ๆƒฏๆ€ง่šๅˆ ้ซ˜ๆ•ˆ่ฟฝ่ธชๅ’Œ้˜…่ฏปไฝ ๆ„Ÿๅ…ด่ถฃ็š„ๅšๅฎขใ€ๆ–ฐ้—ปใ€็ง‘ๆŠ€่ต„่ฎฏ
้˜…่ฏปๅŽŸๆ–‡ ๅœจๆƒฏๆ€ง่šๅˆไธญๆ‰“ๅผ€

ๆŽจ่่ฎข้˜…ๆบ

้…ท ๅฃณ โ€“ CoolShell
้…ท ๅฃณ โ€“ CoolShell
GbyAI
GbyAI
SecWiki News
SecWiki News
Project Zero
Project Zero
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy International News Feed
D
Darknet โ€“ Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
A
Arctic Wolf
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog
Apple Machine Learning Research
Apple Machine Learning Research
T
Tailwind CSS Blog
The Hacker News
The Hacker News
T
Tenable Blog
้›ทๅณฐ็ฝ‘
้›ทๅณฐ็ฝ‘
ๆœ‰่ตžๆŠ€ๆœฏๅ›ข้˜Ÿ
ๆœ‰่ตžๆŠ€ๆœฏๅ›ข้˜Ÿ
V
V2EX
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threat Research - Cisco Blogs
T
Threatpost
AWS News Blog
AWS News Blog
L
LINUX DO - ็ƒญ้—จ่ฏ้ข˜
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
SegmentFault ๆœ€ๆ–ฐ็š„้—ฎ้ข˜
ๆœˆๅ…‰ๅšๅฎข
ๆœˆๅ…‰ๅšๅฎข
Spread Privacy
Spread Privacy
S
Secure Thoughts
ๅฎ็މ็š„ๅˆ†ไบซ
ๅฎ็މ็š„ๅˆ†ไบซ
ๅš
ๅšๅฎขๅ›ญ - ไธ‰็”Ÿ็ŸณไธŠ(FineUIๆŽงไปถ)
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
The Last Watchdog
The Last Watchdog
Y
Y Combinator Blog
I
Intezer
ๅš
ๅšๅฎขๅ›ญ - ใ€ๅฝ“่€็‰นใ€‘
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs
I
InfoQ
ๅš
ๅšๅฎขๅ›ญ - ๅถๅฐ้’—
Cyberwarzone
Cyberwarzone
V2EX - ๆŠ€ๆœฏ
V2EX - ๆŠ€ๆœฏ
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
H
Help Net Security
C
CERT Recently Published Vulnerability Notes

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Donโ€™t Fail โ€” They Drift Spilling beans for how i learn for exam๐Ÿ˜"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" โ€” What Actually Happened Comfy Cloudโ€™s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions โ€” here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components โ€” Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cรณmo construรญ un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 ๐Ÿš€ I Built an Ethical Hacking Scanner Tool โ€“ Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points โ€” Here's What I Found About How Markets Really Move EcoTrack AI โ€” Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead โ€” I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve โ€” no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like Youโ€™re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace โ€” how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025โ€“62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D โ€” A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent โ€” It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly โ€” 2026/04/10โ€“04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI ้€ฑๅ ฑ โ€” 2026/04/10โ€“2026/04/17 ๆจกๅž‹ๅฐ้Ž–ๆฝฎไพ†ไบ†๏ผŒไฝ†ๅทฅๅ…ท้ˆๆ‰ๆ˜ฏ็œŸๆˆฐๅ ด Maybe this is how Open-Source apps are born... ๐Ÿš€ Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge โ€” $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase โ€” Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train โ€” Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extraรงรฃo de Vรญdeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life โ€” Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 โ€” Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows โ€” Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTrackingๅฎ‰่ฃ…ๅ’ŒiPhone้ขๆ•้…็ฝฎๆ•™็จ‹๏ผŒๆœ‰bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
IAM Essentials, Identity & Access Management: Roles, Policies, Groups, EC2 & Service Principals
Tejas Shinkar ยท 2026-06-20 ยท via DEV Community

๐Ÿงญ What This Session Covers

Think of this session as answering one big question:

"Who can do what, on which AWS resource โ€” and how do we control that?"

