Read-Only Credentials For EC2

A common concern of EC2 users with regard to using third-party tools like Elastic Detector is the fact that those tools require the users’ AWS EC2 credentials to work. In the wrong hands, those credentials can be misused to cause significant damage by e.g. shutting down instances. Fortunately, AWS provides a solution called Identity and Access Management (IAM).

In this blog-post, we want to give you a step-by-step hands-on description how to use IAM to generate “Read-Only” credentials for EC2, i.e. credentials that allow third-party providers to call only those API methods that retrieve information, and prevent API calls that modify something. With the help of the IAM command line tools it is possible to define groups of users and associate a certain policy to them, which defines which API calls are allowed under which conditions.

1. Install IAM Client Tools
First of all, you need to download the IAM command line tools from Amazon and deploy them on your machine.

Therefore, go to and click the download button.

Unzip the downloaded file. Detailed Installation Instructions can be found in the README file.

Basically, the EC2 Credentials (the “root” credentials) must be written into a specific file, the environment variables $AWS_IAM_HOME$ (path to IAM directory created during unzip) and $AWS_CREDENTIAL_FILE$ (path to credentials file) must be set, and the tools included into the environment path (variable $PATH$).

Make a test if the tools are correctly installed by typing:

iam-userlistbypath -h

The tool should respond by showing you all options of that command.

2. Create A Group
Create a group ExternalProviders.

iam-groupcreate -g ExternalProviders

Check that the group was successfully created.


You should see something like


3. Create A User
Create a user named Secludit for the group ExternalProviders.

iam-usercreate -g ExternalProviders -u Secludit -k

Store the credentials that are displayed. Those are your read-only credentials.
Check if the user was created and linked to the group

iam-userlistgroups -u Secludit

You should see something like


4. Add The Read-Only Policy
The following command adds a policy named ReadOnly to the group ExternalProviders.

iam-groupaddpolicy -g ExternalProviders
-p ReadOnly -e Allow
-a cloudwatch:GetMetricStatistics
-a cloudwatch:ListMetrics
-a ec2:Describe* -r '*'

The option -a specifies which API calls are allowed. Our specification tells IAM that all calls of the EC2 API are allowed that start with ‘Describe’ (e.g. DescribeInstances, DescribeSecurityGroups, DescribeSnapshots, etc) and to use the CloudWatch API to retrieve statistics.

Now execute the following command to be sure that everything worked fine.

iam-grouplistpolicies -p ReadOnly -g ExternalProviders -v

You should see


5. Revoke The Credentials
Last, but not least – here is how to revoke the credentials. You do not need to remove them from the third party provider tools you use, you can do simply the following do invalid them:

iam-groupdelpolicy -g ExternalProviders -p ReadOnly

This removes the policy and thus revokes any access rights for all users of the group ExternalProviders.

Note: for most EC2 management consoles (that e.g. allow to launch or stop machines), read-only credentials are not enough. Consult your third-party provider to know exactly which API calls need to be enabled. You can do a lot more and finer-grained restrictions with IAM than shown in this post, e.g. restrict access to certain IP addresses or specific resources. Don’t hesitate to contact us for questions on that topic.

4 thoughts on “Read-Only Credentials For EC2

  1. Pingback: AWS Policy Generator « Elastic Security

  2. Pingback: Monitoring Tool: Amazon EC2 plugins for Nagios « Elastic Security

  3. Pingback: Amazon EC2 Copy AMI and Snapshot: CloudyScripts updated « Elastic Security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s