Building Least-Privilege Architectures with Kiro Assistance
Source: Dev.to
I was wondering whether I could create a simple example of a stack that applies the principle of least privilege on AWS, and as I was thinking about a simple, practical example, what could be better than using Kiro? But wait a moment, what is Kiro? Good question! Kiro is an AI-powered assistant developed by AWS that is designed to help you reason about your cloud architectures while you build them. Instead of just writing code and hoping for the best, Kiro works alongside you, helping you understand what you're doing, why you're doing it, and whether it actually makes sense from a best-practices perspective. You can ask Kiro questions about IAM policies, CloudFormation templates, security decisions, or even architectural trade-offs, and it will guide you with explanations, suggestions, and improvements. Think of it as a knowledgeable AWS companion that helps you move faster while avoiding common mistakes.

And what could be an easy example? Well, I think that for a beginner it is beneficial to practice with the most used and best-known services, like S3, IAM and EC2. These are powerful and usually among the first services we learn to use in the AWS ecosystem. The objective of this practice is to build an EC2 Node.js (Express) application that:

- Reads a configuration file from S3 at startup.
- Writes application logs to a specific S3 prefix.
- Uses an IAM role designed with least privilege from the beginning, assisted by AWS Kiro.

With the following high-level architecture:

- EC2 Instance
  - Runs Node.js + Express
  - Uses an IAM Instance Profile
- IAM Role
  - Attached to EC2
  - Scoped S3 permissions
- S3 Bucket
  - config/app-config.json → read-only
  - logs/ → write-only
- CloudFormation Stack
  - Defines all infrastructure

Without further ado, let's start! First of all, I decided to use the Kiro IDE, so let's download and install it. As I'm currently using a Windows system, I'll also need to install the AWS CLI for Windows; please follow the instructions on that page for your own OS. After the installation process, I started to build the first prompt. Here you can use Kiro or another model of your choice.
After thinking about and discussing the best prompt to start this project, and instead of starting with a permissive IAM role, we asked AWS Kiro to generate the CloudFormation template directly from the application's security requirements. Here is the first prompt that I sent to AWS Kiro:

You are helping me design infrastructure using AWS CloudFormation.

I am building an EC2-based Node.js (Express) application with the following behavior:

- The application runs on a single EC2 instance
- It reads a configuration file from Amazon S3 at startup:
  - Bucket: one application-specific bucket
  - Object key: config/app-config.json
- It writes application logs to the same S3 bucket under: logs/

Security requirements:

- The EC2 instance must use an IAM role (no static credentials)
- IAM permissions must follow the principle of least privilege
- Do NOT use wildcard actions (e.g., s3:*)
- Do NOT use wildcard resources (*)
- Grant only the exact permissions required for the described behavior

Infrastructure requirements:

- Use AWS CloudFormation (YAML)
- Define:
  - An S3 bucket for application data
  - An IAM role and instance profile for EC2
  - An IAM policy attached to the role with least-privilege S3 access
  - An EC2 instance
- The template should be clear, readable, and suitable for a security-focused article
- Explain the purpose of each IAM permission you include
- Comment on why broader permissions are not required
- Avoid adding any unnecessary AWS services or permissions

After that, Kiro started to think and write a lot of code! Some files were the .yaml for the stack creation and others were documentation (DEPLOYMENT.md). As expected, here you can see that all the requested files were created with the requested configuration. Also, Kiro created this policy as restrictive as possible, allowing the EC2 instance to do only the following:

- Only read the resource 'arn:aws:s3:::${ApplicationBucket}/config/app-config.json'.
- Only write log files under the logs/ prefix, i.e. 'arn:aws:s3:::${ApplicationBucket}/logs/*'.
- Only list objects under the logs/ prefix, i.e. 'arn:aws:s3:::${ApplicationBucket}/logs/*'.

And here Kiro creates an IAM Role resource named NodeJsAppRole, whose trust policy allows only EC2 instances to assume it, and then attaches the newly created role to an Instance Profile, so our EC2 instance will be able to use it. Doing so, Kiro ensured the least-privilege architecture that we are creating.

Important notes about my experience with Kiro:

- Kiro is fast and writes A LOT of code, so have some patience and try to read the majority of the text created for you. It will be worth it!
- In my case, Kiro created a file named "DEPLOYMENT.md". This file had the process to deploy this stack; it had some placeholder values, so I had to read, find and change them to ensure that the deployment commands worked right.
- Kiro didn't know the correct AMI number, so I had to find the correct EC2 Image Id (AMI number) required for this deployment.
- Whenever you ask Kiro to troubleshoot an issue, you'll see a lot of commands trying to run. First read the command and then allow it to run; you don't want to run a crazy command hahaha!
- When troubleshooting, if Kiro is stuck it'll ask you if you want to stop that iteration, and you'll have to input more information about the issue so it'll try another way to fix it.
- Kiro and you can work together, so don't hesitate to log in to your AWS console, find the logs and share them with Kiro. With these logs, Kiro has more information about the issue that you are facing.

After debugging and fixing the code with Kiro's help, we were finally able to create the stack!! 🥳 As you can see in this image, the CloudFormation resources are now created! So, let's test this deployment! For that you could use the "curl" command on the terminal or open the web browser and go to "http://PUBLIC_IP:3000/health", where "PUBLIC_IP" is the EC2 public IP. You'll only see the message "healthy" returned in JSON format, as you can see in this screenshot. Behind the scenes, the EC2 instance writes a log of its own status to the specified S3 prefix. Remember that this EC2 instance has a very tight IAM role attached to its instance profile, so it is able to interact with S3 only under our previously described permissions!
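To make the role's contract concrete, here is an added example (my own code, not from the article and not Kiro's generated template) that models the three permissions the article lists for the role as an IAM policy document, lints it against the prompt's two rules (no wildcard actions, no wildcard resources), and gates application calls through it so the config-read and health-check-log flow described above can be exercised offline. The bucket name, the log key format `logs/app-YYYY-MM-DD.json` and the in-memory `PolicyEnforcingS3` stand-in for the S3 client are assumptions. One deliberate difference from the article's list: `s3:ListBucket` is an operation on the bucket itself, so IAM evaluates it against the bucket ARN, and the statement narrows it to `logs/` with an `s3:prefix` condition rather than an object ARN.

```javascript
// Added example, not code from the article or from Kiro's generated template.
// It models the instance role's least-privilege policy and checks application
// calls against it with a constructed in-memory S3 stand-in, so the flow can
// run offline. Bucket name and log key format are assumptions.

const BUCKET = 'example-app-bucket'; // assumed bucket name (the stack's is a CloudFormation ref)

// The three permissions the article describes for the role, and nothing else.
// ListBucket acts on the bucket ARN, so it is narrowed with an s3:prefix condition.
const POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['s3:GetObject'],
      Resource: [`arn:aws:s3:::${BUCKET}/config/app-config.json`] },
    { Effect: 'Allow', Action: ['s3:PutObject'],
      Resource: [`arn:aws:s3:::${BUCKET}/logs/*`] },
    { Effect: 'Allow', Action: ['s3:ListBucket'],
      Resource: [`arn:aws:s3:::${BUCKET}`],
      Condition: { StringLike: { 's3:prefix': ['logs/*'] } } },
  ],
};

// The two rules from the prompt: no wildcard actions, no bare-wildcard resources.
function lintPolicy(policy) {
  const problems = [];
  for (const st of policy.Statement) {
    for (const a of st.Action) if (a.includes('*')) problems.push(`wildcard action ${a}`);
    for (const r of st.Resource) if (r === '*') problems.push('wildcard resource *');
  }
  return problems;
}

// IAM-style glob: '*' matches any run of characters; everything else is literal.
function globMatch(pattern, value) {
  const parts = pattern.split('*').map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(`^${parts.join('.*')}$`).test(value);
}

// Only the StringLike operator is modelled, since that is all POLICY uses.
function conditionHolds(condition, ctx) {
  if (!condition) return true;
  return Object.entries(condition.StringLike || {}).every(
    ([key, patterns]) => key in ctx && patterns.some((p) => globMatch(p, ctx[key])),
  );
}

// Simplified evaluation: allowed iff some Allow statement matches action, resource
// and condition. Real IAM also processes Deny statements, NotAction, and so on.
function isAllowed(policy, action, resourceArn, ctx = {}) {
  return policy.Statement.some(
    (st) => st.Effect === 'Allow'
      && st.Action.some((a) => globMatch(a, action))
      && st.Resource.some((r) => globMatch(r, resourceArn))
      && conditionHolds(st.Condition, ctx),
  );
}

// Constructed stand-in for the S3 client: every call is gated by the policy,
// so the application code below sees exactly what the instance role would see.
class PolicyEnforcingS3 {
  constructor(policy, objects = {}) { this.policy = policy; this.objects = { ...objects }; }
  getObject(key) {
    this.check('s3:GetObject', `arn:aws:s3:::${BUCKET}/${key}`);
    if (!(key in this.objects)) throw new Error(`NoSuchKey: ${key}`);
    return this.objects[key];
  }
  putObject(key, body) {
    this.check('s3:PutObject', `arn:aws:s3:::${BUCKET}/${key}`);
    this.objects[key] = body;
  }
  listObjects(prefix) {
    this.check('s3:ListBucket', `arn:aws:s3:::${BUCKET}`, { 's3:prefix': prefix });
    return Object.keys(this.objects).filter((k) => k.startsWith(prefix)).sort();
  }
  check(action, arn, ctx) {
    if (!isAllowed(this.policy, action, arn, ctx)) throw new Error(`AccessDenied: ${action} on ${arn}`);
  }
}

// Application side: read the config object once at startup ...
function loadConfig(s3) {
  return JSON.parse(s3.getObject('config/app-config.json'));
}

// ... and on each health check write a dated status record under logs/.
// The role cannot GetObject under logs/, so the handler writes a whole object
// rather than reading and appending: least privilege shapes the app design.
function logKeyFor(date) {
  return `logs/app-${date.toISOString().slice(0, 10)}.json`; // assumed key format
}

function healthCheck(s3, now = new Date()) {
  const record = { status: 'healthy', timestamp: now.toISOString() };
  s3.putObject(logKeyFor(now), JSON.stringify(record));
  return record;
}

// Express wiring would be: app.get('/health', (req, res) => res.json(healthCheck(s3)));
```

Run it against the stand-in and the denials show the boundary the role draws: the app can read its config and write under `logs/`, but reading a log object back, overwriting the config, or listing `config/` all fail with AccessDenied, which is exactly what the instance would see from real S3 under this policy.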
The EC2 instance then created a new file with the prefix "app-" and the year, month and day of its creation. If you download the file, you'll see the timestamp of the health check performed by the EC2 instance, which finalizes this test process. As you saw during this entire process, Kiro is able to create a new stack, with a simple EC2 instance that interacts with S3, while ensuring a least-privilege architecture in a user-friendly way. It's important to note that this experiment used only 11.22 of the 500 bonus credits that I received as a new Kiro user! I hope this article was interesting and useful for you and inspired you to build your own project or stack with the support of this new friend named Kiro! 🤓 Thanks for reading, and stay tuned for upcoming articles 📚
Bye! 👋