When an EC2 instance assumes an IAM role to create or modify S3 buckets, how is it different from a user assuming that role? In demo 6.4, a user is able to create an S3 bucket and place files in it while the role is assumed by an EC2 instance.
When a user assumes a role, that user will be granted access. However, when an EC2 instance assumes a role, any application running on that instance, or any user logged in to it, will use that role and be granted access.
The most common use cases for assigning a role to an EC2 instance are for apps or OS services running on the instance to access AWS services without a login session (no users logged in to the instance). This should be used only when needed and not for all apps running on an instance. If you have apps running on an EC2 instance that support service accounts, use them to authenticate against AWS services. That's a more secure method than assigning roles to an instance.
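As an added example (not part of the original question or answer, and not AWS's own code), the Python script below makes the difference concrete from two angles. First, the role's trust policy decides who may call sts:AssumeRole: for an instance profile the principal is the EC2 service, and once the profile is attached every process on the instance can fetch the role's temporary credentials from the instance metadata service; for a user it is that user's ARN, and only an explicit AssumeRole call by that user yields credentials. Second, after the fact, the STS session ARN (from sts:GetCallerIdentity or a CloudTrail record) shows which path was used, because an instance-profile session is named after the instance ID while a user picks the RoleSessionName. The account ID, role name and user name are made up, and the policy matcher is a deliberately simple one that handles only the statement shapes shown.

```python
import re
from typing import Dict, Set

# Hypothetical identifiers used throughout this example (not real resources).
ACCOUNT_ID = "123456789012"
ROLE_NAME = "S3BucketWriterRole"

# Trust policy for a role attached to an EC2 instance profile: the EC2 *service*
# is the principal. Once attached, every process on the instance (and every
# logged-in user) can obtain the role's temporary credentials via IMDS.
EC2_TRUST_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Trust policy for a role a specific IAM user assumes: only that user, and only
# through an explicit sts:AssumeRole call, gets the role's credentials.
USER_TRUST_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def assume_role_principals(policy: Dict) -> Set[str]:
    """Return the principals that Allow statements let call sts:AssumeRole.

    Simplified matcher: it understands "Action" as a string or list, a
    "Principal" of "*" or a {"AWS"|"Service"|...: value(s)} map, and does not
    evaluate Condition blocks or Deny statements.
    """
    allowed: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            allowed.add("*")
            continue
        for kind, values in principal.items():  # kind is "AWS", "Service", ...
            if isinstance(values, str):
                values = [values]
            allowed.update(f"{kind}:{v}" for v in values)
    return allowed


ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")


def classify_caller(arn: str) -> str:
    """Classify an STS caller ARN as seen in GetCallerIdentity or CloudTrail.

    An EC2 instance-profile session is named after the instance ID. A user who
    calls sts:AssumeRole chooses the RoleSessionName, so anything else is
    treated as a user session. This is a heuristic: a caller can pick a
    session name that looks like an instance ID, so for real attribution rely
    on CloudTrail's sessionContext rather than on the name alone.
    """
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        return "iam-user" if ":user/" in arn else "unknown"
    if INSTANCE_ID_RE.match(m.group("session")):
        return "ec2-instance-session"
    return "user-assumed-session"


if __name__ == "__main__":
    print("EC2 role trusted principals :", assume_role_principals(EC2_TRUST_POLICY))
    print("User role trusted principals:", assume_role_principals(USER_TRUST_POLICY))
    # Constructed sample ARNs in the shape STS returns for each path.
    for arn in (
        f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/i-0123456789abcdef0",
        f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/alice-cli",
        f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
    ):
        print(f"{classify_caller(arn):22s} <- {arn}")
```

The practical check this enables: if a CloudTrail s3:CreateBucket event shows an assumed-role session named after an instance ID, the bucket was created by something on that instance using the instance profile, not by a person who assumed the role, and the permissions policy attached to that role should be scoped to the buckets the instance actually needs.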