IAM & Full Infrastructure
Vibe Prompt
"Define IAM roles for EC2, ECS, and CI/CD. Apply least privilege and resource-based policies."
IAM Roles
```hcl
# Account id used to build the OIDC provider ARN for the CI/CD role
data "aws_caller_identity" "current" {}

# EC2 role - minimal permissions
resource "aws_iam_role" "ec2" {
  name = "ec2-app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Read-only access to one bucket: the bucket ARN for ListBucket, objects for GetObject
resource "aws_iam_role_policy" "ec2_s3" {
  name = "ec2-s3-read"
  role = aws_iam_role.ec2.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        aws_s3_bucket.assets.arn,
        "${aws_s3_bucket.assets.arn}/*"
      ]
    }]
  })
}

# CI/CD role - trust is limited to one repository and branch via the OIDC subject claim
resource "aws_iam_role" "cicd" {
  name = "github-actions-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRoleWithWebIdentity"
      Effect = "Allow"
      Principal = {
        Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
      }
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:sub" = "repo:myorg/myapp:ref:refs/heads/main"
          # Also pin the audience so only tokens minted for AWS STS are accepted
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
        }
      }
    }]
  })
}
```
Full Infrastructure Diagram
```
CloudFront (CDN + WAF)
        ↓
ALB (HTTPS termination)
        ↓
ECS Fargate (3 containers)
        ↓
RDS Postgres (Multi-AZ) + ElastiCache Redis
        ↓
S3 (assets, logs) + ECR (images)
```
CI/CD Pipeline
```
GitHub Push → Build Docker → Push ECR → Update ECS → Smoke Test
                              ↓
                      IAM Role (OIDC)
```
Cloud AWS Course Complete!
- VPC & EC2
- RDS & S3
- ECS & EKS
- CloudFront & WAF
- IAM & Full Infra
Chapter Summary
- Understand core concepts and principles
- Master implementation methods and techniques
- Familiar with common issues and solutions
- Able to apply in real projects
Further Reading
- Official documentation and API references
- Open source examples on GitHub
- Technical books and online courses
- Community discussions and tech blogs
IAM Policies
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
  }]
}
```
IAM Best Practices
| Practice | Why |
|----------|-----|
| Least privilege | Grant only needed permissions |
| Use roles for EC2 | Never put AWS keys on instances |
| Enable MFA | Required for privileged users |
| Rotate keys | 90-day rotation is standard |
| Use conditions | Restrict by IP, time, VPC |
| Audit regularly | Find unused permissions with Access Analyzer |
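The "least privilege" and "use conditions" rows above, together with the CI/CD trust policy in the Terraform section, describe checks that can be automated before a policy is applied. The following audit script is an added example written for this chapter, not code from the course or from AWS: it flags wildcard actions and resources in a permissions policy, and checks that a GitHub Actions OIDC trust statement pins both the `sub` claim (one repository and branch) and the `aud` claim (`sts.amazonaws.com`). The sample policies are constructed to mirror the chapter's; the account id `123456789012` is a placeholder.

```python
"""Least-privilege audit for IAM policy documents (constructed example)."""
import copy
from typing import Any, Dict, List

GH_SUB = "token.actions.githubusercontent.com:sub"
GH_AUD = "token.actions.githubusercontent.com:aud"

# Constructed sample: the read-only S3 policy shown in the chapter.
S3_READ_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    }],
}

# Constructed sample: an over-broad policy that an audit should flag.
OVERBROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed sample: the chapter's GitHub Actions trust policy (placeholder
# account id). It pins the subject claim but not the audience.
OIDC_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Condition": {"StringEquals": {GH_SUB: "repo:myorg/myapp:ref:refs/heads/main"}},
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_permissions_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for Allow statements that are not tightly scoped."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: resource '*' is not scoped to an ARN")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
    return findings


def audit_oidc_trust_policy(policy: Dict[str, Any], expected_sub: str) -> List[str]:
    """Return findings for web-identity trust statements missing claim pins."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        sub = equals.get(GH_SUB, like.get(GH_SUB))
        if sub is None:
            findings.append(f"statement {i}: no sub condition, any repository could assume the role")
        elif "*" in sub:
            findings.append(f"statement {i}: sub {sub!r} contains a wildcard")
        elif sub != expected_sub:
            findings.append(f"statement {i}: sub {sub!r} is not the expected {expected_sub!r}")
        if equals.get(GH_AUD) != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to 'sts.amazonaws.com'")
    return findings


def hardened_trust_policy(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of an OIDC trust policy with the audience claim pinned."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        if "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action")):
            stmt.setdefault("Condition", {}).setdefault("StringEquals", {})[GH_AUD] = "sts.amazonaws.com"
    return fixed


if __name__ == "__main__":
    expected = "repo:myorg/myapp:ref:refs/heads/main"
    print("s3-read  ", audit_permissions_policy(S3_READ_POLICY) or "OK")
    print("overbroad", audit_permissions_policy(OVERBROAD_POLICY))
    print("oidc     ", audit_oidc_trust_policy(OIDC_TRUST_POLICY, expected))
    print("hardened ", audit_oidc_trust_policy(hardened_trust_policy(OIDC_TRUST_POLICY), expected) or "OK")
```

The audit is deliberately conservative: a `StringLike` subject with a wildcard is reported even though it is syntactically valid, because `repo:myorg/*` would let every repository in the organisation assume the deployment role. Run it against `terraform show -json` output or the JSON you paste into the console before the role is created.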
Summary
IAM controls access to AWS resources. Follow least privilege, use roles for EC2, enable MFA, and audit regularly.
Key takeaways:
- User = person or service
- Group = collection of users
- Role = assumed by services
- Policy = JSON permissions document
- Least privilege = minimum permissions
- EC2 roles = no access keys on instances
- MFA = required for privileged access
What's Next: Course Wrap-Up
This concludes the DevOps Cloud AWS course.
IAM Roles vs Policies
| | Policy | Role |
|---------|--------|------|
| What | Set of permissions | Identity that assumes a policy |
| Attached to | User, group, or role | Service or trusted account |
| Use case | Grant permissions to users | Grant EC2 access to S3 |
| Temporary | No | Yes (via STS, temporary credentials) |
Full Infrastructure with CDK
```python
from aws_cdk import (
    Stack,
    aws_ec2 as ec2,
    aws_s3 as s3,
    aws_iam as iam,
    App,
)


class FullInfraStack(Stack):
    def __init__(self, scope, id, **kwargs):
        super().__init__(scope, id, **kwargs)

        # VPC: two AZs, one NAT gateway for private subnets
        vpc = ec2.Vpc(self, "MainVPC", max_azs=2, nat_gateways=1)

        # S3: versioned bucket with server-side encryption
        bucket = s3.Bucket(self, "AppBucket", versioned=True,
                           encryption=s3.BucketEncryption.S3_MANAGED)

        # IAM role for EC2: the instance profile is created by the Instance construct,
        # and grant_read scopes the policy to this bucket only
        role = iam.Role(self, "EC2Role",
                        assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
        bucket.grant_read(role)

        # EC2 instance attached to the role, so no access keys are needed on the host
        ec2.Instance(self, "AppServer", vpc=vpc,
                     instance_type=ec2.InstanceType("t3.micro"),
                     machine_image=ec2.AmazonLinuxImage(),
                     role=role)


# Synthesize the stack into a CloudFormation template (cdk synth / cdk deploy)
app = App()
FullInfraStack(app, "FullInfraStack")
app.synth()
```
Summary
IAM is the foundation of AWS security. Use users, groups, roles, and policies to control access. Always follow least privilege, use roles for EC2, enable MFA, and audit permissions regularly.
Key takeaways:
- User = identity for a person or service
- Group = collection of users with shared permissions
- Role = identity for AWS services with temporary credentials
- Policy = JSON document defining allowed/denied actions
- Least privilege = grant only what is needed
- EC2 roles = secure alternative to access keys
- MFA = multi-factor authentication for privileged users
- CDK = define infrastructure and IAM together in code
- Access Analyzer = find unused or overly permissive policies
What's Next: Course Wrap-Up
This concludes the DevOps Cloud AWS course: from VPC and EC2 through RDS, S3, CloudFront, WAF, ECS, EKS, and IAM.