Securing Your Amazon Web Services Account Using Identity and Access Management



Similar documents
AWS Account Management Guidance

Managing policies. Chapter 7

AWS Directory Service. Simple AD Administration Guide Version 1.0

T his feature is add-on service available to Enterprise accounts.

Managing users. Account sources. Chapter 1

Portal User Guide. Customers. Version 1.1. May of 5

Chapter 9 PUBLIC CLOUD LABORATORY. Sucha Smanchat, PhD. Faculty of Information Technology. King Mongkut s University of Technology North Bangkok

Integrating LANGuardian with Active Directory

Getting Started with AWS. Hosting a Static Website


DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Simple Membership Plugin Setup Documentation

Livezilla How to Install on Shared Hosting By: Jon Manning

Cash Management 5.0 User Guide

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Does the GC have an online document management solution?

Introduction to Google Apps for Business Integration

Instructions for Configuring Your Browser Settings and Online Security FAQ s. ios8 Settings for iphone and ipad app

IBM/Softlayer Object Storage for Offsite Backup

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

securing aws accounts with iam and

Automated CPanel Backup Script. for home directory backup, remote FTP backup and Amazon S3 backup

RCS Liferay Google Analytics Portlet Installation Guide

Getting Started with AWS. Hosting a Static Website

Getting Started. Getting Started with Time Warner Cable Business Class. Voice Manager. A Guide for Administrators and Users

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

UP L18 Enhanced MDM and Updated Protection Hands-On Lab

Velocity Web Services Client 1.0 Installation Guide and Release Notes

User Guide. Version R91. English

Comodo Mobile Device Manager Software Version 3.0

Mobility Manager 9.5. Users Guide

New Online Banking Guide for FIRST time Login

[Identity and Access Management Self-Service Portal]

Kaseya 2. User Guide. Version 6.1

Amazon WorkDocs. Administration Guide Version 1.0

PowerLink for Blackboard Vista and Campus Edition Install Guide

Recommended Browser Setting for MySBU Portal

PaperStream Connect. Setup Guide. Version Copyright Fujitsu

Client Portal Training

How to integrate Verax NMS & APM with Verax Service Desk

MATLAB on EC2 Instructions Guide

LRFP AND PROJECT APPLICATION TRACKING SYSTEM District Administrator Instructions. Accessing the Administrator Section of the Website

UM8000 Voic System Administration Guide

WorldPay Mobile Demonstration

IC L05: Security.cloud Configuring DLP on to your flow & Applying security to your Office 365 or Google Apps deployment Hands-On Lab

Initial DUO 2 Factor Setup, Install, Login and Verification

Manual POLICY PATROL SECURE FILE TRANSFER


SOS SO S O n O lin n e lin e Bac Ba kup cku ck p u USER MANUAL

Defender Token Deployment System Quick Start Guide

Here are the steps to configure Outlook Express for use with Salmar's Zimbra server. Select "Tools" and then "Accounts from the pull down menu.

Generating an Apple Push Notification Service Certificate for use with GO!Enterprise MDM. This guide provides information on...

CruzNet Secure Set-Up Instructions for Windows Vista

Amazon EFS (Preview) User Guide

AVG Business SSO Partner Getting Started Guide

ACH Alert Positive. User Guide Client Security

Configuring user provisioning for Amazon Web Services (Amazon Specific)

The 5 Minute WordPress Setup Guide

Jive Case Escalation for Salesforce

SaaS Encryption Enablement for Customers, Domains and Users Quick Start Guide

FTP, IIS, and Firewall Reference and Troubleshooting

WhatsUp Gold v16.1 Installation and Configuration Guide

BSDI Advanced Fitness & Wellness Software

Sophos Mobile Control Startup guide. Product version: 3

Integrating ConnectWise Service Desk Ticketing with the Cisco OnPlus Portal

JusticeConnect AVL for Windows SETUP GUIDE

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark

SPEECH REPOSITORY 2.0. Registration procedure

Virtual Code Authentication User Guide for Administrators

RoomWizard Synchronization Software Manual Installation Instructions

Business mail 1 MS OUTLOOK CONFIGURATION... 2

Single Sign-On Administrator s Guide

Reference and Troubleshooting: FTP, IIS, and Firewall Information

PassKey Manager. Schoolwires Centricity

Vendor User Accounts managing your NAP User Account

AVG Business SSO Connecting to Active Directory

OneLogin Integration User Guide

NT Authentication Configuration Guide

Password Manager for PC and Android

Sophos Mobile Control Startup guide. Product version: 3.5

How to create an Expense Report through iexpense in the iphone Mobile App

Secure Messaging Server Console... 2

NEW USER REGISTRATION AND VERIFICATION

APNS Certificate generating and installation

Mobile and Text Customer Experience Online Banking Training Guide. i 2015 ChoiceOne Bank

