Posted On: Mar 6, 2023

You can now use Credential Control Properties to more easily restrict the usage of your IAM Roles for EC2.

IAM Roles for EC2 allow your applications to securely make API requests without requiring you to directly manage the security credentials. Temporary and rotating IAM credentials are automatically provisioned to your instances' metadata service with permissions you've defined for the role. Your applications, usually through the AWS SDKs or CLI, then retrieve and use those temporary credentials. 

Previously, if you wanted to restrict the network location where these credentials could be used, you would need to hard-code the VPC IDs and/or IP addresses of the roles in the role policy or VPC Endpoint policy. This required administrative overhead and potentially many different policies for different roles, VPCs, etc. 

Each role credential now has two new properties, which are AWS global condition keys, adding information about the instance from which they were originally issued. These properties, the VPC ID and the Instance’s Primary Private IP address, can be used in IAM policies, Service Control Policies (SCPs), VPC endpoint policies, or resource policies to compare the network location where the credential originated to where the credential is used. Broadly-applicable policies can now limit the use of your role credentials to only the location from where they originated. Examples of these policies are in this blog post. When creating IAM Roles, as with any IAM principal, use least-privilege IAM policies that restrict access to only the specific API calls your applications require. 

These properties are now available in all AWS Regions, including AWS GovCloud (US) regions. There is no additional charge to use this feature. For more information on IAM for EC2, see the User Guide. For more information on actions, resources, and condition keys for Amazon EC2, see the Service Authorization Reference guide.