
How to create IAM roles for EC2 access using IAM Groups

In this comprehensive guide, we discuss how to create IAM roles for EC2 access using IAM Groups.

Introduction

AWS credentials must be used to sign API requests, so if you are an application developer you need a strategy for managing the credentials your EC2 instances use. You can distribute AWS credentials to instances in a way that lets the instances sign requests while protecting those credentials from other users, but this is hard, especially for instances that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to rotate your AWS credentials and update them on every instance. AWS created IAM roles so that your applications can securely make API requests from your instances without you having to manage the security credentials the applications use. Delegating permission to make API requests through an IAM role is preferable to creating and distributing AWS credentials.

  • Create an IAM role.
  • Define which accounts or AWS services can assume the role.
  • Define which API actions and resources the application can use after assuming the role.
  • Specify the role when you launch your instance, or attach the role to an existing instance.
  • Have the application retrieve a set of temporary credentials and use them.

Define the access rights and restrictions of an IAM role with a JSON-formatted policy, comparable to the policies you write for IAM users. When you change a role, the change is propagated to all instances that use it. When creating IAM roles, attach least-privilege IAM policies that restrict access to the API calls the application actually requires. One role can be attached to many instances, so there is no need to keep several copies of the same IAM role for different instances. Where you need instance-level control, apply resource-level permissions in your IAM policies.

Instance profiles

Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role in the IAM console, the console automatically creates an instance profile and gives it the same name as the role. In the Amazon EC2 console, you launch an instance with an IAM role, or attach an IAM role to an instance, by choosing from a list of instance profiles.
If you use the AWS CLI, API, or an AWS SDK, you can create a role and an instance profile as separate actions, with different names. If you do, you launch or attach the role to an instance with the AWS CLI, API, or AWS SDK by specifying the instance profile name.
An instance profile can contain only one IAM role at a time; this limit cannot be increased.

Retrieving security credentials from instance metadata

An application on the instance retrieves the role's security credentials from the instance metadata item iam/security-credentials/role-name. These credentials grant the application access to the actions and resources you have specified for the role. They are temporary and are rotated automatically; AWS makes fresh credentials available at least five minutes before the old ones expire.

The AWS SDKs, AWS CLI, and Tools for Windows PowerShell automatically obtain the temporary security credentials from the EC2 instance metadata service and use them for applications, AWS CLI, and PowerShell commands that run on the instance. To make a call from outside the instance using the temporary security credentials (for example, to test IAM policies), you must provide the access key, secret key, and session token.


Granting an IAM user permission to pass an IAM role to an instance

An IAM user needs permissions for the following API actions before the user can launch a new instance with an IAM role or replace the IAM role on an existing instance:

iam:PassRole
ec2:RunInstances
ec2:AssociateIamInstanceProfile
ec2:ReplaceIamInstanceProfileAssociation

The following example policy grants those permissions. The Resource element of the iam:PassRole statement limits the user to passing roles whose names begin with DevTeam in account 123456789012, so the user cannot hand a more privileged role to an instance:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::123456789012:role/DevTeam*"
}
]
}

Users of the Amazon EC2 console need the iam:ListInstanceProfiles and iam:PassRole permissions in order to launch instances with an IAM role or to attach or replace an IAM role on an existing instance.
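A static check of the PassRole scoping shown in the policy above, as an added example that is not code from the article: it matches a role ARN against a policy's Resource patterns the way IAM matches wildcards, and flags PassRole statements that use a bare "*", which would let the user pass any role, including an administrative one, to an instance. SCOPED_POLICY is the page's policy; WEAK_POLICY is a constructed counter-example; Deny statements and Condition blocks are deliberately not evaluated.

```python
import fnmatch

# SCOPED_POLICY is the page's policy; WEAK_POLICY is a constructed variant
# whose PassRole statement lets the user pass any role in the account.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:AssociateIamInstanceProfile",
                    "ec2:ReplaceIamInstanceProfileAssociation"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/DevTeam*"},
    ],
}
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}

def _as_list(value):
    # Action and Resource may be a single string or a list.
    return value if isinstance(value, list) else [value]

def _grants_passrole(stmt):
    # Action names match case-insensitively; "*" in a pattern matches any run
    # of characters, so "iam:*" or "*" also covers PassRole.
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase("iam:passrole", a.lower())
        for a in _as_list(stmt.get("Action", []))
    )

def passrole_allows(policy, role_arn):
    """True if an Allow statement lets the caller pass role_arn.
    Static screen only: Deny statements and Condition blocks are not evaluated."""
    return any(
        _grants_passrole(s) and any(fnmatch.fnmatchcase(role_arn, r)
                                    for r in _as_list(s.get("Resource", [])))
        for s in policy["Statement"]
    )

def unscoped_passrole(policy):
    """Return the PassRole statements whose Resource is a bare "*"."""
    return [s for s in policy["Statement"]
            if _grants_passrole(s) and "*" in _as_list(s.get("Resource", []))]
```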

Working with IAM roles

You can create an IAM role and attach it to an instance after the instance has been launched, and you can replace or detach the IAM role of an instance. Start by creating the role in IAM.

To use an IAM role with an instance, you must first create the IAM role and then attach it to the instance.

To create an IAM role (console)

Open the IAM console at https://console.aws.amazon.com/iam/.

In the navigation pane, choose Roles, then Create role.

On the Select role type page, choose EC2, then the EC2 use case.

Choose Next: Permissions.

On the Attach permissions page, select an AWS managed policy that grants your instances access to the resources they need.

On the Review page, give the role a name and choose Create role.

To create an IAM role, you can also utilize the AWS CLI. An IAM role with a policy that permits the role to access an Amazon S3 bucket is created in the following example.

Create the trust policy and save it in a text file as ec2-role-trust-policy.json:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "ec2.amazonaws.com" },
"Action": "sts:AssumeRole"
}
]
}

Create the role named s3access and specify the trust policy you created, using the create-role command:

aws iam create-role \
--role-name s3access \
--assume-role-policy-document file://ec2-role-trust-policy.json

Create the access policy and save it as ec2-role-access-policy.json. This example policy grants applications on the instance administrative access to Amazon S3:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["*"]
}
]
}

Use the put-role-policy command to attach the access policy to the role:

aws iam put-role-policy \
--role-name s3access \
--policy-name S3-Permissions \
--policy-document file://ec2-role-access-policy.json

Use the create-instance-profile command to create an instance profile named s3access-profile:

aws iam create-instance-profile --instance-profile-name s3access-profile

Use IAM roles to start an instance

Once you have created an IAM role, you can launch an instance with it.

Using an IAM role to start an instance (console)

  • Open the Amazon EC2 console at https://console.aws.amazon.com/ec2.
  • From the dashboard, choose Launch Instance.
  • Select an AMI and an instance type, then choose Configure Instance Details.
  • On the Configure Instance Details page, select the IAM role you created.
  • Follow the on-screen prompts to complete the procedure, or choose Review and Launch to accept the default settings and go directly to the Review Instance Launch page.
  • Review your settings, select a key pair, and choose Launch to start the instance.
  • In your application, use the AWS security credentials made available on the instance to sign requests to the Amazon EC2 API. The AWS SDKs do this for you.

Using an IAM role to start an instance (AWS CLI)

Use the run-instances command to launch an instance with the instance profile. The following example launches an instance with the s3access-profile instance profile:

aws ec2 run-instances \
    --image-id ami-11aa22bb \
    --iam-instance-profile Name="s3access-profile" \
    --key-name my-key-pair \
    --security-groups my-security-group \
    --subnet-id subnet-1a2b3c4d

Alternatively, use the New-EC2Instance command in the Tools for Windows PowerShell.

In your application, use the AWS security credentials made available on the instance to sign requests to the Amazon EC2 API. The AWS SDKs do this for you; to look at the credentials yourself, query the instance metadata item for your role:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
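The retrieval shown above, together with the credentials paragraph in the instance metadata section, as an added example that is not code from the article: it reads the metadata item over IMDSv2 (a session token obtained with a PUT, then presented on the GET) instead of the unauthenticated GET the curl line uses, parses the JSON document the item returns, maps it to the three variables needed to call AWS from outside the instance, and applies the five-minute refresh rule. fetch_role_credentials only works on an EC2 instance; SAMPLE_DOC is a constructed document with fake values.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"

# Constructed sample of the document the metadata service returns for
# iam/security-credentials/<role-name>; every value is fake.
SAMPLE_DOC = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEY000001",
    "SecretAccessKey": "example-secret-key-not-real",
    "Token": "example-session-token-not-real",
    "Expiration": "2024-01-01T16:00:00Z",
})

def fetch_role_credentials(role_name):
    """Read the credentials document over IMDSv2; only works on an EC2 instance."""
    # IMDSv2: obtain a short-lived session token with PUT, then present it on GET.
    req = urllib.request.Request(IMDS + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(
        IMDS + "/latest/meta-data/iam/security-credentials/" + role_name,
        headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=2).read().decode()

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_credentials(doc):
    """Validate the document and map it to the variables the AWS CLI reads."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % data.get("Code"))
    return {
        "AWS_ACCESS_KEY_ID": data["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": data["SecretAccessKey"],
        "AWS_SESSION_TOKEN": data["Token"],  # temporary credentials need the token too
        "expiration": _parse_ts(data["Expiration"]),
    }

def needs_refresh(creds, now_iso, margin_minutes=5):
    """True once fewer than margin_minutes remain: AWS publishes fresh credentials
    at least five minutes before expiry, so re-read the metadata item now."""
    return creds["expiration"] - _parse_ts(now_iso) <= timedelta(minutes=margin_minutes)
```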

Attaching an IAM role to an instance

You can attach an IAM role to a stopped or running instance that does not currently have one.

To attach an IAM role to an instance (console)

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Instances.
Select the instance, then choose Security > Modify IAM role.
Select the IAM role to attach to your instance and choose Save.

To attach an IAM role to an instance (AWS CLI)

If necessary, use describe-instances to find the ID of the instance to which the role should be attached.

aws ec2 describe-instances

Use the associate-iam-instance-profile command to attach the IAM role, identifying the instance profile by its Amazon Resource Name (ARN) or its name.

aws ec2 associate-iam-instance-profile \
--instance-id i-1234567890abcdef0 \
--iam-instance-profile Name="TestRole-1"

Replacing an IAM role

To replace the IAM role on an instance, the instance must be running. You can replace the role without first detaching the existing one, for example when you want to ensure that API actions performed by applications running on the instance are not interrupted.

To replace an IAM role for an instance (console)

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

In the navigation pane, choose Instances.

Select the instance, then choose Security > Modify IAM role.

Select the IAM role to apply to your instance and choose Save.

To replace an IAM role for an instance (AWS CLI)

If necessary, describe your IAM instance profile associations to get the association ID of the instance profile to replace.

aws ec2 describe-iam-instance-profile-associations

Use the replace-iam-instance-profile-association command to replace the existing IAM instance profile with a new one, providing the association ID of the existing profile and the ARN or name of the new profile.

aws ec2 replace-iam-instance-profile-association \
--association-id iip-assoc-0044d817db6c0a4ba \
--iam-instance-profile Name="TestRole-2"

Detaching an IAM role

You can detach an IAM role from a running or stopped instance.

To detach an IAM role from an instance (console)

  • Open the Amazon EC2 console at https://console.aws.amazon.com/ec2.
  • In the navigation pane, choose Instances.
  • Select the instance whose IAM role you want to change, then choose Security > Modify IAM role.
  • For IAM role, choose No IAM Role, then choose Save.
  • In the confirmation dialog box, enter Detach and then choose Detach.

To detach an IAM role from an instance (AWS CLI)

If necessary, use describe-iam-instance-profile-associations to get the association ID of the IAM instance profile to detach.

aws ec2 describe-iam-instance-profile-associations

Use the disassociate-iam-instance-profile command with the association ID to detach the IAM instance profile from the instance.

aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-0044d817db6c0a4ba

Generating a policy for your IAM role based on its access activity

When you first create an IAM role for your applications, you may grant permissions that go beyond what is necessary. Before launching your application in your production environment, you can generate an IAM policy based on the role's access activity. IAM Access Analyzer reviews your CloudTrail logs and produces a policy template containing the permissions the role used during the selected time period. Using the template, you can create a managed policy with fine-grained permissions and attach it to the IAM role. This way you grant the role only the permissions it needs to interact with AWS resources in your use case, following the best practice of granting least privilege.
