aws iam – Automatic EC2 Role Assignment in AWS

amazon-iamamazon-web-servicesauthenticationauthorization

Trying to understand AWS IAM resources/concepts a little better. I know there is a way to configure an EC2 (either possibly via its underlying AMI or a launch template) so that when it launches for the first time it is automatically assigned the right role/permissions for things that instance should have access to. For instance if I know that the software server running on that instance will need S3 read/write access, I should be able to configure things so that I don't need to SSH onto that instance and configure an ~/.aws/credentials file.

My understanding is that Users and Roles are IAM resources that make up authenticatable identities. Meaning you can gives a User/Role a set of credentials and those credentials can then authenticate against AWS and identify themselves. I believe it is the recommended practices to give human beings a User resource and to give software a Role resource. So I would have my own AWS IAM User, and that User would have credentials that I would punch in to the web console or CLI to gain access to AWS. And my server (which would be deployed to AWS) would be given an AWS IAM Role such as (myapp-server-dev) and that Role would have credentials that the server could then present to the AWS API for authentication.

My understanding is that Groups are just collections of Users and/or Roles, used for the purpose of assigning those Users/Roles to specific permission sets.

My understanding is that IAM Policies are those permission sets, and that you attach/bind Policies to Users, Roles and/or Groups so as to give them permission to various AWS services/resources.

My understanding is that IAM Instance Profiles somehow bind an EC2 instance to a Role, but herein lies my main confusion.

Finally, it is my understanding that in order to make it so that:

I create an EC2 instances; and
That EC2 instance automagically has access to the correct AWS services/resources without having to manually install credentials files on the instance via SSH…

…in order to make that happen, I need to:

Create a Role for the EC2 instance and any other instances that will be running homogenous server software on them (that have the same authorization needs)
Create an Instance Profile for the EC2 instance that is bound to this Role
Attach a Policy to that Role (or any Group where the Role is member of) that gives it access to the appropriate services/resources

So first, if anything I've stated above is inaccurate, please begin my providing some course correction/clarification for me! Assuming my understandings are correct, then my question here is: how and where do I associate a given EC2 instance with an IAM Instance Profile, and how/where do I associate that Profile with a Role?

Best Answer

An "IAM Instance Profile" is a Role if you're using the console.

You associate one when you create the instance, in the "Advanced details" section.

Behind the scenes, AWS is creating an instance profile for you. If you're using the command line or API, you can create them separately if you like; see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html for details.

Update

Mike Pope has published a nice article about Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission) on the AWS Security Blog, which explains the subject matter from an AWS point of view.

Initial Answer

Skaperen's answer is partially correct (+1), but slightly imprecise/misleading as follows (the explanation seems a bit too complex for a comment, hence this separate answer):

To launch an EC2 instance with an IAM role requires administrative access to the IAM facility.

This is correct as such and points towards the underlying problem, but the required administrative permissions are rather limited, so the following conclusion ...

Because IAM roles grant permissions, there is clearly a security issue to be addressed. You would not want IAM roles being a means to allow permission escalation.

... is a bit misleading, insofar the potential security issue can be properly addressed. The subject matter is addressed in Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources:

You can use IAM roles to manage credentials for applications that run on Amazon EC2 instances. When you use roles, you don't have to distribute AWS credentials to Amazon EC2 instances. Instead, you can create a role with the permissions that applications will need when they run on Amazon EC2 and make calls to other AWS resources. When developers launch an Amazon EC2 instance, they can specify the role you created to associate with the instance. Applications that run on the instance can then use the role credentials to sign requests.

Now, within the use case at hand the mentioned developers [that] launch an Amazon EC2 instance are in fact EC2 instances themselves, which appears to yield the catch 22 security issue Skaperen outlined. That's not really the case though as illustrated by the sample policy in section Permissions Required for Using Roles with Amazon EC2 :

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:ListInstanceProfiles",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"ec2:*",
      "Resource":"*"
    }]
}

So iam:PassRole is in fact the only IAM permission required, and while technically of administrative nature, this isn't that far reaching - of course, the sample policy above would still allow to escalate permissions by means of listing and in turn passing any available role, but this can be prevented by specifying only those roles that are desired/safe to pass for the use case at hand - this is outlined in section Restricting Which Roles Can Be Passed to Amazon EC2 Instances (Using PassRole):

You can use the PassRole permission to prevent users from passing a role to Amazon EC2 that has more permissions than the user has already been granted, and then running applications under the elevated privileges for that role. In the role policy, allow the PassRole action and specify a resource (such as arn:aws:iam::111122223333:role/ec2Roles/*) to indicate that only a specific role or set of roles can be passed to an Amazon EC2 instance.

The respective sample policy illustrates exactly matches the use case at hand, i.e. grants permission to launch an instance with a role by using the Amazon EC2 API:

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect":"Allow",
      "Action":"ec2:RunInstances",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::123456789012:role/Get-pics"
    }]
}

Best Answer

Related Solutions

Which permissions/policies for IAM role to be used with CloudWatch monitoring script

How to Specify an IAM Role for an Amazon EC2 Instance via AWS CLI

Update

Initial Answer

Related Topic