Marcum LLP MFT Guide

Troubleshooting / FAQ

Snow Active Directory Discovery

How To Use Syntheticys User Management On A Pc Or Mac Or Macbook Powerbook (For Mac) On A Computer Or Mac (For Pc Or Pc) On Your Computer Or Ipa (For Ipa) On An Pc Or Ipad

Managing Your Microsoft Windows Server Fleet with AWS Directory Service. May 2015

AWS Service Catalog. User Guide

Store, Edit and Share your files in OneDrive for Business on Web. A. Activate OneDrive for Business (Only for First-time Users)

Multi-Factor Authentication Job Aide

WHM Administrator s Guide

Windows Clients and GoPrint Print Queues

Initial Setup of Microsoft Outlook with Google Apps Sync for Windows 7. Initial Setup of Microsoft Outlook with Google Apps Sync for Windows 7

Windows XP Exchange Client Installation Instructions

QUANTIFY INSTALLATION GUIDE

SpringCM Troubleshooting Guide for Salesforce

Single Sign-On Portal User Reference (Okta Cloud SSO)

Transcription:

Securing Your Amazon Web Services Account Using Identity and Access Management 1

Table of Contents Introduction...3 Setting up your AWS account to use IAM for the first time....3 Activating IAM user access to Billing Information......3 Customizing your AWS Management Console sign in link...4 Creating an Administrative IAM Group....4 Administrator Policy.....5 Creating an Administrative IAM User 5 Logging in as an IAM User.....6 Creating IAM Groups for the rest of your users...6 Power User Policy....7 Billing Policy.. 8 Set Own Password Policy...8 Manage Own Access Keys Policy.....9 Manage Own MFA Policy..10 Creating IAM Users for the rest of your team....11 Other Resources.13 2

Introduction Your application can only ever be as secure as the processes around how you manage access to the environment that it resides in. With Amazon Web Services (AWS), understanding and properly utilizing Identity and Access Management (IAM) is crucial to securing your entire AWS deployment. Setting up your AWS account to use IAM for the first time When you first sign up for your AWS account, root account credentials are automatically created for you. These login credentials allows full access to all resources in the AWS account, and there's no ability to restrict those privileges in any way. Due to the power of this account, it's best to only use it for the initial setup and creation of IAM users, and then lock the credentials away in a safe place for emergency use only. Activating IAM user access to Billing Information As a first step, you may want to grant access to the Billing & Cost Management section to IAM Users. By default, only the root account can access this section. If you enable it for IAM Users, beware that any full access policies you create will then have access to your billing information, including the last four digits of and contact information for your payment card, and the ability to edit or delete payment methods. While you can restrict access to this information using IAM Policies (e.g. see our Power User policy below), if the user has access to the IAM APIs (e.g. see our Administrator policy below), they would be able to modify their own privileges and give themselves access to the Billing & Cost Management section anyway. To enable Billing & Cost Management for IAM Users, login to the AWS Management Console with your root account credentials, and from the account drop down menu in the top right select Billing& CostManagement > AccountSettings, scroll down to the IAMUserAccesstoBilling Informationsection and click Edit. Check the box beside ActivateIAMAccessand click Update (see fig. 1). You should now see a message that IAM user access to billing information is activated. 3

