Lab Record · Cloud Computing

AWS Cloud
Experiments

13 Weeks — Amazon Web Services Practicals

W01

EC2 Instance Creation and Connection

AWS EC2 · Browser Connect · PuTTY · SSH

▾

Objective

Launch an EC2 instance on AWS and connect to it using two methods: the browser-based EC2 Connect method and the PuTTY SSH client using a PPK key file.

Part A — Launch EC2 Instance

01Open the Amazon EC2 Dashboard from the AWS Management Console.
02Click Launch Instance. Provide an instance name, e.g., Linux-ec2.
03Select an AMI (Ubuntu). Note: AMI is region-specific and the AMI ID changes with the region.
04Select the Instance Type. By default, t3.micro is selected as a free-tier eligible instance.
05Under Key Pair, create a new RSA key pair. The .pem file downloads automatically.
06Configure Network Settings: select VPC, subnet. For Linux, allow SSH (port 22) in the security group.
07Click Launch Instance. AWS creates the EC2 with the specified configuration and region.

Part B — Browser-Based Connection (EC2 Connect)

01Select the running instance in the EC2 Console.
02Click Connect at the top → choose EC2 Instance Connect tab → click Connect.
03A browser-based terminal opens. Connection is established without any client software.

Successfully connected to EC2 instance via browser-based method

Part C — PuTTY Connection (PPK File)

01Download and install PuTTY from the official site (putty.org).
02Create the EC2 instance with key pair format set to PPK during creation.
03If you have a .pem file, open PuTTYgen → Load the .pem file → click Save Private Key to generate the .ppk file.
04Open PuTTY. Copy the instance's Public IP address and paste it in the Host Name field.
05In the sidebar: Connection → SSH → Auth → Credentials. Browse and select the .ppk file.
06Click Open. At the login as: prompt, type ubuntu (for Ubuntu AMI) and press Enter.

Successfully connected to EC2 instance via PuTTY

Conclusion

An EC2 instance was successfully launched on AWS. Two connection methods were demonstrated: the browser-based EC2 Connect method (no client needed) and PuTTY with a PPK key file for SSH access. Security groups control access by allowing only the required port (SSH 22).

W02

EBS Volume — Attach, Scale, Snapshot, and Cross-Region

EBS · lsblk · fdisk · mount · Snapshot · Cross-Region

▾

Objective

Scale an EC2 instance by changing its type, create and attach an EBS volume, perform cross-instance data transfer, and replicate data across AWS regions using snapshots.

Part A — Scale Instance Type

01Create an EC2 instance with instance type t2.nano.
02Stop the instance (cannot change type while running).
03Select the instance → Actions → Instance Settings → Change Instance Type. Select the desired type → click Apply.
04Start the instance. It now runs with the updated CPU and RAM specification.

Part B — Create and Attach EBS Volume

01Go to EC2 Dashboard → Elastic Block Store → Volumes → Create Volume.
02Set volume type (gp3/gp2), size, and Availability Zone (must match the target EC2 instance). Click Create Volume.
03Select the new volume → Actions → Attach Volume → select the target instance → specify device name → click Attach.

Part B — Use the Attached Volume (Instance A)

PowerShell / SSH — Instance A

# Check all available disks
lsblk

# Check filesystem of each device
lsblk -fs

# Create a partition on the new volume
sudo fdisk /dev/nvme1n1
# Press 'm' for help menu, then follow prompts to create partition

Part B — Mount Volume on Instance B

PowerShell / SSH — Instance B

# Create mount directory
sudo mkdir /mnt/ebstry

# Mount the volume partition
sudo mount /dev/nvme1n1p1 /mnt/ebstry

# Verify mount - all previous data will be available
lsblk

Part C — Snapshot and Cross-Region Replication

01Detach the volume from the instance in N. Virginia.
02Select the volume → Actions → Create Snapshot. Wait for the snapshot to complete.
03Select the snapshot → Actions → Copy Snapshot. Choose destination region: Oregon.
04Switch to Oregon region. Go to Snapshots → Actions → Create Volume from Snapshot.
05Create a new EC2 instance in Oregon. Attach the volume to that instance. Connect via SSH.

