Welcome to Day 6! We are still discussing the basics of AWS. The current question is addressing one of the most significant security aspects in AWS: the problem of providing appropriate permissions to services.
The Question
An application running on an EC2 instance needs to access an S3 bucket to read and write files. For maximum security, you should avoid storing long-term credentials (like access keys) on the instance.
Which IAM entity would you apply to the EC2 instance to provide it with the required permissions in a safe manner?
The Correct Answer
The right solution and security best practice is (C) An IAM Role.
Why It is A Good Idea: The Strength of Temporary Permissions.
IAM Role is an identity that has permission policies on what identity can or cannot do in AWS. Though, a role, unlike a user, does not possess its own long term credentials (such as a password or access keys).
When you give an instance of the EC2 a role, it gives the applications in the instance temporary security credentials. These temporary credentials may be then used by the application to gain entry to other AWS services such as S3.
Imagine it is a car valet key. You do not leave your access keys to the trunk and glove box with the valet. You provide them with a special key (role) with temporary, limit permissions (they can only start the car and lock/unlock the car doors). That is the main idea of doing the services with IAM Roles.
Discussion of the Fallacies of Choice.
(A) IAM User and access key: This is one of the biggest security threats. Having the permanent access key and secret key of a user stored on an EC2 instance implies that in case the instance becomes compromised the attacker can access those long-term credentials and utilize them over the network. This is a usual reason behind breaches of security.
(B) An IAM Group: An IAM Group is simply a group of IAM Users. You cannot use a group with an AWS service such as an EC2 instance. It is meant to simplify the management of permissions of a group of users other than granting permissions to resources.
(D) An IAM Policy: An IAM Policy, a document of type JSON, is the explicit listing of permissions (e.g., Allow, s3:GetObject). This is not a policy. It is the identities (User, Group, or Role) to which policies are attached in order to provide them with permissions. So a Role has a policy but that policy is not what you put on the EC2 instance.
Quick Comparison
User: User identity is an identity of a person or an application that has permanent credentials.
Group Group: A group of Users to make the management of permissions easier.
Role: A role is a user, application, or service with temporary credentials.
Keywords:
- AWS IAM
- IAM Role
- IAM User
- IAM Group
- Cloud Security
- Identity and Access Management
- IAM Policy
- Temporary Credentials
- AWS Security Best Practices
- EC2 Instance Profile
- S3 Bucket Access
- Principle of Least Privilege
- AWS Credentials
- "difference between iam user and role"
- "how to give ec2 instance access to s3"
- "securely manage aws access keys"
- "what is an iam role used for"
- "iam role vs user for ec2"
.png)
.png)
.png)
0 Comments