IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM roles for Amazon EC2

Applications must sign their API requests with Amazon credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your Amazon credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that Amazon creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your Amazon credentials.

We designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your Amazon credentials, you can delegate permission to make API requests using IAM roles as follows:

  1. Create an IAM role.

  2. Define which accounts or Amazon services can assume the role.

  3. Define which API actions and resources the application can use after assuming the role.

  4. Specify the role when you launch your instance, or attach the role to an existing instance.

  5. Have the application retrieve a set of temporary credentials and use them.

For example, you can use IAM roles to grant permissions to applications running on your instances that need to use a bucket in Amazon S3. You can specify permissions for IAM roles by creating a policy in JSON format. These are similar to the policies that you create for users. If you change a role, the change is propagated to all instances.

Note

Amazon EC2 IAM role credentials are not subject to maximum session durations configured in the role. For more information, see Using IAM roles in the IAM User Guide.

When creating IAM roles, associate least privilege IAM policies that restrict access to the specific API calls the application requires. For Windows-to-Windows communication, use well-defined and well-documented Windows groups and roles to grant application-level access between Windows instances. Groups and roles allow customers to define least privilege application and NTFS folder-level permissions to limit access to application-specific requirements.

You can only attach one IAM role to an instance, but you can attach the same role to many instances. For more information about creating and using IAM roles, see Roles in the IAM User Guide.

You can apply resource-level permissions to your IAM policies to control the users' ability to attach, replace, or detach IAM roles for an instance. For more information, see Supported resource-level permissions for Amazon EC2 API actions and the following example: Example: Work with IAM roles.

Instance profiles

Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the IAM console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds. If you use the Amazon EC2 console to launch an instance with an IAM role or to attach an IAM role to an instance, you choose the role based on a list of instance profile names.

If you use the Amazon CLI, API, or an Amazon SDK to create a role, you create the role and instance profile as separate actions, with potentially different names. If you then use the Amazon CLI, API, or an Amazon SDK to launch an instance with an IAM role or to attach an IAM role to an instance, specify the instance profile name.

An instance profile can contain only one IAM role. This limit cannot be increased.

For more information, see Instance Profiles in the IAM User Guide.

Permissions for your use case

When you first create an IAM role for your applications, you might sometimes grant permissions beyond what is required. Before launching your application in your production environment, you can generate an IAM policy that is based on the access activity for an IAM role. IAM Access Analyzer reviews your Amazon CloudTrail logs and generates a policy template that contains the permissions that have been used by the role in your specified date range. You can use the template to create a managed policy with fine-grained permissions and then attach it to the IAM role. That way, you grant only the permissions that the role needs to interact with Amazon resources for your specific use case. This helps you adhere to the best practice of granting least privilege. For more information, see IAM Access Analyzer policy generation in the IAM User Guide.

Instance identity roles for Amazon EC2 instances

Each Amazon EC2 instance that you launch has an instance identity role that represents its identity. An instance identity role is a type of IAM role. Amazon services and features that are integrated to use the instance identity role can use it to identify the instance to the service.

The instance identity role credentials are accessible from the Instance Metadata Service (IMDS) at /identity-credentials/ec2/security-credentials/ec2-instance. The credentials consist of an Amazon temporary access key pair and a session token. They are used to sign Amazon Sigv4 requests to the Amazon services that use the instance identity role. The credentials are present in the instance metadata regardless of whether a service or feature that makes use of instance identity roles is enabled on the instance.

Instance identity roles are automatically created when an instance is launched, have no role-trust policy document, and are not subject to any identity or resource policy.

Supported services

The following Amazon services use the instance identity role:

  • Amazon EC2EC2 Instance Connect uses the instance identity role to update the host keys for a Linux instance.

  • Amazon GuardDutyRuntime Monitoring uses the instance identity role to allow the runtime agent to send security telemetry to the GuardDuty VPC endpoint.

  • Amazon Security Token Service (Amazon STS) – Instance identity role credentials can be used with the Amazon STS GetCallerIdentity action.

  • Amazon Systems Manager – When using Default Host Management Configuration, Amazon Systems Manager uses the identity provided by the instance identity role to register EC2 instances. After identifying your instance, Systems Manager can pass your AWSSystemsManagerDefaultEC2InstanceManagementRole IAM role to your instance.

Instance identity roles can’t be used with other Amazon services or features because they do not have an integration with instance identity roles.

Instance identity role ARN

The instance identity role ARN takes the following format:

arn:aws-partition:iam::account-number:assumed-role/aws:ec2-instance/instance-id

For example:

arn:aws:iam::0123456789012:assumed-role/aws:ec2-instance/i-0123456789example

For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide.