What is the relation between an IAM Group and a Security group for an EC2 machine?
For example, the following EC2 machine has security group zfei_profile, but there is no such thing in the IAM Groups. What "Access Key ID" (and its corresponding Secret Access Key) should be used to access this machine?
A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups.
As per IAM standards we create groups with permissions and then assign users to that group. Role: you create roles and assign them to an AWS resource (an AWS resource example can be a customer, supplier, contractor, employee, an EC2 instance, or some external application outside AWS), but remember you can't assign a role to a user.
Use IAM Roles/Instance Profiles instead of IAM Access Keys to appropriately grant access permissions to any application that performs AWS API requests running on your Amazon EC2 instances. With IAM roles you can avoid sharing long-term credentials and protect your instances against unauthorized access.
Amazon EC2 uses this set of rules to determine whether to allow access. You can assign multiple security groups to an instance. Therefore, an instance can have hundreds of rules that apply.
There is no relation between a security group and an IAM group, they have nothing to do with each other.
Security groups are like a firewall for your EC2 instances. They determine:
(a) which computers can connect to your EC2 instance, and (b) on which ports other computers can connect.
For example, they say that the world can connect to your http port, or that only your local computer can SSH into the EC2 instance.
The security groups say nothing about which people can connect to your EC2 instance.
IAM Groups are a way of grouping IAM users and IAM roles. Permissions given to an IAM Group are passed onto their group members (users and roles).
The IAM permissions given to an IAM Group (or IAM user or IAM role) determine which AWS API commands can be executed using the AWS CLI or any of the many AWS SDKs.
In your screenshot, your EC2 instance does not have an IAM Role assigned to it (denoted by the - next to "IAM Role"), so there are no permissions applied to your EC2 instance to be able to execute any AWS commands. If you want to execute AWS commands on your EC2 instance, then you'll have to use an AWS access key ID and AWS secret key to issue those commands (see below).
IAM Groups, users, and roles have nothing to do with accessing your EC2 instance.
These are used with the AWS CLI and the AWS SDKs to issue commands to the AWS APIs. Each Access Key ID belongs to a particular IAM user.
These have nothing to do with accessing your EC2 instance.
Now we're going to get to what actually has something to do with accessing your EC2 instance.
Each EC2 instance has a Key Pair Name assigned to it. This Key Pair Name determines which private key you need to use to access your EC2 instance.
When the Key Pair Name was created, you would have downloaded a very important .pem file. That .pem file must be used to access your EC2 instance. You would use that .pem file as authorization when you SSH into your EC2 instance.
If you do not have this file, then you cannot access the EC2 instance.
You cannot get a new copy of the .pem file if it has been lost.
More information about the Key Pair Name can be found here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
This document also describes a method of accessing your EC2 instance if you have lost your .pem file.
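To make the distinction in the answers above concrete, here is an added example (not from the question or either answer) that audits the two things that actually govern access to an instance: the security group rules (network source and port) and the presence of an IAM instance profile, alongside the key pair name. The input is a constructed sample in the shape of `aws ec2 describe-security-groups` and `describe-instances` JSON; the group IDs, instance IDs, account number and CIDRs are hypothetical placeholders, and the only name taken from the page is the security group `zfei_profile`.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# All IDs and addresses are hypothetical; only "zfei_profile" comes from the question.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1",
            "GroupName": "zfei_profile",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        },
        {
            "GroupId": "sg-0example2",
            "GroupName": "admin-only",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
            ],
        },
    ]
}

# Constructed sample shaped like `aws ec2 describe-instances` output.
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example1", "KeyName": "my-keypair",
         "SecurityGroups": [{"GroupId": "sg-0example1", "GroupName": "zfei_profile"}]},
        {"InstanceId": "i-0example2", "KeyName": "ops-keypair",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"},
         "SecurityGroups": [{"GroupId": "sg-0example2", "GroupName": "admin-only"}]},
    ]}]
}

WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def rule_allows(rule, port, source_ip):
    """True if one inbound rule admits TCP traffic to `port` from `source_ip`."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols/ports
        return False
    if proto == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
        return False
    addr = ipaddress.ip_address(source_ip)
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # Address-family mismatch simply yields False from the membership test.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def sg_allows(sg, port, source_ip):
    """A security group allows traffic if any of its inbound rules allows it."""
    return any(rule_allows(r, port, source_ip) for r in sg.get("IpPermissions", []))


def world_open_ports(sg):
    """TCP ports (or 'all') reachable from any IPv4/IPv6 source via this group."""
    ports = set()
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(c in WORLD_CIDRS for c in cidrs):
            continue
        if rule.get("IpProtocol") == "-1":
            ports.add("all")
        elif rule.get("IpProtocol") == "tcp":
            ports.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return sorted(ports, key=str)


def audit_instances(instances_doc, sgs_doc):
    """Per instance: key pair, whether an IAM role is attached, and network exposure."""
    sg_by_id = {sg["GroupId"]: sg for sg in sgs_doc["SecurityGroups"]}
    report = {}
    for reservation in instances_doc["Reservations"]:
        for inst in reservation["Instances"]:
            sgs = [sg_by_id[g["GroupId"]] for g in inst.get("SecurityGroups", [])]
            open_ports = sorted({p for sg in sgs for p in world_open_ports(sg)}, key=str)
            report[inst["InstanceId"]] = {
                "key_name": inst.get("KeyName"),            # governs SSH login (the .pem)
                "has_instance_profile": "IamInstanceProfile" in inst,  # governs AWS API calls
                "ssh_from_anywhere": any(p in (22, "all") for p in open_ports),
                "world_open_ports": open_ports,
            }
    return report


if __name__ == "__main__":
    print(json.dumps(audit_instances(SAMPLE_INSTANCES, SAMPLE_SECURITY_GROUPS), indent=2))
```

Run against real output, the same functions would take the JSON from `aws ec2 describe-instances` and `aws ec2 describe-security-groups`; an instance with `has_instance_profile` false can only call AWS APIs with long-term access keys, which is exactly the situation the answer above describes, while `ssh_from_anywhere` and `key_name` are what decide who can reach the machine over SSH.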