AWS实例配置文件与IAM用户角色

Question

In terms of security, which option is better for handling permissions on a Jenkins EC2 instance, an instance profile or a IAM user with a role?

An instance profile allows anyone who has access to the box to run the specified aws cli commands. With an IAM jenkins user, one could limit who is able to run the aws cli commands by locking down credential files on the instance. Is there any benefit to using an instance profile?

Answer 1

I think in your case both methods are comparable - please think what will happen when you have leakage of your IAM jenkins user access key (please note that security fixes comes to Jenkins quite often): intruder can access AWS API from his PC even without direct access to your infrastructure. So to avoid that problem you need probably to set proper policy as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html but it means that you need to hardcode there your instance IP what can hit you in the future.

On the other hand instance profile is more elastic but as you mentioned - when intruder has direct access to machine he can send request to AWS API. So I think you need to consider what level of security you need and how much time you want to spend on maintenance of that solution.

Answer 2

The IAM role can't be directly attached to the Jenkins instance , so create a profile and ref IAM role in it and then attach that profile to you instance. Passing credential file to instance is not among best practices. If i join your company and get access to the key , then even after leaving the company i will have access to those keys which i can use in future provided you don't remove those keys and generally on instances people keep the keys stagnant because of it's use by multiple applications.