Instance metadata does provide rotating credentials, which is a step forward, but in every other way it's a net security <i>loss</i>:
<p>1) All instance metadata, including IAM roles, is available to every user and every process on the instance for the life of the instance.
<p>2) You cannot externally terminate access to credentials for the life of the instance (all instance metadata sticks around until the box is stopped or terminated).
<p>3) You cannot internally terminate access to credentials (for example, by removing a file).
<p>4) STS session tokens are invisible (you can't audit them) and irrevocable[1] before their expiration.
<p>5) Instance metadata is usually only available on AWS instances.
<p>As an AWS Certified SA (but otherwise not affiliated, except for my startup (plug: <a href="https://userify.com" rel="nofollow">https://userify.com</a>, Team SSH key management) being an AWS tech partner and AWS funds our tech (ty AWS!)), I prefer a root-only file baked into the AMI that can actually be deleted/shredded from the instance after the relevant processes have started and it's been read into RAM -- but of course anyone who gains root can scan memory for keys anyway, so this is not fool-proof either, but it's far safer than instance metadata. (Unfortunately, you need to rotate keys frequently if you do it this way, and that is absolutely not automated like STS is.)
<p>However, for fast development and testing, IAM instance roles (aka instance profiles) are great.
<p>1. <a href="https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9#.3ogaeluvi" rel="nofollow">https://danielgrzelak.com/backdooring-an-aws-account-da007d3...</a>
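The "root-only file baked into the AMI, read into RAM, then deleted" pattern the comment above prefers, written out as an added example (this is illustration code, not code from the thread or from Userify). It assumes a one-line file in the form ACCESS_KEY_ID:SECRET_ACCESS_KEY and that the expected owner is root (uid 0) unless told otherwise; the file contents and paths in demo() are constructed for the example.

```python
import os
import secrets
import stat
import tempfile

# Added example, not code from the thread or from Userify. Assumed file
# format: one line "ACCESS_KEY_ID:SECRET_ACCESS_KEY"; expected owner uid 0.


def check_credential_file(path, expected_uid=0):
    """Refuse a credentials file that is a symlink or other non-regular
    file, is not owned by expected_uid, or grants any group/other bits."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        raise PermissionError(f"{path}: owner uid {st.st_uid} != {expected_uid}")
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is not owner-only")
    return st


def load_and_shred(path, expected_uid=0):
    """Load the key pair into memory, overwrite the file's bytes with random
    data, then unlink it. After this returns, later processes on the instance
    have no file to read, which is the property instance metadata lacks.
    The overwrite is best-effort: journaling/COW filesystems and SSD wear
    levelling can retain old blocks, so the unlink is the real control."""
    st = check_credential_file(path, expected_uid)
    with open(path, "rb") as f:
        raw = f.read()
    access_key, sep, secret = raw.decode().strip().partition(":")
    if not sep or not access_key or not secret:
        raise ValueError(f"{path}: expected ACCESS_KEY_ID:SECRET_ACCESS_KEY")
    with open(path, "r+b", buffering=0) as f:
        f.write(secrets.token_bytes(st.st_size))
        os.fsync(f.fileno())
    os.unlink(path)
    return {"access_key_id": access_key, "secret_access_key": secret}


def demo():
    """Exercise both paths on constructed files in a temp dir: a 0600 file
    owned by the current uid loads and disappears; a 0644 copy is rejected
    and left untouched."""
    uid = os.getuid()
    sample = "AKIACONSTRUCTEDEXAMPLE:constructed-secret-value\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "aws-creds")
        with open(good, "w") as f:
            f.write(sample)
        os.chmod(good, 0o600)
        creds = load_and_shred(good, expected_uid=uid)

        loose = os.path.join(d, "aws-creds-loose")
        with open(loose, "w") as f:
            f.write(sample)
        os.chmod(loose, 0o644)
        try:
            load_and_shred(loose, expected_uid=uid)
            rejected = False
        except PermissionError:
            rejected = True
        return {
            "access_key_id": creds["access_key_id"],
            "good_file_gone": not os.path.exists(good),
            "loose_file_rejected": rejected,
            "loose_file_intact": os.path.exists(loose),
        }


if __name__ == "__main__":
    print(demo())
```

The owner and mode checks are what make this safer than instance metadata: a world-readable file would reproduce point 1 above (every process can read the keys), so the loader refuses it rather than quietly proceeding. It does not solve the rotation problem the comment mentions; the keys loaded this way are long-lived until someone rotates them.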
If anyone is interested in learning more - I'm giving a quick lunch & learn talk at noon Wednesday, July 27th, at the AWS Pop-Up loft in San Francisco. Check out more details here: <a href="https://aws.amazon.com/start-ups/loft/sf-loft/" rel="nofollow">https://aws.amazon.com/start-ups/loft/sf-loft/</a>
What's the forensics story (how do you understand after the fact who did what actions) for using IAM roles in this way? To my knowledge, CloudTrail includes only the assumed IAM role in the actual API actions.
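An added example, not part of the thread, showing what an assumed-role CloudTrail record does let you attribute. For an instance profile, STS names the role session after the instance ID, so userIdentity.arn has the form arn:aws:sts::ACCOUNT:assumed-role/ROLE/i-xxxxxxxx; the code below pulls the role and session out of constructed records (sample data, not from any real account), counts activity per session, and flags calls from a source IP that is not the instance's own. The INSTANCE_IPS map and the account, role and instance IDs are all constructed for the example.

```python
import re
from collections import Counter

# Added example; constructed CloudTrail records, not real account data.
ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)

SAMPLE_RECORDS = [
    {"eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0a1b2c3d4e5f60718"}},
    {"eventName": "PutObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0a1b2c3d4e5f60718"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0a1b2c3d4e5f60718"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice-session"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]

# Constructed: the source IP(s) CloudTrail is expected to show for each instance.
INSTANCE_IPS = {"i-0a1b2c3d4e5f60718": {"10.0.1.25"}}


def attribute(record):
    """Return who CloudTrail can attribute the call to. For instance-profile
    sessions that is the instance ID; the process or local user is not recorded."""
    ui = record["userIdentity"]
    if ui.get("type") != "AssumedRole":
        return {"principal": ui.get("arn"), "role": None, "session": None,
                "origin": ui.get("type")}
    m = ASSUMED_ROLE_ARN.match(ui["arn"])
    if not m:
        raise ValueError(f"unexpected assumed-role ARN: {ui['arn']}")
    session = m["session"]
    origin = "ec2-instance" if session.startswith("i-") else "named-session"
    return {"principal": ui["arn"], "role": m["role"], "session": session,
            "origin": origin}


def activity_by_session(records):
    """Count API calls per (role, session) pair."""
    counts = Counter()
    for r in records:
        a = attribute(r)
        counts[(a["role"], a["session"])] += 1
    return counts


def find_offbox_use(records, instance_ips):
    """Flag instance-profile sessions used from an IP the instance does not
    own: the signature of credentials copied off the box (as in point 1 above)."""
    hits = []
    for r in records:
        a = attribute(r)
        if a["origin"] != "ec2-instance":
            continue
        if r["sourceIPAddress"] not in instance_ips.get(a["session"], set()):
            hits.append((a["session"], r["eventName"], r["sourceIPAddress"]))
    return hits


if __name__ == "__main__":
    for key, n in activity_by_session(SAMPLE_RECORDS).items():
        print(key, n)
    print(find_offbox_use(SAMPLE_RECORDS, INSTANCE_IPS))
```

The expected-IP map has to match what CloudTrail actually records for the instance: the public or NAT address when calls go out to a public AWS endpoint, the private address when they go through a VPC endpoint. Attribution below the instance level (which process or login session used the role) is not in the record, which is the gap the question points at; host-side logging is the only place that information exists.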