PowerShell — Oregon Instance

lsblk
sudo mkdir /mnt/ebstry
sudo mount /dev/nvme1n1p1 /mnt/ebstry
df -h

Data from N. Virginia is accessible in Oregon via snapshot copy

Conclusion

EBS volumes were created, attached, mounted, and verified. Scaling was achieved by changing the instance type. Cross-region data replication was demonstrated by copying a snapshot from N. Virginia to Oregon and mounting it on a new instance.

W03

Elastic File System (EFS) — Shared Storage

EFS · NFS · Amazon Linux · Multi-Instance Sharing

▾

Objective

Create an EFS file system and mount it on two EC2 instances in different Availability Zones, demonstrating shared file access across instances.

Setup — Create Instances and Security Group

01Create instance efslab-1: Select Amazon Linux as AMI. Set Availability Zone to us-east-1a.
02Create a new Security Group named efslab. Add an inbound rule: Type: NFS, Source: Anywhere.
03Create instance efslab-2: Select Amazon Linux as AMI. Set Availability Zone to us-east-1b. Select the existing efslab security group.

Create EFS File System

04Search for EFS in the AWS Console → click Create File System. Provide a name → click Create.
05Select the file system → View Details → Network tab → click Manage. Update the security group to efslab.
06Click Attach on the EFS page → copy the NFS client mount command.

Mount on Instance 1 and Create File

SSH — Instance 1 (efslab-1)

# Paste the NFS client command (change directory name at the end)
# Example:
sudo mount -t nfs4 -o nfsvers=4.1 fs-xxxxxxxx.efs.us-east-1.amazonaws.com:/ efslab

# Navigate to the mounted directory
cd efslab

# Create a file
touch file.txt

# Add content to the file
echo "Shared via EFS" > file.txt

Verify from Instance 2

SSH — Instance 2 (efslab-2)

# Paste the same NFS client mount command (change directory name)
sudo mount -t nfs4 -o nfsvers=4.1 fs-xxxxxxxx.efs.us-east-1.amazonaws.com:/ efslab

# Navigate to directory
cd efslab

# List files (file.txt from Instance 1 appears)
ls

# Display file content
cat file.txt

file.txt

Shared via EFS

File created on Instance 1 is accessible from Instance 2 via EFS

Conclusion

EFS was configured and mounted on two EC2 instances in different Availability Zones. A file created on Instance 1 was immediately accessible from Instance 2, demonstrating EFS as a shared, elastic NFS file system across multiple instances.

W04

Simple Storage Service (S3) — Buckets, ACLs, Versioning, Replication

S3 · ACL · Bucket Versioning · Cross-Region Replication

▾

Objective

Create an S3 bucket, configure public access via ACLs, enable versioning, and set up cross-region object replication.

Part A — Create Bucket and Upload Object

01Search for S3 in the AWS Console → click Create bucket.
02Provide a unique bucket name. Keep bucket type as General Purpose. Leave ACLs disabled and public access blocked by default. Click Create bucket.
03Click on the bucket name → Upload → Add files. Select a file from your PC → click Upload.
04Click on the uploaded object → copy the Object URL. Open it in a browser — access is denied (public access is still blocked).

Part A — Enable Public Access via ACL

05Go to bucket → Permissions → Block Public Access → Edit. Uncheck all → Save changes.
06Go to Object Ownership → Edit. Select ACLs Enabled → Save changes.
07Go to Access Control List → Edit. Under Everyone (public access), enable List objects and Read objects. Save.
08Click on the uploaded image → Object Permissions → ACL → Edit. Enable Read for public access → Save.
09Copy the Object URL → paste in browser. The image is now publicly accessible.

