AWS IAM Roles

As I have been developing and testing on Amazon Web Services (AWS) hosting I have made much use of the Identity and Access Management (IAM) feature. In particular, I have found the IAM Roles to be extremely helpful. I can assign a role to a specific instance or even a launch group of instances. When those instances are launched they have all the permissions of the role that I have specified for them. This means that if an instance needs to access files that are on S3, I just add that permission to the role and the instance is able to access S3 files. This is extremely useful for system admin scripts as well as other programming tasks.

I have found that after assigning a new permission to a role there may be some latency before it takes effect, although usually it is very minimal.

In a role you can organize permissions in groups called “Policies”.

Following is a list of policies that I have in a standard testing role that I use. The permissions you need will almost certainly differ from these. I am publishing them here more as a guideline to help you get started, as well as to remind myself of them in the future. Note that the policy names are arbitrary.

I hope you find these helpful.

Allow-EC2-ConnectToRegion

{
  "Statement": [
    {
      "Action": [
        "ec2:DescribeRegions"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

Allow-EC2-Manage-Volumes

{
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

Allow-EC2-RegisterImage

{
  "Statement": [
    {
      "Action": [
        "ec2:RegisterImage"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

Allow-S3-Access

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Allow-Self-Termination

{
  "Statement": [
    {
      "Action": [
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
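As an added example (my own code, not from the original post), here is a small Python check that reads policy documents like the ones above and flags what a least-privilege review would look at: a missing "Version" element, wildcard actions such as "s3:*", and non-read-only actions granted on Resource "*". The bucket name "example-bucket" in the narrowed S3 policy is a constructed placeholder.

```python
import json

# Constructed samples (not from the post): the broad "Allow-S3-Access" policy as
# published above, and a hypothetical least-privilege rewrite scoped to one bucket.
BROAD_S3 = '{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}'
SCOPED_S3 = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Action-name prefixes treated as read-only. Many Describe*/List* calls (EC2 in
# particular) do not support resource-level permissions, so Resource "*" is
# unavoidable for them and is not flagged.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    name = action.split(":", 1)[-1]  # "ec2:DescribeVolumes" -> "DescribeVolumes"
    return name.startswith(READ_ONLY_PREFIXES)


def policy_findings(policy_json):
    """Return a list of findings for one IAM policy document (empty means nothing broad)."""
    doc = json.loads(policy_json)
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("no Version element: policy language defaults to 2008-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        broad = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and broad:
            findings.append(f"statement {i}: non-read-only actions on Resource '*': {broad}")
    return findings


if __name__ == "__main__":
    for name, policy in (("Allow-S3-Access", BROAD_S3), ("scoped", SCOPED_S3)):
        print(name, policy_findings(policy) or ["ok"])
```

Run against the policies in this post, the Describe-only ones come back with just the missing-Version note, while Allow-S3-Access and Allow-Self-Termination are the ones worth narrowing.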
