What Is an EC2 IAM Profile? The Secure Alternative to AWS Access Keys on EC2

https://letstalkaboutdevops.com/

When automating infrastructure on AWS, one of the most common mistakes is storing AWS access keys directly on EC2 instances.

For example, many tutorials suggest creating a file like:

~/.aws/credentials
[default]
aws_access_key_id=ACCESS_KEY
aws_secret_access_key=SECRET_KEY

While this works, it introduces security risks:

  • Credentials can be accidentally exposed
  • Keys may be committed to Git repositories
  • Rotation becomes difficult
  • Compromised servers expose long-lived credentials

AWS provides a much better solution: EC2 IAM Profiles.

In this article, we’ll explain what an EC2 IAM Profile is, how it works, and why every DevOps engineer should use it whenever possible.


What Is an EC2 IAM Profile?

An EC2 IAM Profile is a mechanism that allows an EC2 instance to securely receive temporary AWS credentials without storing access keys on the server.

In simple terms:

  1. You create an IAM Role.
  2. You attach permissions to that role.
  3. You attach the role to your EC2 instance.
  4. AWS automatically provides temporary credentials to applications running on that instance.

No access keys required.


IAM Role vs IAM Profile

This is where many AWS users get confused.

IAM Role

An IAM Role defines:

  • What actions are allowed
  • Which AWS services can assume the role

Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}

IAM Instance Profile

An Instance Profile is a container that allows an EC2 instance to use an IAM Role.

When you attach a role to an EC2 instance in the AWS Console, AWS automatically creates and uses an instance profile behind the scenes.

Most engineers simply refer to the entire setup as an “EC2 IAM Profile.”


Why Use IAM Profiles Instead of Access Keys?

Traditional Approach

vim ~/.aws/credentials
[default]
aws_access_key_id=AKIA...
aws_secret_access_key=SECRET...

Problems:

  • Long-lived credentials
  • Manual rotation
  • Easy to leak
  • Security audits become harder

IAM Profile Approach

No credential files.

No secrets.

AWS automatically generates temporary credentials and rotates them for you.

Benefits:

  • Improved security
  • Automatic credential rotation
  • Easier compliance
  • Reduced operational overhead

How EC2 Retrieves Credentials

When an application on the EC2 instance needs AWS credentials, the AWS SDK checks several locations.

One of the last checks is the EC2 Instance Metadata Service (IMDS).

The SDK requests temporary credentials from:

http://169.254.169.254/

AWS returns temporary credentials associated with the attached IAM Role.

Applications such as:

  • AWS CLI
  • Terraform
  • Ansible
  • Certbot DNS plugins
  • Python boto3
  • AWS SDK for Java
  • AWS SDK for Go

can all use these credentials automatically.


Example: Route53 DNS Updates

Suppose your server needs to update Route53 DNS records during SSL certificate renewal.

Instead of storing credentials:

aws_access_key_id=...
aws_secret_access_key=...

Create an IAM Role with permissions like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    }
  ]
}

Attach the role to the EC2 instance.

Now Certbot or Ansible can access Route53 without any stored secrets.


Verify Your EC2 IAM Profile

SSH into the instance and run:

aws sts get-caller-identity

Example output:

{
  "UserId": "AROA...",
  "Account": "123456789012",
  "Arn": "arn:aws:sts::123456789012:assumed-role/Route53Role/i-0123456789"
}

If the Arn is an assumed-role ARN (rather than an IAM user ARN), the IAM Profile is working correctly.


How to Attach an IAM Role to an Existing EC2 Instance

AWS Console

  1. Open EC2 Console
  2. Select your instance
  3. Actions
  4. Security
  5. Modify IAM Role
  6. Select the desired role
  7. Save

The new permissions become available within a few minutes.


Best Practices

Follow Least Privilege

Grant only the permissions required.

Avoid:

{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}

Instead, allow only the services your application needs.

Use Temporary Credentials

Never create access keys unless absolutely necessary.

Enable IMDSv2

AWS recommends requiring Instance Metadata Service Version 2 (IMDSv2), which demands a session token (obtained with a PUT request) on every metadata call, so a stray GET forged through an application flaw cannot read the instance credentials.
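As an added example (not code from the original article), here is the IMDSv2 exchange the SDK performs behind the scenes when it falls through to the metadata service, together with the assumed-role check from the Verify section, in Python using only the standard library. The `fake_imds` responder, the role name Route53Role and the credential values are constructed so the code runs offline; on a real instance, call `fetch_instance_credentials()` with the default transport.

```python
import json
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL = "21600"  # seconds; IMDSv2 session tokens live at most 6 hours

def imds_http(method, path, headers):
    """Real transport for an EC2 instance: returns the response body as text."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_instance_credentials(http=imds_http):
    """IMDSv2 exchange: PUT for a session token, then GET with that token.
    When the instance requires IMDSv2, a token-less GET is refused (401)."""
    token = http("PUT", "/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})
    auth = {"X-aws-ec2-metadata-token": token}
    base = "/latest/meta-data/iam/security-credentials/"
    role = http("GET", base, auth).strip()  # directory lists the attached role
    creds = json.loads(http("GET", base + role, auth))
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {creds.get('Code')!r} for {role}")
    return role, creds

def is_assumed_role(caller_identity, expected_role):
    """True when `aws sts get-caller-identity` output carries an assumed-role
    ARN for expected_role, i.e. the instance profile is in use, not a key."""
    parts = caller_identity.get("Arn", "").split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return False
    resource = parts[5].split("/")  # assumed-role/<RoleName>/<session-name>
    return resource[:2] == ["assumed-role", expected_role] and len(resource) == 3

# Constructed fake IMDS (not captured from a real instance) for offline runs.
FAKE_TOKEN = "AQAAAEXAMPLETOKEN=="
FAKE_CREDS = {"Code": "Success", "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
              "Token": "example-session-token", "Expiration": "2030-01-01T00:00:00Z"}

def fake_imds(method, path, headers):
    if method == "PUT" and path == "/latest/api/token":
        return FAKE_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        raise PermissionError("401 Unauthorized: IMDSv2 token required")
    if path == "/latest/meta-data/iam/security-credentials/":
        return "Route53Role\n"
    if path == "/latest/meta-data/iam/security-credentials/Route53Role":
        return json.dumps(FAKE_CREDS)
    raise FileNotFoundError(path)
```

The returned `Expiration` is what the SDK watches to refresh credentials before they lapse, which is the automatic rotation described above.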

Audit Permissions Regularly

Review IAM roles periodically to remove unused permissions.


Conclusion

An EC2 IAM Profile is one of the simplest security improvements you can make in AWS.

Instead of storing access keys on servers, attach an IAM Role to your EC2 instance and let AWS provide temporary credentials automatically.

For DevOps teams managing infrastructure, automation, CI/CD pipelines, Route53 updates, backups, or monitoring, IAM Profiles should be the default choice whenever workloads run on EC2.

Less credential management. Less risk. Better security.
