IAM roles for EC2 instances – Secure Access to AWS APIs from EC2 - jedberg
http://aws.typepad.com/aws/2012/06/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service-apis-from-ec2.html

======
jedberg
This is super exciting for most AWS users, who had to solve this problem in
some sort of "hacky" way.

~~~
flyt
No more bullshit "drop your globally usable AWS keys directly into config
files and application code"

yes please!

------
ww520
This is really useful. Great thing. Setting the AWS key/secret for an app
securely has been a constant headache. This would reduce so many painful
points and be more secure.

------
kennu
This is a good feature, but it seems now the temporary AWS access keys of the
IAM role will be accessible to any application running on the EC2 instance,
not just the one with the config files like before. I wonder if this will
create any unexpected security issues? New kinds of trojans?

Also, I hope Boto (the Python AWS API) will support this soon.

~~~
tszming
Another concern is the EC2 Instance Metadata Service does not support SSL.

~~~
jeffbarr
This is true, but I'm not sure if I understand how SSL support for this would
increase security since the request and the response go no further than our
internal network.
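The sub-thread above is about two properties of the instance metadata service: the role's temporary credentials are fetched over plain HTTP from a link-local address, and any process on the instance that can open that connection gets the same short-lived keys. The following is an added illustration, written for this page and not code from the original post, from AWS or from Boto, of how a client reads those credentials and re-reads them before they expire. The endpoint path is the real one; the field names follow the real JSON document; the role name, the values in the document and the fake clock are constructed so it runs off-instance.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Link-local address of the EC2 instance metadata service. Anything on the
# instance that can reach it gets the role's credentials, which is why the
# role's policy should grant only what the instance actually needs.
METADATA_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Re-read this long before expiry so a request in flight never signs with a
# key that lapses mid-call.
REFRESH_MARGIN = timedelta(minutes=5)

# Constructed sample of the document the endpoint returns: real field names,
# placeholder values.
SAMPLE_DOC = json.dumps({
    "Code": "Success",
    "LastUpdated": "2012-06-11T19:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "EXAMPLESECRETKEYEXAMPLESECRETKEY",
    "Token": "EXAMPLESESSIONTOKEN",
    "Expiration": "2012-06-12T01:00:00Z",
})


def http_get(url, timeout=2.0):
    """Plain HTTP GET; the metadata service speaks unencrypted HTTP only."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_expiration(stamp):
    """Parse the 'Expiration' field (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class RoleCredentials:
    """Caches the role's temporary credentials and refreshes them before expiry.

    `fetch` and `now` are injectable so the logic can run without an instance.
    """

    def __init__(self, role_name, fetch=http_get,
                 now=lambda: datetime.now(timezone.utc)):
        self.url = METADATA_URL + role_name   # role name is an assumption
        self.fetch = fetch
        self.now = now
        self.creds = None
        self.expires_at = None
        self.refreshes = 0

    def _refresh(self):
        doc = json.loads(self.fetch(self.url))
        if doc.get("Code") != "Success":
            raise RuntimeError("metadata service returned %r" % doc.get("Code"))
        self.creds = {
            "access_key": doc["AccessKeyId"],
            "secret_key": doc["SecretAccessKey"],
            "session_token": doc["Token"],   # must accompany the key pair
        }
        self.expires_at = parse_expiration(doc["Expiration"])
        self.refreshes += 1

    def needs_refresh(self):
        return self.creds is None or self.now() >= self.expires_at - REFRESH_MARGIN

    def get(self):
        """Return a copy of the current credentials, refreshing if needed."""
        if self.needs_refresh():
            self._refresh()
        return dict(self.creds)


def demo():
    """Drive the cache with a fake clock and the constructed document."""
    clock = {"t": datetime(2012, 6, 11, 19, 0, tzinfo=timezone.utc)}
    rc = RoleCredentials("example-role", fetch=lambda url: SAMPLE_DOC,
                         now=lambda: clock["t"])
    first = rc.get()                                   # initial read
    clock["t"] += timedelta(hours=1)
    rc.get()                                           # still valid: cached
    clock["t"] = datetime(2012, 6, 12, 0, 57, tzinfo=timezone.utc)
    rc.get()                                           # inside the margin: re-read
    return first["session_token"], rc.refreshes


if __name__ == "__main__":
    print(demo())
```

The refresh margin is the part worth copying: the document carries an `Expiration`, and a client that signs with a cached key past that point fails in a way that looks like a permissions error. On the exposure point raised by kennu, the mitigation is on the policy side (give the role only the actions the instance needs, so a stray process on the box gains no more than the app itself had) rather than in the client.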

------
taligent
There is no doubt that IAM is the best thing to happen to Amazon AWS in a long
time. The ability to have read-only and more importantly write-only access to
SQS/S3/SimpleDB is brilliant. What is still needed though is a way to securely
manage the keys/certificates on the actual server. Maybe Amazon could build a
key store that only unlocks from certain processes at certain times and logs
access attempts.

~~~
flyt
Real logging of IAM access and key/role usage would be much appreciated for
auditing. Tough now to figure out who is doing what, from where, and with what
permissions.

Restricting AWS API access from sources outside the AWS network would also be
pretty useful.

