AWS IAM Role Configuration Guide
This guide outlines how to configure an IAM Role with necessary permission policies, trust relationships, and cross-account access using the AWS Console. The role is intended to allow EC2 instances to access Amazon SQS and Amazon S3 securely with least privilege.
Purpose
Grant an EC2 instance the ability to:
- Read from specific Amazon SQS queues
- Access CloudWatch logs stored in Amazon S3
- Support cross-account usage (optional)
Prerequisites
- AWS account credentials with IAM privileges
- An existing SQS queue
- An existing S3 bucket with CloudWatch logs
- An EC2 instance to assume the role
Instructions
1. Create IAM Role for EC2
- Go to IAM > Roles in the AWS Console.
- Click Create role.
- Select Trusted Entity Type: Choose AWS service.
- Select EC2 as the use case.
- Click Next.
2. Attach Policies
For Single Account Setup (EC2, SQS, and S3 in the same AWS account)
Click Create policy (in new tab), and create the following:
a. Amazon SQS Read-Only Access Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonSQSReadOnlyAccess",
"Effect": "Allow",
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListQueues",
"sqs:ListMessageMoveTasks",
"sqs:ListQueueTags"
],
"Resource": "*"
}
]
}
Name this policy:
AmazonSQSReadOnlyCustom
b. S3 Read-Only Access to CloudWatch Logs
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::<BUCKET_NAME>", "arn:aws:s3:::<BUCKET_NAME>/*"]
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": "arn:aws:s3:::<BUCKET_NAME>"
}
]
}
Replace
<BUCKET_NAME>with your actual CloudWatch log bucket name in your current AWS account.
Name this policy:
S3CloudWatchReadAccess
c. SQS Full Access for Specific Queue
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Resource": "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<QUEUE_NAME>"
}
]
}
Replace:
<REGION>with your AWS region (e.g., us-east-1)<ACCOUNT_ID>with your current AWS account ID<QUEUE_NAME>with your SQS queue name in your current AWS account
Name this policy:
SQSQueueAccess
d. Assume Role Permission (for same account)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>/*",
"arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>",
"arn:aws:sts::<ACCOUNT_ID>:assumed-role/<ROLE_NAME>/*",
"arn:aws:sts::<ACCOUNT_ID>:assumed-role/<ROLE_NAME>/<EC2_INSTANCE_ID>"
]
}
]
}
Replace:
<ACCOUNT_ID>with your current AWS account ID<ROLE_NAME>with the name of the role you're creating in your current AWS account<EC2_INSTANCE_ID>with your EC2 instance ID in your current AWS account
Name this policy:
AssumeRolePermission
For Cross Account Setup (EC2 in one account, SQS/S3 in another)
Step-by-Step Cross-Account Configuration
For this setup, we'll use the following terminology:
- Account1: The AWS account where your EC2 instance is hosted (e.g., Account ID: 111111)
- Account2: The AWS account where your SQS queue and S3 bucket are located (e.g., Account ID: 222222)
A. In Account1 (where EC2 instance is located)
- Log in to your IAM console (https://console.aws.amazon.com/iam/) of Account1 where EC2 is hosted (e.g., Account ID: 111111)
- Click the Roles tab under Access Management
- Click the Create Role button
- For Trusted Entity Type, select AWS Service
- For Use case, select EC2
- Click Next
- Click Create policy (in new tab) to create the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<Account2_ID>:role/<Role_In_Account2>"
}
]
}
Replace:
<Account2_ID>with the account ID where your SQS/S3 resources are located (e.g., 222222)<Role_In_Account2>with the name of the role you'll create in Account2 (e.g., role_on_222222)
- Name this policy (e.g.,
CrossAccountAssumeRolePolicy) and click Create policy - Return to the role creation tab, refresh the policy list, and attach the newly created policy
- Click Next
- Name the role (e.g.,
role_on_111111) and provide a description - Click Create role
- In the IAM Role's Trust relationships tab, click Edit trust policy
- Ensure the trust policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- Click Update Trust Policy
- Attach this role to your EC2 instance:
- Go to EC2 > Instances
- Select your instance > Actions > Security > Modify IAM role
- Choose the role you just created (e.g.,
role_on_111111) and click Update IAM role
B. In Account2 (where SQS/S3 resources are located)
- Log in to your IAM console (https://console.aws.amazon.com/iam/) of Account2 where SQS/S3 resources are located (e.g., Account ID: 222222)
- Click the Roles tab under Access Management
- Click the Create Role button
- For Trusted Entity Type, select Another AWS account
- Enter the Account ID of Account1 (e.g., 111111)
- Click Next
- Enter the role name (e.g.,
role_on_222222) - Click Create Role
- Search for the created role (e.g.,
role_on_222222) and open it - Steps to set the Permissions Policies:
- In the Permissions tab, click the Add Permissions button and select Create Inline Policy
- On the Create Policy page, select JSON editor and add the following SQS policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl"
],
"Resource": "arn:aws:sqs:<Region>:<Account2_ID>:<Queue_Name>"
}
]
}
- Click Review Policy
- Enter the policy name (e.g.,
SQSAccessPolicy) and click Create Policy - In the Permissions tab, click the Add Permissions button and select Create Inline Policy
- On the Create Policy page, select JSON editor and add the following S3 policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::<BUCKET_NAME>/AWSLogs/<Account2_ID>/*"]
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": "arn:aws:s3:::<BUCKET_NAME>",
"Condition": {
"StringLike": { "s3:prefix": ["AWSLogs/<Account2_ID>/*"] }
}
}
]
}
Replace
<BUCKET_NAME>with your actual CloudWatch log bucket name in Account2.
- Click Review Policy
- Enter the policy name (e.g.,
S3AccessPolicy) and click Create Policy - In the Trust relationships tab, click Edit trust policy
- Replace the trust policy with:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<Account1_ID>:role/<Role_In_Account1>"
},
"Action": "sts:AssumeRole"
}
]
}
- Click Update Trust Policy
C. Configure Role ARN in Logstash Input Plugin
In your Logstash configuration file, set the role_arn parameter to the ARN of the role in Account2:
input {
s3sqs {
# Other parameters...
role_arn => "arn:aws:iam::<Account2_ID>:role/<Role_In_Account2>" # e.g., "arn:aws:iam::222222:role/role_on_222222"
# Additional parameters...
}
}
Replace
<Account2_ID>and<Role_In_Account2>with your actual values.
3. Modify the Trust Relationship
For Single Account Setup
- In the IAM Role's Trust relationships tab, click Edit trust relationship.
- Replace the trust policy with:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "AllowSelfAssume",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
},
"Action": "sts:AssumeRole"
}
]
}
Replace:
<ACCOUNT_ID>with your current AWS account ID<ROLE_NAME>with the name of the role you're creating in your current AWS account
Attach Role to EC2 Instance
- Go to EC2 > Instances
- Select your instance > Actions > Security > Modify IAM role
- Choose the role
<ROLE_NAME>and click Update IAM role