Using Parameter Store and IAM Roles in AWS

Hands-On Lab

 

Mark Richman

AWS Training Architect II in Content

Length

01:00:00

Difficulty

Advanced

In this hands-on learning activity, you will work with SSM Parameter Store and an ECS task IAM role. You will create an IAM policy and attach that policy to an ECS task IAM role. This policy will grant specific access to various application secrets in SSM Parameter Store, as well as to the KMS keys that encrypt them. You can then view the effects of policy changes on the container's permissions. Sample IAM policy: https://github.com/linuxacademy/ecs-deep-dive-2018/blob/master/parameter-store/app1-secret-access.json

Introduction

In this hands-on lab, we will work with SSM Parameter Store and an ECS task IAM role. We will create an IAM policy and attach that policy to an ECS task IAM role.

Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Use the sample IAM policy linked in the lab description (app1-secret-access.json in the linuxacademy/ecs-deep-dive-2018 repository) as a template for the policy you attach to the task IAM role.

Create and Attach an IAM Policy to the ECS Task IAM Role

  1. In the AWS console, navigate to IAM.
  2. Click Encryption keys in the left-hand menu.
  3. Click to open prod-app1.
  4. In the ARN:
    • Copy the account ID (the series of numbers between us-east-1: and :key) and paste it into a text file.
    • Also, copy its key ID (everything after key/) and paste it in a text file as well.
  5. Click Policies in the left-hand menu, and click Create policy.
  6. In the JSON tab, replace the code in the box with the template on GitHub.
    • Replace <account-id> with the AWS account ID you copied.
    • Replace <key-id-for-prod-app1-key> with the key ID you copied.
  7. Click Review policy.
  8. On the Review policy page, give it a name of "prod-app1".
  9. Click Create policy.
  10. Click Roles in the left-hand menu.
  11. Search for "task" to find the IAM role we need.
  12. Click to open the task IAM role.
  13. In the Permissions tab, click Attach policies.
  14. Search for "prod" to find the one we just created.
  15. Select it, and click Attach policy.

Run the ECS Task

  1. Navigate to ECS.
  2. Click Task Definitions in the left-hand menu.
  3. Click to open access-test.
  4. Click Actions and select Run Task.
  5. Set a Launch type of EC2.
  6. Leave the rest of the defaults, and click Run Task.
  7. Once it enters the RUNNING state, click to view its details.
  8. You can use CloudWatch Logs to view all the container startup logs.

Verify Access

  1. Once the task is running, check the public IP of the container instance and navigate to the following page: http://<CONTAINER INSTANCE PUBLIC IP>/ecs.html
  2. Review the test output. You should see the results of several different access tests from the container.
    • Only the calls for which the role has access to both the parameter and the KMS key that encrypts it should succeed. All others will fail with an AccessDeniedException.
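The access tests above come down to a two-part check: the task role needs the parameter itself and, for a SecureString read with decryption, kms:Decrypt on the key that encrypts it. The following Python script, an added example that is not part of this lab or of the linked GitHub policy, simulates that evaluation offline with a simplified IAM matcher. The account ID, key IDs, parameter names and policy statements are constructed placeholders modelled on the lab description, not values from the lab environment.

```python
# Added example (not the lab's own code or policy): simulate how a scoped IAM
# policy on an ECS task role gates reads of SSM Parameter Store values.
# Account ID, key IDs and parameter names below are constructed placeholders.
import fnmatch

REGION = "us-east-1"
ACCOUNT_ID = "123456789012"                              # placeholder account ID
PROD_APP1_KEY = "11111111-1111-1111-1111-111111111111"  # placeholder id for the prod-app1 key
OTHER_KEY = "22222222-2222-2222-2222-222222222222"      # placeholder id for some other key


def kms_arn(key_id):
    return f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{key_id}"


def ssm_arn(name):
    # A parameter name beginning with "/" yields an ARN like ...:parameter/prod/app1/x
    return f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter{name}"


# Constructed policy modelled on the lab description: read parameters under
# /prod/app1/ and decrypt only with the prod-app1 key.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": ssm_arn("/prod/app1/*")},
        {"Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": kms_arn(PROD_APP1_KEY)},
    ],
}

# Constructed parameter inventory: name -> ARN of the key that encrypts it,
# or None for a plain String parameter that needs no KMS call.
PARAMETERS = {
    "/prod/app1/db_password": kms_arn(PROD_APP1_KEY),   # parameter and key both allowed
    "/prod/app1/feature_flag": None,                    # String, no decrypt needed
    "/prod/app1/api_token": kms_arn(OTHER_KEY),         # parameter allowed, key not
    "/prod/app2/db_password": kms_arn(PROD_APP1_KEY),   # key allowed, parameter not
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Conditions, NotAction and principals are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def get_parameter(policy, name, with_decryption=True):
    """Simulate ssm:GetParameter: the role needs the parameter itself and, for a
    SecureString read with decryption, kms:Decrypt on the key that encrypts it."""
    if not is_allowed(policy, "ssm:GetParameter", ssm_arn(name)):
        return "AccessDeniedException"
    key = PARAMETERS[name]
    if with_decryption and key is not None and not is_allowed(policy, "kms:Decrypt", key):
        return "AccessDeniedException"
    return "ok"


def run_access_tests(policy):
    """One outcome per parameter, one row per simulated access test."""
    return {name: get_parameter(policy, name) for name in PARAMETERS}


if __name__ == "__main__":
    for name, outcome in run_access_tests(POLICY).items():
        print(f"{name:28s} {outcome}")
```

The two mixed cases are the ones worth noticing: a parameter the role can read but whose key it cannot decrypt still fails, and a parameter encrypted with the permitted key still fails when the parameter ARN itself is out of scope. Tightening either statement in the policy changes the outcome, which is the effect the lab has you observe on the ecs.html test page.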

Conclusion

Congratulations on completing this hands-on lab!