AWS Security Blog

New in AWS Elastic Beanstalk: Support for Federation and Instance Profiles

In September, the AWS Elastic Beanstalk team announced two new features that involve roles: support for federation and support for instance profiles.

Support for federated users means that people in your organization can sign in to the AWS Management Console and manage Elastic Beanstalk using their own credentials, without needing an IAM user identity. You define permissions for federated users using an IAM role. In the following screenshot, you can see that Elastic Beanstalk is now enabled for a federated user who is accessing the AWS Management Console via a role:

[Screenshot: Elastic Beanstalk enabled for a federated user accessing the AWS Management Console via a role]

You can enable single sign-on (SSO) for the AWS Management Console using a SAML identity provider or a custom proxy service.

Elastic Beanstalk also now supports instance profiles that let you specify an IAM role for your Elastic Beanstalk applications. Instead of passing credentials to an application (or embedding them), you can create an IAM role that defines just the permissions that your application needs for access to AWS, such as access to Amazon S3, RDS, or DynamoDB. When your application runs, it can get temporary AWS credentials that have the permissions that are defined in the role, and then use those temporary credentials to access AWS. Using a role in this way can be more secure than passing credentials in some other way, and you also don’t need to worry about rotating credentials.
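The following is an added example, not code from this post or from AWS: a small pre-deployment review of the two policy documents behind an instance-profile role, checking that only the EC2 service can assume the role and that the permissions name specific actions and resources. The sample policies and the bucket name are constructed, and the strictness of the checks (any wildcard in an action is rejected) is an assumption of this example.

```python
# Constructed sample policies; the bucket name is a placeholder.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::EXAMPLE-APP-BUCKET/uploads/*"}]}

BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def review_trust(doc):
    """Flag Allow statements that let anything but EC2 assume the role."""
    findings = []
    for i, st in enumerate(as_list(doc["Statement"])):
        principal = st.get("Principal")
        ok = (isinstance(principal, dict) and set(principal) == {"Service"}
              and as_list(principal["Service"]) == ["ec2.amazonaws.com"])
        if st.get("Effect") == "Allow" and not ok:
            findings.append(f"trust[{i}]: {principal!r} is not the EC2 service alone")
    return findings

def review_permissions(doc):
    """Flag Allow statements wider than named actions on named resources."""
    findings = []
    for i, st in enumerate(as_list(doc["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"perm[{i}]: NotAction/NotResource allows everything unlisted")
        for action in as_list(st.get("Action", [])):
            if "*" in action:  # strict: also rejects prefixes such as s3:Get*
                findings.append(f"perm[{i}]: wildcard action {action!r}")
        if "*" in as_list(st.get("Resource", [])):
            findings.append(f"perm[{i}]: applies to every resource")
    return findings

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, review_trust(TRUST) + review_permissions(doc))
```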

These new features help make Elastic Beanstalk both more flexible and more secure. If you use Elastic Beanstalk, we urge you to investigate these improvements. You can learn more in the Elastic Beanstalk documentation topic "Using IAM Roles with AWS Elastic Beanstalk".

-Jeff