How twtech installs the aws-cli utility and verifies its version on an Ubuntu system.
sudo snap install aws-cli --classic
twtech users never enter AWS access keys on an instance in the cloud, for several critical reasons.
1. Security Risk: Keys Can Be Stolen
If access keys are stored in plain text (e.g., environment variables, config files, or scripts on an EC2 instance), anyone with access to that instance can steal them, including:
· Malicious insiders
· Attackers exploiting a vulnerability
· Malware injected via insecure software
IAM user access keys never expire on their own, so once copied they can be used from anywhere outside your environment to wreak havoc until you rotate them.
2. Hard to Track and Rotate
Manually entered access keys:
· Are difficult to audit and manage.
· Make rotation a nightmare: if keys leak or need changing, you have to hunt down every instance manually.
· Work against the principle of least privilege and against automation.
3. Better Alternatives Exist: Use IAM Roles
The best practice is to assign IAM roles to the compute resources (e.g., EC2, Lambda, ECS). Benefits:
· Temporary credentials are issued for the role and delivered to the instance through the Instance Metadata Service (IMDS); the AWS CLI and SDKs read them from there automatically, so nothing is written to disk.
· No manual handling of keys.
· Automatic rotation and fine-grained permissions.
Reading the role name from the instance (the first call lists the role; append the name to the URL to see the short-lived AccessKeyId, SecretAccessKey, Token and Expiration). Use IMDSv2, which needs a session token first; the token-less IMDSv1 GET is what SSRF attacks abuse to steal role credentials, so require IMDSv2 on your instances:
# bash
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
Note that anyone who gets code execution on the instance can still use the role's credentials, which is exactly why the role must carry only the permissions the workload needs.
4. Violates Compliance and Policy Standards
Manually entering keys often violates:
· Company security policies
· Industry compliance standards (such as SOC 2, ISO 27001, HIPAA)
· AWS Well-Architected Framework guidelines
5. Risk of Accidental Exposure
Keys entered on instances are often:
· Committed to Git repos by mistake
· Logged in shell history or debug logs
· Left lying around in user profiles
Once a key is exposed, assume it is compromised: deactivate it in IAM immediately and check CloudTrail for what it was used for. Otherwise it's game over for your AWS account.
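The places listed above are where a pasted key ends up, and they are also where to look for one. The script below is an added example and not part of the twtech post: it scans a directory tree for lines that look like a hard-coded IAM access key (AKIA followed by 16 upper-case alphanumerics) or a secret-key assignment, and it builds a constructed sample tree for demonstration. The AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI... values are AWS's documented placeholder keys, used only as sample input.

```shell
#!/bin/sh
# Added example (not twtech's code): find long-lived AWS keys pasted onto an instance in
# shell history, CLI config, .env files or scripts. Sample values are AWS's documented
# placeholder keys, constructed here as test input; nothing real is touched.

# Print file:line:text for every line that looks like a hard-coded access key or secret.
# An IAM user access key ID always has the shape AKIA + 16 upper-case alphanumerics.
scan_for_aws_keys() {
  grep -rInE \
    -e 'AKIA[0-9A-Z]{16}' \
    -e 'aws_secret_access_key[[:space:]]*=' \
    -e 'AWS_SECRET_ACCESS_KEY=' \
    --exclude-dir=.git "$1" 2>/dev/null
}

# Number of matching lines (0 on a clean host), so the result is easy to script against.
count_aws_key_findings() {
  scan_for_aws_keys "$1" | wc -l | tr -d ' '
}

# Keys exported into the current session are just as exposed: they leak into child
# processes, crash dumps and debug logs. Returns 0 if any are set.
env_has_aws_keys() {
  env | grep -Eq '^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)='
}

# Constructed sample tree mimicking what a careless operator leaves behind.
make_sample_tree() {
  mkdir -p "$1/.aws" "$1/app"
  printf 'ls -la\naws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE\n' > "$1/.bash_history"
  printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' > "$1/.aws/credentials"
  printf 'export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' > "$1/app/.env"
  printf '#!/bin/sh\naws s3 ls\n' > "$1/app/deploy.sh"   # clean: relies on the instance role
}

# Usage: sh scan_keys.sh /home/ubuntu   (exit status 1 means something was found)
if [ $# -gt 0 ]; then
  scan_for_aws_keys "$1"
  n=$(count_aws_key_findings "$1")
  echo "findings: $n"
  [ "$n" = "0" ]
fi
```

Run it against each user's home directory and your deployment tree on the instance; on the constructed sample tree it reports four hits (the history line, both lines in .aws/credentials, and the .env export) and none for the script that relies on the role.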
twtech users: Do This Instead
· Use IAM roles with least privilege attached to your EC2/Lambda/ECS.
· Use AWS Systems Manager Parameter Store or Secrets Manager for sensitive data.
· For local dev, use the AWS CLI with aws configure and scoped permissions (better still, aws configure sso, so that only short-lived credentials from your identity provider ever sit on a laptop).
NB:
The terminal must have the awscli utility installed and its version verified; it is needed to make API calls to AWS.
Again, twtech users never add AWS credentials (access keys) to the terminal of a cloud instance.
Below, twtech verifies that the role created and attached to the instance grants only the permissions that the user (twtech-pat) needs, i.e. the principle of least privilege (PoLP).
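The following script is an added example, not twtech's own commands: it puts the "Do This Instead" advice and the PoLP check into one procedure. It creates a role that only the EC2 service can assume, gives it read access to a single bucket, attaches it to an instance, requires IMDSv2, and then verifies least privilege both from the control plane (IAM policy simulation) and from inside the instance (an allowed call and a dry-run of an out-of-scope call). The role name twtech-ec2-role, bucket twtech-example-bucket and instance ID i-0123456789abcdef0 are placeholders I assumed; override them through the environment variables.

```shell
#!/bin/sh
# Added example (not twtech's code). Assumed placeholders: ROLE_NAME, BUCKET, INSTANCE_ID.
set -eu

ROLE_NAME=${ROLE_NAME:-twtech-ec2-role}
BUCKET=${BUCKET:-twtech-example-bucket}
INSTANCE_ID=${INSTANCE_ID:-i-0123456789abcdef0}

# Trust policy: only the EC2 service may assume this role, never an IAM user.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy for one bucket: list it and read its objects, nothing else.
least_privilege_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::${1}"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],  "Resource": "arn:aws:s3:::${1}/*"}
  ]
}
EOF
}

# Local lint before anything touches AWS: a least-privilege policy never has "*" as an Action.
policy_has_wildcard_action() {
  printf '%s' "$1" | grep -Eq '"Action"[[:space:]]*:[[:space:]]*(\[[[:space:]]*)?"\*"'
}

create_role_and_attach() {
  if policy_has_wildcard_action "$(least_privilege_policy "$BUCKET")"; then
    echo "refusing to create a role with Action \"*\"" >&2; return 1
  fi
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "${ROLE_NAME}-s3-read" \
    --policy-document "$(least_privilege_policy "$BUCKET")"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  sleep 10   # instance profiles take a few seconds to propagate before EC2 can see them
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" --iam-instance-profile "Name=$ROLE_NAME"
  # Require IMDSv2 so the role's credentials cannot be read through a plain-GET SSRF.
  aws ec2 modify-instance-metadata-options --instance-id "$INSTANCE_ID" --http-tokens required --http-endpoint enabled
}

# PoLP check from your workstation: the intended action must be allowed, the others implicitly denied.
verify_least_privilege() {
  role_arn=$(aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text)
  aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
    --action-names s3:GetObject ec2:TerminateInstances iam:CreateUser \
    --resource-arns "arn:aws:s3:::${BUCKET}/config.json" \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output table
}

# PoLP check from inside the instance: the CLI finds the role via IMDS, no keys on disk needed.
verify_on_instance() {
  aws sts get-caller-identity --query Arn --output text   # expect ...:assumed-role/<ROLE_NAME>/<instance id>
  aws s3 ls "s3://${BUCKET}/"                             # in scope: must succeed
  # --dry-run only asks IAM whether the call would be allowed; nothing is terminated.
  if aws ec2 terminate-instances --dry-run --instance-ids "$INSTANCE_ID" 2>&1 | grep -q UnauthorizedOperation; then
    echo "out-of-scope action denied as expected"
  else
    echo "PoLP FAILED: this role can terminate instances" >&2
  fi
}

case "${1:-}" in
  create)      create_role_and_attach ;;
  verify)      verify_least_privilege ;;
  on-instance) verify_on_instance ;;
esac
```

Run `create` and `verify` from an administrator workstation (they need IAM and EC2 permissions), then `on-instance` from a shell on the instance itself. In the simulation output only s3:GetObject should show `allowed`; ec2:TerminateInstances and iam:CreateUser should show `implicitDeny`. If the dry-run on the instance reports anything other than UnauthorizedOperation, the role is wider than it should be.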