Part B — Enable Versioning

01Go to bucket → Properties → Bucket Versioning → Edit. Enable versioning → Save changes.
02Upload the same file again. Toggle Show versions to see both versions listed.
03Deleting an object adds a delete marker — the object is still present when versions are visible. To permanently delete, select all versions including the delete marker and delete them.

Part C — Cross-Region Replication

01Create a source bucket in N. Virginia. Enable versioning on it.
02Create a destination bucket in Oregon. Enable ACLs and versioning.
03On the source bucket → Management → Create Replication Rule. Set scope to All objects. Select the Oregon bucket as destination. Choose LabRole as IAM role → Save.
04Upload any document to the source bucket. The same document automatically appears in the Oregon destination bucket.

Object uploaded to N. Virginia appears automatically in Oregon bucket

Conclusion

S3 was explored in depth: bucket creation, public access via ACLs, object-level permissions, versioning with delete markers, and cross-region replication. These features cover the core S3 capabilities needed for scalable, redundant object storage.

W05

VPC Creation and EC2 Instance Connectivity

VPC · Subnets · Route Tables · Internet Gateway · Security Groups

▾

Objective

Create a custom VPC with public and private subnets, configure route tables and an Internet Gateway, then launch EC2 instances with proper network connectivity.

Step 1 — Create VPC and Subnets

01Go to AWS Console → VPC → Create VPC. Provide a CIDR block (e.g., 10.0.0.0/16).
02Create a Public Subnet (e.g., 10.0.1.0/24) and a Private Subnet (e.g., 10.0.2.0/24) within the VPC.

Step 2 — Create and Configure Route Tables

01Go to Route Tables → Create route table. Select the VPC. Name it public-route.
02Create another route table named private-route in the same VPC.
03Select public-route → Actions → Edit routes → Add route. Destination: 0.0.0.0/0, Target: Internet Gateway. Select the gateway → Save changes.
04Go to Subnets → Public Subnet → Edit subnet settings. Enable Auto-assign public IPv4 address.
05Select public-route → Edit subnet associations. Select the public subnet → Save associations. Repeat for private route and private subnet.

Step 3 — Create Security Group and Launch Instances

01Create a Security Group with inbound rules: SSH (22), HTTP (80), and HTTPS (443).
02Launch an EC2 instance (Ubuntu). In network settings: select the VPC, select the public subnet, and enable public IP. Use the created security group.
03Launch a second EC2 instance (Ubuntu) in the private subnet with no public IP (for internal use only).

Public instance: reachable from the internet via public IP

Private instance: not reachable directly from internet

Conclusion

A custom VPC was created with both public and private subnets. Route tables were configured to connect the public subnet to the Internet Gateway. EC2 instances were launched in appropriate subnets with security group rules enforcing access control.

W06

VPC with NAT Gateway — Private Instance Internet Access

NAT Gateway · Jump Server · Private Subnet · Internet Routing

▾

Objective

Configure a NAT Gateway to allow a private subnet EC2 instance to access the internet without being publicly reachable. Use a Jump Server to access the private instance.

Architecture Setup

01Create VPC my-vpc with a public and private subnet. Create two route tables and an Internet Gateway. Connect the public route table to the Internet Gateway.
02Launch instance web-app (Ubuntu) in the public subnet. Allow SSH, HTTP, and HTTPS in its security group.
03Launch instance db-server (Ubuntu) in the private subnet. Disable public IP. Allow SSH only. This instance has no direct internet access.
04Launch instance jump-server (Ubuntu) in the public subnet. This acts as the relay to access the private instance.

Verify No Internet on Private Instance

SSH via Jump Server — db-server

# SSH into jump-server first, then into db-server
# Test internet from db-server (will fail without NAT)
ping google.com
# Result: Network unreachable

Create NAT Gateway and Update Route

05Go to VPC → NAT Gateways → Create NAT Gateway. Provide a name. Select the public subnet and allocate an Elastic IP. Click Create.
06Go to the private route table → Edit routes → Add route. Destination: 0.0.0.0/0, Target: select the NAT Gateway. Save changes.

