AWS Access means calling the AWS APIs in order to access AWS resources or manage AWS account resources. An application that runs on an EC2 instance must include AWS credentials in its AWS API requests. EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform those requests. An IAM role is designed to let applications running on instances make API requests securely.
AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to.
A role also provides security credentials to an application. Through the security credentials associated with the role, the application is granted the permissions for the actions and resources that you have defined for the role. These security credentials are temporary.
By passing role information to an EC2 instance at launch, you limit the risk of access key exposure and help prevent a malicious user from compromising the instance. Use an IAM role to manage temporary credentials for the application that runs on an EC2 instance. When you use a role, you do not have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance.
Role credentials are temporary and rotated automatically, so you don’t have to manage credentials and you don’t have to worry about long-term security risks.
Use IAM roles to delegate access to users, applications, or services that do not normally have access to your AWS resources.
Perform the following to check whether an IAM role is configured and associated with each instance:
Via AWS Console
Step 1: Log in to the AWS Console with Admin access and go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Step 2: Under the Instances section, click Instances in the left navigation pane.
Step 3: Select the EC2 instance that you want to audit.
Step 4: Select the Description tab from the bottom panel of the dashboard.
Check the IAM role attribute value. If the attribute has no value assigned, the selected instance has no IAM role associated. If your applications make API requests, we strongly recommend that you use an IAM role.
Step 5: Repeat steps 3 and 4 for each other EC2 instance.
Step 6: Change the AWS region from the navigation bar and repeat the audit process for the other regions.
Via AWS CLI
Step 1: Run the command below to list all EC2 instances currently available in the selected region:
aws ec2 describe-instances --region <region> --output table --query 'Reservations[*].Instances[*].InstanceId'
Step 2: Run the command below for each instance ID returned to view its IAM instance profile; an empty result means no role is attached to that instance:
aws ec2 describe-instances --region <region> --instance-ids <instance_id> --query 'Reservations[*].Instances[*].IamInstanceProfile'
Step 3: For a complete audit, repeat the above commands for the other regions.
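The two-command audit above has to be repeated per instance. The script below, an added example that is not part of the original page, does the same check in one pass over the JSON output of describe-instances: it flags every instance whose IamInstanceProfile attribute is absent, skipping terminated instances by default. The SAMPLE data is constructed for illustration; the account ID, instance IDs and profile name in it are placeholders.

```python
"""Audit EC2 instances for a missing IAM instance profile.

Feed it the JSON from:  aws ec2 describe-instances --region <region> --output json
e.g.  aws ec2 describe-instances --region us-east-1 --output json | python3 audit_ec2_roles.py
"""
import json
import sys

# Constructed sample of describe-instances output (not real account data):
# one instance with a profile, one without, one terminated.
SAMPLE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111111111111a",
             "State": {"Name": "running"},
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::123456789012:instance-profile/NewRole-Instance-Profile"}},
            {"InstanceId": "i-0bbb222222222222b",
             "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333333333333c",
             "State": {"Name": "terminated"}},
        ]},
    ]
}


def instances_without_role(describe_output, skip_terminated=True):
    """Return the IDs of instances that have no IAM instance profile attached.

    Terminated instances are skipped by default: they cannot make API calls
    and cannot be remediated, so they would only add noise to the finding.
    """
    missing = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if skip_terminated and inst.get("State", {}).get("Name") == "terminated":
                continue
            # describe-instances omits the IamInstanceProfile key entirely when
            # nothing is attached, so test for absence rather than an empty value.
            if not inst.get("IamInstanceProfile", {}).get("Arn"):
                missing.append(inst["InstanceId"])
    return missing


if __name__ == "__main__":
    # Read real output from stdin when piped; fall back to the sample otherwise.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for instance_id in instances_without_role(data):
        print(f"FAIL {instance_id}: no IAM instance profile attached")
```

Run it once per region, since describe-instances only returns instances from the region given on the command line.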
To create the role, perform the following steps:
Step 1: Open the IAM console at https://console.aws.amazon.com/iam/.
Step 2: Click on Roles in the left navigation pane.
Step 3: Create a new role, select the use case as per your requirement, and click on the Next: Permissions button.
Step 4: Select the policy as per your requirement and click on the Next: Tags button.
Step 5: Enter the role name in the Role name box and click on the Create role button.
Step 6: Launch a new instance with identical settings to the existing instance and ensure that the newly created role is selected.
Step 7: Stop both the existing instance and the new instance.
Step 8: Detach the volumes from both instances.
Step 9: Attach the old instance's volume to the new instance.
Step 10: Boot the new instance; you should have the same machine, but with the associated role.
Via CLI Command:
Step 1: Open the AWS CLI and call the create-role command to create the IAM role, <new_role>, based on the trust policy file new_role-Trust-Policy.json.
aws iam create-role --role-name <new_role> --assume-role-policy-document file://new_role-Trust-Policy.json
Step 2: Call the attach-role-policy command to grant this IAM role permission to access resources in your account.
aws iam attach-role-policy --role-name <new_role> --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Step 3: Call the create-instance-profile command, followed by the add-role-to-instance-profile command, to create the IAM instance profile, NewRole-Instance-Profile. The instance profile allows EC2 to pass the IAM role, <new_role>, to an EC2 instance. To learn more, see Using Instance Profiles.
aws iam create-instance-profile --instance-profile-name NewRole-Instance-Profile
aws iam add-role-to-instance-profile --role-name <new_role> --instance-profile-name NewRole-Instance-Profile
Now attach the IAM role to an existing EC2 instance.
Step 4: Call the associate-iam-instance-profile command to attach the instance profile, NewRole-Instance-Profile, for the newly created IAM role, <new_role>, to your EC2 instance, <instance_id>.
aws ec2 associate-iam-instance-profile --instance-id <instance_id> --iam-instance-profile Name=NewRole-Instance-Profile
Step 5: Verify that the IAM role is now attached to the instance by calling the describe-iam-instance-profile-associations command.
aws ec2 describe-iam-instance-profile-associations
Now, you can update your application to use the IAM role to access AWS resources and delete the long-term keys from your instance.