Which entity typically assumes IAM roles in AWS?

Prepare for the AWS Certified Solutions Architect – Associate Exam. Practice with flashcards, multiple choice questions, and detailed explanations. Master the concepts and boost your confidence for exam success!

IAM roles in AWS are designed to be assumed by trusted entities, which can include users, services, or applications that have been granted the necessary permissions to use the role. This allows for a more flexible and secure way to provide temporary credentials to entities that need to perform actions on AWS resources.

When an entity assumes a role, it receives a set of temporary security credentials that provide access to the resources associated with that role. This process is particularly beneficial for applications running on AWS services, as it eliminates the need to hard-code credentials within the application's code. Instead, the application can obtain the necessary permissions through the role, reducing security risks.

Service-managed identities typically refer to specific services that manage their own identities, allowing them to interact with other AWS services without assuming IAM roles directly. Virtual Private Clouds (VPCs) are networking constructs and do not directly assume roles. API Gateway endpoints function as interfaces to invoke backend services and also do not assume roles themselves.

Thus, the correct answer highlights the role of trusted entities, underscoring IAM's design to grant permissions to various AWS resources according to the principle of least privilege while maintaining security and flexibility in access management.
