Pretty simple question but I can't find any online resources to clarify if it is possible to do this. I want to transfer data from WinSCP to an S3 bucket in an Amazon environment but instead of creating an IAM user with an IAM policy I want to utilize SSH.
The reasoning behind using this method is to bypass the new AWS requirement that requires IAM credentials to be rotated every 90 days. Any insight would be much appreciated.
It can't be done. AWS S3 doesn't speak SSH. Its requests must be signed by the AWS Signature process, which uses IAM key, secret, and session token.
If your S3 action is running on an EC2 instance, you can use an instance profile to provide short-term access credentials for your application. The same goes for ECS, including Fargate, and Lambda.
If you're running the script as a human user, you can use AWS SSO or IAM federation to move from long-lived access keys to short-lived credentials.
Or, you could use something like CodePipeline to automatically operate on your behalf based on changes coming from version control like GitHub, which would remove your need for AWS access credentials, instead delegating that access to CodePipeline or something in AWS. Hard to say much about that option without knowing more about your use case.
Otherwise, you're stuck handling the credentials. And in my humble opinion, you should consider that 90-day rotation an acceptable cost for the security it provides.
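To illustrate the answer's point that S3 only accepts requests signed with the AWS Signature process (SigV4) rather than SSH, here is an added Python example, not code from the original answer, showing how a signed S3 GET is built from an access key, secret key and optional session token. The credentials, bucket, object key and timestamp are constructed placeholders.

```python
import hashlib
import hmac
from typing import Dict, Optional


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: an HMAC-SHA256 chain over date, region, service and a
    fixed terminator. The derived key, not the long-lived secret, signs the request."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).digest()
    return key


def sign_s3_get(access_key: str, secret_key: str, session_token: Optional[str],
                bucket: str, object_key: str, region: str, amz_date: str) -> Dict[str, str]:
    """Build the signed headers for GET s3://bucket/object_key (virtual-hosted style).
    amz_date is an ISO basic timestamp such as '20240101T120000Z' (constructed here)."""
    date = amz_date[:8]
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET has an empty body
    headers = {
        "host": f"{bucket}.s3.{region}.amazonaws.com",
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary credentials (instance profile, SSO) carry a token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{h}:{headers[h]}\n" for h in sorted(headers))
    # Canonical request: method, URI, query string (none), headers, signed headers, payload hash
    canonical_request = "\n".join(
        ["GET", "/" + object_key, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signing_key = derive_signing_key(secret_key, date, region, "s3")
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed placeholder credentials; nothing here contacts AWS.
    for name, value in sign_s3_get("AKIAEXAMPLEKEY000000", "EXAMPLESECRET", "EXAMPLETOKEN",
                                   "my-bucket", "path/to/file.txt", "us-east-1",
                                   "20240101T120000Z").items():
        print(f"{name}: {value}")
```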
The reasoning behind using this method is to bypass the new AWS requirement that requires IAM credentials to be rotated every 90 days
This sounds like a requirement your account imposes itself - and a good one. I'm not aware of any such requirement being imposed by AWS. Can you provide a source for your assertion?
This happens when accessing EC2 console for any region.
Global services like S3, IAM and account related pages can be accessed without problems.
No AWS Organization issue, no policy issue.
Just go to your email and click the link AWS management console and open an AWS account.
So, now you can access your EC2.
Check whether you have skipped one or more steps during registration.
You may have received an email stating you need to complete those steps.
File a support case to receive the email again if you missed it.
It takes a while for AWS to verify your card details after you register a new account with AWS. It would be great if AWS would give a more sensible message.
Wait for account activation:
After you choose a Support plan, a confirmation page indicates that your account is being activated. Accounts are usually activated within a few minutes, but the process might take up to 24 hours.
AWS create and activate account
I'm using an AWS student pack provided by my university. I want to switch the location to Bahrain from N. Virginia. Every time I try to do that I get the following error:
AWS Educate Starter Accounts are very limited.
You can check what is allowed in the link below:
AWS Services Supported with AWS Educate Starter Account
Shortly, you have no access to billing information and many, many other services and options.
You don't need to enter the Billing area in the console to change to Bahrain.
What you have to do is:
Login on AWS Educate site (https://aws.amazon.com/education/awseducate/)
Top right corner (AWS Account) inside the AWS Educate portal
Click "AWS Educate Starter Account". It will open another tab, "Workbench".
Click to open "AWS Console"
Now, you are logged on AWS console.
Go to Services and select a service that changes with the region, for example EC2, RDS, etc. If you see "Global" in the top right corner, you cannot change the region to Bahrain; select another service first, then select the region.
I hope I could help.
I'm currently creating an open source web interface for a very CPU intensive task that's making use of other open source projects. Because it is very simple and I want to keep it open source, I don't want to bother with a revenue scheme supporting it. My plan currently is to host the site in an S3 bucket and have some simple Lambda functions managing the execution delegation to the client's AWS account.
My question is, is it possible to grant access to somebody's AWS account, similar to how it works with OAuth 2.0? In an ideal world, I'd like them to see a big "authorize" button redirecting them to AWS, listing the permissions and having a confirm or deny button. Trust issues aside, this is the only resource I could find and it looks quite cumbersome for somebody to authorize my app, which in essence will only perform computations on their AWS EC2 account.
Actually, cross account access using IAM roles is absolutely the best way to do this. The docs have all the info you would need. It can be very simple for your user. The set up instructions for Spotinst, a third party AWS service provider, demonstrate how simple it can be. They have it in four steps:
Connect Spotinst to your Cloud Provider:
Click on the "Open template in Cloudformation" button and follow the instructions. Make sure to not refresh or leave this page until you save your credentials.
Paste the Role ARN that was created.
Click on the "Connect account" button.
If you try it out I think you'll find it to be even easier than adding oauth to your service.
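To make the cross-account role setup concrete, here is an added Python example (not Spotinst's or AWS's code) that builds the trust policy such a CloudFormation template would attach to the customer-side role, and audits a trust policy for two weaknesses a practitioner should check for: a wildcard principal and a missing sts:ExternalId condition. The provider account id and external id are constructed placeholders.

```python
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(provider_account_id: str, external_id: str) -> Dict[str, Any]:
    """Trust policy for the role the customer creates for a third-party provider.
    Only the provider's account may assume it, and only when the AssumeRole call
    presents the agreed ExternalId, the standard guard against the confused deputy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for the Allow/AssumeRole statements of a trust policy; empty means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume this role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition: role is exposed to the confused-deputy problem")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy("123456789012", "example-external-id")  # constructed values
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy) or "trust policy passes the checks")
```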
I am a longtime Amazon.com customer, and now I am interested in using Amazon Web Services (AWS). So I have a question on creating an AWS account.
Do I have an option to create an AWS account that's completely separate from my Amazon.com account (with different email addresses)?
What would happen if I use the same email address for AWS and Amazon.com?
Soooo..... Ages ago... I made an AWS account; it will not let me log in to normal amazon.com with that account, telling me every time my password is incorrect, which it is not.... Attempting to create a new account with the same email asks me if I want to disable my old account..... so yea, it seems the answer is:
YES: simply create the account from AWS.
If creating accounts at amazon.com THEN aws with same e-mail, you will have one linked account to log in to both.
On the other hand, if both are created separately on different e-mails, and somehow one gets compromised, the other doesn't, but then you have two different logins to deal with.
So as it turns out they lied about it disabling my aws account, I decided to try it, and now I have two accounts under the same e-mail, with different passwords... So if you want that, create on aws first, then create with same email on amazon.com and when it says it will disable the other account, don't worry it won't, however it will require you to choose a different password.
Oh and one last thing... If I try to log into AWS with Amazon.com password it brings me to create a new AWS account and it's a pain to get out of that screen...
My Amazon Retail account was compromised last week. I closed it and guess what - no access to my Amazon AWS account. On querying this I was told (by Amazon) that you have to have an Amazon Retail account and that it has to be THE SAME account as your AWS one.
So a service that is a honeypot for criminals gives them the keys to your Web based business, and Amazon have zero interest in separating the two. That is nuts - sites are moving next week, can't take the risk.
People have been shouting about it on the Amazon forum for years, so I think that whilst there may be workarounds the fundamental principle must be correct. I can't risk playing about with workarounds for something as dumb as this.
These are both great questions.
First,
Yes, you can and SHOULD create an AWS root account email that is unique for your AWS account(s). While approaches may vary, and your email server may filter out what would otherwise be perfectly applicable emails, here is how I do it:
I create an email account that is ONLY for my AWS root accounts.
AWS requires EVERY AWS account to have a unique email.
Here is my pattern: myname.aws.accts@gmail.com
I have an admin (Organization) account, so I use the following email: myname.aws.accts+admin@gmail.com
I have one prod, one test and one dev account. Here are the following email patterns:
myname.aws.accts+prod@gmail.com; myname.aws.accts+test@gmail.com; myname.aws.accts+dev@gmail.com.
I've also used the pattern: myname.aws.accts+123456789012@gmail.com where 123456789012 represents the AWS account number.
These are all interpreted as unique by AWS but route to the same email account: myname.aws.accts@gmail.com
One last comment. I have another client who uses MS Exchange and for some reason the email+extension@mybiz.com has the 'extension' portion filtered out, and these emails do NOT process. In this biz we worked around this by creating alias emails that are still unique to AWS and aliasing them in the Exchange server to the awsadmin@ email. Does the job. Probably not best practice, but in a pinch...
Second,
Yes. You can link your AWS and amazon.com accounts to the same root user email.
DON'T DO IT
This is generally an anti-pattern. NOT best practice, and fraught with problems...
I know of no good reason to do this. Once done, it is nigh on impossible to convince AWS - AMAZON to unlink these accounts. You WON'T be able to separate them yourself - they are strongly coupled once the link is made. You might succeed in separating your AWS and AMAZON account if you are a paying customer of AWS Business or Enterprise level support, and even then, they may tell you to just delete the AWS account if you don't want AWS and Amazon shared.
Once the two accounts - store and AWS - are created with the same email account, I believe they are forever linked via a single master Amazon account, and there seems to be no way to separate them: If you change the password or email address on one, it reflects in the other.
When my only AWS use was an unimportant VM with a website, it was no big deal, but once I start hosting higher-value stuff, it gets a lot more scary.
As far as I can tell, the only way to separate them is to create a new AWS account (with different email address) and transfer your resources from the old to the new.
This appears to be a painful exercise, you can't directly move an EC2 instance, though you can transfer a snapshot of an image, but everything else I don't know about yet. I would be surprised if I could transfer a fixed Elastic IP, which means changing an IP address I've been using for a long time.
In the short term - as far as I can tell - the only way to secure AWS from your consumer account compromise is to put MFA on the AWS account and then use IAM for access. That's not a bad idea anyway.
I'll be creating a new AWS account (with different email address) for all stuff going forward, and transitioning old-to-new as I get to it, but this looks like a miserable (and unbillable) exercise.
It's just crazy that Amazon doesn't appear to have a way to address this.
Yay for me being an early adopter?
EDIT: It might be possible to link two accounts via "Organizations"; that might give some options for migration that are a bit less painful. Not sure yet.
EDIT Nov 2022: Amazon appears to have rolled out split credentials: when I logged into my unified account - same email for store and AWS - it invited me to create a diff password for the AWS stuff. This is wonderful!
So your AWS and Amazon are the same accounts, so you cannot create a separate retail account with the same address. (Though you can get around it by doing email+SOMETHING@domain.toplevel) So if your amazon.com account gets compromised, they theoretically have access to your AWS account.
To keep your AWS account secure, there are a few things you can do. Firstly and probably most importantly, you need to make sure you have MFA setup on the account. In fact, you should do this whether you use amazon.com with the same account or not.
I heavily suggest looking at the Trusted Advisor Best Practice Checks on AWS' website.
The rule of thumb here: they are not interchangeable.
If you created AWS account it will not allow you to login automatically to Amazon.com.
The same with a consumer account: it doesn't provide access to AWS by default, because AWS has a separate verification process.
Amazon Music account means access to consumer Amazon.com but not to AWS.
Though, I never tried to delete AWS and don't know what happens if you delete either of them, whether this causes deletion of the other or not.