The Amazon AWS service API is an essential tool for automating the deployment, monitoring, and management of AWS resources. To grant programs the necessary API access, a common technique is to create AWS access keys and store them in configuration files, or even hardcoded into source code. I employed this method in last month’s installment, Implementing A Custom AWS Dashboard.
However, using keys in this way adds a security risk. Keys stored in configuration files or source code are at risk for unauthorized disclosure, and these keys grant unrestricted access to all your account’s AWS functions, far broader access than is usually necessary for a particular task. AWS Identity and Access Management (IAM) roles offer a solution to both problems.