24. [활용] Create IAM role

 

"Custom Policy 생성

getitem

putitem

updateitem

 

Add - ARN "

 

 

OK in the video let's set up the IAM role and this role will help our PHP application talk to the

dynamodb table because dynamodb is an.

AWS service and for the application to connect to the DynamoDB service and to access the tables and

actions in that service the application needs permissions right.

And the way to grant those permissions to the application is to use the IAM role.

So we create and IAM role first right.

And initially this role will have full access will have full access to the DynamoDB tables

all the tables all the actions and we will attach the role to the EC2 instance we will take one instance

test the set up we will attach the role to this EC2 instance right which means the application

will have full dynamodb access.

And then we will test the dynamodb sessions page.

This one this dyn_session.

dot PHP we will test this page and we will verify that the page is actually working with dynamodb

is able to create the sessions in the table.

All right so so once this works we know that our role works right we are able to attach the role successfully

to the EC2 instance and dynamodb page is working successfully.

Right.

But what we really want to do is not have full access.

We want to follow the principle of least privileges right and have restricted access restricted access

to be to the DynamoDB table.

So what we want to do is we want to create a custom policy the full access is just for initial set

up right but then we want to create a custom policy and here we want to grant access just to the sessions

table.

First of all only to the sessions table and also a few actions only so.

So this needs just get item right it needs to read the session item from the table.

It needs to put item in case its creating a new session's new session.

And sometimes it has to update the item as well.

 

Right.

So.

So these are the three actions and this is the only table that the application needs access to.

Right so we create a custom policy with this kind of these kinds of restrictions and then we attach

the custom policy to the role right to the role and then we will verify the application.

Once again we verify the application once again.

We also take a look at the sessions table just to see whether the application is creating updating items successfully

in the dynamodb table.

Okay.

So let's let's begin and we'll start with creating the role with full dynamodb access.

All right so let's let's go to IAM identity and access management.

And let's see how to set up the IAM role for our PHP for our PHP application.

So this is under security identity and compliance category.

And let's go into IAM.

And let's go right ahead.

And from the roles section the roles section let's create a new role.

Let's create a new role this role is going to be a service role it's going to

be a service role.

And more specifically it's going to be an EC2 service role and we want to allow EC2 instances to

call AWS services specifically dynamodb.

Right.

So.

So we'll choose this one this one.

And and then we set up the permissions.

Right.

And initially the permissions will be full access.

dynamodb full access this way we can we can test the application and make sure most things

are working.

And then in the end we will change the policy we will remove this policy and set up a custom policy.

But for now let's go with dynamodb full access.

And so let's give this role a name let's call it something like this.

All right.

This is our PHP application role and this right now has full dynamodb access.

OK.

So this is our role.

This is our role.

If you just filter by PHP you'll see this is our role.

OK.

And now what we will do is we will attach this role to our EC2 instance.

So we have an EC2 instance with application.

Right.

And on this application if you test the dynamodb session page.

You'll see some sort of an error you'll see an HTTP 500 error.

That's fine.

That's fine because right now the page does not have permissions.

But let's.

attach the role to the instance and we can do that by going to instance settings and here attach

or replace.

IAM role.

OK.

And here we can pick our PHP role pick our PHP app role the one that we just created.

Let's apply this.

All right so that's done.

OK that's done.

And now let's try and refresh this page and see what happens.

OK now you see the error has gone away which means the role has been attached successfully.

Let us also verify that these sessions are being created.

So let's let's go here and let me enter my name and submit and you can now see it does show me the

welcome message which means the session has been created in dynamodb table.

OK.

All right so.

So the first part of our set up is complete we have the role working with the EC2 instance.

Essentially we have a role with full access we have attached that role to the EC2 instance

dynamodb session page which was not working initially is now working right now.

We need to secure this we need to make this better.

And what we want to do is have a Custom Policy with more restrictions.

Right.

And this is we're trying to follow the principle of least privileges.

why have more permissions than required.

Let's make it more restrictive So let's go back to the IAM console right.

And here we go into policies and we create a new policy.

All right.

And here what we want to do is want to grant access to dynamodb and we want to grant access

to.

Very few actions and those are get item.

All right we need get item access and under write we will need put item so that it can create a new

session record.

And also update item.

But that's it that's it doesn't need anything more because it's just interacting with the table it

doesn't need things like create table or delete table.

all right.

All right.

So.

So let's now let's know.

Also we should add the table.

So these are actions we also need to end the specific table so the application cannot read

and write from any other table.

So let's add the ARN the Amazon resource name of the the table and the way you can do this is

you can do it from here.

You can you can say you can provide the region.

So so my table is in in the EU central region Frankfurt.

Right.

And you can say you can give you a 12 digit account number but for now I'll just keep the stock.

Why not just get the start which means.

Which means all my accounts are under on my accounts.

The policy will allow access and then close the session sessions so they like the session statement

that we have created in this region in and will be kept.

So this ideally should be a specific account that's more secure but for now this will not this will

do.

So.

So this is our ARN of these sessions table you can also find

the ARN from dynamodb you know you can go to the table.

in the.

dynamodb service and find the ARN there as well.

All right.

So this is our policy we're essentially restricting access to get put and update item and to a specific session

table.

And let's now create this custom policy.

Let's get this a name

let's say dynamodb access something at this.

Right.

And now let's create this policy OK.

You can search for this policy you can find this policy like this.

And let's take a look at this maybe.

Let's take a look at the JSON especially and you can see that we have put get and update item to a specific

sessions table.

OK.

All right.

Now we need to update this in our in our role.

So this is our role the PHP role that we have and we need to get rid of full access.

Right.

This is not very secure.

So let's get rid of that and in it's place let's attach the custom policy that we just created which

is this one OK.

So now the policy Custom Policy has been attached to our role and we don't need to do anything with

the EC2 instance instance has the role already.

And behind the scenes we have changed the policy from full access to the custom restrictive policy.

So nothing has to be done here but we do need to test our application.

Right.

So the application should be able to connect with the dynamodb table.

Right.

And it looks like it is working.

So when I refresh the page you can see it does recognize the the session OK.

So this way we have verified that the the application works with the role.

And it also works not just with full access but also with a custom policy with restricted access to

the sessions table and also to just three actions OK.

We can also go into the DynamoDB service.

Right.

And we can also see that the application is reading and writing from the dynamodb table.

So let's do that let's go here and here here's our.

Here's our table

right.

And you can see the items here and you can see the items here.

And notice that when you refresh this page you'll find you'll find that the item will change.

So one of these you can you can see the expires item here.

Let me just clean up some of these records and then we can see this better.

So let me delete these.

Right.

And now you can see the number of 680 the last three digits.

And if I refresh this page you can see that the number will change because every time we refresh the

page the expiry date is.

Time is extended right.

So can you can see that the number changes which means the application is working well with the

dynamodb table using the role that we have setup.

All right.

So I hope this is clear but in summary what we have done is created a role with full access initially

attached the role to the instance tested.

Our dynamodb session page.

Made sure that it works at it that it is able to create a session right and then we changed the policy

to remove the full access policy.

And in its place we created a custom policy which has access just to the table a specific table and

access to just a few actions.

Right.

And then we attached the custom policy to the role and then we tested the application once again.

OK.

All right.

So good luck with this task.