EC2 Instance Roles

What is the EC2 Instance Role?

EC2 instance roles are a specific use case of AWS Identity and Access Management (IAM) roles, targeted at Amazon Elastic Compute Cloud (EC2) instances. They enable applications running on the EC2 instance to call AWS services securely.

Characteristics of an EC2 Instance Role:

  1. Applications running on an EC2 instance might need to interact with other AWS services, such as Amazon S3 or Amazon DynamoDB. Instead of hardcoding AWS access keys in the application, you can delegate the required permissions to the EC2 instance by associating an IAM role with it.

  2. You create an IAM role with the desired permissions and specify that it can be assumed by the EC2 service. This IAM role, often referred to as a service role for EC2 or simply an EC2 instance role, can be attached to one or more instances.

  3. When creating the role, you define a trust policy that allows the EC2 service to assume the role. This ensures that only the EC2 service, acting on behalf of the instances the role is attached to, can assume this role.

  4. When launching an EC2 instance, you can specify the IAM role to associate with it. Existing instances can also have roles attached or changed using the AWS Management Console, CLI, or SDKs.

  5. Once the role is associated with an EC2 instance, the EC2 service retrieves temporary security credentials and provides them to the instance. These credentials are automatically rotated, minimizing the risk associated with long-lived credentials.

  6. Applications running on the EC2 instance can use the AWS SDK or CLI to make requests to AWS services. They don't need to handle credentials; the SDK or CLI automatically retrieves the temporary security credentials provided by the role.

  7. Following the principle of least privilege is vital. Only grant the permissions required for the application running on the instance to function.

    Be mindful of the fact that any user or application with access to the EC2 instance can use the role's permissions, so controlling access to the instance itself is also crucial.

  8. Common Use Cases:

    • Reading from and writing to S3 buckets.

    • Managing database entries in DynamoDB.

    • Accessing monitoring data or other services for application insights.

Hands-on Lab Overview

In this hands-on lab, using the AWS Management Console, we are going to attach an existing IAM role to an EC2 instance, replace the IAM role on an instance that already has one attached, and detach an IAM role from an EC2 instance.

Hands-on Lab

Attach an IAM role to the EC2 instance

To attach an IAM role to an instance that has no role, the instance can be in the stopped or running state.

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select the instance, then choose Actions -> Security -> Modify IAM role.

  4. Select the IAM role to attach to your instance, and choose Save.

Replace an IAM role on the EC2 instance

To replace the IAM role on an instance that already has an attached IAM role, the instance must be in the running state. Replacing the role in place, rather than detaching it and attaching a new one, ensures that API actions performed by applications running on the instance are not interrupted.

Detach an IAM role from the EC2 instance

To detach an IAM role from a running or stopped instance:

  1. Select the instance, choose Actions -> Security -> Modify IAM role.

  2. For IAM role, choose No IAM Role -> Save.

  3. In the confirmation dialog box, enter Detach, and then choose Detach.
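As an added example that is not part of the original lab, the same attach, replace and detach steps performed with the AWS CLI, preceded by creating a role whose trust policy admits only the EC2 service and whose permissions follow least privilege (a guard function rejects a trust policy that names any other principal). The role name, bucket name and instance ID are assumed placeholders.

```shell
# Added example, not from the original lab: AWS CLI equivalents of the console
# steps above. Role, bucket and instance ID are assumed placeholder values.
set -eu

ROLE_NAME="${ROLE_NAME:-app-s3-reader}"            # assumed role/profile name
BUCKET="${BUCKET:-example-app-bucket}"              # assumed bucket name
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder instance ID

# Trust policy: only the EC2 service may assume the role (characteristic 3).
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Least privilege (characteristic 7): read-only access to a single bucket.
permissions_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::${BUCKET}/*"},
 {"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::${BUCKET}"}]}
EOF
}

# Guard run before create-role: reject a trust policy that names an account,
# a federated principal or "*" as principal instead of the EC2 service.
trust_policy_is_ec2_only() {
  if printf '%s' "$1" | grep -Eq '"(AWS|Federated)"|"\*"'; then return 1; fi
  printf '%s' "$1" | grep -q '"ec2\.amazonaws\.com"'
}

# Active association ID for the instance (needed to replace or detach).
association_id() {
  aws ec2 describe-iam-instance-profile-associations \
    --filters Name=instance-id,Values="$INSTANCE_ID" Name=state,Values=associated \
    --query 'IamInstanceProfileAssociations[0].AssociationId' --output text
}

create_role_and_profile() {
  trust_policy_is_ec2_only "$(trust_policy)"   # set -e aborts here if the guard fails
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name s3-read --policy-document "$(permissions_policy)"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Lab step 1: attach to an instance that has no role (stopped or running).
attach_role()  { aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" --iam-instance-profile Name="$ROLE_NAME"; }
# Lab step 2: replace on a running instance without interrupting in-flight API calls.
replace_role() { aws ec2 replace-iam-instance-profile-association --association-id "$(association_id)" --iam-instance-profile Name="$1"; }
# Lab step 3: detach from a running or stopped instance.
detach_role()  { aws ec2 disassociate-iam-instance-profile --association-id "$(association_id)"; }
```

Call `create_role_and_profile`, then `attach_role`, `replace_role other-profile-name` or `detach_role` as needed; the guard and policy generators run offline, the `aws` calls need credentials with IAM and EC2 permissions.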
