What are the IAM principles, and what is the difference between a Role and an Instance Profile?

Bekir KUCUKALA
2 min read · Jun 27, 2021

In Identity and Access Management (IAM), Authentication confirms that users are who they claim to be, and Authorization gives those users permission to access a resource. Authentication and Authorization answer two questions:

· Who am I?

· What am I permitted to do?

An IAM user is the entity that answers “Who am I?”. The AWS documentation describes an IAM user as follows: “An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.”

IAM Policies grant access and answer “What am I permitted to do?”. The AWS documentation describes an IAM policy as follows: “You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.” We can attach policies to users, groups, and roles.

IAM Roles are designed to be “assumed” by other principals that define “who am I”, such as users, AWS services, and EC2 instances. The AWS documentation describes an IAM role as follows: “An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.”

How do roles for EC2 instances work?

We use an Instance Profile to pass an IAM role to an EC2 instance. Just as an IAM user represents a person, an instance profile represents an EC2 instance. The EC2 instance runs under its instance profile, which defines “who” the instance is. It then “assumes” the IAM role, and it is the role that ultimately gives it any real power.

When you create an IAM Role for EC2 using the AWS Management Console, the console creates both an EC2 instance profile and an IAM role. However, if you are using the AWS CLI, SDKs, or CloudFormation, you will need to explicitly define the managed policies, the role, and the instance profile yourself.
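As an added example (not part of the original article), the following CloudFormation template declares the three pieces explicitly: a least-privilege managed policy (the “what”), a role whose trust policy only lets the EC2 service assume it (the “who”), and the instance profile that carries the role onto an instance. The role, policy, bucket and AMI names are hypothetical placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example role, managed policy and instance profile for EC2

Resources:
  # The managed policy answers "what am I permitted to do?".
  # Least privilege: read-only access to one hypothetical bucket.
  AppReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read-only access to one application bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - arn:aws:s3:::example-app-bucket      # placeholder bucket
              - arn:aws:s3:::example-app-bucket/*

  # The role answers "who am I?" once assumed. Its trust policy
  # restricts assumption to the EC2 service principal only.
  AppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref AppReadPolicy   # Ref on a ManagedPolicy returns its ARN

  # The instance profile is the container that passes the role to the
  # instance. The console creates it implicitly; here it is explicit.
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref AppRole

  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0123456789abcdef0   # placeholder AMI id
      InstanceType: t3.micro
      IamInstanceProfile: !Ref AppInstanceProfile   # profile name, not the role
```

Note that the instance references the instance profile, not the role; attaching the role directly is not possible, which is exactly why the profile must be declared when the console is not doing it for you.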
