IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud

IAM roles for Amazon EC2

Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.

We designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows:

For example, you can use IAM roles to grant permissions to applications running on your instances that need to use a bucket in Amazon S3. You can specify permissions for IAM roles by creating a policy in JSON format. These are similar to the policies that you create for users. If you change a role, the change is propagated to all instances.

When creating IAM roles, associate least privilege IAM policies that restrict access to the specific API calls the application requires. For Windows-to-Windows communication, use well-defined and well-documented Windows groups and roles to grant application-level access between Windows instances. Groups and roles allow customers to define least privilege application and NTFS folder-level permissions to limit access to application-specific requirements.

You can only attach one IAM role to an instance, but you can attach the same role to many instances. For more information about creating and using IAM roles, see Roles in the IAM User Guide.

You can apply resource-level permissions to your IAM policies to control the users' ability to attach, replace, or detach IAM roles for an instance. For more information, see Supported resource-level permissions for Amazon EC2 API actions and the following example: Example: Work with IAM roles.

Instance profiles

Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the IAM console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds. If you use the Amazon EC2 console to launch an instance with an IAM role or to attach an IAM role to an instance, you choose the role based on a list of instance profile names.

If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, with potentially different names. If you then use the AWS CLI, API, or an AWS SDK to launch an instance with an IAM role or to attach an IAM role to an instance, specify the instance profile name.

An instance profile can contain only one IAM role. You can include an IAM role in multiple instance profiles.

To update permissions for an instance, replace its instance profile. We do not recommend removing a role from an instance profile, because there is a delay of up to one hour before this change takes effect.

For more information, see Use instance profiles in the IAM User Guide.
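The CLI sequence the text describes (separate role and instance profile, launch by profile name, update by replacing the association), as an added example that is not part of the EC2 User Guide; the role, profile and policy names are placeholders, and the AWS calls only run when RUN_AWS=1 is set.

```shell
# Added example, not from the EC2 User Guide: the CLI sequence the text
# describes. Role, profile and policy names are placeholders.
set -u

# Trust policy that lets the EC2 service assume the role for the instance.
ec2_trust_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# With the CLI the role and the instance profile are separate objects; the
# names are chosen to differ so the distinction stays visible.
create_role_and_profile() {
    role_name=$1 profile_name=$2 policy_arn=$3
    aws iam create-role --role-name "$role_name" \
        --assume-role-policy-document "$(ec2_trust_policy)"
    aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
    aws iam create-instance-profile --instance-profile-name "$profile_name"
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$profile_name" --role-name "$role_name"
}

# Launching (or attaching) names the instance profile, not the role.
launch_with_profile() {
    aws ec2 run-instances --image-id "$1" --instance-type t3.micro \
        --iam-instance-profile "Name=$2"
}

# To change permissions, replace the association with a different profile
# instead of removing the role from the profile (up to an hour to take effect).
replace_profile() {
    assoc_id=$(aws ec2 describe-iam-instance-profile-associations \
        --filters "Name=instance-id,Values=$1" \
        --query 'IamInstanceProfileAssociations[0].AssociationId' --output text)
    aws ec2 replace-iam-instance-profile-association \
        --association-id "$assoc_id" --iam-instance-profile "Name=$2"
}
if [ "${RUN_AWS:-0}" = 1 ]; then   # AWS calls only when explicitly requested
    create_role_and_profile app-s3-reader-role app-s3-reader-profile \
        arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
fi
```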

Permissions for your use case

When you first create an IAM role for your applications, you might sometimes grant permissions beyond what is required. Before launching your application in your production environment, you can generate an IAM policy that is based on the access activity for an IAM role. IAM Access Analyzer reviews your AWS CloudTrail logs and generates a policy template that contains the permissions that have been used by the role in your specified date range. You can use the template to create a managed policy with fine-grained permissions and then attach it to the IAM role. That way, you grant only the permissions that the role needs to interact with AWS resources for your specific use case. This helps you adhere to the best practice of granting least privilege. For more information, see IAM Access Analyzer policy generation in the IAM User Guide.

Instance identity roles for Amazon EC2 instances

Each Amazon EC2 instance that you launch has an instance identity role that represents its identity. An instance identity role is a type of IAM role. AWS services and features that are integrated to use the instance identity role can use it to identify the instance to the service.

The instance identity role credentials are accessible from the Instance Metadata Service (IMDS) at /identity-credentials/ec2/security-credentials/ec2-instance. The credentials consist of an AWS temporary access key pair and a session token. They are used to sign AWS Sigv4 requests to the AWS services that use the instance identity role. The credentials are present in the instance metadata regardless of whether a service or feature that makes use of instance identity roles is enabled on the instance.

Instance identity roles are automatically created when an instance is launched, have no role-trust policy document, and are not subject to any identity or resource policy.

Supported services

The following AWS services use the instance identity role:

  • Amazon EC2 – EC2 Instance Connect uses the instance identity role to update the host keys for a Linux instance.

  • Amazon GuardDuty – GuardDuty Runtime Monitoring uses the instance identity role to allow the runtime agent to send security telemetry to the GuardDuty VPC endpoint.

  • AWS Security Token Service (AWS STS) – Instance identity role credentials can be used with the AWS STS GetCallerIdentity action.

  • AWS Systems Manager – When using Default Host Management Configuration, AWS Systems Manager uses the identity provided by the instance identity role to register EC2 instances. After identifying your instance, Systems Manager can pass your AWSSystemsManagerDefaultEC2InstanceManagementRole IAM role to your instance.

Instance identity roles can't be used with other AWS services or features because they do not have an integration with instance identity roles.

Instance identity role ARN

The instance identity role ARN takes the following format:

arn:aws-partition:iam::account-number:assumed-role/aws:ec2-instance/instance-id

For example:

arn:aws:iam::0123456789012:assumed-role/aws:ec2-instance/i-1234567890abcdef0

For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide.
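An added example (not from the guide) that tells an instance identity role ARN apart from an ordinary assumed-role session ARN and extracts its partition, account and instance ID, so that calls such as GetCallerIdentity made with these credentials can be separated from instance-profile role activity when reviewing CloudTrail. The sample principals and event names are constructed; the first uses the guide's own example ARN, and the sts assumed-role session format is assumed from IAM conventions.

```shell
# Added example, not from the EC2 User Guide: classify principal ARNs seen in
# CloudTrail and pull the fields out of an instance identity role ARN.

# Prints "instance-identity", "assumed-role-session" or "other" for an ARN.
classify_principal_arn() {
    case "$1" in
        arn:*:iam::*:assumed-role/aws:ec2-instance/i-*) echo instance-identity ;;
        arn:*:sts::*:assumed-role/*/*)                  echo assumed-role-session ;;
        *)                                              echo other ;;
    esac
}

# For an instance identity role ARN prints "<partition> <account> <instance-id>";
# returns 1 for any other ARN or a non-numeric account field.
parse_instance_identity_arn() {
    arn=$1
    [ "$(classify_principal_arn "$arn")" = instance-identity ] || return 1
    rest=${arn#arn:}
    partition=${rest%%:*}
    rest=${rest#*:iam::}
    account=${rest%%:*}
    instance_id=${rest##*/}
    case "$account" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s %s\n' "$partition" "$account" "$instance_id"
}

# Constructed "principal,eventName" pairs in CloudTrail style (not real data).
# The first uses the guide's example ARN; the other formats are assumed.
SAMPLE_EVENTS='arn:aws:iam::0123456789012:assumed-role/aws:ec2-instance/i-1234567890abcdef0,GetCallerIdentity
arn:aws:sts::123456789012:assumed-role/app-s3-reader-role/i-1234567890abcdef0,GetObject
arn:aws:iam::123456789012:user/alice,ListBuckets'

# Counts sample events whose principal is an instance identity role.
count_instance_identity_events() {
    n=0
    while IFS=, read -r principal event; do
        [ -n "$principal" ] || continue
        if [ "$(classify_principal_arn "$principal")" = instance-identity ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_EVENTS
EOF
    echo "$n"
}

for p in $(printf '%s\n' "$SAMPLE_EVENTS" | cut -d, -f1); do
    printf '%-22s %s\n' "$(classify_principal_arn "$p")" "$p"
done
```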
