First lab in my 100 Days in Cloud Challenge. Counting down to the last day of 2021.

Using the AWS CLI, create and assign IAM roles and policies, and create EC2 instances

Services Covered

  • EC2

Lab description

This lab exercises the following concepts using AWS CLI commands:

  • Practice usage of AWS Identity and Access Management roles for Amazon Elastic Compute Cloud (EC2)
  • Create and assign IAM roles
  • Create and attach IAM policy
  • Attach roles to instances
  • Get access to S3 buckets
  • Practice AWS CLI usage

Lab diagram

Lab diagram: Using EC2 Roles and Instance Profiles

Lab files

  • AWS_CLI_commands.txt – contains the commands used to perform the lab
  • IAM_trust_policy_for_EC2.json – trust policy allowing EC2 to assume the role
  • dev_s3_read_access.json – IAM policy granting access to S3 Get and List actions

Lab date


Lab source

This lab is part of the A Cloud Guru catalog.

Lab steps

Taken from lab source

Create a Trust Policy and Role Using the AWS CLI
Obtain the labreferences.txt file from an S3 bucket provisioned with the lab.
Log in to the bastion host and set the AWS CLI region and output type.
Create an IAM trust policy for an EC2 role.
Create an IAM role called ‘DEVROLE’.
Create an IAM policy DevS3ReadAccess defining read-only access permissions to an S3 bucket.

Create Instance Profile and Attach Role to an EC2 Instance
Attach DevS3ReadAccess policy to the DEV role.
Create the instance profile ‘DEVPROFILE’ and add the ‘DEVROLE’ to it via the AWS CLI.
Attach the ‘DEVPROFILE’ instance profile to an instance.

Test S3 Permissions via the AWS CLI
Verify the instance is assuming the DEVROLE role.
List the buckets in the account.
Attempt to view the files in the s3bucketdev bucket.
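The CLI part of the lab (the three step groups above) as one script. This is an added example, not the lab's own AWS_CLI_commands.txt or either of its JSON files: it builds the trust policy and the DevS3ReadAccess policy inline, checks that the permission policy really is read-only before sending it to IAM, then runs the create/attach/associate sequence and the on-instance verification. Role, profile, policy and bucket names (DEVROLE, DEVPROFILE, DevS3ReadAccess, s3bucketdev) follow the lab; the instance id, region and output format are assumptions and marked as placeholders. Run it with `apply` on the bastion host and with `verify` on the instance; with no argument it only defines the functions, so it can be sourced and tested without the AWS CLI. The same functions serve the console part that follows if the names are swapped for PRODROLE and s3bucketprod.

```shell
#!/bin/sh
# Added example for the lab's CLI steps; not the lab's AWS_CLI_commands.txt.
# Names follow the lab; instance id and region are placeholders (assumption).
set -eu

ROLE_NAME="DEVROLE"
PROFILE_NAME="DEVPROFILE"
POLICY_NAME="DevS3ReadAccess"
BUCKET="s3bucketdev"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"                  # placeholder
export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-east-1}" # assumed region
export AWS_DEFAULT_OUTPUT="${AWS_DEFAULT_OUTPUT:-json}"      # assumed output type

# Trust policy: only the EC2 service principal may assume the role. No account
# or user principal appears here, which is what makes the role safe to hand to
# an instance profile.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permission policy: list all bucket names (account-level, so Resource must be
# "*"), list one bucket, get objects from that bucket. Every other bucket, for
# example s3bucketprod, stays denied by default.
s3_read_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets" ], "Resource": "*" },
    { "Effect": "Allow", "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::${bucket}" },
    { "Effect": "Allow", "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::${bucket}/*" }
  ]
}
EOF
}

# Guard for a policy that is supposed to be read-only: reject a bare "*" as an
# Action, "s3:*", and any s3:Put*/s3:Delete* action. Returns 0 if read-only.
policy_is_read_only() {
  doc="$1"
  if printf '%s\n' "$doc" | grep -Eq '"Action": *\[? *"\*"'; then return 1; fi
  if printf '%s\n' "$doc" | grep -Eq '"s3:(\*|Put[A-Za-z]*|Delete[A-Za-z]*)"'; then return 1; fi
  return 0
}

# Bastion host: role -> policy -> attach -> instance profile -> associate.
apply_role_to_instance() {
  trust_policy > trust.json
  s3_read_policy "$BUCKET" > s3read.json
  policy_is_read_only "$(cat s3read.json)" || { echo "policy is not read-only" >&2; exit 1; }
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file://trust.json
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document file://s3read.json --query 'Policy.Arn' --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$PROFILE_NAME" \
      --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
      --iam-instance-profile Name="$PROFILE_NAME"
}

# Instance: the caller ARN should contain "assumed-role/DEVROLE/", the bucket
# listing should succeed, and listing any bucket other than $BUCKET should
# fail with AccessDenied because the policy names only that bucket's ARNs.
verify_from_instance() {
  aws sts get-caller-identity --query 'Arn' --output text
  aws s3 ls
  aws s3 ls "s3://${BUCKET}"
}

case "${1:-}" in
  apply)  apply_role_to_instance ;;
  verify) verify_from_instance ;;
  *)      ;;   # no argument: only define the functions (usable offline)
esac
```

The read-only guard runs before any IAM call so a typo such as `s3:*` in the policy document never reaches the account; the same guard can be reused on the ProdS3ReadAccess document before it is uploaded through the console.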

Create an IAM Policy and Role Using the AWS Management Console
Navigate to IAM > Policies.
Create an IAM policy ProdS3ReadAccess
Create a ‘PRODROLE’ role.

Attach IAM Role to an EC2 Instance Using the AWS Management Console
Navigate to EC2 > Instances.
Attach the role to the Web Server instance.
In the terminal, as ‘PRODROLE’, list the buckets.
Attempt to view the files in the s3bucketprod bucket.
Attempt to view the files in the s3bucketsecret bucket.