01 Create the necessary trust relationship (Trusted Entities) policy for the required IAM role. To create the trust relationship policy for the new role, paste the following information into a new policy document named cc-iam-role-trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
02 Run create-role command (OSX/Linux/UNIX) to create the AWS IAM role using the trust relationship policy defined at the previous step:
aws iam create-role
--role-name cc-web-tier-role
--assume-role-policy-document file://cc-iam-role-trust-policy.json
03 The command output should return the new IAM role metadata:
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"RoleId": "AAAABBBBCCCCDDDDEEEE",
"CreateDate": "2019-03-10T16:31:22.252Z",
"RoleName": "cc-web-tier-role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/cc-web-tier-role"
}
}
04 To define the IAM role permissions, based on the policy type used by the role, perform one of the following sets of commands (apply the principle of least privilege when you define or attach an access policy):
- To attach managed IAM policies:
- Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified IAM managed policy to the newly created role (the command does not produce an output):
aws iam attach-role-policy
--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
--role-name cc-web-tier-role
- To define and attach inline IAM policies:
- To define the inline policy for the IAM role, paste your own custom policy into a new JSON-based policy document named "cc-iam-role-inline-access-policy.json". The following example provides full access to Amazon EC2 resources (ver. 1):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
}
]
}
- Run put-role-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the new IAM role (the command does not produce an output):
aws iam put-role-policy
--role-name cc-web-tier-role
--policy-name iam-role-custom-policy
--policy-document file://cc-iam-role-inline-access-policy.json
05 Create the required IAM instance profile. An instance profile is a container for the IAM role that is attached to the EC2 instance during the launch process. Run create-instance-profile command (OSX/Linux/UNIX) to create the new AWS IAM instance profile:
aws iam create-instance-profile
--region us-east-1
--instance-profile-name cc-web-tier-instance-profile
06 The command output should return the newly created instance profile metadata:
{
"InstanceProfile": {
"InstanceProfileId": "AAAABBBBCCCCDDDDEEEE",
"Roles": [],
"CreateDate": "2018-03-10T15:45:54.600Z",
"InstanceProfileName": "cc-web-tier-instance-profile",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:instance-profile/cc-web-tier-instance-profile"
}
}
07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created at step no. 2 with the IAM instance profile created at step no. 5 (the command does not return an output):
aws iam add-role-to-instance-profile
--role-name cc-web-tier-role
--instance-profile-name cc-web-tier-instance-profile
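Steps 01 to 07 chained into one script, added here as an example that is not part of the original guide: it writes the step 01 trust policy, replaces the "ec2:*"-style inline policy with a scoped one (the two actions in it are an assumption about what a web server needs, not something the guide specifies), refuses to attach any policy that still contains a wildcard action, and waits until the instance profile is visible before returning. The AWS_CLI variable and the file-name variables are assumptions so the flow can be dry-run against a stub.

```shell
#!/bin/sh
# Added example (not from the original guide): creates the web-tier role, a scoped inline
# policy and the instance profile in one run. AWS_CLI can point at a stub function so the
# sequence can be exercised without an AWS account. Names default to the guide's values.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
ROLE_NAME="${ROLE_NAME:-cc-web-tier-role}"
PROFILE_NAME="${PROFILE_NAME:-cc-web-tier-instance-profile}"
TRUST_FILE="${TRUST_FILE:-cc-iam-role-trust-policy.json}"
INLINE_FILE="${INLINE_FILE:-cc-iam-role-inline-access-policy.json}"

# Trust policy: only the EC2 service may assume the role (same document as step 01).
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Inline policy: a least-privilege alternative to "ec2:*" / "cloudwatch:*". The two actions
# are an assumed example (publish the server's own metrics, describe instances); adjust to
# what the workload really calls.
write_inline_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cloudwatch:PutMetricData", "ec2:DescribeInstances"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Count service-wide wildcard actions such as "ec2:*" in a policy file (prints 0 if none).
count_wildcard_actions() {
  grep -c '"[a-z0-9]*:\*"' "$1" || true
}

# Steps 02 to 07 of the guide, in order, using the files written above.
create_web_tier_role() {
  write_trust_policy "$TRUST_FILE"
  write_inline_policy "$INLINE_FILE"
  if [ "$(count_wildcard_actions "$INLINE_FILE")" -ne 0 ]; then
    echo "refusing to attach a policy that grants wildcard actions" >&2
    return 1
  fi
  "$AWS_CLI" iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$TRUST_FILE"
  "$AWS_CLI" iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name iam-role-custom-policy --policy-document "file://$INLINE_FILE"
  "$AWS_CLI" iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  "$AWS_CLI" iam add-role-to-instance-profile --role-name "$ROLE_NAME" \
      --instance-profile-name "$PROFILE_NAME"
  # IAM is eventually consistent: wait for the profile before launching instances with it.
  "$AWS_CLI" iam wait instance-profile-exists --instance-profile-name "$PROFILE_NAME"
}

# Run with "run" as the first argument to execute against the real CLI.
if [ "${1:-}" = "run" ]; then
  create_web_tier_role
fi
```

To dry-run, define a shell function that logs its arguments and export its name as AWS_CLI; the same pattern is how the wildcard check can be unit-tested before the policy ever reaches IAM.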
08 Now that the web-tier IAM role is ready for use, run create-image command (OSX/Linux/UNIX) to create an image from the source web-tier EC2 instance (see Audit section part II to identify the right resource). Include --no-reboot command parameter to guarantee the file system integrity for your new AMI:
aws ec2 create-image
--region us-east-1
--instance-id i-01234567890abcabc
--name "AMI for web-tier instance without IAM role(s) attached"
--description "Web Stack AMI ver. 2.1"
--no-reboot
09 The command output should return the ID of the new Amazon Machine Image (AMI):
{
"ImageId": "ami-abcd1234"
}
10 Execute run-instances command (OSX/Linux/UNIX) to launch a new web-tier EC2 instance from the image created at the previous step. The following command example re-creates a web-tier instance using an AWS AMI with the ID ami-abcd1234 and the IAM instance profile that contains the web-tier IAM role created earlier:
aws ec2 run-instances
--region us-east-1
--iam-instance-profile Name=cc-web-tier-instance-profile
--image-id ami-abcd1234
--count 1
--instance-type m3.large
--key-name cc-ssh-key
--security-groups cc-web-stack-sg
11 The command output should return the new web-tier instance configuration metadata:
{
"OwnerId": "123456789012",
"Instances": [
{
...
"Architecture": "x86_64",
"RootDeviceType": "ebs",
"IamInstanceProfile": {
"Id": "AAAABBBBCCCCDDDDEEEE",
"Arn": "arn:aws:iam::123456789012:instance-profile/cc-web-tier-instance-profile"
},
"RootDeviceName": "/dev/xvda",
"VirtualizationType": "hvm",
...
"AmiLaunchIndex": 0
}
]
}
13 Transfer the Elastic IP from the source EC2 instance to the new web-tier instance in order to reference the new resource. To transfer the Elastic IP, perform the following commands:
- Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the source EC2 instance:
aws ec2 disassociate-address
--association-id eipassoc-1234abcd
- Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new web-tier instance:
aws ec2 associate-address
--instance-id i-01234567890aaabbb
--allocation-id eipalloc-1234abcd
14 Once you have verified that your new web-tier EC2 instance is working as expected, you can safely terminate the source instance to stop incurring charges for it. To shut down the source EC2 instance run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:
aws ec2 terminate-instances
--instance-ids i-01234567890abcabc
15 The command output should return the shutdown request metadata:
{
"TerminatingInstances": [
{
"InstanceId": "i-01234567890abcabc",
"CurrentState": {
"Code": 32,
"Name": "shutting-down"
},
"PreviousState": {
"Code": 16,
"Name": "running"
}
}
]
}
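Steps 08 to 15 as one script, added here as an example and not part of the original guide: it uses --query/--output text to pass the AMI and instance IDs between calls, waits for the image and the instance to be ready, and confirms that the launched instance actually carries cc-web-tier-instance-profile before the Elastic IP is moved and the source is terminated (if the profile is missing, the source is left running). The aws_ec2 wrapper, the AWS_CLI variable and the variable defaults are assumptions; the IDs are the guide's sample values.

```shell
#!/bin/sh
# Added example (not from the original guide): replaces a web-tier instance with one that
# carries the IAM instance profile, verifying the profile before anything is torn down.
# AWS_CLI can point at a stub function; all IDs default to the guide's sample values.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
REGION="${REGION:-us-east-1}"
SOURCE_ID="${SOURCE_ID:-i-01234567890abcabc}"
PROFILE_NAME="${PROFILE_NAME:-cc-web-tier-instance-profile}"
EIP_ALLOC="${EIP_ALLOC:-eipalloc-1234abcd}"
EIP_ASSOC="${EIP_ASSOC:-eipassoc-1234abcd}"

aws_ec2() { "$AWS_CLI" ec2 "$@" --region "$REGION"; }

# Step 08/09: image the source; --query/--output text yields just the AMI ID.
image_source_instance() {
  ami=$(aws_ec2 create-image --instance-id "$SOURCE_ID" \
          --name "AMI for web-tier instance without IAM role(s) attached" \
          --description "Web Stack AMI ver. 2.1" --no-reboot \
          --query ImageId --output text)
  aws_ec2 wait image-available --image-ids "$ami"
  echo "$ami"
}

# Step 10/11: launch the replacement with the instance profile and wait for it to run.
launch_replacement() {
  new_id=$(aws_ec2 run-instances --image-id "$1" --count 1 --instance-type m3.large \
          --iam-instance-profile "Name=$PROFILE_NAME" --key-name cc-ssh-key \
          --security-groups cc-web-stack-sg \
          --query 'Instances[0].InstanceId' --output text)
  aws_ec2 wait instance-running --instance-ids "$new_id"
  echo "$new_id"
}

# Verification the guide's step 11 output implies: the profile ARN must name our profile.
profile_attached() {
  arn=$(aws_ec2 describe-instances --instance-ids "$1" \
          --query 'Reservations[0].Instances[0].IamInstanceProfile.Arn' --output text)
  case "$arn" in
    *:instance-profile/"$PROFILE_NAME") return 0 ;;
    *) return 1 ;;
  esac
}

# Step 13: move the Elastic IP from the source to the replacement.
move_eip() {
  aws_ec2 disassociate-address --association-id "$EIP_ASSOC"
  aws_ec2 associate-address --instance-id "$1" --allocation-id "$EIP_ALLOC"
}

# Whole flow; prints the replacement instance ID on success, leaves the source alone on failure.
replace_web_tier_instance() {
  ami=$(image_source_instance)
  new_id=$(launch_replacement "$ami")
  if ! profile_attached "$new_id"; then
    echo "instance $new_id has no $PROFILE_NAME attached; source $SOURCE_ID left running" >&2
    return 1
  fi
  move_eip "$new_id"
  # Step 14/15: terminate the source; its transitional state goes to stderr.
  aws_ec2 terminate-instances --instance-ids "$SOURCE_ID" \
      --query 'TerminatingInstances[0].CurrentState.Name' --output text >&2
  echo "$new_id"
}

if [ "${1:-}" = "run" ]; then
  replace_web_tier_instance
fi
```

The describe-instances check is the part worth keeping even if the rest is done by hand: a launch that silently dropped the --iam-instance-profile parameter would otherwise be promoted to production and the source terminated, putting the fleet back where the audit started.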
16 Repeat steps no. 5 – 15 to assign IAM roles to other web-tier EC2 instances provisioned in the selected region.
17 Change the AWS region by updating the --region command parameter value and repeat steps no. 5 – 15 for other regions.