Adrian Cantrill’s SAA-C02 course, learn.cantrill.io, 60 minutes:
‘Advanced EC2’ Section: ‘EC2 Instance Roles and Profile’, ‘[UPDATE][DEMO] Providing permissions and credentials to EC2 using instance roles’, ‘SSM Parameter Store’, ‘[UPDATE][DEMO] Parameter Store’
Today I continued my journey in learning about advanced EC2. Today I looked at instance roles and the instance profile, which is a wrapper around an IAM role that is attached to an EC2 instance as an intermediate piece of architecture. This allows IAM role permissions to get inside the instance, which enables the instance to make full use of the permissions allowed by the IAM role. Of interest is the fact that if the instance role is created in the console or in the command line, the instance profile is created along with it. However, if CFN is utilized, the instance role and profile must be created separately.
Implementing the demo for this was pretty straightforward, basically involving creating an EC2 instance, opening IAM in a different tab, searching for a specific policy, enabling that policy, and then attaching that policy in the EC2 instance.
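The CloudFormation case described above, as an added example that is not part of the course material or the demo: the role and the instance profile are two separate resources, and the instance references the profile, not the role. The resource names, the `/demo/` parameter path and the inline policy are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example, instance role and instance profile declared separately

Parameters:
  LatestAmiId:
    # Resolves the current Amazon Linux 2 AMI from a public SSM parameter.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Resources:
  # 1. The IAM role. The trust policy lets the EC2 service assume it.
  DemoInstanceRole:              # hypothetical name
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        # Least privilege: read-only, scoped to one parameter path (assumed: /demo/).
        # SecureString values encrypted with a customer managed KMS key
        # would also need kms:Decrypt on that key.
        - PolicyName: ReadDemoParameters
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParameter
                  - ssm:GetParametersByPath
                Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/demo/*

  # 2. The instance profile, the wrapper around the role. In CloudFormation
  #    it is its own resource and is not created implicitly with the role.
  DemoInstanceProfile:           # hypothetical name
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref DemoInstanceRole

  # 3. The instance attaches the profile, not the role itself.
  DemoInstance:                  # hypothetical name
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t2.micro
      IamInstanceProfile: !Ref DemoInstanceProfile
```

Because the template creates IAM resources, deploying it requires acknowledging the `CAPABILITY_IAM` capability.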
The other aspect of advanced EC2 which I studied today was SSM Parameter Store. In this lesson I looked at how credentials can be delivered via instance metadata through the 169.254.169.254 instance metadata URL, but this is discouraged as it is not secure. Enter SSM Parameter Store, which enables creating secure strings that can be paired with KMS for extra security. This involves creating a parameter name and value; the value stores configuration data. Many things can be created and stored in Parameter Store, including codes, strings (three specific kinds), passwords, and multiple other things.
After this I spent a few minutes researching cloud security gigs as part of homework assigned by my new mentor, who is working with me to have me gainfully employed in cloud security ASAP. This is exciting, as it is helping me push things into a pragmatic realm.