EC2 Roles and Instance Profiles

Using EC2 Roles and Instance Profiles in AWS

Overview

AWS Identity and Access Management (IAM) roles for Amazon Elastic Compute Cloud (EC2) grant instances temporary credentials. Applications running on the instance use those credentials to act with the permissions configured in the role. IAM roles eliminate the need to manage long-lived access keys on the instance, reduce the long-term risk of leaked credentials, and simplify permissions management. Prerequisites for this lab include knowing how to log in to and use the AWS Management Console, EC2 basics (including how to launch an instance), IAM basics (including users, policies, and roles), and how to use the AWS CLI.

Note: Connect to the bastion host and the web server in separate terminal sessions. The bastion host is used for interacting with AWS services via the CLI.

Create a Trust Policy and Role Using the AWS CLI

Log in to Bastion Host and Set the AWS CLI Region and Output Type

  1. Navigate to EC2 > Instances.

  2. Copy the public IP of the Bastion Host instance.

  3. Open a terminal, and log in to the bastion host via SSH:

    ssh cloud_user@<BASTION_HOST_PUBLIC_IP>

  4. Enter the password provided for it on the lab page.

  5. Run the following command:

    [cloud_user@bastion]$ aws configure

  6. Press Enter twice to leave the AWS Access Key ID and AWS Secret Access Key blank.

  7. Enter us-east-1 as the default region name.

  8. Enter json as the default output format.

Create IAM Trust Policy for an EC2 Role

  1. Create a file called trust_policy_ec2.json:

    [cloud_user@bastion]$ vim trust_policy_ec2.json

  2. Paste in the following content:

  3. Save the file.

Create the DEV_ROLE IAM Role

  1. Run the following AWS CLI command:

Create an IAM Policy Defining Read-Only Access Permissions to an S3 Bucket

  1. Create a file called dev_s3_read_access.json:

    [cloud_user@bastion]$ vim dev_s3_read_access.json

  2. Enter the following content, replacing <DEV_S3_BUCKET_NAME> with the bucket name:

  3. Create the managed policy called DevS3ReadAccess:

  4. Copy the policy ARN from the output.

Create Instance Profile and Attach Role to an EC2 Instance

Attach Managed Policy to Role

  1. Attach the managed policy to the role, replacing <DevS3ReadAccess_POLICY_ARN> with the ARN you just copied:

  2. Verify the managed policy was attached:

Create the Instance Profile and Add the DEV_ROLE via the AWS CLI

  1. Create instance profile named DEV_PROFILE:

  2. Add role to the DEV_PROFILE called DEV_ROLE:

  3. Verify the configuration:

Attach the DEV_PROFILE Role to an Instance

  1. In the AWS console, navigate to EC2 > Instances.

  2. Copy the instance ID of the Web Server instance; we'll need it shortly.

  3. In the terminal, attach the DEV_PROFILE to an EC2 instance, replacing <LAB_WEB_SERVER_INSTANCE_ID> with the Web Server instance ID you just copied:

  4. Verify the configuration (be sure to replace <LAB_WEB_SERVER_INSTANCE_ID> with the Web Server instance ID again):

    The output should show that the instance is using DEV_PROFILE as its IamInstanceProfile. To verify, locate the IamInstanceProfile section in the output and confirm that its "Arn" value ends in /DEV_PROFILE.

Test S3 Permissions via the AWS CLI

  1. In the AWS console, copy the public IP of the Web Server instance.

  2. Open a new terminal.

  3. Log in to the web server instance via SSH:

  4. Use the same password as for the bastion host, provided on the lab page.

  5. Verify the instance is assuming the DEV_ROLE role:

    We should see DEV_ROLE in the Arn.

  6. List the buckets in the account:

    Copy the entire name (starting with cfst) of the bucket with s3bucketdev in its name.

  7. Attempt to view the files in the s3bucketdev- bucket, replacing <s3bucketdev-123> with the bucket name you just copied:

    We should see a list of files.

Create an IAM Policy and Role Using the AWS Management Console

Create Policy

  1. In the AWS console, navigate to IAM > Policies.

  2. Click Create policy.

  3. Click the JSON tab.

  4. Paste the following text as the policy, replacing <PROD_S3_BUCKET_NAME> with the bucket name:

  5. Click Next: Tags.

  6. Click Next: Review.

  7. Enter ProdS3ReadAccess as the policy name.

  8. Click Create policy.

Create Role

  1. Click Roles in the left-hand menu.

  2. Click Create role.

  3. Under Choose a use case, select EC2.

  4. Click Next: Permissions.

  5. In the Filter policies search box, enter ProdS3ReadAccess.

  6. Click the checkbox to select ProdS3ReadAccess.

  7. Click Next: Tags.

  8. Click Next: Review.

  9. Give it a Role name of PROD_ROLE.

  10. Click Create role.

Attach IAM Role to an EC2 Instance Using the AWS Management Console

  1. Navigate to EC2 > Instances.

  2. Select the Web Server instance.

  3. Click Actions > Security > Modify IAM role.

  4. In the IAM role dropdown, select PROD_ROLE.

  5. Click Save.

Test the Configuration

  1. Open the existing terminal connected to the Web Server instance. (You may need to reconnect if you've been disconnected.)

  2. Determine the identity currently being used:

    This time, we should see PROD_ROLE in the Arn.

  3. List the buckets:

  4. Copy the entire name (starting with cfst) of the bucket with s3bucketprod in its name.

  5. Attempt to view the files in the s3bucketprod- bucket, replacing <s3bucketprod-123> with the bucket name you just copied:

    It should list the files.

  6. In the aws s3 ls command output, copy the entire name (starting with cfst) of the bucket with s3bucketsecret in its name.

  7. Attempt to view the files in the s3bucketsecret- bucket, replacing <s3bucketsecret-123> with the bucket name you just copied:

    This time, our access is denied, which shows the role grants read access only to the bucket it was scoped to.
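The two verification passes above (first under DEV_ROLE, then under PROD_ROLE) as one added script that is not part of the lab material. It runs on the web server, where the instance profile supplies the credentials; the role name and bucket names are passed as arguments, and the account ID in the comment is a constructed placeholder:

```shell
set -eu
# Extract the role name from an STS assumed-role ARN, e.g. (constructed)
# arn:aws:sts::123456789012:assumed-role/DEV_ROLE/i-0123456789abcdef0
role_from_arn() {
  arn="$1"
  case "$arn" in
    *:assumed-role/*) ;;
    *) echo "not an assumed-role ARN: $arn" >&2; return 1 ;;
  esac
  rest="${arn#*:assumed-role/}"   # -> DEV_ROLE/i-0123456789abcdef0
  printf '%s\n' "${rest%%/*}"     # -> DEV_ROLE
}
# Fail unless the instance's current credentials belong to the expected role.
assert_role() {
  expected="$1"
  actual=$(role_from_arn "$(aws sts get-caller-identity --query Arn --output text)")
  [ "$actual" = "$expected" ] || { echo "expected $expected, got $actual" >&2; return 1; }
  echo "credentials belong to $actual"
}
# Returns 0 if the listing succeeds, 1 on AccessDenied, 2 on any other error.
check_bucket_access() {
  bucket="$1"
  if out=$(aws s3 ls "s3://$bucket" 2>&1); then
    echo "ALLOWED s3://$bucket"; return 0
  elif printf '%s' "$out" | grep -q 'AccessDenied'; then
    echo "DENIED  s3://$bucket"; return 1
  else
    echo "ERROR   s3://$bucket: $out" >&2; return 2
  fi
}
# Usage: verify_lab <ROLE_NAME> <readable-bucket> <secret-bucket>
verify_lab() {
  assert_role "$1"
  check_bucket_access "$2"                     # the permitted bucket must be readable
  check_bucket_access "$3" && rc=0 || rc=$?    # the secret bucket must be denied
  [ "$rc" -eq 1 ] || { echo "secret bucket not denied (rc=$rc)" >&2; return 1; }
  echo "least-privilege check passed"
}
```

A network or credential error on the secret bucket is reported separately from AccessDenied, so a broken connection is not mistaken for a correctly scoped role.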
