Finish half IAM note
JiaweiZhuang committed Mar 13, 2018
1 parent 508839e commit 4e6bed1
Showing 3 changed files with 39 additions and 0 deletions.
2 changes: 2 additions & 0 deletions doc/source/chapter01_overview/external-resources.rst
@@ -22,6 +22,8 @@ The book is `free available online <https://cloud4scieng.org/chapters/>`_.
gives a nice overview of various cloud computing applications in our field.
It doesn't tell you how to actually use the cloud, though.

.. _researcher-handbook-label:

[4] **Researcher’s Handbook by AWS** is the most useful AWS material for you
(as a scientist, not an IT person). You will need to sign-up the
`AWS Research Cloud Program <https://aws.amazon.com/
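Review bot: the new ``researcher-handbook-label`` target is placed in front of an ordinary paragraph rather than a section title, so Sphinx cannot derive link text for it; every ``:ref:`` to it must carry explicit text, as iam-role.rst does with ``:ref:`Researcher’s Handbook <researcher-handbook-label>```. Either keep that convention consistently (a bare ``:ref:`researcher-handbook-label``` will fail to resolve) or move the label above the nearest heading so both forms work. Unrelated to the change but visible in the hunk header context: "free available online" should read "freely available online".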
2 changes: 2 additions & 0 deletions doc/source/chapter02_beginner-tutorial/awscli-config.rst
@@ -114,6 +114,8 @@ Additional notes

It is totally fine to give your EC2 Key Pair to your friend to allow them to log into a your EC2 instances. You can easily create a new EC2 Key Pair to launch another EC2 instance that your friend have no access to. On the other hand, **NEVER** give you Secret Access Key to others. This will allow them to purchase AWS resources on your behalf!

.. _mention-ec2-iam-label:

**2. Simplifying AWSCLI configuration on EC2**

.. note::
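Review bot: the context paragraph just above the new label still tells readers it is "totally fine" to hand their EC2 Key Pair (the private key) to a friend; since this section is being edited, consider rewording it, because a shared private key cannot be revoked per person and the friend's copy outlives the collaboration, whereas appending the friend's own public key to ``~/.ssh/authorized_keys`` on the instance gives the same login and can be removed individually. The same paragraph has three slips: "give you Secret Access Key" should be "your", "log into a your EC2 instances" has a stray "a", and "your friend have no access to" should be "has". The added ``mention-ec2-iam-label`` target sits before a bold paragraph, not a heading, so any ``:ref:`` to it must supply explicit link text (the one in iam-role.rst does).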
35 changes: 35 additions & 0 deletions doc/source/chapter03_advanced-tutorial/iam-role.rst
@@ -1,3 +1,38 @@
Enable S3 access from EC2 by IAM role
=====================================

I've promised you :ref:`in the beginner tutorial <mention-ec2-iam-label>` that you can skip ``aws configure`` before using AWSCLI on EC2. Here is how.

What is Identity and Access Management (IAM)
--------------------------------------------

`Identity and Access Management (IAM) <https://aws.amazon.com/iam/>`_ is a very powerful ultility to **control the permissions** of your AWS resources. More specifically, a "permission" is:

**X is allowed to use Y**

"Y" is generally some AWS resources, like EC2 or S3. In the most common case, "X" can is a specific user. You can create multiple **users** under a single AWS **account** (an "account" is tied to a single credit card); each user can have its unique ID, password, and permissions. This is useful for managing a research group, but not quite useful if you are the only user.

The :ref:`Researcher’s Handbook <researcher-handbook-label>` has very detailed instructions on how to set multiple users (called "IAM users"), so I will not repeat it here. You, the account owner, are also encouraged to create an IAM user for yourself, instead of using the root AWS account to log in (as you've been doing till now). This is again for security reasons. An IAM user will never have access to the billing information and your credit card number, even if that user has the most powerful "AdministratorAccess" which is almost equivalent to root access.

.. note::
Yes, there are just so many "security best practices" on AWS (Key Pairs, security groups, IAM users...), and their benefits are not intuitive to researchers who really just want to get the computing done and publish papers. But please do check out those security stuff when you have time.

To further complicate things, **"X" doesn't have to be a human user, but can also be a AWS resource**. This is what we want to do here -- grant S3 access to our EC2 instances, i.e.

| **"X" = our EC2 instances**
| **"Y" = S3 buckets**
"Y" can also be more detailed as "read-only access to S3" (so, no write access) or even "read-only access to a specific S3 bucket" (so, no access to other buckets). All those possible combinations make the IAM console kind of daunting for beginners. Fortunately, here we only need to enable a simple permission rule, which it is very easy to do.

Grant S3 permission to EC2
--------------------------


Create a new IAM role
^^^^^^^^^^^^^^^^^^^^^



Assign that role to EC2
^^^^^^^^^^^^^^^^^^^^^^^

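Review bot: the statement in the IAM-user paragraph that an IAM user "will never have access to the billing information and your credit card number, even if that user has the most powerful AdministratorAccess" is not correct as written: IAM users are denied the Billing console only by default, and the root user can activate IAM access to billing information in the account settings, after which ``AdministratorAccess`` (which allows every action) covers the billing and payment-method pages too. Suggest saying instead that IAM users are locked out of billing unless the root user explicitly turns that access on, and that the reasons to stop logging in as root are that root cannot be constrained by IAM policy and its credentials should be kept offline behind MFA. Two further points for the text: (1) in "Grant S3 permission to EC2", steer readers to the least privilege the page itself mentions (read-only, ideally scoped to one bucket, i.e. ``s3:ListBucket`` on ``arn:aws:s3:::<bucket>`` and ``s3:GetObject`` on ``arn:aws:s3:::<bucket>/*``) rather than a blanket full-access policy, and say explicitly that a role attached to an instance is usable by every process and login on that instance, which is exactly why ``aws configure`` becomes unnecessary there; (2) the subsections "Create a new IAM role" and "Assign that role to EC2" are empty, consistent with the "half" in the commit message, but an RST comment such as ``.. TODO: fill in`` under each would keep the built page from rendering two bare headings. Typos: "ultility" → "utility", ""X" can is" → ""X" can be", "a AWS resource" → "an AWS resource", "how to set multiple users" → "how to set up multiple users", "which it is very easy to do" → "which is very easy to do"; and an "account" is tied to a payment method and a root e-mail address, not literally to one credit card.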