I have an AWS Lambda that was created to access an RDS PostgreSQL instance and an ElastiCache cluster. In order to access the RDS instance, I believe both RDS and ElastiCache need to open up their inbound ports for the Lambda to access them. I have also seen policies that allow Lambda to access ElastiCache and RDS. These policies are applied to the role that is assigned to the AWS Lambda. What is the purpose of the role and the security group in this scenario?
A group is a means of organising users, whereas a role is usually a means of organising rights. This can be useful in a number of ways. For example, a set of permissions grouped into a role could be assigned to a set of groups, or a set of users independently of their group.
As per IAM standards, we create groups with permissions and then assign users to that group. Role: you create roles and assign them to an AWS resource (an AWS resource can be, for example, a customer, supplier, contractor, employee, an EC2 instance, or some external application outside AWS), but remember you can't assign a role to a user.
Security groups are a way to collect user accounts, computer accounts, and other groups into manageable units. In the Windows Server operating system, several built-in accounts and security groups are preconfigured with the appropriate rights and permissions to perform specific tasks.
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials (password or access keys) associated with it.
Security groups are more about network controls. You can look at them as a virtual firewall that controls the traffic.
They specify what inbound/outbound traffic to allow/disallow based on the following criteria/filters
IAM roles are used more to determine what an identity can and cannot do in AWS. Basically, a role is a set of permissions that grant access to actions and resources in AWS.
Example: the security group for Resource X says allow inbound traffic on port 1111 over the HTTP protocol.
Scenario 1: A Lambda that has an attached role to access Resource X tries to communicate with Resource X on port 2222 over HTTP. This will fail, because the security group for Resource X allows communication only over port 1111.
Scenario 2: You do not attach any role to the Lambda to access Resource X. Now if it tries to communicate with Resource X on port 1111 over HTTP, it will fail, because despite trying to access Resource X on the correct port and protocol, it lacks the permissions to do so.
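To make the two layers concrete for the scenario in the question (Lambda reaching RDS PostgreSQL and ElastiCache), here is an added Terraform sketch that is not from any of the answers above. It assumes an existing VPC passed in as `vpc_id`; the RDS, ElastiCache and `aws_lambda_function` resources themselves are omitted (the Lambda would reference `lambda_sg` in its `vpc_config` and `lambda_role` as its execution role). The security groups are the network layer: the data stores accept traffic only from the Lambda's own security group, not from a CIDR range. The IAM role is the identity layer: its trust policy says who may assume it, and the attached managed policy is what lets Lambda create network interfaces inside the VPC at all.

```hcl
variable "vpc_id" { type = string }  # assumed: the VPC hosting RDS and ElastiCache

# Network layer, part 1: the Lambda's own security group. It needs no ingress
# rules, since the function only initiates connections.
resource "aws_security_group" "lambda_sg" {
  name   = "lambda-app-sg"
  vpc_id = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Network layer, part 2: one security group per data store, each opening only
# its service port (PostgreSQL 5432, Redis 6379) and only to lambda_sg.
# Referencing a security group instead of a CIDR keeps the rule tied to the
# Lambda's identity on the network, not to whatever IPs it happens to use.
resource "aws_security_group" "data_sg" {
  for_each = { rds-postgres = 5432, elasticache-redis = 6379 }
  name     = "${each.key}-sg"
  vpc_id   = var.vpc_id
  ingress {
    from_port       = each.value
    to_port         = each.value
    protocol        = "tcp"
    security_groups = [aws_security_group.lambda_sg.id]
  }
}

# Identity layer: the execution role. The trust policy restricts who can assume
# the role to the Lambda service; permissions come from attached policies.
resource "aws_iam_role" "lambda_role" {
  name = "lambda-app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# AWS-managed policy granting the ENI create/describe/delete actions a VPC-attached
# Lambda needs. It grants nothing at the PostgreSQL or Redis protocol level:
# the database password or Redis AUTH token is still checked by the data store.
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
```

Read against the scenarios above: a wrong port fails at `data_sg` regardless of the role, while a missing or under-privileged role fails before the function can even place a network interface in the VPC.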