Topics flow in this order:

  1. Why IAM even exists (AAA Framework)
  2. Root vs IAM User
  3. MFA
  4. Groups, Roles, Service Principals
  5. Policies (Identity-based & Resource-based)
  6. ARN โ€” What it is
  7. IAM Instance Profile โ†’ EC2 accessing S3
  8. Role Switching & Assume Role
  9. EC2 Basics + Key-Pair + AMI
  10. AWS Pricing Calculator

โ“ SECTION 1 โ€” Why IAM? (Your Question Answered)

"I have my computer, my credentials, I'll just log into Root โ€” why bother with IAM?"

Here's the honest answer:

Root has zero restrictions. It can delete your entire AWS account, rack up unlimited bills, create/destroy anything. When you're learning alone, that feels fine โ€” but the moment anything goes wrong (compromised password, accidental command, someone else uses your laptop), the damage is total and irreversible.

IAM exists to answer: "What's the minimum access this person/service actually needs?"

Real-world example: A junior developer on your team should be able to deploy code โ€” not delete production databases or view billing. IAM lets you give them exactly what they need and nothing more.

Also โ€” AWS has a concept called AAA Framework which explains WHY access control systems exist:

A Name Question it answers AWS Tool
A Authentication Who are you? Username + Password + MFA
A Authorization What can you do? IAM Policies & Permissions
A Accounting What did you do? AWS CloudTrail (audit logs)

Without IAM: Every user = admin = massive security risk. One mistake wipes everything.


๐Ÿ‘ค SECTION 2 โ€” Root User vs IAM User

Root User IAM User
Created When you open AWS account By Root or an admin
Access Unrestricted โ€” everything Only what policies allow
Can be restricted? โŒ No โœ… Yes
Use for Initial setup only All daily tasks
MFA Enable immediately Strongly recommended

The rule is simple:

  • Root = lock it away with MFA, use only for billing or account recovery
  • IAM User = what you actually log in with daily

๐Ÿ”‘ SECTION 3 โ€” MFA (Multi-Factor Authentication)

Password alone isn't enough. MFA adds a second check โ€” a time-based OTP from your phone.

Three types:

Type How Security Level
Virtual MFA Google Authenticator / Authy app โœ… Good โ€” use this
Hardware MFA Physical YubiKey token โœ…โœ… Best โ€” for Root
SMS/Voice OTP via text message โš ๏ธ Avoid if possible

Steps to enable:

IAM Console โ†’ Security Credentials
โ†’ Assign MFA Device
โ†’ Choose: Virtual / Hardware / SMS
โ†’ Scan QR code with authenticator app
โ†’ Enter two consecutive 6-digit codes
โ†’ Done


๐Ÿ‘ฅ SECTION 4 โ€” IAM Groups

A Group is a collection of IAM users. Instead of attaching policies to every user individually, you attach to a Group once โ€” all users in that group inherit those permissions.

Group: DevOpsTeam
Policy attached: PowerUserAccess
  โ”œโ”€โ”€ User: tejas    โ†’ gets PowerUserAccess โœ…
  โ”œโ”€โ”€ User: ravi     โ†’ gets PowerUserAccess โœ…
  โ””โ”€โ”€ User: priya    โ†’ gets PowerUserAccess โœ…

Key rules:

  • One user can be in multiple groups
  • Groups cannot contain other groups (no nesting)
  • Default quota: 300 groups/account (can request increase up to 500)

When to use:
Use groups to manage teams โ€” AdminGroup, DevGroup, ReadOnlyGroup. Adding someone to a team = add them to the group. Removing access = remove from group. Simple.


๐ŸŽญ SECTION 5 โ€” IAM Roles (Your Questions Answered)

"What is a Role? What is Assume? What is Trust Relationship? Why switch roles?"

Let's build understanding from scratch.

What is a Role?

A Role is like a temporary identity with permissions โ€” it has no username or password. It's meant to be assumed (picked up and used temporarily) by a user or a service.

Think of it like a visitor badge at an office:

  • The visitor (IAM user or AWS service) picks up the badge
  • The badge gives access to specific areas (S3, EC2, etc.)
  • When done, they return the badge โ€” access is gone
  • No permanent credentials involved

IAM User vs IAM Role

IAM User IAM Role
Has password? โœ… Yes โŒ No
Permanent? โœ… Yes โŒ Temporary (assumed)
For? Humans logging in Services or temporary access
Credentials Long-term Short-term, auto-rotated

What is "Assume Role"?

