01 Create the trust relationship policy for the required IAM role. To create the trust relationship policy for the new role, paste the following information into a new policy document named cc-iam-role-trust-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
02 Run create-role command (OSX/Linux/UNIX) to create the necessary Amazon IAM role using the trust relationship policy defined at the previous step:
aws iam create-role
--role-name cc-app-tier-role
--assume-role-policy-document file://cc-iam-role-trust-policy.json
03 The command output should return the new IAM role metadata:
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"RoleId": "ABCDABCDABCDABCDABCD",
"CreateDate": "2019-03-11T11:32:12.252Z",
"RoleName": "cc-app-tier-role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/cc-app-tier-role"
}
}
04 To define the IAM role permissions, based on the policy type used by the role, perform one of the following sets of commands:
- To attach managed IAM policies:
- Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified IAM managed policy to the newly created IAM role (the command does not produce an output):
aws iam attach-role-policy
--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
--role-name cc-app-tier-role
- To define and attach inline IAM policies:
- To define the inline policy for the IAM role, paste your own custom policy into a new JSON-based policy document named "cc-iam-role-inline-access-policy.json". The following example provides full access to AWS EC2 resources (ver. 4):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com"
]
}
}
}
]
}
- Run put-role-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the new IAM role (the command does not return an output):
aws iam put-role-policy
--role-name cc-app-tier-role
--policy-name iam-role-inline-policy
--policy-document file://cc-iam-role-inline-access-policy.json
05 Create the required IAM instance profile. An instance profile is a container for the IAM role that is attached to the EC2 instance during the launch process. Run create-instance-profile command (OSX/Linux/UNIX) to create the new AWS IAM instance profile:
aws iam create-instance-profile
--region us-east-1
--instance-profile-name cc-app-tier-instance-profile
06 The command output should return the newly created instance profile metadata:
{
"InstanceProfile": {
"InstanceProfileId": "ABCDABCDABCDABCDABCD",
"Roles": [],
"CreateDate": "2018-03-11T19:34:14.600Z",
"InstanceProfileName": "cc-app-tier-instance-profile",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:instance-profile/cc-app-tier-instance-profile"
}
}
07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created at step no. 2 with the IAM instance profile created at step no. 5 (the command does not produce an output):
aws iam add-role-to-instance-profile
--role-name cc-app-tier-role
--instance-profile-name cc-app-tier-instance-profile
08 Now that the app-tier IAM role is ready for use, run create-image command (OSX/Linux/UNIX) to create an AMI from the source app-tier instance (see Audit section part II to identify the right EC2 resource). Include the --no-reboot command parameter to guarantee the file system integrity for your new image:
aws ec2 create-image
--region us-east-1
--instance-id i-01234567890aabbcc
--name "AMI for app-tier instance without IAM role(s) attached"
--description "App Stack AMI"
--no-reboot
09 The command output should return the ID of the new AWS AMI:
{
"ImageId": "ami-1234abcd"
}
10 Execute run-instances command (OSX/Linux/UNIX) to launch a new app-tier EC2 instance from the image created at the previous step. The following command example re-creates an app-tier instance using the AMI with the ID ami-1234abcd and the IAM instance profile that integrates the app-tier IAM role created earlier:
aws ec2 run-instances
--region us-east-1
--iam-instance-profile Name=cc-app-tier-instance-profile
--image-id ami-1234abcd
--count 1
--instance-type m4.xlarge
--key-name cc-auth-key
--security-groups cc-app-stack-sg
11 The command output should return the new app-tier instance configuration metadata:
{
"OwnerId": "123456789012",
"Instances": [
{
...
"Architecture": "x86_64",
"RootDeviceType": "ebs",
"IamInstanceProfile": {
"Id": "ABCDABCDABCDABCDABCD",
"Arn": "arn:aws:iam::123456789012:instance-profile/cc-app-tier-instance-profile"
},
"RootDeviceName": "/dev/xvda",
"VirtualizationType": "hvm",
...
"AmiLaunchIndex": 0
}
]
}
12 Transfer the Elastic IP from the source EC2 instance to the new app-tier instance in order to reference the new EC2 resource. To transfer the Elastic IP, perform the following commands:
- Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the source EC2 instance:
aws ec2 disassociate-address
--association-id eipassoc-abcd1234
- Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new app-tier instance:
aws ec2 associate-address
--instance-id i-01234567890bbaacc
--allocation-id eipalloc-abcd1234
13 Once you have finished testing your new app-tier EC2 instance, you can safely terminate the source instance to stop incurring charges for it. To shut down the source EC2 instance run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:
aws ec2 terminate-instances
--instance-ids i-01234567890aabbcc
14 The command output should return the shutdown request metadata:
{
"TerminatingInstances": [
{
"InstanceId": "i-01234567890aabbcc",
"CurrentState": {
"Code": 32,
"Name": "shutting-down"
},
"PreviousState": {
"Code": 16,
"Name": "running"
}
}
]
}
15 Repeat steps no. 5 – 14 to assign IAM roles to other app-tier EC2 instances available in the selected region.
16 Change the AWS region by updating the --region command parameter value and repeat steps no. 5 – 15 for other regions.
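As an added check (example code written for this page, not part of the original remediation or of any AWS tool), the Python below reads constructed sample data shaped like the output of aws ec2 describe-instances and like the trust policy from step 01, lists the running instances that still have no instance profile attached (the ones steps 05 to 14 must be repeated for), and confirms the role's trust policy lets only the EC2 service assume it. The sample reservations, the deliberately broad second trust policy, and the function names are constructed.

```python
import json

# Constructed sample: trimmed shape of `aws ec2 describe-instances` output (not real data).
DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"OwnerId": "123456789012", "Instances": [
    {"InstanceId": "i-01234567890aabbcc", "State": {"Name": "running"}},
    {"InstanceId": "i-01234567890bbaacc", "State": {"Name": "running"},
     "IamInstanceProfile": {"Id": "ABCDABCDABCDABCDABCD",
                            "Arn": "arn:aws:iam::123456789012:instance-profile/cc-app-tier-instance-profile"}},
    {"InstanceId": "i-0000000000ddeeff", "State": {"Name": "terminated"}},
]}]})

# Constructed samples: the step 01 trust policy, and an over-broad one that any AWS principal could assume.
TRUST_OK = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]})
TRUST_BAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})


def instances_without_profile(describe_output: str) -> list:
    """Return IDs of non-terminated instances that have no IAM instance profile attached."""
    missing = []
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # nothing to remediate on a terminated instance
            if not inst.get("IamInstanceProfile", {}).get("Arn"):
                missing.append(inst["InstanceId"])
    return missing


def trust_policy_allows_only_ec2(policy_doc: str) -> bool:
    """True if every Allow statement in the trust policy names ec2.amazonaws.com as its sole principal."""
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or missing principal: not restricted to EC2
            return False
        services = principal.get("Service", [])
        services = [services] if isinstance(services, str) else list(services)
        if set(principal) != {"Service"} or services != ["ec2.amazonaws.com"]:
            return False
    return True


if __name__ == "__main__":
    print("instances still lacking an instance profile:", instances_without_profile(DESCRIBE_INSTANCES))
    print("step 01 trust policy restricted to EC2:", trust_policy_allows_only_ec2(TRUST_OK))
```

In practice, feed the script the real output of aws ec2 describe-instances --region <region> and aws iam get-role --role-name cc-app-tier-role, and rerun it after each pass through steps 05 to 14 until the list is empty.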