Moving to cloud equals to concerns with security, as it should. You are putting your services up on a bunch of remote datacenters which you have no control of whatsoever. So let’s start securing what we can, like our root credentials first.
For the sake of understanding, let’s pretend you just started using AWS. Go ahead and connect to the management console with your root credentials, a.k.a, the one that has your credit card/ billing information and can do whatever is you wish, and of course, screw you by the end of the month 😉
All right, back to securing the account… find IAM (Identity and Access Management) under Security, Identity & Compliance as in the image below:
You will land to its dashboard which initially will look something like the image below. The first thing here I would is click on “Customize“, so I can get my custom URL to access my account as you can see under “IAM users sign-in link”.
IAM Password Policy
Just like building a house, let’s start from the bottom up… so first thing here is to define and apply a password policy by expanding the last option and clicking on “Manage Password Policy“:
You can define your password policy as your business might require you to, one good configuration would look similar to:
If you scroll down, you can disable regions where you won’t be able to request temporary credentials from. In my case I am more interested in the regions I intend to work with, which are North Virginia, Oregon and São Paulo.
Groups and permissions
Back to the dashboard, now it is time to create groups, for that just expand the “Use groups to assign permissions” box and click on “Manage Groups”.
Just enter the group name you wish and hit “Next Step”. I will create an infrastructure group which will have admin privileges in this example.
Now you can choose from existing policies and customize your group’s privileges. In my case, AdministratorAccess will be enough, as I am creating my own non-root account. This will allow me to use everything I need without having access to finance data.
The last step is a simple review window. If you are happy with your setup, just click on “Create Group” and you are done here.
Go back to the dashboard for the next step.
Create IAM users
Here is where you add users to access your cloud, including your own. Just expand “Create individual IAM users” and click on “Manage Users”.
On the next screen, just click on “Add user”.
Enter the user details. Please note that if you are creating a user account to perform automation or system integration, it is a good idea to change its access type to programmatic, which is not the case for me since I intend to use the management console. Click on “Next step” to proceed.
Here we set the permissions for the user. I will add my user to the group “infrastructure”.
The last page is the review, just like for all the other stuff we’ve been doing. Review your settings and click on “Create user”.
Multi Factor Authentication for root account
Now things will get more interesting, we will add a second layer of security to our root account. At this point I don’t have to tell you to go back to the dashboard, right? Moving on… expand “Activate MFA on your root account” and click on “Manage MFA”.
Spoiler alert: Currently supported MFA virtual devices:
I will use Google Authenticator because google owns me, probably owns you too…
Well, once you’ve clicked on Manage MFA, the next screen would be actually where you pick what device you want to use. I will go with a virtual one, as stated in the above spoiler.
There’s a small disclaimer that can direct you to a link with compatible stuff, which is the spoiler image above. Click on “Next Step”.
Now you have to scan the QR code with your MFA app, in my case Google Authenticator.
Once you scan the QR Code, you will see an image like below and the token will start changing every minute. The above Authentication Code 1 & 2 must be filled with the 2 sequentially generated numbers on your MFA app
Having done so, just click on “Activate Virtual MFA” and if all went well, you should see the message below. Just click on “Finish”.
Delete root access keys
This is a best practice, you should delete your root access key. You will understand why as soon as you expand the “Delete your root access keys” panel and read the disclaimer. Click on “Manage Security Credentials”.
You will be prompted with the following popup, just click on “Continue to Security Credentials”
Here you will see a lot of options and panes you can expand and collapse. Expand the “Access Keys (Access Key ID and Secret Access Key)” panel and you will find your root access key. Click on Delete under “Actions” column.
A prompt will appear so you can confirm the deletion of the Access Key. Click on Yes. (Be sure to be deleting the right access key, if you have already other keys in place).
Once you are back to the dashboard, your settings should appear all green. Looks a lot better, right?
Let’s test it out… the whole point of doing that is to avoid my IT account wouldn’t have privileges to access my finance data… let’s put it to proof.
Connecting to AWS with your IAM User
Now we should test the access. Just browse to the custom URL you have setup up there in the beginning and enter the user id and password created.
Once you are connected… Expand the options and click on “My Billing Dashboard”, which would take you to finance stuff.
If all is setup well, you should receive the error below. Yay…
Now you can start creating different groups and granting different privileges for your technical team while leaving the finance data out of their reach… or kind of… we have limited their access so they can’t see or deal with finance data, but they still can use as much resource as they like in the cloud… which will incur in charges and $$$$.
Stay tuned for the next chapters on how to avoid that. 😉