Wednesday, November 9, 2016

What's the difference between AWS IAM Roles and Security Groups?

What do they have in common? They're both access control methods.

IAM Roles

IAM roles can be assumed by any AWS resource or service on AWS and the policies attached to the roles determine their level of access to various other resources and services. Each role can have many policies. You can either use built in roles with default policies or create ones yourself.

For example, if you configure an ECS service to use a load balancer, the service can use a built in role called ecsServiceRole which has the policy AmazonEC2ContainerServiceRole attached which allows it to makes calls to the Elastic Load Balancer API. You can also create your own role with that policy. What grants the access is not the role, but rather the policies associated with that role. EC2 instances used for running docker containers require a role with the policy AmazonEC2ContainerServiceforEC2Role to make calls to the ECS API. Likewise, there's a default one with the policy you need called ecsInstanceRole but you can also create a new role called myRole and attach the same policy.

Security Groups

Security Groups controls network traffic to EC2 instances. An EC2 instance can have multiple security groups, and each group can have a number of rules specifying what inbound and outbound network traffic are allowed. For example, you can restrict access to port 80 for your instance to requests coming from a particular IP address range.

When you're using AWS, you're almost always using both of these access control methods. Any cloud stack you create will require you to think about the flow of traffic that you should allow to your compute instances (Security Groups) and what other AWS resources and API's those instances need to be able to talk to (IAM roles).



No comments:

Post a Comment