In this exercise we will use AWS IAM Roles to avoid the use of AWS IAM access keys that an Amazon Elastic Compute Cloud (EC2) instance may otherwise need to access AWS resources. We will create a role and assign it to the EC2 instance instead of hard-coding access keys inside the instance.
Note: For this lab, it is assumed that an EC2 instance has already been created with default settings. For instructions on creating an EC2 instance, please follow the link.
From the account drop-down list at the top right of the console, click on My Security Credentials.
Scroll down the page to the ‘Access keys for CLI, SDK, & API access’ section and note the status of any active Access key ID. Anyone who obtains one of these long-lived keys can perform any action the associated user is permitted to perform, from anywhere. Instead of access keys, we will create a role, because roles provide short-term credentials that are rotated automatically.
To avoid the access key usage we first need to create an IAM role. Click on Roles on the menu on the left side of the console under Access Management.
Click on Create role.
Click Next: Permissions.
In the Search field, type the name of the policy you want to attach to your EC2 instance and select it from the list, e.g. the AmazonRekognitionReadOnlyAccess policy.
Click Next: Tags.
Provide the optional Key and value to the tag.
Click Next: Review.
Provide a meaningful name for the role and an optional description. Click Create role.
You will notice the newly created role is now appearing in the list of roles.
Go to services, click EC2.
On the dashboard, click on Instances (running).
Select the EC2 instance to which you want to assign the role. Click Actions -> Security -> Modify IAM role.
From the drop-down list of IAM roles, select the role that you have created in the previous steps.
Click Save. Your EC2 instance can now access the required AWS service with only the permissions granted by the attached policy, and without any long-lived keys stored on the instance.
We will now disable the Access Key as it is no longer required.
From the AWS console, on the top right corner, click on the drop-down list where your IAM user and Account is mentioned and click on My Security Credentials.
Scroll down the page to the ‘Access keys for CLI, SDK, & API access’ section and click on Make Inactive under the Actions column for the access key noted earlier.
Click on Deactivate on the confirmation dialogue box.
You will notice the message about deactivation of your IAM user Access key.
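Two checks that complement the console steps above, as an added example that is not part of the lab. The first inspects a role trust policy: when you choose EC2 as the trusted entity, the console attaches a trust policy that lets only the EC2 service (`ec2.amazonaws.com`) assume the role, and the check flags anything broader (a wildcard principal or a non-EC2 principal would let other parties obtain the role's credentials). The second looks for leftover long-lived keys on the instance: the AWS CLI and SDKs consult environment variables and the shared credentials file before the instance profile, so an `AKIA...` key left behind in either place would silently override the role you just attached. Temporary keys issued to a role start with `ASIA` and are expected. The sample credentials file is constructed for the example and uses the placeholder key IDs from the AWS documentation; no AWS API calls are made.

```python
"""Added example (not part of the lab): offline checks to run alongside the
console steps above.  The sample credentials file below is constructed."""
import configparser
import json

# Trust policy the console attaches when "EC2" is chosen as the trusted
# entity type: only the EC2 service may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# A deliberately loose trust policy used to exercise the checker.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def _principal_values(principal):
    """Flatten a Principal element ("*", {"Service": "..."} or lists) to a list."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for value in principal.values():
        values.extend(value if isinstance(value, list) else [value])
    return values


def trust_policy_issues(policy):
    """Return the problems found in a trust policy meant for an EC2 role."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        values = _principal_values(stmt.get("Principal", {}))
        if "*" in values:
            issues.append(f"statement {i}: wildcard principal")
        elif values != ["ec2.amazonaws.com"]:
            issues.append(f"statement {i}: principal is not the EC2 service")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action != "sts:AssumeRole":
                issues.append(f"statement {i}: unexpected action {action}")
    return issues


def mask(key_id):
    """Show only the prefix and suffix of a key ID in reports."""
    return key_id[:4] + "..." + key_id[-4:]


def find_static_credentials(credentials_ini, env):
    """Report long-lived (AKIA...) access keys in a shared credentials file
    (contents of ~/.aws/credentials) and in environment variables.  Both are
    consulted before the instance profile, so leftovers override the role."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_ini)
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id", "")
        if key_id.startswith("AKIA"):
            findings.append(("credentials file", profile, mask(key_id)))
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    if key_id.startswith("AKIA"):
        findings.append(("environment", "AWS_ACCESS_KEY_ID", mask(key_id)))
    return findings


# Constructed sample: one profile with a long-lived user key (must go), one
# with temporary role credentials (fine).  Key IDs are AWS doc placeholders.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[assumed-role]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = EXAMPLEsecret
aws_session_token = EXAMPLEtoken
"""

if __name__ == "__main__":
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    print("issues in EC2 policy:", trust_policy_issues(EC2_TRUST_POLICY))
    print("issues in loose policy:", trust_policy_issues(LOOSE_TRUST_POLICY))
    env = {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}
    for finding in find_static_credentials(SAMPLE_CREDENTIALS, env):
        print("long-lived key found:", finding)
```

On a real instance, pass the contents of `~/.aws/credentials` and `os.environ` to `find_static_credentials`; an empty result means the role attached in the steps above is the only credential source the CLI and SDKs will find.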
For more information please read the AWS User Guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html