Excercise 2.1

Shared Responsibility Model

Getting Started

Best Practices for Securing your aws account

AWS recommends several best practices for securing your AWS account:

  1. Require MFA for root-level access.
  2. Do not share root credentials with anyone other than the account holder.
  3. Physically secure root account hardware MFA devices in a safe place, such as a vault.
  4. Create individual IAM users.
  5. ​Use groups to assign permissions to IAM users.
  6. Enable MFA for privileged users.
  7. Use IAM roles for applications that run on Amazon EC2 instances.
  8. Delegate by using IAM roles instead of sharing credentials.
  9. Rotate credentials regularly.
  10. Remove unnecessary credentials.
  11. Use policy conditions for extra security.
  12. Monitor activity on your AWS account. Remove root credentials.
  13. Use access levels to review IAM permissions.
  14. Use AWS-defined policies to assign permissions whenever possible.
  15. Use IAM roles to provide cross-account access.

    Creating user accounts and Groups

    Create User

  16. Go to IAM and click add user
  17. Add a user, called John
  18. For access type, select both Programmatic access and AWS management console
  19. Click Next to add permission
  20. Click add group, call it system-admins and give it admin access Note: Access key id and secret access key are tokens that you use to programmically login to aws account using the command line tool. Keep in mind you can’t use these keys to login to AWS console and you can’t use use id and pass to access aws from command line.

    Create Group

  21. Lets now create a group called HR
  22. Attach a policy to allow HR user to only access S3 with READ ONLY ACCESS
  23. Type s3 and begin search. AmazonS3ReadOnlyAccess
  24. Add the newly created user to HR group
  25. Go to groups and permissions to validate the group permission
  26. We can also add permission to the user individually rather that adding it to the group.
  27. Under Attach existing policies directly select AmazonGlacierReadOnlyAccess
  28. Note that this permission is not from a group. So you an attach permission to both users and groups.
  29. Go to Users, John and click on Security Credentials to review the settings. Notice that you don’t see the secret access key any more. That is why you either download them or email them to the user.
  30. By clicking Mark inactive, you can disable the user account from accessing aws from command line.

    Create a Role

    We want to create a role allwoing our EC2 instances acces to our S3 bucket.

  31. Under IAM, go to roles, click on create role
  32. Select EC2 and for the policy, select Amazon S3 Full Access
  33. Name the role S3-Admin-Access
  34. Once the role is created we can apply that role to the EC2 instance.

Next take a look at createing billing alarms

Install and Configure AWS CLI on Windows With MSI

Note: Root accout: Account created with the email when you signed up IAM User sign-in link: Can be customized to a different name

  1. Begin by logging in to the AWS Management Console with your user name, password, and MFA device (if applicable).
  2. Navigate to the IAM service.
  3. Select Security, and then click on your user name.
  4. Under Security Credentials, click Create Access Key.
  5. Before closing the dialog box that appears, save your access key and secret key in a safe place.
  6. Download the MSI Installer (https://s3.amazonaws.com/aws-cli/AWSCLI64.msi). ​
  7. Run the downloaded MSI installer.
  8. Follow the instructions that appear.
  9. Open a command prompt.
  10. Type aws –version
  11. Configure the AWS CLI by running the command aws configure and filling in the access key and secret key that you obtained in Step 5. Optionally (but highly recommended), specify a default region, such as us-east-2. Also optionally, specify a default format type.
  12. Test that you have set up the AWS CLI correctly and can connect to the AWS API endpoints by running the command aws ec2 describe-availability-zones. The AWS CLI should return a list of the available Availability Zones in your default region.

On Linux or Mac

If Python isn’t installed on your system, install it using the directions at http://www.python.org/. If pip isn’t installed on your system, install it using the directions at https://pip.pypa.io/en/stable/installing/. Install the AWS CLI using the command pip install awscli --upgrade --user.

Set your profile

Linux, OS X Example:

$ export AWS_DEFAULT_PROFILE=account1
$ aws dynamodb list-tables
Windows Example:

$ set AWS_DEFAULT_PROFILE=account1
$ aws s3 ls

Create user account

aws iam create-user --user-name user1

  1. Assign password
  2. Add user to a group, if you don’t have a group created yet, create one called EC2-Admin group
  3. Login as the newly created user

Summary

IAM consists of the:

  • Users
  • Groups (a way to group user and apply policies to them collectivly)
  • Roles
  • Policy Documents (can be applied to users, groups, roles) Policy documents are universal and made up json, key value pair
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
  • IAM is universal and does not apply to regions at this time.
  • Root account is created when you setup your aws account
  • New users have no permissions when first created
  • New users are assgined Access key and Secrect access key
  • These are not the same as your user id and passwords
  • Always setup MFA for your accounts
  • Setup a password rotation policy for your account