Verify Internet Access on Private Instance

SSH via Jump Server — db-server

ping google.com
# Result: replies received (internet now reachable via NAT Gateway)

Private instance has outbound internet access via NAT Gateway

Inbound connections from the internet are still blocked (private IP only)

Conclusion

A NAT Gateway was deployed in the public subnet and the private route table was updated to route internet-bound traffic through it. The private db-server now has outbound internet access while remaining inaccessible from the internet directly.

W07

Lambda Triggered by S3 Upload → DynamoDB Logging

AWS Lambda · S3 Trigger · DynamoDB · CloudWatch Logs

▾

Objective

Create a Lambda function that is automatically triggered when an object is uploaded to an S3 bucket, and stores the object metadata into a DynamoDB table.

Step 1 — Create Lambda Function

01Search for Lambda in the AWS Console → click Create function.
02Choose Author from scratch. Enter function name: lambda-function. Select runtime: Python 3.10.
03Under Permissions, choose Use an existing role. Select LabRole (which has permissions for S3 and DynamoDB). Click Create function.

Step 2 — Test the Function

01In the Lambda console, go to the Test tab → Create new event. Select template: S3 Put. Update the bucket name in the event JSON to match your S3 bucket.
02Click Save → click Test. The function should execute successfully.

Step 3 — Add S3 Trigger

01In the Lambda console, click Add trigger. Select source: S3.
02Select your bucket (must be in the same region as Lambda). Check the acknowledgement checkbox. Click Save.

Step 4 — Trigger and Verify

01Go to your S3 bucket → Upload any document → click Upload.
02Go to DynamoDB → Explore items. Select the table. Under Items returned, the uploaded object metadata is now visible.

Object metadata stored in DynamoDB after S3 upload event

Step 5 — View CloudWatch Logs

01In the Lambda console → Monitor tab → click View CloudWatch logs. Select a log stream to see execution details and print outputs.

Conclusion

A serverless workflow was implemented: S3 upload triggers Lambda, which stores object metadata to DynamoDB. CloudWatch Logs verified execution. This is the standard event-driven architecture pattern in AWS serverless applications.

W08

SNS, SQS and S3 → SNS → SQS → Lambda Pipeline

SNS · SQS · Lambda · S3 Event Notification · Email

▾

Objective

Set up SNS for email notifications and SQS for message queuing, then build an end-to-end pipeline: S3 upload event triggers SNS, which fans out to SQS, which can trigger Lambda for processing.

Part A — SNS Topic and Email Subscription

01Search for SNS in the AWS Console → Topics → Create topic. Type: Standard. Name: MyEmailTopic. Click Create topic.
02Open the topic → Subscriptions → Create subscription. Protocol: Email. Endpoint: your email address. Click Create subscription.
03Check your email inbox for a confirmation email from Amazon SNS. Click Confirm subscription.
04Go to the S3 bucket → Properties → Event notifications → Create event notification. Set destination to SNS topic, choose your topic. Click Save. Upload a file to trigger the notification email.

Part B — SQS Queue and Message Test

01Search for SQS → Create queue. Type: Standard. Name: MyQueue. Leave defaults → Create queue.
02Open MyQueue → Send and receive messages. In Message body, enter a test message → click Send message.
03On the same page, click Poll for messages. The sent message appears in the list.

Part C — S3 → SNS → SQS → Lambda Pipeline

01Create an S3 bucket named s3-sns-sqs-lambda. Create an SNS Standard topic named MyS3SNSTopic. Copy the SNS Topic ARN.
02Create an SQS Standard queue named MyS3Queue. Copy the Queue ARN.
03Open MyS3SNSTopic → Create subscription. Protocol: Amazon SQS. Endpoint: select MyS3Queue. Click Create subscription.
04Open MyS3Queue → Access Policy → Edit. Update the policy JSON with the SQS ARN and SNS ARN to allow SNS to send messages to the queue.


