Create IAM Role

Overview

Problem: We have 2 EC2 instances, one in the public subnet and one in the private subnet, and both can reach the internet. Can we run aws s3 ls on them to list the S3 buckets?

The answer is no, as you observed when entering the command in the EC2 terminal in either the public or the private subnet. Even though S3 has a public endpoint, the instances have no permission to see the data in the S3 buckets. Granting that access by default would pose a security risk and could compromise the data.

It’s similar to walking down a street and seeing a beautiful house. However, you don’t have the right to enter the house, see how many rooms there are, or what belongings are inside.

This can be explained here

So the question is, what can we do to enable EC2 instances to access and view data within S3 buckets?

We have two options:

  • Option 1: Assign an access key and secret key to the EC2 instance’s terminal using the aws configure command. This method is straightforward but highly discouraged and should be avoided.
  • Option 2: Use an IAM Role. We can grant access permissions to S3, such as ReadOnly or FullAccess, to the desired EC2 instances.

In this lab, we will practice creating an IAM Role and assigning it to the EC2 instance in the private subnet.

Create IAM Role

  1. Access the AWS Management Console interface:
    • Locate and click on IAM
    • Choose IAM

  2. Within the IAM interface:
    • Click on Roles
    • Then choose Create role

  3. In the Create role interface:
    • For Trusted entity type, choose AWS service
    • For Service or use case, choose EC2
    • Under Use case, choose EC2
    • Then choose Next

  4. In the search bar:
    • Type S3
    • Find AmazonS3FullAccess and select it
    • Review and choose Next

  5. Enter EC2FullAccessS3 as the Role name.

  6. Review the settings and choose Create role.

  7. Finished.
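The console steps above produce two documents behind the scenes: a trust policy that lets only the EC2 service assume the role, and the permissions policy (AmazonS3FullAccess) attached to it. The following is an added example, not part of the workshop, that builds those documents as the AWS CLI expects them (aws iam create-role --assume-role-policy-document file://trust.json) and adds the two checks a practitioner wants before using a role like EC2FullAccessS3: that the trust policy is not wider than ec2.amazonaws.com, and whether the attached permissions grant S3 writes or only the read access the lab actually needs. The bucket name and the simplified copy of AmazonS3FullAccess are constructed placeholders; no AWS calls are made.

```python
"""Build and sanity-check the IAM role documents behind the EC2FullAccessS3 role.

Added example; the bucket name and the AmazonS3FullAccess approximation are constructed.
"""
import json

# Trust policy the console generates for Trusted entity type = AWS service, use case = EC2.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed, simplified stand-in for the AWS-managed AmazonS3FullAccess policy:
# every S3 action on every resource.
AMAZON_S3_FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}


def s3_read_only_policy(bucket):
    """Least-privilege alternative for the lab: list and read one bucket only (bucket name is a placeholder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy, allowed_services=("ec2.amazonaws.com",)):
    """Return a list of reasons the trust policy is wider than 'only EC2 may assume this role'."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            problems.append("wildcard principal: any AWS account could assume the role")
            continue
        for kind, who in (principal or {}).items():
            for p in _as_list(who):
                if p == "*":
                    problems.append(f"wildcard {kind} principal")
                elif kind == "Service" and p not in allowed_services:
                    problems.append(f"unexpected service principal {p}")
                elif kind == "AWS":
                    problems.append(f"IAM principal {p} can assume the role, not only EC2")
    return problems


def policy_allows_s3_write(policy):
    """True if any Allow statement grants an S3 action beyond Get*/List*/Describe* (e.g. s3:*)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, operation = action.partition(":")
            if service in ("s3", "*") and not operation.startswith(("Get", "List", "Describe")):
                return True
    return False


if __name__ == "__main__":
    # Documents ready for `aws iam create-role` / `aws iam put-role-policy`.
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    print(json.dumps(s3_read_only_policy("my-lab-bucket"), indent=2))
    print("trust policy problems:", trust_policy_problems(EC2_TRUST_POLICY))
    print("AmazonS3FullAccess-like grants writes:", policy_allows_s3_write(AMAZON_S3_FULL_ACCESS_LIKE))
```

The role the lab creates passes the trust check (only ec2.amazonaws.com can assume it) but fails the write check, because AmazonS3FullAccess lets the instance delete and overwrite objects as well as list them. For a lab that only needs aws s3 ls, the read-only inline policy is the tighter choice, and the same checks can be run against any trust policy exported with aws iam get-role.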

  1. Now, we will create an endpoint to enable private connectivity for resources inside the VPC to securely access the S3 bucket.