Use Case Description Applications running on Amazon EC2 instances that need to access AWS resources Applications that run on an Amazon EC2 instance and that need access to AWS resources such as Amazon S3 buckets or an Amazon DynamoDB table must have security credentials in order to make programmatic requests to AWS. Developers might distribute their credentials to each instance and applications can then use those credentials to access resources, but distributing long-term credentials to each instance is challenging to manage and a potential security risk. Cross account access To manage access to resources, you might have multiple AWS accounts — for example, to isolate a development environment from a production environment. However, users from one account might need to access resources in the other account, such as promoting an update from the development environment to the production environment. Although users who work in both accounts could have a separate identity in each account, managing credentials for multiple accounts makes identity management difficult.
Amazon Web Services – AWS Security Best Practices August 2016 Page 20 of 74 Use Case Description Identity federation Users might already have identities outside of AWS, such as in your corporate directory. However, those users might need to work with AWS resources (or work with applications that access those resources). If so, these users also need AWS security credentials in order to make requests to AWS. Table 6: Common Delegation Use Cases IAM roles and temporary security credentials address these use cases. An IAM role lets you define a set of permissions to access the resources that a user or service needs, but the permissions are not attached to a specific IAM user or group. Instead, IAM users, mobile and EC2-based applications, or AWS services (like Amazon EC2) can programmatically assume a role. Assuming the role returns temporary security credentials that the user or application can use to make for programmatic requests to AWS. These temporary security credentials have a configurable expiration and are automatically rotated. Using IAM roles and temporary security credentials means you don't always have to manage long- term credentials and IAM users for each entity that requires access to a resource. IAM Roles for Amazon EC2 IAM Roles for Amazon EC2 is a specific implementation of IAM roles that addresses the first use case in Table 6. In the following figure, a developer is running an application on an Amazon EC2 instance that requires access to the Amazon S3 bucket named photos . An administrator creates the Get-pics role. The role includes policies that grant read permissions for the bucket and that allow the developer to launch the role with an Amazon EC2 instance. When the application runs on the instance, it can access the photos bucket by using the role's temporary credentials. The administrator doesn't have to grant the developer permission to access the photos bucket, and the developer never has to share credentials.
You've reached the end of your free preview.
Want to read all 79 pages?
- Spring '17
- Amazon Web Services, AWS, Amazon Elastic Compute Cloud, AWS Security Best