1
votes

We are newbies and learning AWS. So, please excuse our ignorance. We are creating a test environment to check how to allow least privilege access to, say, DynamoDB from EC2.

AWS documentation (https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/) suggests a couple of options without highlighting which ones allow least privilege access:

Step 1: Create a role with specific policy to allow access to DynamoDB.

Step 2: We are not sure whether we should:

  1. create an instance profile to assign this role to EC2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html]

OR

  2. Add EC2 to the trust relationship policy to allow it to assume the role.

Can someone please guide us on which of the above two options allows least privilege access for security purposes? We even checked the security best practices at https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html, and couldn't get a clear answer.


1 Answers

1
votes

If you create the instance role using the IAM console, the instance profile is automatically created for you. You don't have to do anything. What's more, the trust relationship will also be set up correctly.

Therefore, the only things you have to do are to add the permissions that you require for DynamoDB to the role, and later to add the role/instance profile to your instance when you create it, or later on after it's been created.
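The two documents the answer refers to, the trust relationship (who may assume the role) and the permission policy (what the role may do), side by side with a small least-privilege checker, as an added example that is not code from the question, the answer, or AWS. The account id, region and table name are constructed placeholders; the checker's rules (no wildcard action or resource in an Allow statement, only the EC2 service principal in the trust policy) are this example's own, not an AWS-published standard.

```python
import json

# Constructed placeholders (not from the post): account id, region and table name.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TABLE_NAME = "example-table"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE_NAME}"

# Trust policy: which principal may call sts:AssumeRole on the role. For an EC2
# instance role this is the EC2 service principal, which is what the console
# writes when "EC2" is picked as the trusted entity.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Permission policy: what the role may do once assumed. Least privilege here
# means naming the exact actions and the exact table, not "dynamodb:*" on "*".
DYNAMODB_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteOneTable",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": TABLE_ARN,
        }
    ],
}

# A deliberately over-broad policy, kept only so the checker has something to flag.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def permission_findings(policy):
    """Return least-privilege problems found in a permission policy (empty list = clean)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


def trust_findings(policy, expected_service="ec2.amazonaws.com"):
    """Return problems in a trust policy meant for an EC2 instance role."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: anyone may assume the role")
            continue
        services = _as_list((principal or {}).get("Service", []))
        if expected_service not in services:
            findings.append(f"statement {i}: {expected_service} is not a trusted principal")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            findings.append(f"statement {i}: action is not sts:AssumeRole")
    return findings


if __name__ == "__main__":
    # Write the two documents out in the form the console or CLI would accept.
    print("trust.json:\n" + json.dumps(EC2_TRUST_POLICY, indent=2))
    print("permissions.json:\n" + json.dumps(DYNAMODB_PERMISSION_POLICY, indent=2))
    for name, pol in [("least-privilege", DYNAMODB_PERMISSION_POLICY), ("over-broad", OVERLY_BROAD_POLICY)]:
        print(name, "findings:", permission_findings(pol) or "none")
    print("trust findings:", trust_findings(EC2_TRUST_POLICY) or "none")
```

The point the checker makes concrete is that the two options in the question are not alternatives: the trust policy decides who may assume the role and the instance profile is the handle that attaches it to the instance, so an EC2 instance role needs both, and the console creates both together. Least privilege lives in the third document, the permission policy, which is why the checker looks there for wildcards. If you build the same thing by hand with the AWS CLI, the equivalent calls are `aws iam create-role` with the trust document, `aws iam put-role-policy` with the permission document, `aws iam create-instance-profile` followed by `aws iam add-role-to-instance-profile`, and `aws ec2 associate-iam-instance-profile` to attach the profile to a running instance.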