Using EC2 Roles and Instance Profiles in AWS

1.5 hours
  • 5 Learning Objectives

About this Hands-on Lab

AWS Identity and Access Management (IAM) roles for Amazon Elastic Compute Cloud (EC2) provide the ability to grant instances temporary credentials. These temporary credentials can then be used by hosted applications to access permissions configured within the role. IAM roles eliminate the need for managing credentials, help mitigate long-term security risks, and simplify permissions management. Prerequisites for this lab include understanding how to log in to and use the AWS Management Console, EC2 basics (including how to launch an instance), IAM basics (including users, policies, and roles), and how to use the AWS CLI.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Trust Policy and Role Using the AWS CLI
  1. Obtain the labreferences.txt file from an S3 bucket provisioned with the lab.
  2. Log in to the bastion host and set the AWS CLI region and output type.
  3. Create an IAM trust policy for an EC2 role.
  4. Create an IAM role called DEV_ROLE.
  5. Create an IAM policy DevS3ReadAccess defining read-only access permissions to an S3 bucket.
Create Instance Profile and Attach Role to an EC2 Instance
  1. Attach DevS3ReadAccess policy to the DEV role.
  2. Create the instance profile DEV_PROFILE and add the DEV_ROLE to it via the AWS CLI.
  3. Attach the DEV_PROFILE role to an instance.
Test S3 Permissions via the AWS CLI
  1. Verify the instance is assuming the DEV_ROLE role.
  2. List the buckets in the account.
  3. Attempt to view the files in the s3bucketdev bucket.
Create an IAM Policy and Role Using the AWS Management Console
  1. Navigate to IAM > Policies.
  2. Create an IAM policy ProdS3ReadAccess
  3. Create a PROD_ROLE role.
Attach IAM Role to an EC2 Instance Using the AWS Management Console
  1. Navigate to EC2 > Instances.
  2. Attach the role to the Web Server instance.
  3. In the terminal, as PROD_ROLE, list the buckets.
  4. Attempt to view the files in the s3bucketprod bucket.
  5. Attempt to view the files in the s3bucketsecret bucket.

Additional Resources


You are responsible for ensuring your applications hosted in Amazon EC2 are able to securely access other AWS services. Credentials need to be rotated regularly to minimize the adverse impact of a security breach. You want to minimize the time it takes to manage these credentials. AWS IAM roles provide the ability to automatically grant instances temporary credentials without the need for manual management. IAM instance profiles provide the mechanism to attach IAM roles to EC2 instances.

Logging In

Please log in to the AWS console using the cloud_user credentials provided. Once inside the AWS account, make sure you are using us-east-1 (N. Virginia) as the selected region.

Note: When connecting to the bastion host and the web server, do so independently of each other. The bastion host is used for interacting with AWS services via the CLI.

Important Notes

IMPORTANT: Your first task is to download and open the labreferences.txt file. Keep this file open throughout the entirety of the lab, as it contains the names of S3 buckets you will need to include in multiple commands and scripts throughout the entire lab.

WINDOWS USERS: The Instant Terminal is recommended for this lab.

Useful References

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?