AWS EC2 setup: IAM roles - lmmx/devnotes GitHub Wiki
Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting them from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
We designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows:
- Create an IAM role.
- Define which accounts or AWS services can assume the role.
- Define which API actions and resources the application can use after assuming the role.
- Specify the role when you launch your instances.
- Have the application retrieve a set of temporary credentials and use them.
— Docs: IAM Roles for Amazon EC2
AWS IAM roles manage an EC2 instance's access to other AWS resources. Some resources are listed below, followed by notes on setting up for the first time (to be updated as I find out more about proper usage).
Docs:
- IAM Roles (IAM user guide)
- IAM Roles for Amazon EC2 (EC2 user guide)
- Examples of Policies for Delegating Access
- Creating IAM roles
Other Sources:
- Monsanto Engineering - Demystifying IAM Roles
At first, after learning that IAM roles are a security practice, it can seem overwhelming to have to plan out a role per bucket when you don't yet have a clear idea of your AWS setup's data structure.
For my use, which I think is typical of a new starter, there is probably no need to manage access between accounts, but both a private and a public store are needed. Note that EC2 is not to be used for storage.
You may have:
- a public S3 bucket
- a private S3 bucket
- an EC2 compute instance
- For best security, an IAM user would be created for each task to be done, and only assigned permissions for that task (in the event of compromise, the intrusion, error or malicious user would be safely contained)
- EC2 creates "instance profiles" as containers for IAM roles, with the same name as the role.
- Policy: "Multiple service principals" means multiple services per role.
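As an added example (not from this wiki or the AWS docs), the two policy documents the steps above need, built in Python: a trust policy listing the service principals allowed to assume the role (several services per role, as noted), and a least-privilege permissions policy scoped to a single bucket (one role per task). `instance_credentials` shows the last step, the application reading the role's temporary credentials from the instance metadata service (IMDSv2). The bucket and role names are placeholders.

```python
"""Added example: policy documents for an EC2 instance role, plus the
IMDSv2 call an application makes to pick up the role's temporary credentials.

Wiring it up with the AWS CLI (placeholder names my-app-role / my-private-bucket):
  aws iam create-role --role-name my-app-role --assume-role-policy-document file://trust.json
  aws iam put-role-policy --role-name my-app-role --policy-name bucket-ro --policy-document file://perms.json
  aws iam create-instance-profile --instance-profile-name my-app-role
  aws iam add-role-to-instance-profile --instance-profile-name my-app-role --role-name my-app-role
  aws ec2 run-instances ... --iam-instance-profile Name=my-app-role
"""
import json
import urllib.request

IMDS = "http://169.254.169.254"  # link-local instance metadata endpoint


def trust_policy(service_principals=("ec2.amazonaws.com",)):
    """Who may assume the role: one Principal entry, several services allowed."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": list(service_principals)},
                           "Action": "sts:AssumeRole"}]}


def bucket_policy(bucket, write=False):
    """Least privilege for one bucket: list the bucket, read (optionally write) objects."""
    object_actions = ["s3:GetObject"] + (["s3:PutObject"] if write else [])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                           "Resource": f"arn:aws:s3:::{bucket}"},
                          {"Effect": "Allow", "Action": object_actions,
                           "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def instance_credentials(role_name, timeout=2):
    """On the instance: get a session token, then the role's temporary credentials.
    Only works when run on an EC2 instance launched with the role's instance profile."""
    tok_req = urllib.request.Request(f"{IMDS}/latest/api/token", method="PUT",
                                     headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(tok_req, timeout=timeout).read().decode()
    cred_req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/iam/security-credentials/{role_name}",
        headers={"X-aws-ec2-metadata-token": token})
    # Returns AccessKeyId, SecretAccessKey, Token and Expiration; rotate before Expiration
    return json.loads(urllib.request.urlopen(cred_req, timeout=timeout).read())


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))                      # -> trust.json
    print(json.dumps(bucket_policy("my-private-bucket"), indent=2))  # -> perms.json
```

The credentials IMDS returns are short-lived and are refreshed by AWS for the instance, which is the point of the role: nothing long-lived is ever copied onto the box.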
Open tabs: