Mastering AWS with 7.0: A Dive into New Modules for Enhanced Security and Seamless Migrations

December 13, 2023 by Alina Buzachis

As the technology landscape continues to evolve, the latest release of the Red Hat Ansible Certified Content Collection for introduces a suite of powerful modules that redefine the boundaries of automation within Amazon Web Services (AWS) while redefining how organizations approach security deployments and seamless migrations within the AWS ecosystem.

In our previous blog post, "What's New: Cloud Automation with 7.0.0," we presented the latest release, outlining the changes, new features and newly supported modules. In this blog post, we embark on an exploration of two interesting use cases that highlight the capabilities of these new Ansible-supported modules included in the 7.0 release. Let’s dive into it!

Looking to get started with Ansible for Amazon Web Services?  


Use Case #1: Implementing Security Best Practices and Access Control for AWS Resources

Security in AWS is more critical than ever before, and the collection for AWS, 7.0, is up to the challenge with a host of new Identity and Access Management (IAM) modules. Discover the blueprint for a resilient security posture as we delve into 7.0's IAM modules, showcasing how organizations can implement robust security practices and  control access to safeguard their AWS resources.

This use case focuses on leveraging the following new modules:




Lists S3 buckets and details about those buckets.


Manages AWS IAM User access keys.


Gathers information about AWS IAM User access keys.


Manages AWS IAM groups.


Manages User Managed IAM policies.


Updates an IAM Password Policy.


Manages AWS IAM roles.


Gathers information on IAM roles.


Assumes a role using AWS Security Token Service and obtain temporary credentials.


Obtains information about Aurora global database clusters

By combining these modules, organizations can implement security best practices and fine tune access control, enabling a robust defense against evolving threats. Let’s learn about each module's role in crafting a comprehensive security strategy for your AWS resources.

Let’s assume your organization has an AWS environment where a development team needs secure access to AWS resources to build and test applications. You may want to set up an access control and security configuration for the members of the development team, so that they have controlled access to AWS resources and follow best security practices. 

In this scenario, the main stakeholders are the:

  • AWS Account Administrator: Responsible for configuring and managing AWS resources and security.
  • Development Team: Consisting of developers, engineers, and related personnel who need access to AWS resources.

Let's break down an Ansible Playbook into several steps and see how each one can assist in automating and streamlining the use case scenario described above. 

Use case implementation steps:

  1. User and Group Setup:
    1. Create two IAM users, “DevUser1” and “DevUser2”, representing individual developers in the team who need access to AWS.
    2. Create an IAM group named "Developers". This group allows for streamlined permission management for all developers. Add both “DevUser1” and “DevUser2” to the “Developers" group, ensuring that they inherit the group permissions. This allows for easier permission management for the team.
      - name: Implementing Security Best Practices and Access Control for AWS Resources
        hosts: localhost
         user_1: "DevUser1"
         user_2: "DevUser2"
         group_name: "Developers"
         managed_policy_name: "DeveloperPolicy"
         role_name: "CustomRole"
         cluster_name: "example-rds-cluster"
         bucket_name: "example-bucket"
         - name: Get ARN of calling user
           register: aws_caller_info
         - name: Set AWS account id
             aws_account: "{{ aws_caller_info.account }}"
         - name: Create IAM Users
             name: "{{ item }}"
             state: present
             - "{{ user_1 }}"
             - "{{ user_2 }}"
         - name: Create IAM Group and add users to it
             name: "{{ }}"
             users: "{{ item.members }}"
             state: present
             - { name: "{{ group_name }}", members: ["{{ user_1 }}","{{ user_2 }}"] }
  2. Managed Policy Creation:
    1. Create a custom IAM managed policy, "DeveloperPolicy", which contains the necessary permissions for the developers. This policy may include permissions for read-only access to various AWS resources, such as S3 buckets for storing application data, RDS and EC2 instances for hosting applications.
       - name: Create IAM Managed Policy
           name: "{{ managed_policy_name }}"
           policy: "{{ lookup('file', 'managed_policy_update.json') }}"
           state: present
  3. IAM Password Policy:
    1. Establish a strict IAM password policy that enforces password requirements, including length, complexity, and expiration. This helps all IAM user passwords adhere to security best practices.
       - name: Configure IAM Password Policy
           min_pw_length: 12
           require_symbols: true
           require_numbers: true
           require_uppercase: true
           require_lowercase_characters: true
           require_lowercase: true
           pw_max_age: 90
           pw_reuse_prevent: 3
           allow_pw_change: true
  4. Access Key Management:
    1. Create access keys for “DevUser1” and “DevUser2”. These access keys can be used for programmatic access to AWS services like the AWS CLI or SDKs.
       - name: Create IAM Access Keys
           user_name: "{{ item }}"
           state: present
           no_log: true
           - "{{ user_1 }}"
           - "{{ user_2 }}"
       - name: Fetch access keys for {{ user_1 }}
           user_name: "{{ user_1 }}"
  5. IAM Role for Cross-Account Access:
    1. Create an IAM role named "CustomRole" that allows both “DevUser1” and “DevUser2” to assume the role. This role can be used when there's a need to grant temporary access to other AWS accounts or resources.
    2. Attach the "DeveloperPolicy" to the "CustomRole" so that developers have the necessary permissions when they assume the role.
       - name: Create IAM Role
           name: "{{ role_name }}"
           assume_role_policy_document: |
         "Version": "2012-10-17",
                "Statement": [
                     "Effect": "Allow",
                     "Principal": {
                     "AWS": [
                       "arn:aws:iam::{{ aws_account }}:user/{{ user_1 }}",
                       "arn:aws:iam::{{ aws_account }}:user/{{ user_2 }}"
                  "Action": "sts:AssumeRole"
           state: present
       - name: Attach Managed Policy to {{ role_name }}
           name: "{{ role_name }}"
             - "{{ managed_policy_name }}"
           state: present
       - name: Gather information about the IAM role
           name: "{{ role_name }}"
         register: _result_iam_role_info
  6. Validation and Testing:
    1. Use the playbook to assume the "CustomRole",  resulting in the issuance of temporary security credentials. These temporary credentials allow developers to access AWS resources with the specified permissions for the duration of their session.
       - name: Assume role
           role_arn: "{{ _result_iam_role_info.iam_role.arn }}"
           role_session_name: DevUser1Session
         register: _result_assumed_role
       - name: Set AWS temporary credentials 
           access_key: "{{ _result_assumed_role.sts_creds.access_key }}"
           secret_key: "{{ _result_assumed_role.sts_creds.secret_key }}"
           session_token: "{{ _result_assumed_role.sts_creds.session_token }}"
       - name: Gather information about an S3 bucket
           access_key: "{{ access_key }}"
           secret_key: "{{ secret_key }}"
           session_token: "{{ session_token }}"
           name: "{{ bucket_name }}"
       - name: Get info on a specific DB cluster
           global_cluster_identifier: "{{ cluster_name }}"


  • Secure and Controlled Access: The setup gives developers access to AWS resources while adhering to security best practices, reducing the risk of unauthorized actions.
  • Password Policy Compliance: The IAM password policy enforces strong password requirements, enhancing account security.
  • Role-Based Access: The "CustomRole" enables developers to assume a role when temporary elevated permissions are needed, facilitating secure cross-account access.
  • Permission Management: Grouping developers in the "Developers" IAM group simplifies permission management, allowing for consistent access controls.
  • Auditability: All access and actions can be audited and monitored to maintain security and compliance.


Use Case #2: Migrating On-Premises Virtual Machines to AWS

The second leg of our journey delves into the world of seamless migrations, spotlighting Ansible's two new modules. 




Manages AWS EC2 import image tasks.


Gathers information about importing virtual machine tasks.

The intricate process of migrating on-premises virtual machines to AWS demands precision and efficiency. The 7.0 collection empowers organizations with two new modules to orchestrate this migration seamlessly. Learn how these modules simplify the migration journey, providing organizations with the flexibility and scalability inherent in the AWS cloud. We uncover the nuances of utilizing these modules to import images, enabling a smooth transition that preserves both data integrity and operational continuity. 

Suppose you have a number of virtual machines (VMs) running on your on-premises infrastructure or  another cloud platform, and you want to migrate them to AWS. The module is used to automate the process of importing an existing VM image into AWS as an Amazon Machine Image (AMI). This can be useful in various scenarios, such as migration, disaster recovery, or simply for creating custom AMIs from VMs running on other platforms. Here's a playbook showing how the and modules can be used to import an existing VM image as an AMI:

- name: Import VM image to AWS
  hosts: localhost
   - name: Import VM image
       task_name: "clone-vm-import-image"
         - format: raw
              s3_bucket: "clone-vm-s3-bucket"
              s3_key: "clone-vm-s3-bucket/ubuntu-vm-clone.raw"
       state: present

   - name: Check status of the EC2 import image task
         - Name: "tag:Name"
           Values: ["clone-vm-import-image"]
         - Name: "task-state"
           Values: ["completed", "active"]

Once the image import is complete, you can use the imported AMI to launch new EC2 instances, effectively replicating VMs that were running on the on-premise infrastructure or  another cloud platform.


Where to go next

  • Red Hat Summit and AnsibleFest 2023 - if you missed out on this event, check out sessions available online and make sure to register for AnsibleFest 2024!
  • Self-paced exercises - We have interactive, in-browser exercises to learn and dive into Ansible Automation Platform.
  • Trial subscription - Are you ready to install Ansible Automation Platform? Get your own trial subscription for unlimited access to all the components of Ansible Automation Platform.



AWS, Cloud Automation, Ansible content collections


Alina Buzachis

Alina Buzachis, PhD, is a Senior Software Engineer at Red Hat Ansible, where she works primarily on cloud technologies. Alina received her PhD in Distributed Systems in 2021, focusing on advanced microservice orchestration techniques in the Cloud-to-Thing continuum. In her spare time, Alina enjoys traveling, hiking, and cooking.

rss-icon  RSS Feed