Question-7: You are setting up credentials for various AWS services. In which of the following situations should you prefer an IAM Role over direct access to the service with an individual account's credentials?
- Your organization already has an in-house directory of users whose access permissions are already set up.
- You want to allow another AWS account permission to access resources in your AWS account.
- One AWS service in your account needs to access another AWS service.
- You have created an application that runs on an EC2 instance and needs to access AWS resources programmatically.
Ans: A, B, C, D
Detailed Explanation: IAM Roles are useful in the following situations.
- Federated user access
- If your organization already uses a solution like LDAP or Microsoft Active Directory, or any other identity provider, to manage user access, those users are known as federated users.
- Federated users authenticate with the identity provider and then assume an IAM Role to obtain temporary AWS credentials, so they need neither IAM users nor long-term access keys.
- Cross-account access
- You can use an IAM Role in your AWS account to allow another AWS account permission to access your account's resources. The role's trust policy names the trusted account; when the trusted party is a third party, add an external ID condition to the trust policy so the role cannot be abused as a confused deputy.
- AWS service access
- If you want one service in your account to access another service, use an IAM Role. Suppose you have to load data from S3 into a Redshift cluster. Rather than using your account credentials, you use an IAM Role that allows Redshift to access the S3 bucket on your behalf, so that it can load the data from the bucket into the cluster.
- Applications running on EC2 instances
- If you have created an application that runs on an EC2 instance and needs to access AWS resources programmatically, it is not a good idea to store your access keys on the instance: anyone who can read the file system or the image obtains long-term credentials that must be rotated by hand.
- Instead, assign an IAM Role to the EC2 instance.
- To assign a Role to an EC2 instance, create an instance profile and attach it to the instance when launching it (it can also be attached to a running instance).
An instance profile contains the role and enables the application running on the EC2 instance to obtain temporary credentials from the instance metadata service; the AWS SDKs and CLI pick these up automatically and refresh them before they expire.
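The cross-account and EC2 instance profile cases above, worked through as an added example that is not part of the original question or of any AWS sample code. It builds the trust and permissions documents each role needs, lints a trust policy for the two mistakes that most often turn a role into a backdoor (a wildcard principal, and a cross-account grant with no external ID), and assembles the AWS CLI commands for the instance profile procedure. Only the Python standard library is used so it runs offline; the account ID `111122223333`, the bucket `example-data-bucket`, the role name `app-s3-reader` and the AMI ID are placeholders chosen for illustration.

```python
"""Build and lint the IAM documents behind the IAM Role use cases.

Added example; account IDs, bucket, role and AMI names are placeholders.
The CLI commands assembled at the end are what you would run against a
real account; nothing here contacts AWS.
"""
import json

ASSUME_ROLE = "sts:AssumeRole"


def service_trust_policy(service):
    """Trust policy letting an AWS service (ec2.amazonaws.com,
    redshift.amazonaws.com, ...) assume the role: service-to-service access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": ASSUME_ROLE,
        }],
    }


def cross_account_trust_policy(trusted_account_id, external_id):
    """Trust policy letting principals in another account assume the role.
    The sts:ExternalId condition is the standard confused-deputy guard:
    AssumeRole is denied unless the caller presents the agreed value."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": ASSUME_ROLE,
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def s3_read_policy(bucket):
    """Least-privilege permissions policy: list and read one bucket only."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": arn},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{arn}/*"},
        ],
    }


def trust_policy_findings(policy):
    """Return human-readable findings for risky Allow statements in a trust
    policy; an empty list means nothing was flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account can assume this role")
            continue
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in cond for cond in conditions.values())
        if aws_principals and not has_external_id:
            findings.append("cross-account statement without sts:ExternalId condition "
                            "(fine for your own accounts, required for third parties)")
    return findings


def cli_commands(role_name, trust_file, policy_file, ami_id):
    """The AWS CLI calls that create the role, wrap it in an instance profile
    and launch an instance with it; HttpTokens=required enforces IMDSv2 so a
    plain GET from an SSRF bug cannot read the role credentials."""
    return [
        f"aws iam create-role --role-name {role_name} "
        f"--assume-role-policy-document file://{trust_file}",
        f"aws iam put-role-policy --role-name {role_name} "
        f"--policy-name s3-read --policy-document file://{policy_file}",
        f"aws iam create-instance-profile --instance-profile-name {role_name}",
        f"aws iam add-role-to-instance-profile "
        f"--instance-profile-name {role_name} --role-name {role_name}",
        f"aws ec2 run-instances --image-id {ami_id} --instance-type t3.micro "
        f"--iam-instance-profile Name={role_name} "
        "--metadata-options HttpTokens=required",
    ]


if __name__ == "__main__":
    # Write the two documents the CLI commands reference, then print the commands.
    with open("trust.json", "w") as fh:
        json.dump(service_trust_policy("ec2.amazonaws.com"), fh, indent=2)
    with open("s3-read.json", "w") as fh:
        json.dump(s3_read_policy("example-data-bucket"), fh, indent=2)
    print("\n".join(cli_commands("app-s3-reader", "trust.json", "s3-read.json",
                                 "ami-0123456789abcdef0")))  # placeholder AMI
    partner = cross_account_trust_policy("111122223333", "agreed-with-partner")
    print("partner role findings:", trust_policy_findings(partner))
```

Once the instance is running, the application never sees a key file: the SDKs fetch credentials from the instance metadata service, which with IMDSv2 means first obtaining a session token with `curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` and then reading `http://169.254.169.254/latest/meta-data/iam/security-credentials/app-s3-reader` with the `X-aws-ec2-metadata-token` header. The Redshift-to-S3 case is the same shape with `service_trust_policy("redshift.amazonaws.com")` as the trust document and the role ARN passed to the cluster.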