2
votes

If an EC2 instance is required to have access to multiple AWS services (like S3, SNS, SQS, CloudWatch etc.), what is the best practice for granting access to the EC2 instance?

  • Should one ROLE have all the required permissions?
  • OR
  • Create multiple ROLEs (you can only attach one ROLE to an EC2 instance; using a config file you can use multiple roles, but extra coding is required depending upon which language you are using) - one for each service

As per the AWS documentation you should always create a ROLE for EC2 and assign a policy to the ROLE according to your requirement.

Is there any security concern with granting multiple service access to one ROLE? Why I am asking is because, using the EC2 metadata, you can get the access key info assigned to the EC2 instance through that ROLE at that point. Keys are getting refreshed frequently by EC2.

Any feedback or input?


4 Answers

1
votes

AFAIK, what's worked best for me so far is [ec2 --> one role -> many policies], and the role trust relationship is assigned to the EC2 instance service.

Not sure why to be concerned about the security aspect, as to get the metadata you are already authenticated and have access to the EC2 instance.

Hope this helps; maybe a more detailed use case might help to answer more precisely.

0
votes

You certainly can, and should, assign multiple permissions to the one IAM Role, and then assign that IAM Role to the Amazon EC2 instance.

This is correct practice.

0
votes

It depends on your services or EC2 usage.

If your services are deployed on different EC2 instances and do different things, i.e. each of your services interacts with different resources, I would suggest creating a role for each use case (for each EC2 instance). This will protect you in the case one of your EC2 instances becomes compromised, as a hacker could potentially have access to all those resources.

If all your services interact with the same resources or are deployed to the same EC2 instance, then I would just create one role and use that for all my EC2 instances.

0
votes

The best way is to use a single role with multiple policies attached to it with granular access; also, using a /service role will be a better option.

Example (CloudFormation, `Resources` section; the resource keys are indented consistently so the YAML parses):

```yaml
Resources:
  YourServerEc2Profile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: '/'
      Roles:
        - Ref: YourServerEc2Role
  YourServerEc2Role:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      # Inline policy with the permissions the instance needs
      Policies:
        - PolicyName: audit
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - "ssm:*"
                  - "ec2:DescribeImages"
                  - "cloudwatch:PutMetricData"
                  - "ec2:DescribeInstances"
                  - "lambda:InvokeFunction"
                  - "ec2:DescribeTags"
                  - "ec2:DescribeVpcs"
                  - "cloudwatch:GetMetricStatistics"
                  - "ec2:DescribeSubnets"
                  - "ec2:DescribeKeyPairs"
                  - "cloudwatch:ListMetrics"
                  - "ec2:DescribeSecurityGroups"
                Resource: "*"
                Effect: "Allow"
      # Managed policies attached to the same role
      ManagedPolicyArns:
        - !Ref YourServerCrossAccount
        - arn:aws:iam::aws:policy/ReadOnlyAccess
  YourServerCrossAccount:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource:
              # AccountID is a placeholder for the target account id
              - arn:aws:iam::AccountID:role/AWS_CrossAccount
```
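Whether you use one role for the instance (as the answers above recommend) or one per use case (as the "it depends" answer suggests), the thing worth checking is how broad each policy is: the inline `audit` policy in the template grants `ssm:*` and uses `Resource: "*"` for mutating actions, which is what makes a compromised instance's metadata credentials expensive. The following Python is an added example, not code from this thread, that lints a policy document for those patterns and lists the services a role reaches. The two policy documents, the ARNs and the account id in it are constructed samples (`SPLIT_POLICY` is one way of scoping the same permissions, not a recommendation from the answer).

```python
"""Lint IAM policy documents for over-broad Allow statements.

Added example. The policies below are constructed samples: AUDIT_POLICY
mirrors the shape of the inline policy in the CloudFormation answer,
SPLIT_POLICY shows the same permissions scoped per service.
"""

# Constructed: one statement, wildcard service action, wildcard resource.
AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*",
                "ec2:DescribeInstances",
                "cloudwatch:PutMetricData",
                "lambda:InvokeFunction",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed: same capabilities, mutating actions pinned to resources or
# constrained by a Condition (placeholder ARNs and account id 123456789012).
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Describe* calls do not support resource-level ARNs
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
            "Resource": "*",
        },
        {   # PutMetricData only accepts Resource "*"; scope it by namespace
            "Effect": "Allow",
            "Action": ["cloudwatch:PutMetricData"],
            "Resource": "*",
            "Condition": {"StringEquals": {"cloudwatch:namespace": "MyApp"}},
        },
        {
            "Effect": "Allow",
            "Action": ["lambda:InvokeFunction"],
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:audit-hook",
        },
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters"],
            "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/*",
        },
    ],
}

# Action name prefixes treated as read-only for the Resource "*" check.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True for Describe*/Get*/List* actions; wildcards are never read-only."""
    if action == "*" or action.endswith(":*"):
        return False
    name = action.split(":", 1)[1]
    return name.startswith(READ_ONLY_PREFIXES)


def find_overbroad_statements(policy):
    """Return [(statement_index, reason)] for Allow statements that either
    grant a wildcard action or pair Resource "*" with mutating actions
    without any Condition to narrow them."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        if "*" in resources and "Condition" not in stmt:
            mutating = [a for a in actions if not _is_read_only(a)]
            if mutating:
                findings.append(
                    (i, f"Resource '*' with mutating actions {mutating}"))
    return findings


def services_granted(policy):
    """Set of service prefixes an Allow statement touches: the blast radius
    of the role's credentials if the instance is compromised."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            services.add("*" if action == "*" else action.split(":", 1)[0])
    return services


if __name__ == "__main__":
    for name, policy in (("audit", AUDIT_POLICY), ("split", SPLIT_POLICY)):
        print(name, sorted(services_granted(policy)))
        for idx, reason in find_overbroad_statements(policy):
            print(f"  statement {idx}: {reason}")
```

Run as a script it reports two findings for the `audit` shape (the `ssm:*` wildcard and the `Resource: "*"` paired with `PutMetricData`, `InvokeFunction` and `ssm:*`) and none for the split version, while `services_granted` shows both reach the same four services. That is the trade-off the question is really about: a single role is fine operationally, but every statement in it should be as narrow as the API allows, because the instance metadata endpoint hands out that whole role's credentials to anything running on the box.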