Assuming a Role = temporarily taking on a role's permissions.

Normal: IAM User (tejas) โ†’ has EC2FullAccess via direct policy

Assumes S3Role:
IAM User (tejas) โ†’ temporarily becomes S3Role โ†’ can now access S3
                 โ†’ EC2 access is SUSPENDED during this time
                 โ†’ Role session ends โ†’ back to original EC2 permissions

This is exactly what you observed: "when you switched to S3 role, you couldn't access EC2 anymore" โ€” correct! Role switching is temporary and replaces your current permissions for that session.


What is a Trust Relationship?

A Trust Relationship is the permission for an identity to assume a role.

It's a JSON document attached to the role that says: "Who is allowed to pick up this badge?"

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789:user/tejas"
    },
    "Action": "sts:AssumeRole"
  }]
}

This says: "Only the IAM user 'tejas' can assume this role."

Full flow of what you did in class:

1. Created a Role (e.g., S3AccessRole) with S3FullAccess permission
2. Edited the Trust Relationship JSON โ†’ added ARN of IAM user tejas
3. Tejas logs in as IAM user
4. Tejas switches to S3AccessRole (assumes the role)
5. Tejas can now access S3 โ€” but EC2 access is gone (role replaced permissions)
6. Session ends or tejas switches back โ†’ original permissions restored


What is a Service Principal?

A Service Principal is the identity of an AWS service โ€” used in trust relationships to let services assume roles.

Examples:

ec2.amazonaws.com      โ†’ EC2 service identity
lambda.amazonaws.com   โ†’ Lambda service identity
s3.amazonaws.com       โ†’ S3 service identity

When you want EC2 to access S3 automatically (without hardcoding credentials), you create a role with:

  • Trust policy: ec2.amazonaws.com can assume this role
  • Permission policy: S3FullAccess (or specific S3 access)

Then attach that role to EC2 โ†’ EC2 can now talk to S3. No passwords, no keys.


๐Ÿ“‹ SECTION 6 โ€” IAM Permissions & Policies

What is a Policy?

A Policy is a JSON document that defines what actions are allowed or denied on which resources.

When a new IAM user is created, they have zero permissions โ€” they can log in but can't access any service. Policies are how you grant access.

Basic policy structure:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}

Element What it means
Effect Allow or Deny
Action What API operation (e.g. s3:GetObject, ec2:*)
Resource Which specific resource (ARN)
Condition Optional โ€” e.g. "only if MFA is enabled"
Principal Who this applies to (used in resource-based policies)

Critical rule:

Explicit Deny > No Policy (implicit deny) > Explicit Allow

If a Deny exists anywhere, it always wins โ€” even if an Allow exists too.


AmazonEC2FullAccess โ€” What's Inside?

The policy you explored in class. It allows:

  • ec2:* โ€” all EC2 actions (Describe, Start, Stop, Terminate, Launch, etc.)
  • Describe actions for related services (Auto Scaling, ELB, etc.)

ec2:* means every EC2 API action โ€” that's why it's "Full Access". More restricted policies might only allow ec2:DescribeInstances (view only) or ec2:StartInstances + ec2:StopInstances (start/stop but not delete).


Two Types of Policies

Identity-Based Policy

  • Attached to a user, group, or role
  • Says: "This identity can do X"
  • Example: Attaching AmazonEC2FullAccess to user tejas

Resource-Based Policy

  • Attached to a resource (like an S3 bucket)
  • Says: "These identities can access me"
  • Example: S3 bucket policy allowing specific IAM user to read from it
  • Has a Principal field (who can access)

How You Can Assign Permissions (3 Ways)

Method 1 โ€” Direct to User:
  IAM User โ†’ Attach Policy directly
  โœ… Quick | โŒ Hard to manage at scale

Method 2 โ€” Via Group:
  IAM Group โ†’ Attach Policy โ†’ Add User to Group
  โœ… Best for teams | โœ… Easy to manage

Method 3 โ€” Via Role (Assume):
  Create Role โ†’ User assumes Role โ†’ Gets temp permissions
  โœ… Best for temporary/cross-service access


๐Ÿ”– SECTION 7 โ€” What is an ARN?

ARN = Amazon Resource Name

Every single resource in AWS has a unique ID called an ARN. It's like a URL but for AWS resources.

