EC2 - Using Roles for a Service

Using Roles for a Service


So as we mentioned before, Role is important part of IAM since it supports security of service indirectly. Let's imagine the scenario we want EC2 instance to access our S3 bucket (object storage) and receive some files from it. Since we have to do it programmatically, need to use cli for that. But cli is not enough, we need some kind of credentials to authenticate ourselves into the service. We can use access credentials and Roles for that.  

  1. Let's list S3 buckets using the command below, but it will display and error. It couldn't find the credentials that will help it to authenticate. 







  3. Search IAM and navigate to the users page.





  4. Click to the "create access key" button.




  5. Choose "Command line interface" option.






  6. Copy the credentials and paste into the cli.






  7. Use aws-cli utility tool to add credentials.




  8. And then you will be able to list all the available buckets.





  9. The issue with this approach is that it is not recommended and secure way to store access credentials like that. Because if attacker has access to our instance this mean it will able to use this credential for further exploitation.





  10. Let me show you better approach. Let's create a role first.




  11. Since we will use this role for EC2 service. We must choose AWS service option and EC2 service.





  12. Don't forget to add permission to this role too, otherwise you will face with the error message.




  13. Let's attach this role to our EC2 instance.




  14. Select the role we want to attach.




  15. That is it, we now successfully attached our role to this instance.

Comments

Post a Comment

Popular posts from this blog

Identity Access Management - How to create user in IAM ?!

Image
Introduction IAM stands for Identity and Access Management. IAM is essential component of AWS allows you to create and manage access of user, role, application and control authentication/authorization. There are 4 essential components of IAM :  Users - are individuals or applications want to access to your AWS resources. Groups - are collection of users. By this you can assign permissions to group instead individual users. Roles - are special access type in IAM that allows user/resource to access another resource via temporary credentials. For example EC2 instance can access to DynamoDB or S3 bucket resources without using permanent credentials. This is possible only via Role which is great security point of view. Policies - are JSON documents that define permissions. In policies we define what actions are allowed or should be denied. This can be attached to users, groups, roles. Hands on IAM exercises :  Login to your AWS account and search for IAM :  After clicking IAM icon, you wil
Read more

AWS pricing fundamentals

Image
When using Amazon Web Services (AWS), there are three primary factors that determine your costs: Compute : This includes the amount of resources such as CPU and RAM you use, as well as the duration for which you use them. Data Storage : The quantity of data stored or allocated. Outbound Data Transfer : The amount of data transferred out from all services. It's important to be cautious and monitor your usage to avoid unexpected costs. AWS Pricing Models On Demand (Pay as you Go) The On Demand model allows you to: Easily adapt to changing business needs. Adjust based on your requirements. Reduce the risk of paying for unused capacity. Reserved Instance (Save When You Reserve) By investing in reserved capacity, such as with EC2 or RDS, you can: Ensure you have resources available for unexpected scenarios like web traffic spikes. Reserve resources for 1-3 years, which can lead to significant discounts. Save up to 75% compared to the Pay-as-you-Go model. The more you pay upfront, the gr
Read more

IAM - Roles

Image
IAM Roles Roles in AWS has special meaning. With this functionality you can define different variety of roles and assign it users or your application/service can use them. Roles are specifically important for AWS security. Because roles use temporary credentials with services. So that we don't need to use own permanent credentials to do some operations. If somehow hackers got access to AWS infrastructure they won't able to access our cached permanent  credentials. Here are some of advantages of using roles : Reduced Risk of Credential Exposure Least Privilege Principle Cross-Account Access  Let's create a role and assign it to the user  Click to "IAM" , "Roles" and then "Create role" button.  We need ARN (we talked about this in the previous post) of the user. Copy 12 digit unique ID. During role creation select "AWS account" since we are planning to add this role to user. Enter the ID we got from previous step. This ID defines our us
Read more