IAM Role Creation and Management in AWS
Last Updated: 02 Aug, 2025
AWS provides a number of pre-built (AWS managed) policies that can be attached to IAM roles for specific resources such as web servers and databases. Some of the most commonly used ones are listed below.
1. Web Servers
- AmazonEC2ReadOnlyAccess: When this is attached to a user or a resource, the user or resource can only read (describe/list) EC2 instances and cannot perform any other operation on EC2. It is mostly used for monitoring purposes.
- AmazonEC2FullAccess: A user or resource with this policy can perform administrator-level operations on EC2 instances, such as read, write and delete. It is mostly used for administrative actions.
2. Database
- AmazonRDSReadOnlyAccess: When this is attached to a user or a resource, the user or resource can only read (describe/list) RDS instances and cannot perform any other operation on them. It is mostly used for monitoring purposes.
- AmazonRDSFullAccess: A user or resource with this policy can perform administrator-level operations on RDS instances, such as read, write and delete. It is mostly used for administrative actions.
Creating IAM Entities: the EntityAlreadyExists Error
EntityAlreadyExists is an error you may encounter while trying to create an IAM entity such as a user, group or role: IAM names are unique per account (and roles are global, not regional), so the request is rejected when an entity of that name already exists. The following steps help to resolve the error.
Step 1: Check for an existing entity.
Use the following AWS CLI commands to check whether an entity with the same name already exists.
aws iam list-users
aws iam list-groups
aws iam list-roles
Step 2: Choose a unique name.
Step 3: Delete or rename the existing entity.
Step 4: Check whether a deletion is still in progress.
Step 5: Retry the creation.
Step 6: Review the AWS service limits (quotas) for IAM entities.
Crafting Custom IAM Roles for Your Unique AWS Needs
The following are the ways a role can be assumed (used):
- AWS Management Console
- Assume-Role CLI
- Assume-role-with-web-identity
- Console URL Construct with AssumeRoleWithSAML
Steps to Create an IAM role for the EC2 Instance
Step 1. First, go to the IAM dashboard, open the Roles option and click on Create role.
Step 2. Under Trusted entity type, select AWS service, and under Use case select EC2, then click on Next. This makes the EC2 service the only principal allowed to assume the role.
Step 3. Under Permissions policies, search for S3 policies, select the S3 read-only policy (AmazonS3ReadOnlyAccess) and click on Next.
Step 4. Give the role a name, review all the settings and click on Create role.
Step 5. The IAM role is now created. Clicking on the role we just created opens its detail page, where we can see that myS3Role has been created together with the permissions and trust policy we selected.
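The same role can be created with the IAM API, which is how it is done in automation. The following is an added example (not code from the original article) that performs Steps 1 to 5 with boto3-style IAM client calls (create_role, get_role, attach_role_policy, create_instance_profile, get_instance_profile, add_role_to_instance_profile) and, because re-running a script is exactly how the EntityAlreadyExists error from the previous section shows up, it handles that error instead of failing. The role name myS3Role is taken from the walkthrough; FakeIam is a constructed in-memory stand-in for the boto3 client so the module runs offline.

```python
"""Create the walkthrough's EC2 role (Steps 1-5) through the IAM API, idempotently.

Added example, not code from the original article. Uses the boto3 IAM client
calls create_role, get_role, attach_role_policy, create_instance_profile,
get_instance_profile and add_role_to_instance_profile. FakeIam is a constructed
offline stand-in for boto3.client("iam").
"""
import json

# Trust policy chosen in Step 2: only the EC2 service may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# AWS managed policy selected in Step 3 (read-only access to S3).
S3_READONLY_ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"


def ensure_ec2_role(iam, role_name, policy_arn=S3_READONLY_ARN):
    """Create role and instance profile; safe to re-run.

    Returns which parts were newly created, so a second run reports False
    for both instead of failing with EntityAlreadyExists.
    """
    result = {"role_created": False, "profile_created": False}
    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
            Description="Lets EC2 instances read S3 (walkthrough role)",
        )
        result["role_created"] = True
    except iam.exceptions.EntityAlreadyExistsException:
        # IAM is global: a role of this name already exists. Only reuse it if it
        # trusts EC2; otherwise we would be widening a role meant for another service.
        doc = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
        principals = [s.get("Principal", {}).get("Service") for s in doc["Statement"]]
        if "ec2.amazonaws.com" not in principals:
            raise RuntimeError(f"{role_name} exists but does not trust EC2")

    # attach_role_policy is idempotent on the AWS side.
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)

    # The console creates the instance profile for you; the API does not.
    try:
        iam.create_instance_profile(InstanceProfileName=role_name)
        result["profile_created"] = True
    except iam.exceptions.EntityAlreadyExistsException:
        pass
    profile = iam.get_instance_profile(InstanceProfileName=role_name)["InstanceProfile"]
    if not any(r["RoleName"] == role_name for r in profile["Roles"]):
        iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return result


class FakeIam:
    """Constructed offline stand-in mimicking the boto3 IAM client surface used above."""

    class exceptions:  # mirrors iam.exceptions.<Name> on the real client
        class EntityAlreadyExistsException(Exception):
            pass

    def __init__(self):
        self.roles, self.profiles, self.attached = {}, {}, {}

    def create_role(self, RoleName, AssumeRolePolicyDocument, **_):
        if RoleName in self.roles:
            raise self.exceptions.EntityAlreadyExistsException(RoleName)
        self.roles[RoleName] = json.loads(AssumeRolePolicyDocument)
        return {"Role": {"RoleName": RoleName}}

    def get_role(self, RoleName):
        # boto3 returns the trust policy already URL-decoded into a dict.
        return {"Role": {"RoleName": RoleName, "AssumeRolePolicyDocument": self.roles[RoleName]}}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached.setdefault(RoleName, set()).add(PolicyArn)

    def create_instance_profile(self, InstanceProfileName):
        if InstanceProfileName in self.profiles:
            raise self.exceptions.EntityAlreadyExistsException(InstanceProfileName)
        self.profiles[InstanceProfileName] = []

    def get_instance_profile(self, InstanceProfileName):
        roles = [{"RoleName": r} for r in self.profiles[InstanceProfileName]]
        return {"InstanceProfile": {"Roles": roles}}

    def add_role_to_instance_profile(self, InstanceProfileName, RoleName):
        self.profiles[InstanceProfileName].append(RoleName)


if __name__ == "__main__":
    # Against a real account replace FakeIam() with boto3.client("iam").
    client = FakeIam()
    print(ensure_ec2_role(client, "myS3Role"))  # first run creates role and profile
    print(ensure_ec2_role(client, "myS3Role"))  # second run changes nothing
```

Two points worth noting: the instance profile is what EC2 actually references when you pick a role in the launch wizard (the console creates it silently, the API does not), and the trust-policy check on the EntityAlreadyExists path is what stops a naming collision from quietly handing an existing role a wider set of permissions.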
Step 6. Next, go to the EC2 dashboard and create a new EC2 instance.
Step 7. While configuring the instance, select the IAM role we just created and proceed with the instance creation.
Note: the role we created earlier must be selected in the IAM role field while creating the instance.
Under Add storage, add 8 GiB with the volume type General Purpose SSD.
When launching the instance, download the RSA key pair file and then launch the instance.
Step 8. Next, connect to the EC2 instance we just created.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. It lets a user log in to a server with a key pair rather than a password alone; unlike passwords, SSH keys are practically impossible to recover by brute force.

Step 9. Now run the command “aws s3 ls” on the instance. It lists all the S3 buckets we created, because the IAM role attached to the instance carries the S3 read-only policy; with that policy we can only read our S3 buckets, not modify them.

Step 10. Finally, to avoid any charges, delete the EC2 instance and the S3 bucket.
Managing and Rotating IAM Roles for Dynamic Environments
The security needs of an organization vary over time, so it is crucial to keep permissions up to date. Doing this manually takes a lot of effort and time; to overcome that, IAM roles in an AWS environment can be managed dynamically.
- A naming convention plays a major role in dynamic IAM because the environment will consist of numerous roles. If the naming convention is maintained properly, it is easier to identify the purpose and the associated resources of each role.
- Regular inspection is required to ensure that roles have the permissions they need and no excessive permissions that are not required.
- Organizing IAM roles requires proper tag maintenance; the tags can then be used to trace permissions and the resources they have been attached to.
- Rotate the credentials of IAM roles with the help of AWS Security Token Service (STS), which issues temporary credentials. This reduces risks such as unauthorized access from a leaked long-lived key.
- Make sure that roles have least privilege: review them regularly and update them when their requirements change.
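The inspection, tagging and least-privilege points above can be turned into a repeatable check. The following is an added example, not code from the original article: it audits role records shaped like the IAM API's output (role name, tags, and the attached or inline policy documents in the 2012-10-17 JSON schema) for wildcard actions, write actions granted on every resource, missing tags and names outside a convention. The prefix ROLE_PREFIX, the tag keys in REQUIRED_TAGS and the SAMPLE_ROLES records are constructed assumptions for the demo; the first sample role mirrors the S3 read-only role from the walkthrough with a simplified policy body.

```python
"""Least-privilege, naming and tag review for IAM roles (offline).

Added example, not code from the original article. ROLE_PREFIX, REQUIRED_TAGS
and SAMPLE_ROLES are constructed assumptions; in a real account the role
records would come from iam.list_roles / list_role_tags / get_policy_version.
"""

ROLE_PREFIX = "app-"                   # assumed naming convention
REQUIRED_TAGS = {"Owner", "Purpose"}   # assumed mandatory tag keys
READ_ONLY_VERBS = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """'s3:GetObject' -> True; 's3:PutObject' or 's3:*' -> False."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def find_overbroad_statements(policy_doc):
    """Return (index, kind, actions) for Allow statements that are too wide.

    kind is 'wildcard-action' for '*' or 'service:*' actions, and
    'write-on-all-resources' for non-read actions granted on Resource '*'.
    Deny statements are ignored since they only narrow access.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((idx, "wildcard-action", wild))
        if "*" in resources:
            writes = [a for a in actions if a not in wild and not _is_read_only(a)]
            if writes:
                findings.append((idx, "write-on-all-resources", writes))
    return findings


def audit_role(role):
    """Return human-readable issues for one role record (empty list = clean)."""
    name = role["RoleName"]
    issues = []
    if not name.startswith(ROLE_PREFIX):
        issues.append(f"{name}: name does not follow the '{ROLE_PREFIX}*' convention")
    present = {t["Key"] for t in role.get("Tags", [])}
    for key in sorted(REQUIRED_TAGS - present):
        issues.append(f"{name}: missing required tag {key}")
    for policy_name, doc in role.get("Policies", {}).items():
        for idx, kind, actions in find_overbroad_statements(doc):
            issues.append(f"{name}: {policy_name} statement {idx} {kind}: {actions}")
    return issues


# Constructed sample records. The first mirrors the article's S3 read-only role
# (policy body simplified); the second is a typical over-privileged legacy role.
SAMPLE_ROLES = [
    {
        "RoleName": "app-s3-reader",
        "Tags": [{"Key": "Owner", "Value": "platform"}, {"Key": "Purpose", "Value": "ec2-reads-s3"}],
        "Policies": {
            "AmazonS3ReadOnlyAccess": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
            }
        },
    },
    {
        "RoleName": "legacy-admin",
        "Tags": [],
        "Policies": {
            "inline-admin": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
            }
        },
    },
]


def audit_all(roles=SAMPLE_ROLES):
    """Map role name -> issues, ready to feed a report or an alert."""
    return {r["RoleName"]: audit_role(r) for r in roles}


if __name__ == "__main__":
    for name, issues in audit_all().items():
        print(name, "OK" if not issues else "")
        for line in issues:
            print("  -", line)
```

The read-only heuristic is deliberately simple (verb prefixes Get/List/Describe/Head); a production check would use IAM Access Analyzer or a service-action catalogue instead, but the structure is the same: walk each Allow statement, normalize string-or-list fields, and flag wildcards separately from broad resources so the two classes of finding can be prioritized differently.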