Use AWS Roles to Safeguard Keys


The Amazon AWS service API is an essential tool for automating the deployment, monitoring, and management of AWS resources. To grant programs the necessary API access, a common technique is to create AWS access keys and store them in configuration files, or even hardcoded into source code. I employed this method in last month's installment, Implementing A Custom AWS Dashboard.

However, using keys in this way introduces a security risk. Keys stored in configuration files or source code are exposed to unauthorized disclosure, and such keys grant unrestricted access to all of your account's AWS functions, far broader access than a particular task usually needs. AWS Identity and Access Management (IAM) roles offer a solution to both problems.

An IAM role is a named set of permissions that can be attached to an AWS element such as an EC2 instance. The permissions the role carries are defined in its role policy, which is a JSON document like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListInstanceProfiles",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}


Don't be intimidated by all those quote marks and curly braces; using the AWS Management Console you can create roles and policies with click-and-go ease.
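As an added example (not code from the original article), here is a small Python check that reads a policy document like the one above and flags Allow statements that are wider than the read-only access a dashboard needs. The CW_READ_POLICY used for comparison is a constructed stand-in, not a copy of the AWS "CloudWatch Read Only Access" template.

```python
import json

# The page's own example policy, embedded so the checker runs offline.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:ListInstanceProfiles", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}
""")

# Constructed stand-in for a CloudWatch read-only policy (an assumption,
# not the AWS managed "CloudWatch Read Only Access" template).
CW_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*"],
        "Resource": "*",
    }],
}

READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True when the action verb is a Describe/Get/List call (or a prefix of one)."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def find_broad_grants(policy):
    """Return (action, resource, reason) for Allow statements wider than read-only."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if action == "*" or action.endswith(":*"):
                    findings.append((action, resource, "whole-service wildcard"))
                elif resource == "*" and not is_read_only(action):
                    findings.append((action, resource, "mutating action on any resource"))
    return findings


if __name__ == "__main__":
    for finding in find_broad_grants(PAGE_POLICY):
        print("%s on %s: %s" % finding)
```

Run against the page's policy it reports the ec2:* and iam:PassRole grants; the read-only CloudWatch stand-in produces no findings.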

Let's create a role to use for the CloudWatch dashboard:

  1. Go to the IAM service console page
  2. Select "Roles" from the left menu bar
  3. Click the "Create New Role" button
  4. Enter a name for your new role, for example, "cw-read" for CloudWatch read-only access
  5. Select the Service Role "Amazon EC2"
  6. Select the Policy Template "CloudWatch Read Only Access"
  7. The console will display the Policy Document to be created for the role. Click "Continue"
  8. The console will display a final review of the role to be created. Click "Create Role"


The new role should now appear in the list of roles in the AWS console.

Now go to the EC2 console page, and click on "Launch Instance".

In step 3, you will see the pull-down menu for selecting the IAM role to associate with the new instance.



Because the role's credentials are delivered to the instance through the EC2 metadata service, the role can be associated only when the instance is created.

Now you can create a new EC2 instance with the new role and run through the dashboard build process on that instance. Omit the step of creating AWS access keys and storing them in the /etc/boto.cfg file. When no keys are found, the boto library automatically falls back to the role credentials in the instance's metadata to perform the needed CloudWatch API calls.

AWS IAM roles have many other potential uses. For more information, see the
Amazon documentation on working with roles:
http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html