AWS Security Group and IAM Role

To connect my ec2-instance to S3 or RDS, I usually need to give ec2 instance a role with appropriate permissions, correct?

If I have my ec2-instance in one SecurityGroup and S3/RDS in another security group, won't just giving an S3/RDS role and permission to ec2 suffice?

Trying to understand when I should use roles vs security groups to allow various AWS resources to talk to each other.

Himalay Majumdar Avatar asked Jan 04 '23 14:01

1 Answer

  • IAM roles are for restricting AWS user/account/role access to the AWS API.
  • Security groups are for restricting network access to resources that exist inside your VPC.

Note how EC2 and RDS (and Redshift and Elasticache...) are servers that exist in your VPC, and you interact with those resources by making direct network connections to those servers. So you secure network access to these with Security Groups.

Note how you have no visibility into what servers your S3 (or DynamoDB or SQS or SNS...) resources are on; those resources are not running inside your VPC, and you interact with them exclusively via the AWS API. So you secure AWS API access to these via AWS Identity and Access Management (IAM).

Mark B Avatar answered Jan 13 '23 00:01
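The split the answer describes, written out as a Terraform example (added here, not code from the original post): S3 is reached only through the AWS API, so the EC2 instance gets an IAM role scoped to one bucket, while RDS is a server in the VPC, so the database's security group admits MySQL traffic only from the instance's security group. `var.vpc_id` and the bucket name `example-app-data` are assumed placeholders.

```hcl
# Added example, not from the original post; var.vpc_id and the bucket name are assumed.
# S3 is reached only through the AWS API, so access is granted with IAM.
resource "aws_iam_role" "app" {
  name = "app-instance-role"
  # Trust policy: only the EC2 service may assume this role.
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}
# Least privilege: one read action on one bucket, not s3:* on "*".
resource "aws_iam_role_policy" "s3_read" {
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-app-data/*"
    }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile"
  role = aws_iam_role.app.name
}

# RDS is a server inside the VPC, so access is a network rule in a security group.
resource "aws_security_group" "app" {
  name   = "app-ec2-sg"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "db" {
  name   = "app-rds-sg"
  vpc_id = var.vpc_id
  # MySQL only from members of the app security group, not from 0.0.0.0/0.
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
```

The EC2 instance is then launched with `aws_iam_instance_profile.app` and `aws_security_group.app`, and the RDS instance with `aws_security_group.db`; no security group rule is needed for S3, and no IAM permission makes the database reachable.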