When associating an EC2 instance with a IAM role via "aws ec2 associate-iam-instance-profile" it seems that all Linux users on the instance can make API calls via those credentials. Is there a way to leverage the IAM instance profile but restrict access to specific users within the OS?
No, this is not possible.
The EC2 instance metadata is available to anyone who can access the URL, which typically means any user and any app on the computer.
It sounds like you will need to store credentials against each application, by using a credentials file.
Related
I'm just getting in touch with EC2 and came across the IAM Role concept. This question is to clear my doubt about the concept on restriction level.
Lets say I have an EC2 instance with attached IAM Role Role A which posses one policy AmazonS3ReadOnlyAccess, correct me if i'm wrong but it means this particular instance only allow to perform S3 Read only operation.
Now says I created a User with Programmatic access and AmazonS3FullAccess policy.
If this user SSH into the EC2 instance, can he write file to s3 ?
I still unable to try it out by myself as I don't have a linux machine and still figuring on how to connect to Ec2 using putty
Lets say I have an EC2 instance with attached IAM Role Role A which
posses one policy AmazonS3ReadOnlyAccess, correct me if i'm wrong but
it means this particular instance only allow to perform S3 Read only
operation.
Yes
Now says I created a User with Programmatic access and
AmazonS3FullAccess policy. If this user SSH into the EC2 instance, can
he write file to s3 ?
IAM users cannot SSH to EC2 instances using IAM user credentials. After provisioning a EC2 instance, you need to use regular Operating System User constructs, to SSH to the Server (Default user keys created by AWS).
In addition if a user SSH to EC2 instance and use a Programatic Access Credentials of a EC2 User through AWS CLI, REST API or SDKs (Doesn't have to be a EC2 instance, it also can be your on-premise server) then if the IAM User has a S3 write policy, the CLI commands or API calls or the code using SDK is able to write files to S3.
So in a summary
Use IAM roles if you are running a EC2 instance, for your CLI commands, Code with SDK, or REST API calls to access AWS Resources.
If you are using a server on-premise or outside AWS, use IAM User's Programatic Access keys to do the same.
Insight on how IAM roles work internally with EC2
When you attach a IAM role to a EC2 instance, AWS periodically updates the EC2 instance with temporal Access Credentials to that EC2 instance (Which is a good security practice).
These credentials are accessible through the Metadata URLs for the CLI, REST API and Code using SDKs inside EC2 instance.
Note: When using Roles, its much secure since it uses Temporal access credentials vs IAM Users Programatic Access uses Long lived access credentials.
I need to create Java REST API(not with SDK) to launch a AWS EC2 instance.
First of all I need to Authenticate with the AWS API server by using Signature and Accesskey. I tried using the AWS documentations but I am facing the below error.
<Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message>
Could someone suggest me the steps to implement authentication with API and launching the instance in AWS. Also share if any existing GitHub code for the above requirement.
You have to use,
http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/ec2/AmazonEC2Client.html
There are ways you can gain access.
Create Access Key and Secret with IAM and pass them to java client.
Or you can create a role for an EC2 instance and assign the role to your Ec2 instance. Any code run from that EC2 instance will have access to the role mentioned.
Either with IAM Access Key or EC2 Instance Role, you need to have EC2 Policy with EC2FullAccess to access the API.
There are many users in my Amazon IAM. All of them added to admin group. May I deny used Amazon CLI for all and allow only one don't change group memberly?
Thank you.
It sounds like your situation is:
Your users are authorized to have access to an Amazon EC2 instance via their EC2 Key Pairs
The EC2 instance was launched with a Role that has been given certain permissions
Any user who logs into the EC2 instance can therefore run AWS Command-Line Interface (CLI) commands that take advantage of permissions assigned to the Role
You do not want all users to have such permissions
If you do not want all users to have such permissions, then you should not assigned a Role to the EC2 instance. Instead, provide IAM credentials separately to each application on the server (although that can be a lot of effort in itself).
Another option is to allow users to use the applications (eg via an exposed port, such as a web server) but do not allow them to login to the instance.
I have outsourced the development of some services to another company, and now I need the other company to be able to create an ec2 instance on my behalf.
I have other instances which I don't want the company to view and be able to change.
I know how to create an IAM-user but I don't know how to create the right policy to give that user access to ec2 and to create and manage instances, he/she has created, without having access to other instances.
Is it possible and if yes, how does that policy look like ?
thanks
Thomas
This is not a simple answer. Creating an instance requires permission to call the RunInstances command, but would also need permission to use the associated Security Group and AMI. The other company would also likely want the ability to view details of the instance(s) they have launched, and the ability to Start/Stop it.
In fact, the EC2 Management Console doesn't work well if you deny permission to view existing EC2 instances.
Resource-specific permissions can be granted, which allow only calls that affect a particular instance (or VPC, AMI, etc). So, a RunInstances command could be limited to a specific AMI, keypair, snapshot, subnet, etc. The StopInstances command could then be limited to the instance they created (but you'd need the ID, so you can only grant that once the instance is launched).
Also, please note that launching an instance requires permissions in Identity and Access Management (IAM), which is separate to permissions to login to an instance.
Recommendation: It might be safest if you were to launch the instance for them, then provide them with access to login to the instance to perform their work. If they require more access to your AWS Account, it could become quite involved determining to which resources they should/shouldn't have access.
See:
Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances
Supported Resource-Level Permissions for Amazon EC2 API Actions
I am exploring amazon IAM Roles. I want to know how can we apply IAM roles to an ec2 instance to access an application.
Any lead is highly appreciated.
Thanks
You can attach a Role to an Instance to provide this instance with specific permissions to use AWS API.
For example : You deploy a Java application on Tomcat and you want your application to use DynamoDB or S3 ... you need an ACCESS KEY and SECRET KEY with proper permission. How would your application get these ? A configuration file ? Burned into the AMI ? Stored in a database ? ... none of these are secure and manageable at large scale.
This is where Role kicks in.
you define a role in IAM and attach a couple of permission to it.
when you create the instance, you attach the role (you can not do that at a later time !)
from the instance, a private web service will give access to temporary ACCESS KEY and SECRET KEY, limited to the permissions specified in the role.
The best part is that AWS SDK are knowing about that and can dynamically and automatically get the keys for you.
Check out the doc for more details : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html