Figure 1. Enabling IAM access to Billing & Cost Management Customizing your AWS Management Console sign in link At this time you may want to customize the sign in link for your AWS Management Console. By default it starts with your 12 digit account ID. You may want something more memorable like your company name (Note: this name is unique across all AWS accounts, so your first choice may not be available). To customize your sign in link, select the IAMlink from the Servicesdrop down menu in the top left (it's nested under both AllAWSServicesand Deployment&Management). At the top of the Dashboardyou will see your current IAM users sign in link, and can click Customizeto the right of it to change it to something more desirable. Creating an Administrative IAM Group The last action you want to take before locking away your root account credentials is to create yourself an IAM User with administrative privileges. We recommend that you never attach policies directly to a user, but always create descriptive groups to attach policies to, and assign users to those groups. This allows you to easily see who has access to what at a glance. In the IAMsection, click on Groups, then the CreateNewGroupbutton. Type a descriptive group name (e.g. "Administrators") and click NextStep. For this group, you can Selectthe AdministratorAccesspolicy from the SelectPolicyTemplatesection provided or, SelectCustom Policyand copy and paste the policy below into the PolicyDocumenttext area and give it a PolicyNamelike "AllowAll" or similar. This is a very basic policy that simply allows access to all 4

resources. Administrator Policy "Version" : "2012 10 17", "Statement" : [ "Sid" : "AllowAll", "Action" : "*", "Resource" : "*" Note: We're using the unique Statement ID (Sid) as a form of comments in our policies. Creating an Administrative IAM User Click on the Usersoption in the left hand menu while in the IAMsection of the AWS Management Console and click on the CreateNewUsersbutton. Enter a username for your new IAM User in a format of your choice (e.g. your company email address). Unfortunately the IAM Create User wizard has the "Generate an access key for each user" option checked by default, which we don't recommend doing. If you want to allow specific users to have access keys, we recommend adding them to a second group that allows them to do so, which we'll cover in a later section. Uncheck this checkbox and click Create. Click on your new user you just created in the Userssection and click AddUsertoGroups. Select the administrative group you just created, and click AddtoGroups. To be able to login as your new IAM User, you'll need to click ManagePasswordunder the Security Credentials >Sign-inCredentialssection. Assign a custom or auto generated password and click Apply. We recommend storing it in a safe password manager (e.g. LastPass). We also recommend enabling Multi Factor Authentication (MFA) (e.g. Google Authenticator) at this time by following the steps in the ManageMFADevicewizard. 5

Logging in as an IAM User The login page for your root account is different than that for your IAM Users. Go to the URL you created in the section Customizing your AWS Management Console sign in link and make sure that your customized account name is listed in the Accountfield, then fill in the UserNameand Passwordyou just created. If you enabled MFA, check the box next to IhaveanMFATokenand enter a code from your MFA device in the MFACodefield and click SignIn. You are now logged in to the AWS Management Console as an IAM User instead of the root account. Creating IAM Groups for the rest of your users Before creating IAM Users for the rest of your team members, you may want to customize your AWS account password policy. In the IAMsection, click on PasswordPolicyin the left hand menu. As well as setting a sufficiently complex policy as to force your users to set and maintain strong passwords, one setting here you may want to check is Allowuserstochangetheirown password. If you don't want all users to be able to set their own passwords, you can leave this unchecked and use a Set Own Password Policy to allow users to set their own passwords on a case by case basis. Figure 2. An example of a strong password policy. 6

Next you'll want to create the IAM Groups required for the new users you'll want to create. Following the steps in the earlier section Creating an Administrative IAM Group we'll create a group for Power Users (which you may choose to use for the majority of your trusted, senior resources) as well as some secondary groups that will be used for augmenting privileges of other primary groups (e.g. granting Billing access to some Power Users, but not others). Power User Policy The following IAM Policy allows users access to everything except the IAMsection (so they can not create or modify users or their privileges) and the Billing&CostManagementsection. "Version" : "2012 10 17", "Statement" : [ "Sid" : "AllowAll", "Action" : "*", "Resource" : "*", "Sid" : "DenyAwsPortalIam", "Effect" : "Deny", "aws portal:*", "iam:*", "Resource" : "*" 7