          05Open the SNS Topic → Edit access policy. Replace the SNS topic ARN, S3 bucket ARN, and Account ID in the policy to allow S3 to publish to SNS.
          06Configure the S3 bucket event notification to publish to the SNS topic on object uploads. Upload a file to verify the full pipeline triggers correctly.


        
          S3 upload → SNS notification → SQS message delivered → Lambda processes



      
        Conclusion
        
          SNS and SQS were configured independently and then connected into a full event pipeline. An S3 upload triggers SNS, which delivers to SQS, enabling decoupled, asynchronous event-driven processing with Lambda.



  
  
    
      W09
      
        Elastic Load Balancer with Auto Scaling
        ALB · Target Groups · Apache HTTPD · Auto Scaling Groups · AMI
      
      ▾
    
    

      
        Objective
        Deploy two EC2 web servers behind an Application Load Balancer, then configure an Auto Scaling Group to automatically maintain instance count and recover from failures.
      

      
        Part A — Launch Web Servers
        SSH — webserver-1
        sudo yum update -y
sudo yum install httpd -y
systemctl start httpd
systemctl enable httpd
echo "This is Server 1" > /var/www/html/index.html

        SSH — webserver-2
        sudo yum update -y
sudo yum install httpd -y
systemctl start httpd
systemctl enable httpd
echo "This is Server 2" > /var/www/html/index.html
        Verify: paste each server's public IP in a browser to confirm the correct page loads.
      

      
        Part B — Create Security Group and Load Balancer
        
          01Create Security Group loadbalancer-sg. Inbound rule: HTTP (80) from anywhere. Leave outbound as default.
          02Go to EC2 → Load Balancers → Create Load Balancer → Application Load Balancer. Name: my-loadbalancer. Scheme: Internet-facing. Select all subnets. Choose loadbalancer-sg.
          03Create a target group named my-targetgroup. Target type: Instance. Protocol: HTTP, Port: 80. Select both web server instances → Include as pending → Create target group.
          04Attach the target group as the listener for the load balancer → Create load balancer.
        
        
          Copy DNS name of load balancer → paste in browser
          Refreshing alternates between "This is Server 1" and "This is Server 2"
        
      

      
        Part C — Auto Scaling Group
        
          01Select webserver-1 → Actions → Image and Templates → Create Image. Name: my-webserver-AMI. Click Create Image.
          02Go to EC2 → Launch Templates → Create Launch Template. Name: my-template. Select the AMI created above. Instance type: t2.micro. Select your key pair.
          03Create an Auto Scaling Group using the launch template. Desired: 2, Minimum: 1, Maximum: 4. Attach to the existing load balancer and target group. Click Create Auto Scaling Group.
          04To test auto recovery: select and terminate an instance. The Auto Scaling Group automatically launches a replacement within the desired capacity range.
        
        
          Terminated instance is replaced automatically by Auto Scaling
          Load balancer continues routing traffic to healthy instances
        
      

      
        Conclusion
        
          An Application Load Balancer distributed traffic across two Apache web servers. An Auto Scaling Group with a custom AMI was configured to maintain instance count between 1 and 4. Terminating an instance confirmed automatic recovery, demonstrating high availability and fault tolerance.
        
      

    
  

  
  
    
      W10
      
        Elastic Beanstalk — Deploy a Java Web Application
        Eclipse · Apache Tomcat · WAR File · Elastic Beanstalk
      
      ▾
    
    

      
        Objective
        Build and test a Java web application locally in Eclipse, export it as a WAR file, and deploy it to AWS Elastic Beanstalk without manually provisioning any infrastructure.
      

      
        Part A — Create and Run App Locally in Eclipse
        
          01Open Eclipse → File → New → Dynamic Web Project. Project Name: NotesApp. Target Runtime: Apache Tomcat. Click Finish.
          02Right-click the project → Run As → Run on Server. Choose Apache Tomcat. Confirm the Notes App runs locally in the browser.
        
