Other Articles

Support > AWS > Security & IAM

March 27, 2026

Overview

This article explains how to use IAM roles for AWS resources such as EC2 instances instead of storing long-lived access keys. Instance (host) roles provide secure, temporary credentials that eliminate the need to manage sensitive keys manually.

This approach improves security, simplifies credential management, and aligns with AWS best practices for secure cloud architecture.

What is an Instance (Host) Role?

An instance role is an IAM role that is attached to an EC2 instance (or other AWS service) to grant it permissions to access AWS resources.

Instead of storing access keys inside the instance, AWS automatically provides temporary credentials via the Instance Metadata Service (IMDS).

Why Not Use Access Keys?

• Keys can be exposed in code or repositories
• Manual rotation is required
• Hard to track and audit usage
• Long-lived credentials increase attack surface

Benefits of Using Instance Roles

• Temporary credentials (auto-rotated)
• No need to store secrets in code
• Better security and reduced risk
• Seamless integration with AWS services
• Full auditability via CloudTrail

How Instance Roles Work

• Create an IAM role with required permissions
• Attach the role to an EC2 instance
• AWS automatically generates temporary credentials
• Applications fetch credentials securely via IMDS

Common Use Cases

• EC2 accessing S3 buckets
• Applications writing logs to CloudWatch
• Pulling Docker images from ECR
• Accessing databases securely

Example Scenario

• EC2 instance needs to read from S3
• Create IAM role with S3 read permissions
• Attach role to EC2
• Application accesses S3 without storing keys

Best Practices

• Follow least privilege principle
• Avoid wildcard (*) permissions
• Use separate roles for different services
• Monitor usage with CloudTrail

Common Mistakes to Avoid

• Using access keys instead of roles
• Granting excessive permissions
• Reusing the same role across multiple services