account, and roles can indeed be reused across multiple services. Additionally, even if there are no outright restrictions on creating IAM roles, best-practice recommendations and limits on certain IAM resources exist to ensure effective governance and security.