      

      
        Part B — Export as WAR File
        
          01Right-click the project → Export → WAR file. Choose destination folder on your local machine. Click Finish.
        
      

      
        Part C — Deploy to Elastic Beanstalk
        
          01Open AWS Console → search for Elastic Beanstalk → click Create application. Name: NotesApp. Add an optional description. Click Create.
          02Click on the application → Create new environment. Select platform: Tomcat. Upload your .war file. Leave remaining settings as default → click through Next and Create.
          03Wait for the environment to reach Ready state. Click the Domain link to open your deployed application.
        
        
          Application live at: http://notesapp-env.eba-xxxxxxxx.us-east-1.elasticbeanstalk.com
          EC2 instances are automatically created and managed by Elastic Beanstalk
        
      

      
        Conclusion
        
          A Java web application was developed and tested locally on Apache Tomcat, exported as a WAR file, and deployed to AWS Elastic Beanstalk. Beanstalk automatically provisioned the underlying EC2, load balancer, and scaling infrastructure without manual configuration.
        
      

    
  

  
  
    
      W11
      
        Amazon Lex — Hotel Booking Chatbot
        Amazon Lex · Intents · Slots · Slot Types · Utterances
      
      ▾
    
    

      
        Objective
        Build a conversational chatbot using Amazon Lex that can handle hotel booking requests, collect user information via slots, and provide confirmation responses.
      

      
        Step 1 — Create the Bot
        
          01Search for Amazon Lex → choose Create a blank bot.
          02Bot name: HotelBookingBot. IAM role: Create new role. Leave remaining settings as default. Click Next.
          03Language: English. Voice: optional. Click Done.
        
      

      
        Step 2 — Create Intent and Utterances
        
          01Go to Intents → Add intent. Name: BookHotel. Click Create.
          02Add sample utterances (phrases the user might say to trigger this intent):
        
        
          I want to book a hotel
          Book a room
          Reserve hotel
          I need a room
        
      

      
        Step 3 — Add Slots (Data Collection)
        
          01Click Add slot. Slot name: location. Slot type: AMAZON.City. Prompt: Which city do you want?. Mark as Required. Click Add.
          02Click Slot Types → Add slot type → Add blank slot type. Name it RoomType. Add values: single, double, suite.
          03Return to the BookHotel intent → Add slot. Slot name: RoomType. Slot type: RoomType (the custom type just created).
          04Click Advanced options on the RoomType slot → Slot prompts → More prompt options → Add → Add card groups. Add card title and buttons with values single, double, suite. Click Update prompts.
        
      

      
        Step 4 — Configure Responses
        Initial Response:
Welcome to Hotel Booking! What is your name?

Confirmation prompt:
Do you want to confirm booking in {location} for {nights} nights?
      

      
        Step 5 — Build and Test
        
          01Click Save intent → click Build. Wait for the build to complete.
          02Click Test. The chat panel opens. Type a booking utterance and follow the conversation flow to verify slots are collected correctly.
        
        
          Bot: Welcome to Hotel Booking! What is your name?
          User: I want to book a hotel
          Bot: Which city do you want?
          Slots are filled sequentially with each user response
        
      

      
        Conclusion
        
          A hotel booking chatbot was built with Amazon Lex using intents, utterances, and custom slot types. The bot collected city, room type, and other booking details through a guided conversation, demonstrating AWS Lex for building conversational AI interfaces without any ML expertise.
        
      

    
  

  
  
    
      W12
      
        IAM User with Permissions — GUI and CLI Access
        IAM · IAM User · Access Keys · AWS CLI · Policy Enforcement
      
      ▾
    
    

      
        Objective
        Create an IAM user with limited S3 permissions, verify access control through the AWS Console GUI, then configure AWS CLI with the user's credentials and confirm the same policy restrictions apply programmatically.
      

