AWS Identity and Access Management (IAM) roles for Amazon Elastic Compute Cloud (EC2) provide the ability to grant instances temporary credentials. These temporary credentials can then be used by hosted applications to exercise the permissions configured in the role. IAM roles eliminate the need to manage long-lived credentials on the instance, help mitigate long-term security risks, and simplify permissions management.

Prerequisites for this lab include understanding how to log in to and use the AWS Management Console, EC2 basics (including how to launch an instance), IAM basics (including users, policies, and roles), and how to use the AWS CLI.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create a Trust Policy and Role Using the AWS CLI
  - From the AWS Management Console, open the provisioned S3 bucket with s3bucketlookupfiles in its name and obtain the `labreferences.txt` file. This file serves as a reference containing the S3 bucket names used throughout the lab.
  - Open a new terminal session.
  - Log in to the EC2 Bastion Host instance using the provided lab credentials and set the AWS CLI region and output type.
  - Create an IAM trust policy for an EC2 role.
  - Create an IAM role named `DEV_ROLE`.
  - Create an IAM policy named `DevS3ReadAccess` that grants read-only access to the provisioned S3 bucket with s3bucketdev in its name.
- Create Instance Profile and Attach Role to an EC2 Instance
  - Attach the `DevS3ReadAccess` policy to the `DEV_ROLE` role.
  - Create the instance profile `DEV_PROFILE` and add the `DEV_ROLE` role to it via the AWS CLI.
  - Attach the `DEV_PROFILE` instance profile to the EC2 Web Server instance.
- Test S3 Permissions via the AWS CLI
  - Log in to the EC2 Web Server instance using the provided lab credentials.
  - Verify that the Web Server instance is assuming the `DEV_ROLE` role.
  - List the buckets in the account.
  - Attempt to view the files in the `s3bucketdev` bucket.
- Create an IAM Policy and Role Using the AWS Management Console
  - From the AWS Management Console, navigate to IAM > Policies.
  - Create an IAM policy named `ProdS3ReadAccess` that grants read-only access to the provisioned S3 bucket with s3bucketprod in its name.
  - Create a `PROD_ROLE` role and attach the `ProdS3ReadAccess` policy to it.
- Attach IAM Role to an EC2 Instance Using the AWS Management Console
  - Navigate to EC2 > Instances.
  - Attach the `PROD_ROLE` role to the Web Server instance.
  - Open a terminal session and log in to the EC2 Web Server instance using the provided lab credentials.
  - Verify that the Web Server instance is assuming the `PROD_ROLE` role.
  - List the buckets.
  - Attempt to view the files in the `s3bucketprod` bucket.
  - Attempt to view the files in the `s3bucketsecret` bucket.
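The CLI half of the lab (trust policy, `DEV_ROLE`, `DevS3ReadAccess`, `DEV_PROFILE`) gathered into one script, as an added example that is not part of the lab material. The bucket name and instance ID are assumed placeholders to be replaced with the values from `labreferences.txt`; the policy-generating functions run anywhere, while the `aws` calls only run when the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example, not lab code. Usage: sh dev_role.sh apply <dev-bucket-name> <web-server-instance-id>

# Trust policy: only the EC2 service principal may assume the role; no account
# principals and no wildcards, so the role is usable only through an instance profile.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Read-only policy scoped to one bucket: ListBucket on the bucket ARN itself,
# GetObject on the objects under it. Nothing is granted on "*".
s3_read_only_policy() {   # $1 = bucket name
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::$1"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::$1/*"}
  ]
}
EOF
}

# Creates the role, policy and instance profile, then attaches the profile to the instance.
# Run from the bastion host with the lab credentials. $1 = dev bucket, $2 = web server instance ID.
apply_dev_role() {
  tmp=$(mktemp -d)
  ec2_trust_policy > "$tmp/trust.json"
  s3_read_only_policy "$1" > "$tmp/dev-s3-read.json"
  aws iam create-role --role-name DEV_ROLE --assume-role-policy-document "file://$tmp/trust.json"
  policy_arn=$(aws iam create-policy --policy-name DevS3ReadAccess \
      --policy-document "file://$tmp/dev-s3-read.json" --query Policy.Arn --output text)
  aws iam attach-role-policy --role-name DEV_ROLE --policy-arn "$policy_arn"
  aws iam create-instance-profile --instance-profile-name DEV_PROFILE
  aws iam add-role-to-instance-profile --instance-profile-name DEV_PROFILE --role-name DEV_ROLE
  aws ec2 associate-iam-instance-profile --instance-id "$2" --iam-instance-profile Name=DEV_PROFILE
  # Verify on the web server afterwards: `aws sts get-caller-identity` should show assumed-role/DEV_ROLE.
}

if [ "${1:-}" = "apply" ]; then apply_dev_role "$2" "$3"; fi
```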