Creating instance roles

This recipe is reasonably short, but it contains a really important concept for anyone who is new to the AWS platform. Understanding and using IAM roles for EC2 will significantly reduce your exposure to lost credentials, and will probably help you sleep a little better at night, too. In a nutshell, instance roles get long-lived AWS credentials off your servers and out of your code base(s): the instance obtains short-lived credentials from the instance metadata service instead, so there is nothing static to leak or rotate.

Roles contain one or more policies. We're going to create a role that has some AWS Managed Policies, as well as an Inline Policy. As the name would suggest, an AWS Managed Policy is a policy that is created and fully controlled by AWS. The Inline Policy is going to be created by us, and will be embedded in our role definition.

The AWS Managed Policies that we'll use will allow read-only access to the S3 and EC2 APIs. The Inline Policy that we'll create will allow write access to CloudWatch Logs. We'll talk through why you would or wouldn't choose a Managed Policy later in this recipe.
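As an added example (not the book's own code), here is the role just described expressed as a CloudFormation template fragment built in Python, together with a small check that the inline policy grants no wildcard action or unrestricted resource. The managed policy ARNs are the real AWS read-only S3 and EC2 policies but are an assumption about which ones the recipe means; the role name and the log group ARN are constructed placeholders, and the template is assumed to be deployed with CloudFormation.

```python
"""Build an EC2 instance role as a CloudFormation template, offline, and
sanity-check the inline policy for least privilege.

Added example; assumptions: the two managed policy ARNs below are the
read-only policies the recipe refers to, and the role name and log group
ARN passed in are constructed placeholders.
"""
import json

# Real AWS-managed policy ARNs (assumed to be the ones the recipe uses).
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
]

# Trust policy: only the EC2 service may assume this role, so no IAM user
# or external account can pick up these permissions.
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def cloudwatch_logs_inline_policy(log_group_arn):
    """Inline policy allowing only the three actions needed to ship logs.

    Scoped to one log group (and its streams) rather than '*', so an
    instance that is compromised cannot write into other groups.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            "Resource": [log_group_arn, log_group_arn + ":*"],
        }],
    }


def instance_role_template(role_name, log_group_arn):
    """CloudFormation resources: the role plus the instance profile that
    attaches it to an EC2 instance (EC2 consumes profiles, not roles)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "InstanceRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": ASSUME_ROLE_POLICY,
                    "ManagedPolicyArns": MANAGED_POLICY_ARNS,
                    "Policies": [{
                        "PolicyName": "CloudWatchLogsWrite",
                        "PolicyDocument": cloudwatch_logs_inline_policy(log_group_arn),
                    }],
                },
            },
            "InstanceProfile": {
                "Type": "AWS::IAM::InstanceProfile",
                "Properties": {"Roles": [{"Ref": "InstanceRole"}]},
            },
        },
    }


def find_overly_broad(policy_document):
    """Return findings for Allow statements that use a wildcard action
    ('*' or 'service:*') or an unrestricted Resource of '*'."""
    findings = []
    for i, stmt in enumerate(policy_document["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in resources:
            findings.append(f"statement {i}: unrestricted resource '*'")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values, not from the recipe.
    template = instance_role_template(
        "example-instance-role",
        "arn:aws:logs:us-east-1:123456789012:log-group:/example/app",
    )
    inline = template["Resources"]["InstanceRole"]["Properties"]["Policies"][0]
    print("inline policy findings:", find_overly_broad(inline["PolicyDocument"]))
    print(json.dumps(template, indent=2))
```

The instance profile is the piece newcomers usually miss: an EC2 instance is launched with a profile, and the profile wraps the role. Running the script prints the template as JSON and an empty findings list; feeding `find_overly_broad` a policy with `logs:*` on `Resource: "*"` would flag both problems before the template is ever deployed.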
