IAM & Full Infrastructure

🔥 Vibe Prompt

"Define IAM roles for EC2, ECS, and CI/CD. Apply least privilege and resource-based policies."

IAM Roles

# EC2 role - minimal permissions
resource "aws_iam_role" "ec2" {
  name = "ec2-app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "ec2_s3" {
  name = "ec2-s3-read"
  role = aws_iam_role.ec2.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        aws_s3_bucket.assets.arn,
        "${aws_s3_bucket.assets.arn}/*"
      ]
    }]
  })
}

# CI/CD role - trusts GitHub's OIDC provider, but only for tokens minted
# for the main branch of one repository. No permissions policy is attached
# here; add an aws_iam_role_policy scoped to the ECR/ECS resources the
# pipeline touches, as done for the EC2 role above.
data "aws_caller_identity" "current" {}

resource "aws_iam_role" "cicd" {
  name = "github-actions-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRoleWithWebIdentity"
      Effect = "Allow"
      Principal = {
        Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
      }
      Condition = {
        StringEquals = {
          # aud must be STS, and sub pins the repository and branch
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          "token.actions.githubusercontent.com:sub" = "repo:myorg/myapp:ref:refs/heads/main"
        }
      }
    }]
  })
}
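The trust policy above is only as tight as its Condition block, so it helps to see exactly which tokens it admits. The script below is an added example, not AWS's or the course's code: it models the StringEquals/StringLike matching STS applies to the token's `aud` and `sub` claims, builds the page's pinned policy with a helper `trust_policy` (the account id is a placeholder), and contrasts it with a repo-wide `StringLike` variant that also admits pull-request tokens. All token claims are constructed for illustration.

```python
"""Model how an OIDC trust policy's Condition block admits or rejects a
GitHub Actions token.  Added example, not AWS's or the course's own code: a
simplified reimplementation of the condition matching STS applies on
AssumeRoleWithWebIdentity, run over constructed token claims."""
import fnmatch

ISSUER = "token.actions.githubusercontent.com"
# Placeholder account id; the page derives the real one from aws_caller_identity.
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"


def trust_policy(sub_pattern, operator="StringEquals"):
    """Build a trust policy like github-actions-role above, pinning aud and sub."""
    condition = {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}
    condition.setdefault(operator, {})[f"{ISSUER}:sub"] = sub_pattern
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Condition": condition,
        }],
    }


def _value_matches(operator, expected, actual):
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringLike":          # '*' and '?' wildcards
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def condition_allows(condition, claims):
    """All operator/key pairs must hold (AND); multiple values for a key are OR."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            claim = key.rsplit(":", 1)[1]          # "<issuer>:sub" -> "sub"
            actual = claims.get(claim)
            if actual is None:
                return False                       # absent claim never satisfies
            values = expected if isinstance(expected, list) else [expected]
            if not any(_value_matches(operator, v, actual) for v in values):
                return False
    return True


def can_assume(policy, claims):
    """True if an Allow statement for AssumeRoleWithWebIdentity admits these claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if condition_allows(stmt.get("Condition", {}), claims):
            return True
    return False


# Constructed claims in the shape GitHub places in the token's aud/sub fields.
MAIN_BRANCH = {"aud": "sts.amazonaws.com", "sub": "repo:myorg/myapp:ref:refs/heads/main"}
FEATURE_BRANCH = {"aud": "sts.amazonaws.com", "sub": "repo:myorg/myapp:ref:refs/heads/feature-x"}
PULL_REQUEST = {"aud": "sts.amazonaws.com", "sub": "repo:myorg/myapp:pull_request"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:other-org/myapp:ref:refs/heads/main"}
WRONG_AUDIENCE = {"aud": "https://example.invalid", "sub": MAIN_BRANCH["sub"]}

# The page's policy: exact match on the main branch of one repository.
PINNED = trust_policy("repo:myorg/myapp:ref:refs/heads/main")
# A looser variant: any ref of the repository, pull requests included.
REPO_WIDE = trust_policy("repo:myorg/myapp:*", operator="StringLike")

if __name__ == "__main__":
    for name, claims in [("main", MAIN_BRANCH), ("feature", FEATURE_BRANCH),
                         ("pr", PULL_REQUEST), ("other repo", OTHER_REPO),
                         ("wrong aud", WRONG_AUDIENCE)]:
        print(f"{name:10} pinned={can_assume(PINNED, claims)!s:5} "
              f"repo-wide={can_assume(REPO_WIDE, claims)}")
```

Running it shows the pinned policy admitting only the main-branch token, while the repo-wide pattern also admits feature-branch and pull-request tokens; since a pull-request workflow can run code from a fork's branch, that is the case to watch when loosening `sub`. Either way the `aud` check rejects tokens issued for a different audience.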

Full Infrastructure Diagram

CloudFront (CDN + WAF)
    ↓
ALB (HTTPS termination)
    ↓
ECS Fargate (3 containers)
    ↓
RDS Postgres (Multi-AZ) + ElastiCache Redis
    ↓
S3 (assets, logs) + ECR (images)

CI/CD Pipeline

GitHub Push → Build Docker → Push ECR → Update ECS → Smoke Test
     ↓
  IAM Role (OIDC)

Cloud AWS Course Complete! 🎉

  • ✅ VPC & EC2
  • ✅ RDS & S3
  • ✅ ECS & EKS
  • ✅ CloudFront & WAF
  • ✅ IAM & Full Infra

Chapter Summary

  • Understand the core concepts and principles
  • Master the implementation methods and techniques
  • Become familiar with common issues and their solutions
  • Be able to apply them in real projects

Further Reading

  • Official documentation and API references
  • Open source examples on GitHub
  • Technical books and online courses
  • Community discussions and tech blogs

IAM Policies

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
  }]
}

IAM Best Practices

| Practice | Why |
|----------|-----|
| Least privilege | Grant only needed permissions |
| Use roles for EC2 | Never put AWS keys on instances |
| Enable MFA | Required for privileged users |
| Rotate keys | 90-day rotation is standard |
| Use conditions | Restrict by IP, time, VPC |
| Audit regularly | Find unused permissions with Access Analyzer |
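"Least privilege" and "Audit regularly" are easier to act on with a concrete check. The script below is an added example, not the course's or AWS's code: a small static linter for the over-broad patterns that a scoped policy should not contain (the kind of finding IAM Access Analyzer reports). It runs over the bucket-scoped policy from the IAM Policies section above and over a constructed over-broad counter-example; `lint_policy` and the sample policies are this example's own.

```python
"""Static least-privilege check for an IAM permissions policy.  Added
example, not the course's or AWS's code: a small linter for the over-broad
patterns the best-practices table warns about, run over constructed
sample policies."""


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, finding) pairs for Allow statements that
    grant more than a scoped policy should; an empty list means none found."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                                   # Deny only narrows access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        for action in actions:
            if action == "*":
                findings.append((i, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((i, f"Action '{action}' grants an entire service"))
        if "*" in resources and not has_condition:
            findings.append((i, "Resource '*' with no Condition to scope it"))
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((i, "iam:PassRole on every role; restrict Resource to the role ARN"))
    return findings


# The bucket-scoped policy from the IAM Policies section above.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    }],
}

# Constructed counter-example containing the patterns the linter looks for.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)]:
        for index, finding in lint_policy(policy) or [(None, "no findings")]:
            print(f"{name}: statement {index}: {finding}")
```

The scoped policy produces no findings; the broad one produces four, two per Allow statement, while the trailing Deny is skipped because a Deny can only remove access. This is a syntactic check, so it complements rather than replaces Access Analyzer, which also uses CloudTrail activity to find permissions that are granted but never used.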

Summary

IAM controls access to AWS resources. Follow least privilege, use roles for EC2, enable MFA, and audit regularly.

Key takeaways:

  • User = person or service
  • Group = collection of users
  • Role = assumed by services
  • Policy = JSON permissions document
  • Least privilege = minimum permissions
  • EC2 roles = no access keys on instances
  • MFA = required for privileged access

What's Next: Course Wrap-Up

This concludes the DevOps Cloud AWS course.

IAM Roles vs Policies

| | Policy | Role |
|---------|--------|------|
| What | Set of permissions | Identity that assumes a policy |
| Attached to | User, group, or role | Service or trusted account |
| Use case | Grant permissions to users | Grant EC2 access to S3 |
| Temporary | No | Yes (via STS, temporary credentials) |

Full Infrastructure with CDK

from aws_cdk import (
    App,
    Stack,
    aws_ec2 as ec2,
    aws_s3 as s3,
    aws_iam as iam,
)

class FullInfraStack(Stack):
    def __init__(self, scope, construct_id, **kwargs):
        super().__init__(scope, construct_id, **kwargs)

        # VPC: two AZs, one NAT gateway for the private subnets
        vpc = ec2.Vpc(self, "MainVPC", max_azs=2, nat_gateways=1)

        # S3: versioned and server-side encrypted with S3-managed keys
        bucket = s3.Bucket(self, "AppBucket", versioned=True,
            encryption=s3.BucketEncryption.S3_MANAGED)

        # IAM role for EC2; grant_read adds only read actions scoped to this bucket
        role = iam.Role(self, "EC2Role",
            assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
        bucket.grant_read(role)

        # EC2 instance: the role is attached via an instance profile, so
        # the application gets temporary credentials instead of access keys
        ec2.Instance(self, "AppServer", vpc=vpc,
            instance_type=ec2.InstanceType("t3.micro"),
            machine_image=ec2.MachineImage.latest_amazon_linux2023(),
            role=role)

# Entry point so `cdk synth` can find the stack
app = App()
FullInfraStack(app, "FullInfraStack")
app.synth()

Summary

IAM is the foundation of AWS security. Use users, groups, roles, and policies to control access. Always follow least privilege, use roles for EC2, enable MFA, and audit permissions regularly.

Key takeaways:

  • User = identity for a person or service
  • Group = collection of users with shared permissions
  • Role = identity for AWS services with temporary credentials
  • Policy = JSON document defining allowed/denied actions
  • Least privilege = grant only what is needed
  • EC2 roles = secure alternative to access keys
  • MFA = multi-factor authentication for privileged users
  • CDK = define infrastructure and IAM together in code
  • Access Analyzer = find unused or overly permissive policies

What's Next: Course Wrap-Up

This concludes the DevOps Cloud AWS course: from VPC and EC2 through RDS, S3, CloudFront, WAF, ECS, EKS, and IAM.
