Posted On: Mar 6, 2023

You can now use new Credential Control Properties to more easily restrict the usage of your IAM Roles for EC2.

IAM Roles for EC2 allow your applications securely to make API requests from your instances without requiring you to directly manage the security credentials that the applications use. The application is granted the permissions for the actions and resources that you've defined for the role, and temporary and rotating IAM credentials are automatically provisioned to your instances' metadata service. Your applications, usually through the Amazon SDKs or CLI, then automatically retrieve and use those temporary credentials.

Previously, if you wanted to restrict the network location where the provisioned role credentials could be used, you would need to hard-code the VPC IDs and/or IP addresses of the roles in the role policy or VPC Endpoint policy. This required significant administrative overhead and potentially many different policies for different roles, VPCs, etc.

As of today, each and every role credential has two new properties unique to that particular instance’s copy of the credential. These new properties, which are global condition keys, add information about the instance from which your EC2 role credentials were originally issued. These properties, specifically the VPC ID and the Primary Private IP address of the instance, can then be used in condition statements in Identity and Access Management (IAM) policies, VPC endpoint policies, or resource policies. These conditions compare the network location where the credential originated to the network location from where the credential is actually being used. Broadly-applicable policies can now limit the use of your role credentials to only the location where they originated. When creating IAM Roles, as with any IAM principal, use least privilege IAM policies that restrict access to only the specific API calls your applications require.

These properties are now available in in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD.

There is no additional charge to use this feature. For more information on Identity and Access Management for EC2, see the Amazon EC2 User Guide. For more information on actions, resources, and condition keys for Amazon EC2, see the Service Authorization Reference guide.