
Using IAM Roles for Amazon EC2 Instances with the AWS SDK for Ruby
Note: For in-depth information about using IAM roles for EC2 instances, see Roles in Using IAM.
Securely managing authentication credentials is one of the first challenges that developers will face when
writing software that accesses Amazon Web Services (AWS). All requests to AWS must be
cryptographically signed using credentials issued by AWS. For software that runs on Amazon Elastic
Compute Cloud (Amazon EC2) instances, developers must store these credentials in a way that keeps
them secure but also makes them accessible to the software, which needs them in order to make requests.
Using IAM roles for EC2 instances provides an effective way to manage credentials for AWS software
running on EC2 instances. Other common strategies for managing credentials on EC2 instances are:
• First launch an Amazon EC2 instance, and then securely transfer the credentials to the instance using
a utility such as SCP (secure copy). This strategy doesn't scale well to large numbers of instances. It
also doesn't work well for instances that are created by AWS on behalf of the customer, such as Spot
Instances or instances in autoscaling groups.
• Embed the credentials as literal strings in the software itself. This means that anyone who comes into
possession of the software can scan through the code and retrieve the credentials.
• Create a custom AMI (Amazon Machine Image) with the credentials, perhaps stored in a file on the
AMI. With this approach, anyone with access to the AMI automatically has access to the
credentials—which again creates an unnecessary security risk.
With each of the preceding strategies, it is cumbersome to rotate (update) the credentials. New credentials
either have to be re-copied to the EC2 instance, compiled into a new build of the software, or incorporated
into the creation of a new AMI.
Using IAM roles for EC2 instances is the recommended solution for securely accessing AWS services
from an EC2 instance. With IAM roles, a developer can develop software and deploy it to an EC2 instance
without having to otherwise manage the credentials that the software is using.
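The following Ruby example is added here to illustrate the mechanism that makes IAM roles work and is not code from this guide or from the AWS SDK for Ruby: software on the instance asks the instance metadata service (IMDS, at 169.254.169.254) for the attached role's temporary credentials and refreshes them before they expire, so no long-lived secret is ever copied to the instance, compiled in, or baked into an AMI. The SDK's own Aws::InstanceProfileCredentials class does this automatically; the class name InstanceRoleCredentials, the role name, the credential values and the fake IMDS responses below are constructed for the example so it runs offline.

```ruby
require 'json'
require 'time'
require 'net/http'
require 'uri'

# Hypothetical provider (not the SDK's) showing how role credentials are
# fetched from IMDS and refreshed ahead of their advertised expiry.
class InstanceRoleCredentials
  IMDS_BASE  = 'http://169.254.169.254/latest'.freeze
  CREDS_PATH = '/meta-data/iam/security-credentials/'.freeze
  # Refresh well before expiry so no request goes out with credentials
  # that lapse mid-flight.
  REFRESH_MARGIN = 5 * 60

  Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration)

  # `fetcher` is a callable (path) -> response body; the default talks to
  # IMDS with an IMDSv2 session token. `clock` is injectable for tests.
  def initialize(fetcher: method(:imds_get), clock: -> { Time.now.utc })
    @fetcher = fetcher
    @clock = clock
    @creds = nil
  end

  # Current credentials, refreshed when missing or within REFRESH_MARGIN of expiry.
  def credentials
    refresh! if @creds.nil? || near_expiry?
    @creds
  end

  def near_expiry?
    @creds.expiration - @clock.call <= REFRESH_MARGIN
  end

  def refresh!
    role = @fetcher.call(CREDS_PATH).lines.first.strip     # listing returns the role name
    body = JSON.parse(@fetcher.call(CREDS_PATH + role))    # JSON document for that role
    raise "IMDS returned #{body['Code']}" unless body['Code'] == 'Success'
    @creds = Credentials.new(body['AccessKeyId'], body['SecretAccessKey'],
                             body['Token'], Time.iso8601(body['Expiration']))
  end

  private

  # IMDSv2: obtain a session token with PUT, then present it on each GET.
  def imds_get(path)
    token_uri = URI(IMDS_BASE + '/api/token')
    put = Net::HTTP::Put.new(token_uri)
    put['X-aws-ec2-metadata-token-ttl-seconds'] = '21600'
    opts = { open_timeout: 1, read_timeout: 1 }
    token = Net::HTTP.start(token_uri.host, token_uri.port, opts) { |h| h.request(put) }.body
    get = Net::HTTP::Get.new(URI(IMDS_BASE + path))
    get['X-aws-ec2-metadata-token'] = token
    Net::HTTP.start(token_uri.host, token_uri.port, opts) { |h| h.request(get) }.body
  end
end

# Constructed IMDS responses (not real credentials) so the logic runs offline.
SAMPLE_EXPIRY = Time.utc(2024, 1, 1, 6, 0, 0)
FAKE_IMDS = lambda do |path|
  case path
  when InstanceRoleCredentials::CREDS_PATH then "example-app-role\n"
  when InstanceRoleCredentials::CREDS_PATH + 'example-app-role'
    JSON.generate('Code' => 'Success', 'Type' => 'AWS-HMAC',
                  'AccessKeyId' => 'ASIAEXAMPLEKEYID0000',
                  'SecretAccessKey' => 'example-secret',
                  'Token' => 'example-session-token',
                  'Expiration' => SAMPLE_EXPIRY.iso8601)
  else raise "unexpected IMDS path #{path}"
  end
end

# Advance a fake clock into the refresh margin and count credential fetches:
# one on first use, none while fresh, one more as expiry approaches.
def demo_refresh
  now = Time.utc(2024, 1, 1, 0, 0, 0)
  fetches = 0
  counting = lambda do |path|
    fetches += 1 if path.end_with?('example-app-role')
    FAKE_IMDS.call(path)
  end
  provider = InstanceRoleCredentials.new(fetcher: counting, clock: -> { now })
  token = provider.credentials.session_token
  provider.credentials             # still fresh: served from cache
  now = SAMPLE_EXPIRY - 60         # inside the 5 minute margin
  provider.credentials             # triggers a refresh
  { token: token, imds_fetches: fetches }
end
```

Rotation is the point: the credentials IMDS hands out are short-lived and replaced automatically, which is exactly what the copy-over-SCP, embedded-string and custom-AMI approaches above make cumbersome.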
Topics
• Using IAM Roles for EC2 Instances to Manage Your Credentials (p.10)
Version v1.0.0
9
AWS SDK for Ruby Developer Guide