2.3 Ensure an IAM Role for Amazon EC2 is created for Web Tier


An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Also, a role does not have any credentials (password or access keys) associated with it. Instead, if a user is assigned to a role, access keys are created dynamically and provided to the user.

You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances.

IAM Roles for EC2 allow an application running within an EC2 instance to assume the role applied to the instance.
This provides dynamic, temporary credentials that can be used by Web-Tier EC2 instances once they are launched with the IAM Role for EC2, so no long-lived access keys need to be stored on the instance.


Using the Amazon unified command line interface:

* If it doesn't exist, create an instance profile for Web tier instances:

aws iam create-instance-profile --instance-profile-name <web_tier_instance_profile>

* If it doesn't exist, create an IAM role for the instance profile:

* Create a trust relationship policy document and save it locally as /tmp/TrustPolicy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

* Create the IAM role using the above trust policy:

aws iam create-role --role-name <web_tier_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json

* Add the IAM role created to the Instance profile:

aws iam add-role-to-instance-profile --role-name <web_tier_iam_role> --instance-profile-name <web_tier_instance_profile>
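As an added check that is not part of the benchmark's own text, the following Python validator inspects a trust policy document such as /tmp/TrustPolicy.json and reports anything that would let a principal other than the EC2 service assume the web-tier role. The function names and finding messages are my own; the policy embedded in the block is constructed to match the document above.

```python
import json

# The trust policy from the procedure above, constructed here so the check can
# run offline against the same document that is saved to /tmp/TrustPolicy.json.
WEB_TIER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Only the EC2 service should be able to assume a role attached to an instance profile.
EXPECTED_PRINCIPAL = "ec2.amazonaws.com"


def _as_list(value):
    """IAM accepts either a single string or a list in Statement, Action and Principal fields."""
    return value if isinstance(value, list) else [value]


def load_trust_policy(path="/tmp/TrustPolicy.json"):
    """Read a trust policy document from disk (the path is the one used in the procedure)."""
    with open(path) as fh:
        return json.load(fh)


def trust_policy_findings(policy):
    """Return a list of findings for a role trust policy intended for EC2 instances.
    An empty list means the policy matches the benchmark's expectation."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append("no Statement present")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen who may assume the role
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"statement {i}: unexpected action(s) {extra}")
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            findings.append(f"statement {i}: wildcard or missing Principal")
            continue
        for ptype, values in principal.items():
            if ptype != "Service":  # e.g. an "AWS" account or user principal
                findings.append(f"statement {i}: non-service principal type '{ptype}'")
                continue
            for v in _as_list(values):
                if v != EXPECTED_PRINCIPAL:
                    findings.append(f"statement {i}: principal '{v}' is not {EXPECTED_PRINCIPAL}")
    return findings
```

Run trust_policy_findings(load_trust_policy()) after saving the document; an empty result means the role is only assumable by EC2, which is what makes it safe to attach to the web-tier instance profile.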

See Also