IAM roles for EC2 instances – A secure way to access AWS service APIs

EC2-Instance-IAM-Role_Cloud Security

Due to dynamic service infrastructure, complex configurations and various inter-dependencies of resources in cloud, it becomes quite important to put your security engine in place. That said, AWS EC2 is the elastic compute service that requires certain IAM roles with a specific set of permissions to securely access AWS service APIs.

What are AWS EC2 roles?

IAM roles allow applications running in your EC2 instances to act on your behalf. You can use the Access Policy Language to specify permissions just like an IAM user. On the other hand, unlike a user, a role cannot be used to directly call AWS service APIs. A role must be assumed by an entity – an EC2 instance in this case.

Having IAM roles for your EC2 instances helps in ensures secure access

When you launch an EC2 instance with an IAM role, temporary AWS security credentials with specified permissions to the instance are securely provisioned and are made available to your application. The Metadata Service makes new temporary security credentials prior to the expiration of the current active credentials. This way, the valid credentials are always available on the instance.

We recommend you to create and use IAM roles for your EC2 instances to facilitate secure access and permissions. Centilytics also provides a dedicated insight for this and specifies whether an EC2 role is present in IAM in your account or not.

Insight descriptions:

There can be 2 possible scenarios:

Severity Description
Critical This indication will be displayed when your corresponding EC2 instance has no role in IAM.
OK This indication will be displayed when your corresponding EC2 instance has a role in IAM.

 

Description of further columns are as follows:

  1. Account Id: This column shows the respective account ID of the user’s account.AWS EC2 1
  2. Account Name: This column shows the Account Id of the user’s accountAWS EC2 3
  3. Region: This column shows the region in which the resources exist.AWS EC2 4
  4. Identifier: This column shows the unique instance id of your EC2 instance.AWS EC2 2
  5. Role name: This column shows the role name associated with your EC2 instance.AWS EC2 5

Filters applicable:

Filter Name Description
Account Id Applying the account Id filter will display data for the selected account Id.
Region Applying the region filter will display data according to the selected region.
Severity Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for warning and OK severity types
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g., A user has tagged some public snapshots by a resource tag named environment. Then selecting an environment from the resource tags filter will display all those resources tagged by the tag name environment.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment:production). Hence, the user can view data of all the resources which have “environment:production” tag assigned. The user can use the tag value filter only when a tag name has been provided.

 

Know more about IAM roles for EC2 instances.

LEAVE A REPLY

Please enter your comment!
Please enter your name here