IAM Roles
- An IAM Role is a set of permissions given to an AWS service/resource so that it can access other AWS resources (instead of embedding a user's access keys in it).
Lab Setup
- Create an EC2 instance with Amazon Linux.

- Create an IAM Policy which allows any operation on S3 and EC2 (the policy below also covers the related Elastic Load Balancing, CloudWatch and Auto Scaling actions):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "*"
    },
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        }
      }
    }
  ]
}
- Create one more EC2 instance

- Create one S3 bucket

Activity 1
- Let's give the Amazon Linux instance permission to do anything with EC2 and S3.
- For this we have already created a policy.
- Since we need to give an EC2 instance permission to access other EC2 instances and S3 buckets, let's create a role.

- Once the role is created, let's attach this role to the Amazon Linux instance.

- Note: on Amazon Linux the AWS CLI is preinstalled.
- Using this role we get programmatic access from:
- AWS CLI
- Code using the AWS SDK
- Mainly for automation purposes, roles are assigned to
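As an added example (not part of these lab notes), the following Python builds the trust policy a role needs before EC2 (Activity 1) or Lambda (Activity 2) can assume it, and flags the wildcard grants in the lab policy above that a least-privilege review would tighten. The scoped policy and its bucket name are constructed placeholders.

```python
# Permission policy from the lab above, trimmed to one entry per statement (same grants).
LAB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": ["autoscaling.amazonaws.com"]}}},
    ],
}

# Constructed least-privilege alternative for Activity 1; the bucket name is a placeholder.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-lab-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

def trust_policy(service: str) -> dict:
    """Trust policy that lets one service principal assume the role:
    ec2.amazonaws.com for Activity 1, lambda.amazonaws.com for Activity 2."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy: dict) -> list:
    """(statement index, action) for each unconditioned Allow statement that grants a
    wildcard action on Resource "*": the grants to scope down before attaching the role."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append((idx, action))
    return findings
```

The conditioned iam:CreateServiceLinkedRole statement is skipped because its Condition already limits which services it applies to.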
Activity 2
- Give a Lambda function permission to access S3 and EC2.
- Create a role for Lambda.
IAM Programmatic Access for Users
- Create 3 users with programmatic access only:
- developer
- admin
- tester

- Don't give them any permissions.
- Once we create the users we get an Access Key ID and a Secret Access Key.

- We need to keep the Secret Access Keys secret.
- As admins/operations we are supposed to rotate credentials.
- The Access Key ID can be viewed any time, but the Secret Access Key can be viewed only at creation.

- Once we are done using them, it's a better idea to deactivate these credentials.