Open In App

How to Create IAM roles for Amazon EC2?

Last Updated : 15 Jan, 2024
Like Article

In this article, we will cover how we can easily create an IAM role use it with an EC2 instance, and provide the required permissions with the S3 policies. These IAM Roles are the identities that we are creating in our account so that we can provide specific permissions to the users. So these Roles provide us the temporary credentials of security for our session.Consider the Scenario in which we want to grant access to our account to third parties that can perform operations such as audits of our resources or consider another scenario in which we want to access users who have identities prior outside the Aws like in our corporate Directory. So we can use the roles for access to users’ services or applications that don’t have access to AWS resources.

Why the IAM Roles Rule for EC2 and Beyond (vs. Root Users)?

IAM((Identity and Access Management) helps us to improve the security of the AWS(Amazon Web Services). IAM will help you to restrict the permissions of the users like which type of service they can access and what tasks they can perform instead of relying on the super-user (Root-user) for everything you can use the IAM user.

  • You can grant the least privileges to the IAM using the IAM roles.
  • IAM roles are used mainly to grant the minimum set of permissions required for a particular task.
  • IAM roles can grant temporary and dynamic permission to the users. Which adds an extra layer to the security of AWS(Amazon Web Services).
  • IAM role can be integrated with the other services that are present in the AWS(Amazon Web Services) they can be used to control the resource level permission in the Amazon Web Services.
  • IAM user Provides detailed logging and monitoring capabilities where you can track every task performed by the IAM user and AWS Services.

Pre-built Policies for Web Servers, Databases, and More

AWS provides some pre-built IAM roles for the specific resources that are available in AWS such as Web Servers, Databases, and more as mentioned follows.

1. Web Servers

  • AmazonEC2ReadOnlyAccess: If this is role is attached to any of the users or to the resource then user or the resource will have the Access to just read the EC2 instance rather than that they can’t perform any operation on EC2 mostly used for monitoring Purposes.
  • AmazonEC2FullAccess: The user or the resource with this role can perform administrator-level operations on EC2 instances like read,write, and delete. Mostly used for the administrator-level actions.

2. Database

  • AmazonRDSReadOnlyAccess: If this is role is attached to any of the user or to the resource then user or the resource will have the Access to just read the RDS Instance rather than that they can’t perform any operation on RDS instance mostly used for the monitoring Purposes.
  • AmazonRDSFullAccess: The user or the resource with this role can perform administrator level operation on RDS instance like read,write and delete. Mostly used for the admistator level actions.

Creating IAM Entityalreadyexists

EntityAlreadyExists it is an error you may encounters this while your are trying to create an IAM entity such as user,group or role. following are the steps that are useful to resolve the error.

Step 1: Check for Existing Entity.

Use the following command in the AWS CLI whether the entity with the same name aleray exists.

aws iam list-users
aws iam list-groups
aws iam list-roles
  • Choose a Unique Name
  • Delete or Rename Existing Entity
  • Check for Deletion in Progress
  • Retry the Creation
  • Review AWS Service Limits.

Crafting Custom IAM Roles for Your Unique AWS Needs

The following are the methods for using Roles:

  1. AWS Management Console 
  2. Assume-Role CLI
  3. Assume-role-with-web-identity
  4. Console URL Construct with AssumeRoleWithSAML

Steps to Create an IAM role for the EC2 Instance

Step 1. First, we need to go to the IAM table Dashboard, and then we will go to the roles option and click on Create roles.

IAM Roles dashboard


Step 2. Next under trusted entity type we will select AWS services and under Use case, we will select EC2 and click on next.

Roles dashboard


Step 3. Next under permission policies, we will search for S3 policies and will select S3readonly policy, and click on next.

Adding Permissions


Step 4. Next we will give our role a name and review all the changes and will click on next.

Adding Rolename and its details


Now we need to add Permission 

adding policy name to provide readaccess


Step 5. Now our IAM roles are created and if we click on the role that we just created we will be welcomed to this screen. Here we can see the details of our role. We can see that our myS3Role has been created.

Details of AccessRole


Step 6. Next, we will go to the EC2 dashboard and create an EC2 instance:

Selecting EC2 dashboard


We need to create a new instance 




Step 7. While creating the EC2 instance under configure instance we will select the IAM role that we just created and we will proceed with our EC2 instance creation:

Note: we have to select IAM role we created earlier inside Iam role tab

select IAM role we created earlier


while creating EC2 in Add storage add 8 GB(GIB) and volume type General purpose SSD

Storage selection


During launching the instance download the key pair RSA file and launch the instance

Review your  instance



Step 8. Next, we will connect to the EC2 instance that we just created

Secure Shell also known as SSH is a cryptographic network protocol that helps secure network services over an unsecured network.  It securely helps users to log in to a server with SSH than using a password alone. SSH keys are nearly impossible to decipher by brute force alone unlike passwords

Connect EC2 instance


Step 9. Now we will use the command “aws s3 ls” which will then let us see all the S3 buckets we created because we have set the policies of the IAM role to S3readonly through this we can just read our S3 buckets:

Step 10. Now in order to avoid any charges we will delete our ec2 instance and our s3 bucket.

