# Authentication

## Allow S3 access from EC2 instance

* Create a role for the instance, with permissions only for what it will actually use (e.g. read/write on specific bucket prefixes, read a specific secret, Redshift). The AWS managed policies are the quick start: AmazonRedshiftAllCommandsFullAccess, AmazonS3ReadOnlyAccess, SecretsManagerReadWrite. Note that these grant access to every bucket, every secret and every Redshift cluster in the account; once the instance works, scope the statements down to the resource ARNs it needs.
* Assign that role to the instance (the console attaches it through an instance profile that wraps the role).

https://repost.aws/knowledge-center/ec2-instance-access-s3-bucket

## Troubleshooting

### EC2 slowly or never responds

Compute Optimizer finding: "EBS throughput is under-provisioned".

The bottleneck is the instance, not the volumes: each instance type has a maximum EBS bandwidth, and several EBS volumes attached to one instance can together accept data faster than the instance can push it to them. The fix is a larger or more EBS-optimized instance type, not a bigger volume.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html

In the AWS console, on the EC2 instance page, under "AWS Compute Optimizer", next to the "Under-provisioned" warning, click "View detail" to open a window with recommended instance types, along with graphs showing the difference in CPU and cost.

For the spnet_dev machine, this error appeared after I raised the EBS volume from 8 GB to 30 GB. I chose t3.micro, which showed differences (changes necessary) in Hypervisor, Storage interface, and Network interface.

Changing instance type requires stopping the instance, and not every type is reachable from every other (different hypervisor, storage interface or network interface):
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resize-limitations.html

### EC2 stops responding during docker compose

Last build output before the instance stopped answering: `=> [front-end base-front-end 4/6] RUN npm install`

A likely cause on a small instance is `npm install` exhausting memory, which makes the host unreachable; check free memory and swap on the instance before rerunning, or build the image elsewhere and pull it.

## Questions remaining

* Roles for "workload" identities (EC2 instances, Lambda functions, containers), as opposed to human users
* Travis: How to assign broad privileges to a process, run it, then identify the minimum privileges it needs? (IAM Access Advisor shows which services a role has actually called; IAM Access Analyzer can generate a policy from the role's CloudTrail activity.)
* Temporary access roles vs static access keys
* Access Control ???

## Notes to be Organized and Completed

### Authentication

* Give the EC2 instance a role with access to S3 etc., NOT an AWS access key. The instance is launched with an instance profile; the profile contains the role, and the role carries the privileges. The role must also have permission to read any secret the instance needs.
* Creating a role:
  * Trusted entity: what kind of thing assumes it, i.e. an AWS service (EC2, Lambda), another account, or a federated identity via SAML assertion?
  * Permissions: use or edit an AWS managed policy, or write your own. The policy is a JSON document that defines what the role can do (actions, resources, conditions).
  * Trust relationship: the trust policy lists who may call sts:AssumeRole on the role.
* A user gets permissions through a group or through a permission/policy document attached directly.
* Access Advisor: shows which services a role or user has actually used and when, so unused permissions can be pared down.
* Security group: inbound and outbound port rules.
  * A rule can allow all traffic from another security group by referencing that group instead of a CIDR. Security groups are stateful and outbound is allow-all by default, so the reference belongs in the inbound rules of the receiving group; add a matching rule in the other group only if its outbound rules have been restricted.
* Parameter Store (cheaper) for less sensitive configuration: define the config for a project; the role that reads it needs ssm:GetParameter / ssm:GetParameters on those parameter names. Standard parameters cost nothing, up to 10,000 per account per Region, values up to 4 KB (advanced parameters allow 8 KB and are charged).
  * SecureString parameters are encrypted with a KMS key; the reading role also needs kms:Decrypt on that key, so add it to the policy document.
  * AWS also publishes public parameters (e.g. the latest Amazon Linux AMI IDs).
* Secrets Manager: $0.40/month per secret plus $0.05 per 10,000 API calls.
* Temporary credentials from IAM roles (issued automatically, expire, nothing to store) vs access keys for long-term access (static, rotated by hand, easy to leak).
* Identities are not only people: AWS resources (EC2 instances, Lambda functions) are workload identities that act by assuming a role.
* Secrets are what an identity presents when it initiates contact with something else (a database, an API, another process): API key/secret, user/password, private key, token, certificate ...
  * https://docs.aws.amazon.com/secretsmanager/latest/userguide/hardcoded.html (moving hard-coded secrets out of code)
* Create a role to manage the secrets (create, rotate, delete).
* Create a separate role to retrieve secrets: grant it permission to read only the specific secrets it needs, and give that role to the code/process of interest.
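The role setup described in "Allow S3 access from EC2 instance" and in the notes above (instance profile wrapping a role, a trust relationship for EC2, permissions scoped to the bucket prefixes and the one secret the process needs, kms:Decrypt when the secret uses a customer-managed key), written out as an added example. This is not code from the original notes or from AWS; the bucket name, prefix, secret ARN, KMS key ARN, role name and instance ID are assumptions, and the account ID is the AWS example account number. The policy builders run offline; only `apply_role` calls AWS through boto3.

```python
"""Least-privilege role for an EC2 workload: the trust policy, a permissions
policy scoped to one bucket prefix and one secret, and the boto3 calls that
attach it to an instance through an instance profile.

Added example, not code from the original notes. The bucket, prefix, secret
ARN, KMS key ARN, role name and instance ID used below are assumptions."""
import json
from typing import Optional


def trust_policy_for_ec2() -> dict:
    """Trust relationship: only the EC2 service may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def workload_policy(bucket: str, prefix: str, secret_arn: str,
                    kms_key_arn: Optional[str] = None) -> dict:
    """Permissions policy that replaces AmazonS3ReadOnlyAccess and
    SecretsManagerReadWrite with statements scoped to the named resources."""
    prefix = prefix.strip("/") + "/"
    statements = [
        {   # ListBucket is bucket-level; the condition limits it to the prefix
            "Sid": "ListPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
        },
        {   # object-level actions only on keys under the prefix
            "Sid": "ReadWritePrefixObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        },
        {   # the role must be allowed to read the one secret the code needs
            "Sid": "ReadOneSecret",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        },
    ]
    if kms_key_arn:
        # only needed when the secret is encrypted with a customer-managed key
        statements.append({
            "Sid": "DecryptSecretKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_resources(policy: dict) -> list:
    """Sanity check before applying: Sids of Allow statements whose Resource
    is '*' (the shape the broad managed policies have)."""
    bad = []
    for st in policy["Statement"]:
        resources = st["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if st["Effect"] == "Allow" and "*" in resources:
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


def apply_role(role_name: str, policy: dict, instance_id: str) -> str:
    """Create role + inline policy + instance profile and attach it to the
    instance. boto3 is imported here so the policy builders work offline."""
    import boto3
    if wildcard_resources(policy):
        raise ValueError(f"refusing policy with Resource '*': {wildcard_resources(policy)}")
    iam = boto3.client("iam")
    ec2 = boto3.client("ec2")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust_policy_for_ec2()))
    iam.put_role_policy(RoleName=role_name, PolicyName=f"{role_name}-workload",
                        PolicyDocument=json.dumps(policy))
    # the instance profile is what EC2 actually attaches; it holds the role
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    iam.get_waiter("instance_profile_exists").wait(InstanceProfileName=role_name)
    ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": role_name},
                                       InstanceId=instance_id)
    return role["Role"]["Arn"]


if __name__ == "__main__":
    policy = workload_policy(
        bucket="spnet-dev-data", prefix="uploads",   # assumed names
        secret_arn="arn:aws:secretsmanager:us-east-1:123456789012:secret:spnet/dev/db-AbCdEf")
    print(json.dumps(policy, indent=2))
    # apply_role("spnet-dev-ec2", policy, "i-0123456789abcdef0")  # needs AWS credentials
```

The caller that runs `apply_role` needs iam:CreateRole, iam:PutRolePolicy, iam:CreateInstanceProfile, iam:AddRoleToInstanceProfile and iam:PassRole for the new role, plus ec2:AssociateIamInstanceProfile. A freshly created instance profile propagates with a short delay; if the association call rejects the profile name right after the waiter returns, retry it after a few seconds. Once the instance is running with the profile, the SDK on the instance picks up the role credentials from the instance metadata service with no access key in code or config.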