Billing Policy The following IAM Policy will allow any user access to the Billing&CostManagementsection. If you attach this to a secondary Billing group, you can then assign access to the Billing section on a case by case basis, regardless of the user's other privileges. "Version" : "2012 10 17", "Statement" : [ "Sid" : "AllowViewBilling", "aws portal:viewbilling", "Resource" : [ "*" Set Own Password Policy If you leave the Allowuserstochangetheirownpasswordsetting disabled in the account's Password Policy, you'll need to create a group with the below policy for non Administrators to be able to change their passwords. This is especially important if you create users with the Require usertocreateanewpasswordatnextsign-inoption checked, or have a Password Policy with password expiration enabled. "Version" : "2012 10 17", "Statement" : [ "Sid" : "AllowChangeOwnPassword", "iam:changepassword", "Resource" : [ "arn:aws:iam::account ID WITHOUT HYPHENS:user/$aws:username" 8

, "Sid" : "AllowGetAccountPasswordPolicy", "iam:getaccountpasswordpolicy", "Resource" : [ "*" Manage Own Access Keys Policy If you want to allow specific users to create their own Access Keys, we recommend creating a secondary group for this with the IAM Policy below. "Version" : "2012 10 17", "Statement" : [, "Sid" : "AllowListUsers",, "iam:listusers" "Resource" : [ "arn:aws:iam::account ID WITHOUT HYPHENS:user/*" "Sid" : "AllowListCreateUpdateDeleteOwnAccessKeys", "iam:listaccesskeys", 9

"iam:createaccesskey", "iam:updateaccesskey", "iam:deleteaccesskey", "Resource" : [ "arn:aws:iam::account ID WITHOUT HYPHENS:user/$aws:username" Note: You will have to replace ACCOUNT-ID-WITHOUT-HYPHENSwith your 12 digit AWS account ID in the policy above. Although it can be handy for developers to have Access Keys to use the AWS Command Line Interface (CLI), you should never embed these keys in production code or store them on EC2 instances you should utilize IAM Roles for Amazon EC2 for most purposes. If you need to provide Access Keys to third party services (e.g. to grant access to an S3 bucket) you should create new, separate IAM Users specifically for that purpose, with very restricted IAM Policies, and generate Access Keys (but not passwords) for those users for use on such services. Give these users a descriptive name so you know what purpose they serve. Manage Own MFA Policy The following IAM Policy allows user to manage their own MFA devices through the AWS Management Console. "Version" : "2012 10 17", "Statement" : [ "Sid" : "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices", "iam:*virtualmfadevice", "Resource" : ["arn:aws:iam::account ID WITHOUT HYPHENS:mfa/$aws:username" 10

, "Sid" : "AllowUsersToEnableSyncDisableTheirOwnMFADevices", "iam:deactivatemfadevice", "iam:enablemfadevice", "iam:listmfadevices", "iam:resyncmfadevice", "Resource" : ["arn:aws:iam::account ID WITHOUT HYPHENS:user/$aws:username", "Sid" : "AllowUsersToListVirtualMFADevices", "iam:listvirtualmfadevices", "Resource" : ["arn:aws:iam::account ID WITHOUT HYPHENS:mfa/*", "Sid" : "AllowUsersToListUsersInConsole", "iam:listusers", "Resource" : ["arn:aws:iam::account ID WITHOUT HYPHENS:user/*" Creating IAM Users for the rest of your team Once all your groups and policies are created, you can start creating IAM Users for the rest of your team members. It's good practice to require MFA for your users (although this currently has 11

to be manually enforced), and the Manage Own MFA Policy comes in handy for securely letting users create this on their own before granting them full access to the Management Console. Create a new user and assign them a password, as outlined in Creating an Administrative IAM User, except when creating the password make sure to check the Requireusertocreatea newpasswordatnextsign-inbox and only add them to the "Manage Own MFA" group for starters. Send your team member their user name and password and ask them to reset their passwords and activate an MFA device. Once that's complete and their IAM Users are secured you can then add them to their intended group (e.g. Power Users). You can easily tell which users have MFA devices activated by clicking the settings icon in the top right of the Userssection, and ensuring MFADeviceis checked in the Show/HideColumns dialogs (see fig. 3). Figure 3. Show the MFA Device column. 12

Other Resources 1. AWS Identity and Access Management (IAM) (http://aws.amazon.com/iam/) 2. FAQs for AWS IAM (https://aws.amazon.com/iam/faqs/) 3. TriNimbus Technologies Operational Recommendations (http:///aws solutions/operational recommendations/) 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information