      
        Part A — Create IAM User
        
          01Log in as Root User → search for IAM → go to Users → Create user.
          02Enter a username. Check Provide user access to the AWS Management Console. Set a custom password. Click Next.
          03Permissions: select Attach policies directly. Search for and select AmazonS3FullAccess. Click Next → Create user.
          04On the final page, click Download .csv file. This file contains the Console URL, username, and password.
        
      

      
        Part B — Test GUI Access (Console Login)
        
          01Sign out from root. Use the sign-in URL from the CSV (or go to console.aws.amazon.com → select IAM User). Enter the Account ID, username, and password from the CSV.
          02Test 1 (Failure): Navigate to EC2. Attempt to view instances. Result: Access Denied — EC2 permission is not granted.
          03Test 2 (Success): Navigate to S3. Create a bucket. Result: Success — S3 full access is granted by the attached policy.
        
      

      
        Part C — Create Access Keys and Configure AWS CLI
        
          01Log back in as root → IAM → select the user → Security credentials → Access keys → Create access key. Select use case: Command Line Interface. Acknowledge warning → click Next → Create access key. Download the CSV.
          02Install the AWS CLI tool from aws.amazon.com/cli.
        
        CMD / PowerShell
        # Configure CLI with access key credentials
aws configure
# Enter: Access Key ID, Secret Access Key, Default region (ap-south-1), Output format (json)

# Test S3 access (should succeed)
aws s3 ls

# Create an S3 bucket (should succeed)
aws s3 mb s3://your-unique-bucket-name

# Test IAM access (should fail - Access Denied)
aws iam list-users
        
          aws s3 ls            -- Success: lists buckets
          aws s3 mb s3://...   -- Success: bucket created
          aws iam list-users   -- Error: AccessDenied
          CLI enforces the same IAM policy as the Console GUI
        
      

      
        Conclusion
        
          An IAM user was created with S3-only permissions. Access control was verified through both the Console GUI (EC2 denied, S3 allowed) and the AWS CLI (IAM listing denied, S3 operations allowed). This confirms that IAM policies apply consistently across all access methods.
        
      

    
  

  
  
    
      W13
      
        Attach IAM Role to EC2 for S3 Access Without Keys
        IAM Role · EC2 Instance Profile · S3 · Keyless Access
      
      ▾
    
    

      
        Objective
        Create an IAM Role with S3 permissions and attach it to an EC2 instance so the instance can access S3 without storing any access keys on the machine.
      

      
        Step 1 — Create IAM Role
        
          01Search for IAM → Roles → Create role.
          02Trusted entity: AWS Service. Use case: EC2. Click Next.
          03Search for and select AmazonS3FullAccess policy. Click Next.
          04Role name: EC2-S3-Role. Click Create role.
        
      

      
        Step 2 — Launch EC2 and Attach Role
        
          01Go to EC2 Dashboard → Launch Instance. Name the instance and use default settings. Click Launch instance.
          02Select the running instance → Actions → Security → Modify IAM role.
          03Select EC2-S3-Role from the dropdown → click Update IAM role.
        
      

      
        Step 3 — Verify S3 Access from EC2 (No Keys Required)
        SSH — EC2 Instance
        # List all S3 buckets - works without aws configure
aws s3 ls

# Access is granted via the attached IAM role, no access keys needed
        
          2024-01-15 10:32:45 my-bucket-name
          2024-02-20 08:14:22 another-bucket
          S3 access works without storing any credentials on the instance
        
      

      
        Why IAM Roles Are Better Than Access Keys
        
          KeyNo credentials stored on disk — access keys in files can be leaked via repository commits, logs, or server compromise.
          KeyAutomatic credential rotation — IAM role credentials are temporary and rotated automatically by AWS STS.
          KeyScoped access — the role only grants exactly the permissions defined in the attached policy, following least-privilege principle.
        
      

      
        Conclusion
        
          An IAM Role with S3 full access was created and attached to an EC2 instance as an instance profile. The instance successfully accessed S3 using aws s3 ls without requiring any access keys to be configured, demonstrating the secure and recommended approach to granting AWS service permissions to EC2 instances.