 

EC2 security group vs IAM Group?

What is the relation between an IAM Group and a Security Group for EC2 machines?

For example, the following EC2 machine has the security group zfei_profile, but there is no such thing in the IAM Groups. What "Access Key ID" (and its corresponding Secret Access Key) should be used to access this machine?

Daniel asked Aug 23 '15 08:08




1 Answer

There is no relation between a security group and an IAM group, they have nothing to do with each other.

Security Groups

Security groups are like a firewall for your EC2 instances. They determine:

(a) which computers can connect to your EC2 instance, and (b) on which ports other computers can connect

For example, they say that the world can connect to your http port, or that only your local computer can SSH into the EC2 instance.

The security groups say nothing about which people can connect to your EC2 instance.

IAM Groups

IAM Groups are a way of grouping IAM users and IAM roles. Permissions given to an IAM Group are passed onto their group members (users and roles).

The IAM permissions given to an IAM Group (or IAM user or IAM role) determine which AWS API commands can be executed using the AWS CLI or any of the many AWS SDKs.

In your screenshot, your EC2 instance does not have an IAM Role assigned to it (denoted by the - next to "IAM Role"), so there are no permissions applied to your EC2 instance to be able to execute any AWS commands. If you want to execute AWS commands on your EC2 instance, then you'll have to use an AWS access key ID and AWS secret key to issue those commands (see below).

IAM Groups, users, and roles have nothing to do with accessing your EC2 instance.

Access Keys IDs and Secret Access Keys

These are used with the AWS CLI and the AWS SDKs to issue commands to the AWS APIs. Each Access Key ID belongs to a particular IAM user.

These have nothing to do with accessing your EC2 instance.

Key Pair Name

Now we're going to get to what actually has something to do with accessing your EC2 instance.

Each EC2 instance has a Key Pair Name assigned to it. This Key Pair Name determines which private key you need to use to access your EC2 instance.

When the Key Pair Name was created, you would have downloaded a very important .pem file. That .pem file must be used to access your EC2 instance. You would use that .pem file as authorization when you SSH into your EC2 instance.

If you do not have this file, then you cannot access the EC2 instance.

You cannot get a new copy of the .pem file if it has been lost.

More information about the Key Pair Name can be found here:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

This document also describes a method of accessing your EC2 instance if you have lost your .pem file.

Matt Houser answered Sep 20 '22 02:09
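The answer above separates three controls that newcomers tend to conflate. As an added illustration (not code from the answer's author or from AWS), the script below re-implements the decision logic of two of them in a few dozen lines: a security group is an allow-only list of (protocol, port range, source CIDR) rules evaluated on the network path, where a packet is accepted if any rule in any attached group matches and the identity of the remote person is never an input; an IAM policy decides which API actions a principal may call, with an explicit Deny overriding any Allow and an implicit deny when nothing matches. The two evaluators never consult each other, which is the point of the answer. The group names, rules, policies and IP addresses are constructed sample data, not taken from the question's screenshot.

```python
"""Model of EC2 security-group and IAM policy evaluation (added example).

Constructed data throughout: the group names, rules, policies and
addresses are assumptions for illustration, not real AWS resources.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SgRule:
    """One inbound rule: protocol 'tcp'/'udp'/'icmp' or '-1' (all traffic),
    an inclusive port range, and the source CIDR the rule accepts."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)


def sg_allows(groups, protocol, port, src_ip):
    """Security groups are allow-only and default-deny: a packet is accepted
    if ANY rule in ANY attached group matches; there are no deny rules.
    Which person is behind src_ip plays no part in the decision."""
    src = ipaddress.ip_address(src_ip)
    for group in groups:
        for rule in group.inbound:
            if rule.protocol != "-1":
                if rule.protocol != protocol:
                    continue
                if not rule.from_port <= port <= rule.to_port:
                    continue
            if src in ipaddress.ip_network(rule.cidr, strict=False):
                return True
    return False


def iam_allows(policies, action, resource="*"):
    """IAM policy evaluation: every statement is examined; an explicit Deny
    wins over any Allow, and with no matching statement the result is
    deny. Action and Resource support the '*' wildcard, as in IAM."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            actions = actions if isinstance(actions, list) else [actions]
            resources = stmt.get("Resource", "*")
            resources = resources if isinstance(resources, list) else [resources]
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied


# Constructed sample: an instance with two groups attached. "web" opens
# HTTP/HTTPS to the world, "admin" opens SSH to one administrator address.
WEB_SG = SecurityGroup("web", [SgRule("tcp", 80, 80, "0.0.0.0/0"),
                               SgRule("tcp", 443, 443, "0.0.0.0/0")])
ADMIN_SG = SecurityGroup("admin", [SgRule("tcp", 22, 22, "203.0.113.7/32")])
INSTANCE_GROUPS = [WEB_SG, ADMIN_SG]

# Constructed sample IAM policies, as they might be attached to an IAM group.
READONLY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
FULL_EC2_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_TERMINATE = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}


if __name__ == "__main__":
    # Network path: the world reaches port 80, only the admin address reaches 22.
    print("http from anywhere:", sg_allows(INSTANCE_GROUPS, "tcp", 80, "198.51.100.9"))
    print("ssh from anywhere: ", sg_allows(INSTANCE_GROUPS, "tcp", 22, "198.51.100.9"))
    print("ssh from admin:    ", sg_allows(INSTANCE_GROUPS, "tcp", 22, "203.0.113.7"))
    # API path: the same user's IAM policies, evaluated independently.
    print("DescribeInstances: ", iam_allows([READONLY_POLICY], "ec2:DescribeInstances"))
    print("TerminateInstances:", iam_allows([FULL_EC2_POLICY, DENY_TERMINATE],
                                            "ec2:TerminateInstances"))
```

Note that a user holding ec2:* still cannot SSH in from an address outside the admin CIDR, and an address inside that CIDR still needs the instance's private key; neither evaluator has any knowledge of the other, exactly as the answer states.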