Enhancing Security and Efficiency: Providing IAM Role-Based CLI Access to Instances Without Creating IAM Users or Access Keys

Rajaram Erraguntla
5 min read · Oct 19, 2023


Introduction:

Access keys are like a master key for your house. Would you ever hand it out casually?

Working with AWS, it’s tempting to generate Access keys for IAM Users. After all, it seems straightforward and convenient. Yet, this method holds a significant security loophole, especially in UAT or Production environments.

I just wanted to tell you a secret. Role-based access using IAM Roles is the unsung hero of AWS security.

IAM Roles are designed to provide temporary security credentials that applications can use to make API requests. No long-term credentials. No security risks. It’s like giving a guest key that expires after a while.

⚡️ Why Is AWS IAM Role-Based Access Crucial? ⚡️

Firstly, IAM Roles eliminate the need to share or store long-term AWS security credentials. Unlike Access keys that remain valid until manually revoked, IAM Roles provide temporary access, reducing the risk of unintended exposure.

Secondly, with IAM Roles, you can assign granular permissions. You can control who can assume the role and what actions they can perform, bringing a whole new level of security control to your AWS environment.

Before proceeding, make sure you have covered the essential pre-launch AWS EC2 checklist from my recent blog, “Production-Ready in Minutes: The Ultimate Real-Time Pre-Launch AWS EC2 Checklist for CloudOps Engineers” (link here: ), to fortify your EC2 instance’s security.

📋 Prerequisites

💡 Plan of Execution

  • 1️⃣ Create a Policy
  • 2️⃣ Create an IAM Role and attach the Policy
  • 3️⃣ Attach the IAM Role to the EC2 Instance
  • 4️⃣ Login to the EC2 Instance
  • 5️⃣ Verify the Access Keys

1️⃣ Create a Policy

🔹 Go to the “IAM” service and click on “Policies”.

🔹 Click on “Create Policy”.

🔹 Click on “JSON”.

🔹 Clear/delete the default policy, which is highlighted in red below.

🔹 It should look like this now:

🔹 Now, add the policy below in the “Policy Editor”:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ExecuteCommand",
                "ecs:DescribeTasks",
                "ecs:UpdateService",
                "iam:PassRole"
            ],
            "Resource": "*"
        }
    ]
}

🔹 It should look like the screenshot below. Click on “Next”.

🔹 Provide the Policy Name “AWS-Allow-User-To-Execute-ECS-Commands-From-EC2-Instance” and the Description “This Policy is used to run the ECS related tasks from an EC2 Instance”.

🔹 Click on “Create policy”.

🔹 We can see a successful notification.

2️⃣ Create an IAM Role and attach the Policy

🔹 Open the IAM console and select “Roles” under “Access Management”.

🔹 Click on “Create Role”.

🔹 Choose “AWS Service”.

🔹 Select “EC2” from the service drop-down, select the “EC2” radio button under the use case, and click on the “Next” button.

🔹 Choose the policy “AWS-Allow-User-To-Execute-ECS-Commands-From-EC2-Instance” which we created in the first step. Click on the “Next” Button.

🔹 Provide the Role Name “AWS-Allow-EC2-CLI-Access”.

🔹 Scroll down and click on the “Next” button.

🔹 We will see the successful notification of the role being created.

3️⃣ Attach the IAM Role to the EC2 Instance

🔹 Go to the EC2 Dashboard and choose the EC2 instance to which you want to attach the created role.

🔹 Click on “Actions”, then choose “Security” and select “Modify IAM Role”.

🔹 Choose the IAM Role we created in the 2nd step.

🔹 Click on the “Update IAM role” button.

🔹 A success notification will be displayed, and under the “Details” section we can see that the IAM Role has been updated.

4️⃣ Login to the EC2 Instance

🔹 Log in with hostname: your public IP, user: ec2-user, port: 22, and add your PPK key for the instance.

🔹 After a successful login to the EC2 instance, continue with the next step.

5️⃣ Validate ECS commands

🔹 Verify whether access keys have been configured:

aws configure list
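As an added example (not code from the original post), the script below turns this check into something repeatable: it reads the Type column that `aws configure list` prints, confirms the caller identity from `aws sts get-caller-identity` is an assumed-role session for the role created above (AWS-Allow-EC2-CLI-Access), and lists places where a static key might still be lingering. The two sample outputs are constructed for the offline checks; the live check at the bottom runs only when LIVE=1 is set on the instance.

```sh
# Added example (not from the original post): check that the AWS CLI on the
# instance resolves credentials from the attached role, not a static key.

# Constructed sample of `aws configure list` with the instance role attached.
SAMPLE_ROLE_OUTPUT='      Name                    Value             Type    Location
      ----                    -----             ----    --------
access_key     ****************ABCD         iam-role
secret_key     ****************WXYZ         iam-role
    region                us-east-1             imds'

# Constructed sample where someone ran `aws configure` with a long-term key.
SAMPLE_STATIC_OUTPUT='      Name                    Value             Type    Location
      ----                    -----             ----    --------
access_key     ****************EFGH shared-credentials-file
secret_key     ****************IJKL shared-credentials-file
    region                us-east-1      config-file    ~/.aws/config'

# Print the Type column of the access_key row (iam-role, env,
# shared-credentials-file, ...) or "not-set" when nothing resolves.
credential_source() {
    printf '%s\n' "$1" | awk '
        $1 == "access_key" { if ($2 == "<not") print "not-set"; else print $3; exit }'
}

# Succeed only if credentials come from the instance profile AND the caller
# identity is an assumed-role session for the expected role name.
role_access_ok() {
    [ "$(credential_source "$1")" = "iam-role" ] || return 1
    case "$2" in
        *:assumed-role/"$3"/*) return 0 ;;
    esac
    return 1
}

# List places a static key could still be lurking on the box.
static_key_sources() {
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && echo "env:AWS_ACCESS_KEY_ID"
    [ -f "$1" ] && echo "file:$1"
    return 0
}

# Live check on the instance (run with LIVE=1); role name is the one from the post.
if [ "${LIVE:-0}" = 1 ]; then
    role_access_ok "$(aws configure list)" \
        "$(aws sts get-caller-identity --query Arn --output text)" \
        AWS-Allow-EC2-CLI-Access && echo "OK: role credentials" || echo "FAIL"
    static_key_sources "$HOME/.aws/credentials"
fi
```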

🔐 Best Practices: Opt for IAM roles to maintain a robust security posture, ensuring a seamless and compliant AWS environment. By eliminating access keys, you’re proactively fortifying your cloud infrastructure against potential vulnerabilities and reinforcing a stringent security shield.

Don’t choose convenience over security. Embrace Role-Based Access. Let’s make our cloud environment not just powerful, but safe!

If you found this information valuable, let’s boost the conversation around AWS security. Share your thoughts or experiences below. Let’s learn together, and make the world of AWS a safer place.

🥳 Conclusion