Managing and Rotating Roles for Dynamic Environments

The security need of the organization will variey from time to time so it is curicial to maintain the permission as the needs for doing it manually it will takes lots of efforts and time to overcome that we can use the dynamic IAM in AWS environment.

  • Naming convention plays major role in dynamic IAM because it will consists of numerous roles. If the naming convention is maintained properly then it easier to identify the purpose and associated resources of each role
  • Regular inspection is required to ensure that the roles are having the necessary permissions and not having excessive permissions which are not required.
  • To organize the IAM roles requires proper tags maintenance which can be further used for tracing the permissions and to which they have been attached.
  • You should rotate the credentials of IAM roles with the help of AWS Security Token Service (STS) to generate temporary credentials. This will reduce the risks like unauthorized access.
  • Try to make sure that roles are having least privileges for that you should review regularly review and update regularly.

Frequently Asked Questions On IAM Roles-FAQs

How To Create IAM Role for AWS Lambda?

Following is the sample command which you can create AWS IAM role for AWS lambda using AWS CLI.

aws iam create-role --role-name GFGROLE --assume-role-policy-document file://trust-policy.json

Replace the GFGROLE with the desired role you want and create JSON file with a trust policy.

Creating IAM Role to Access S3 Bucket

Here’s an example AWS CLI command to create an IAM role for S3 access:

aws iam create-role --role-name S3RoleName --assume-role-policy-document file://trust-policy.json

Create trust policy with JSON file.

Create IAM Role for EKS Node Group

Here’s an example AWS CLI command to create an IAM role for an EKS node group:

aws iam create-role --role-name EKSNodeGroupRole --assume-role-policy-document file://trust-policy.json

Create trust policy with JSON file.

Similar Reads

Amazon Web Services - Denying Access using IAM policy for EC2 and EBS Instance
In this article, we will look into how to use AWS identity and access management policy conditions to create an IAM policy that denies access to create amazon elastic compute cloud instances and amazon elastic block store volumes when the required tags are not passed along with the creation request. We will also look into how you can use the IAM po
4 min read
How To Create AWS IAM Roles Using Terraform?
Terraform is an IAAC tool which is used provision infrastructure . Here in this guide i will first discuss what is terraform . Then i will discuss what is IAM Role and in which scenarios we should use IAM Role . Then i will walk you through the different steps to create an IAM Role for an EC2 service having CloudWatch and SNS full access policy . W
5 min read
Create an EC2 Instance With EC2 User Data Script To Launch Website
Amazon EC2 is one of the most popular AWS offerings. It stands for Elastic Compute Cloud. This is the way to do Infrastructure as a Service on AWS. EC2 is not just one service. It's composed of many things at a high level. You can rent virtual machines on EC2, they're called EC2 instances.You can store data on virtual drives or EBS volumes.You can
9 min read
How To Create An AWS EC2 Instance and Attach EBS to EC2 With Terraform?
Terraform is an IaaC tool, used to provision infrastructure on cloud platforms. In this guide, I will first discuss what is Terraform. Then I will discuss about AWS EC2 service. After this, I will walk you through the different steps to create an AWS EC2 Instance and attach an EBS volume to EC2 Instance using Terraform and then connect the EC2 Inst
6 min read
Securing AWS Lambda Functions With IAM Roles And Policies
AWS Lambda is a serverless computing service that helps in executing code without any management of servers while AWS IAM is an essential security component that allows authorized individuals or services to have access of other AWS resources. These two AWS services are very important on the AWS cloud platform. Here in this guide, I have first discu
5 min read
How To Get An AWS EC2 Instance ID From Within That EC2 Instance?
Amazon EC2 is an important service of AWS that provides users a scalable and virtual computing resources in the cloud. Each EC2 instance is assigned a unique identifier called Instance ID. Instance ID is an alphanumeric code(which means a combination of alphabets and numbers) that is used for various operational tasks including starting, stopping,
4 min read
Identity and Access Management (IAM) in Amazon Web Services (AWS)
Pre-requisite: AWS Identity and Access Management (IAM) manages Amazon Web Services (AWS) users and their access to AWS accounts and services. It controls the level of access a user can have over an AWS account & set users, grant permission, and allows a user to use different features of an AWS account. Identity and access management is mainly
5 min read
Amazon Web Services - Limit Privileges of IAM user in RDS instance
Amazon RDS or Amazon Relational Database System is a highly scalable, secure, compact, and cost-efficient relational database in the cloud offered by AWS. In this article, we are going to look into how to limit access of AWS IAM users to an Amazon RDS(Relational Database Service) instance. Then we will explore how to give the least privileges requi
2 min read
Amazon DynamoDB - Identity and Access Management(IAM)
Security in the cloud remains one of the main barriers to cloud adoption. For security operations and development teams to follow security best practices ensuring a smooth transition. AWS IAM (Identity and Access Management) is one of the most widely used security platforms for data protection. It follows an incredibly granular approach in providin
7 min read
Amazon Web Service (AWS) IAM Role VS Group
Amazon IAM Service is one of the most crucial components in the AWS security architecture. Here in this guide, i will first cover what is IAM service. Then i will discuss what is IAM Role and also guide you through the steps to create an AWS IAM Role. After this, I will discuss about IAM group and also the steps to create an IAM group. Then finally
5 min read
Article Tags :