Format:

arn:aws:SERVICE:REGION:ACCOUNT-ID:RESOURCE

Examples:

arn:aws:iam::123456789012:user/tejas          โ†’ IAM User
arn:aws:iam::123456789012:role/S3AccessRole   โ†’ IAM Role
arn:aws:s3:::my-bucket                         โ†’ S3 Bucket
arn:aws:ec2:ap-south-1:123456789:instance/i-abc123  โ†’ EC2 Instance

ARNs are used in:

  • Trust relationship JSON (to say which user can assume a role)
  • Resource-based policies (to target specific resources)
  • CloudTrail logs (to identify what was accessed)

๐Ÿ–ฅ๏ธ SECTION 8 โ€” IAM Instance Profile (EC2 โ†’ S3 Access)

"EC2 instance with EC2FullAccess wants to access S3 โ€” how?"

The Problem with Hardcoding Credentials

Bad approach:

# hardcoded in your code โ€” NEVER do this
s3 = boto3.client('s3',
    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
)

If this code goes to GitHub, your keys are exposed. Anyone can use them.

The Right Way โ€” IAM Instance Profile

An Instance Profile is a container that holds one IAM Role and attaches it to an EC2 instance. The EC2 instance then automatically gets temporary credentials โ€” no hardcoding needed.

IAM Role (S3AccessRole)
   โ†“  wrapped in
Instance Profile
   โ†“  attached to
EC2 Instance
   โ†“  app code calls
AWS Metadata Service (169.254.169.254)
   โ†“  returns
Temporary credentials (auto-rotated every hour)
   โ†“  used to
Access S3 Bucket โœ…

How to Set It Up

Step 1: Create IAM Role
  IAM Console โ†’ Roles โ†’ Create Role
  Trusted entity: EC2 (ec2.amazonaws.com as service principal)
  Attach policy: AmazonS3FullAccess (or specific S3 policy)
  Name: EC2-S3-AccessRole

Step 2: Attach to EC2 Instance
  EC2 Console โ†’ Select Instance โ†’ Actions
  โ†’ Security โ†’ Modify IAM Role
  โ†’ Select: EC2-S3-AccessRole โ†’ Update
  (Or set during launch: Advanced Settings โ†’ IAM Instance Profile)

Step 3: Test from EC2
  SSH into EC2 โ†’ run: aws s3 ls
  โ†’ Lists your S3 buckets โœ… (no credentials configured!)

The Instance Profile is created automatically when you create a role for EC2 via the Console โ€” you don't create it separately. One profile holds exactly one role.


โš™๏ธ SECTION 9 โ€” EC2 Basics (What You Need to Know)

What is EC2?

EC2 = Elastic Compute Cloud โ€” it's a virtual machine (server) running on AWS hardware. When you launch an EC2 instance, you're renting a slice of a physical server in an AWS data center.

Key EC2 Terms

AMI (Amazon Machine Image)

  • A pre-built template/snapshot that contains the OS + software for your EC2 instance
  • Like a blueprint โ€” choose it once and EC2 launches with that OS ready
  • Examples: Amazon Linux 2, Ubuntu 22.04, Windows Server 2022
  • Free tier eligible: Amazon Linux 2 AMI or Ubuntu

Key Pair

  • Used to SSH into your EC2 instance securely
  • AWS generates a public-private key pair
  • AWS keeps the public key, you download the private key (.pem file)
  • You use the .pem file to connect: ssh -i key.pem ec2-user@<ip>
  • Download once โ€” never available again. If you lose it, you lose SSH access.

Instance Type

  • Defines the CPU, RAM, and network capacity of your EC2
  • Free tier: t2.micro (1 vCPU, 1 GB RAM) or t3.micro
  • Naming: t3.medium โ†’ t=family, 3=generation, medium=size

User Data (Startup Script)

  • A script that runs once when EC2 first boots
  • Used to auto-install software, configure servers
  • Example: install Apache web server automatically on launch
#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello from EC2!</h1>" > /var/www/html/index.html

Lab: Launch EC2 as Web Server

Step 1: EC2 Console โ†’ Launch Instance
Step 2: Choose AMI: Amazon Linux 2
Step 3: Instance type: t2.micro (free tier)
Step 4: Key pair: Create new โ†’ Download .pem file
Step 5: Security Group: Allow HTTP (port 80) + SSH (port 22)
Step 6: Advanced โ†’ User data โ†’ paste startup script above
Step 7: Launch

Access: http://<EC2-Public-IP>  โ†’ "Hello from EC2!" โœ…


๐Ÿ’ฐ SECTION 10 โ€” AWS Pricing Calculator

Before launching anything in AWS โ€” estimate the cost first.

