This lab walks you through the steps to create an AWS S3 bucket and demonstrates how to access the bucket using AWS CLI commands from EC2 instance and IAM roles.
Duration: 30 minutes
AWS Region: US East (N. Virginia) us-east-1
An IAM (Identity and access management) policy is an entity in AWS, that enables you to manage access to AWS services and resources in a secure fashion.
Policies are stored on AWS in JSON format and are attached to resources as identity-based policies.
You can attach an IAM policy to different entities such as an IAM group, user, or role.
IAM policies gives us the power of restricting users or groups to only use the specific services that they need.
Identity-based policies are policies that you can attach to an AWS identity (such as a user, group of users, or role).
These policies control what actions an entity can perform, which resources they can use, and the conditions in which they can use said resources.
Identity-based policies are further classified as:
AWS Managed Policies
Custom Managed Policies
AWS Managed policies are those policies that are created and managed by AWS itself.
If you are new to IAM policies, you can start with AWS managed policies before managing your own.
Custom managed policies are policies that are created and managed by you in your AWS account.
Customer managed policies provide us with more precise control than AWS managed policies.
You can create and edit an IAM policy in the visual editor or by creating the JSON policy document directly.
You can create your own IAM policy using the following link: https://awspolicygen.s3.amazonaws.com/policygen.html
Resource-based policies are policies that we attach to a resource such as an Amazon S3 bucket.
Resource-based policies grant the specified permission to perform specific actions on particular resources and define under what conditions these policies apply to them.
Resource-based policies are in line with other policies.
There are currently no AWS-managed resource-based policies.
There is only one type of resource-based policy called a trust policy, which is attached to an IAM role.
An IAM role is both an identity and a resource that supports resource-based policies.
An IAM role is an AWS IAM identity (that we can create in our AWS account) that has specific permissions.
It is similar to an IAM user, which determines what the identity can and cannot do in AWS.
Instead of attaching a role to a particular user or group, it can be attached to anyone who needs it.
The advantage of having a role is that we do not have standard long-term credentials such as a password or access keys associated with it.
When resources assume a particular role, it provides us with temporary security credentials for our role session.
We can use roles to access users, applications, or services that don't have access to our AWS resources.
We can attach one or more policies with roles, depending on our requirements.
For example, we can create a role with s3 full access and attach it to an EC2 instance to access S3 buckets.
Amazon S3 is a simple storage service that we can use to store and retrieve any amount of data, at any time, from anywhere on the web.
It gives developers and users access to highly scalable, reliable, fast, inexpensive data storage infrastructure.
S3 guarantees 99.9% availability at any point in time.
S3 has been designed to store up to 5 TB of data.
S3 is global, meaning you can create a bucket in any region and access it from anywhere. Due to this, the name of the bucket should be a unique one.
The S3 bucket objects, as well as the bucket, can be deleted at any time by the user.
We can limit access to our bucket by granting different permissions for different users.
S3 also comes with additional features such as versioning, static website hosting, server access logging and life cycle policy for storing objects, eand many others.
Create an IAM role with S3 full access.
Create an EC2 instance and attach the S3 role created in the first step.
Create an S3 bucket and upload some files to the bucket.
Access the bucket using AWS CLI via our EC2 instance.
List the objects in the S3 bucket using the AWS CLI from the EC2 instance.