Tool: calculator.aws

How to use:

1. Go to calculator.aws โ†’ Create estimate
2. Search for a service (e.g., EC2)
3. Choose Region (ap-south-1 for India)
4. Select instance type, OS, hours/month
5. Add storage, data transfer if needed
6. View monthly + annual estimate
7. Share or export the estimate

Why it matters for DevOps:
Before proposing any infrastructure to a client or manager, you run a cost estimate. "This architecture will cost โ‚น8,000/month" is far more useful than "I think it'll be cheap."


โšก QUICK REVISION

WHY IAM
  Root = total power = total risk
  IAM = controlled, audited, least privilege access
  AAA = Authentication + Authorization + Accounting

KEY CONCEPTS
  Group     โ†’ Collection of users, attach policy once
  Role      โ†’ Temporary identity, no password, assumed by user/service
  Policy    โ†’ JSON doc defining Allow/Deny on which resource
  ARN       โ†’ Unique ID for every AWS resource
  Trust Rel โ†’ JSON saying who can assume a role
  Principal โ†’ Service identity (ec2.amazonaws.com)

POLICY RULE
  Explicit Deny > No Policy > Explicit Allow

INSTANCE PROFILE
  IAM Role โ†’ Instance Profile โ†’ EC2 โ†’ accesses S3
  No hardcoded credentials. Auto-rotated temp creds.

EC2 BASICS
  AMI        = OS template/blueprint
  Key Pair   = SSH access (.pem file โ€” save it!)
  User Data  = startup script (runs once at boot)
  t2.micro   = free tier instance type

ROLE SWITCHING
  Assume Role = temporarily take on role's permissions
  Your original permissions are SUSPENDED during that session
  Session ends = back to original


๐Ÿ’ผ INTERVIEW QUESTIONS

Q1: What is the difference between an IAM User and an IAM Role?

A: An IAM User has permanent credentials (username + password). An IAM Role has no password โ€” it provides temporary credentials and is assumed by users or services. Roles are the best practice for giving AWS services access to other AWS services.

Q2: An EC2 instance needs to read files from S3. How do you set this up securely?

A: Create an IAM Role with S3 read permissions and ec2.amazonaws.com as the trusted service principal. Attach this role to the EC2 instance via an Instance Profile. The EC2 instance automatically gets temporary, rotating credentials โ€” no hardcoded access keys needed.

Q3: What is a Trust Relationship in IAM?

A: A Trust Relationship is a JSON policy on an IAM Role that defines who is allowed to assume that role โ€” whether it's a specific IAM user (via ARN) or an AWS service (like ec2.amazonaws.com).

Q4: What happens if a Deny and an Allow both exist in IAM policies for the same action?

A: Deny always wins. The evaluation order is: Explicit Deny > No Policy (implicit deny) > Explicit Allow.

Q5: What is an Instance Profile?

A: An Instance Profile is a container that wraps an IAM Role and attaches it to an EC2 instance. It allows EC2 to call AWS services using temporary credentials from the metadata service โ€” no hardcoded keys.

Q6: What's the difference between Identity-based and Resource-based policies?

A: Identity-based policies are attached to a user, group, or role and say "this identity can do X." Resource-based policies are attached to a resource (like S3) and say "these identities can access me." Resource-based policies have a Principal field; identity-based ones don't.


๐Ÿ”ฌ PRACTICE TASKS

  1. Create an IAM Group called DevOpsTeam, attach PowerUserAccess, create a user and add to the group. Log in as that user and verify access.
  2. Create an IAM Role for EC2 with AmazonS3ReadOnlyAccess. Launch an EC2 instance, attach this role, SSH in, and run aws s3 ls โ€” confirm it works without any credentials configured.
  3. Open the AmazonEC2FullAccess policy JSON in IAM Console. Identify what ec2:* means and find 3 specific actions it covers.
  4. Create a Role, edit its Trust Relationship to allow your IAM user to assume it. Use "Switch Role" in the Console โ€” observe what changes.
  5. Use the AWS Pricing Calculator to estimate monthly cost of: 1 x t3.micro EC2 (Linux, ap-south-1, running 24/7) + 20 GB EBS storage.