I'm tracking how to send an Email Using the AWS SDK for Python (Boto).
At the AWS Developer Guide using-credentials page I read that:
For security best practice, use AWS Identity and Access Management (IAM) user access keys instead of AWS account access keys [emphasis added].
Then at the Managing Access Keys for IAM Users I am eventually led to this section and I duly confirm using
aws iam list-access-keys
that I have just created (in JSON form):
{
"AccessKeyMetadata": [
{
"UserName": "My_User_Name",
"Status": "Active",
"CreateDate": "2018-09-03T00:43:37Z",
"AccessKeyId": "JRUFKDHUWHE8DD495CHD"
}
]
}
but I lack clarity about whether this identity is the "AWS account access keys" that I was earlier warned does not fall in the "security best practice".
How do I create an IAM identity (user access + password) for sending email through SES and boto (while eliminating the chance I am exposing the entire AWS account)?
Ranting (and a constructive suggestion to AWS staff writers, if here): Specific branding would help. At Ikea I might order a chair or a table with the meaningless name Fjorstuvstok, but I know with certainty that I am ordering the chair I want.
The AWS account access keys are the ones owned by the root account user. To check what these are, you need to know your root account user name. This can be checked using the aws cli using the AWS root credentials, or loging in with your root account credentials to the AWS Console and clicking "My Security Credentials" under your username in the top right corner.
Assuming you use the cli, make sure you've configured the root credentials in ~/.aws/credentials. Then run:
aws iam get-user
{
"User": {
"UserName": "my_root_user_name",
"PasswordLastUsed": "2018-09-03T06:40:38Z",
"CreateDate": "2017-03-01T08:53:36Z",
"UserId": "9XXXXXXXXXXX",
"Arn": "arn:aws:iam::9XXXXXXXXXXX:root"
}
}
This will provide you with details of your root user. This username can then be used to query for access keys:
aws iam list-access-keys --user-name my_root_user_name
If any of the keys listed from this result are being used for SES, then that's bad news. AWS reccomends that you use Access Keys assigned to IAM Users (non-root).
The AWS account access keys mean the Root account access /secret keys of your AWS account. When you register yourself with aws using your email, the account created is Root account. There is key associated with that, which needs to be removed. (As this is Root account, it provides unrestricted access to all AWS services. Check AWS Account Root User Credentials vs. IAM User Credentials
The warning suggested to use IAM user access keys. So you can create IAM user in your aws account and create associated access key id and secret access key and configure that on your machine from where you are running your code. ( This is not good practice in higher deployment environment. If the machine gets compromised then access key will be exposed)
As its unclear how you are running your application code (from ECS or EC2 or AWS Lambda), You should create IAM role to grant access to SES from where you are going to run your code. This will avoid exposing IAM access key Id and Secret access key from your application code / machine.
Related
I lost access to my AWS account due to loss of my phone with Authenticator app, but I still have access to console. The problem is that somehow the phone number in my account was incorrect and I can't restore access automatically. Support said there is a typo in number and if I have another user with full access, I will be able to change it to correct number and proceed to restore my account via MFA troubleshooting form.
So, the question is how to create that user?
I already did this:
aws iam create-login-profile --user-name VeryAdmin --password verypassword
aws iam add-user-to-group --user-name VeryAdmin --group admin
And successfully logged in to console, but still has no access to changing the number. The article in documentation said that the user should have access to this:
The IAM user enabled on the AWS account has administrator access permission.
The IAM user has access to the AWS Billing console.
No idea how to correctly add them via CLI
Unfortunately to change any details belonging to your account you will need to be logged in as root user:
Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and AWS Regions, don't require root user credentials
https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html
im trying to get eb cli working.
in my cmd i do
>eb init
which opens up a new terminal, which then soon asks for aws-access-id and aws-secret-key
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): xxxx
(aws-secret-key): xxxxxxxxxx
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
im not 100% sure whether aws-access-id referes to my username, the email address that created it or user id....
same goes for the aws-secret-key , im assuming right now that its the password for the account not some 1 off secret key.
I have used the console login link to register the iam account and change the password.
I have set the permissions of this user group to be AdministratorAccess
##################################
what is aws-access-id:
my username?
the email address?
user id?
is there anything that looks wrong?
You need to use Access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
If you have access to IAM and have sufficient privileges you can generate such keys for yourself. If not you need to contact your AWS administrator.
Please take a look at Managing access keys for IAM users for more information.
After I log in to AWS Cognito via my browser, I get an access key and a secret access key along w/a session token, but I can't see which role I've been assigned. I know which role I should be assigned, but is there a way to programmatically validate this?
I'm trying to use the role I've been assigned to access a restricted bucket, but am so far not having any success and one of the ways for me to trouble shoot this is to determine which role I've been assigned.
With sts.GetCallerIdentity.
cli example (js link above):
aws --profile XXXXXXXX sts get-caller-identity
{
"UserId": "AIDAIXXXXXXXXTHOVLM",
"Account": "123456789098",
"Arn": "arn:aws:iam::123456789098:user/dan"
}
It is indeed frustrating to debug without this, and it didn't used to exist, but now it does. Hurrah!
I want to manage the my AWS environment using PowerShell. We are getting access through IAM roles. I am facing trouble to generate the Access key & secret key for my IAM role. Can someone guide me how can i generate these keys.
An IAM Role can only be used by an IAM User. This is because the User needs to authenticate to AWS to prove that they are that user. This will then provide IAM User credentials.
If you then wish to use a role, you can use the User credentials to call Use-STSRole, which will assume the role and return a set of credentials associated with the Role. (Note: The credentials will expire after a period of time, typically one hour.)
For more details, see: Switching to an IAM Role (Tools for Windows PowerShell)
You do not generate IAM Access Key / Secret Key for roles. AWS generates these for you and makes them available in the instance's metadata.
The AWS Tools for Windows PowerShell will automatically extract the access key / secret key from the instance's metadata if you have installed PowerShell and the AWS Tools correctly.
This link will provide more information about PowerShell and IAM Roles:
IAM Roles for EC2
[Update after new comment]
If your goal is to generate IAM access keys for a new user, login to the AWS console, go to IAM, go to users, Add User, click "Programmatic access", then Set permissions for the user and finish by creating the user. On the next screen will be the access keys. You need to download (or copy) the Secret access key as it will NOT be shown again.
For an existing user, click on the user, click on the "Security credentials" tab, then click the "Create access key" button. Copy or download the keys. Note: You cannot access previously created access keys. If you have lost the secret access key, then you have to generate new ones.
Managing Access Keys for Your AWS Account
According to AWS Doc there is a way through API:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" –v http://169.254.169.254/latest/meta-data/iam/security-credentials/*role_name*
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
We want to use AWS services via API calls, CLI, Etc., from our on-premise infrastructure as well as from AWS cloud infrastructure.
As we know, we can use the AWS access key as follow:
This is a snippet from an example
// Setup AWS SNS
AWS.config.update({
region: 'eu-west-1',
accessKeyId: process.env.AWS_ACCESS_KEY_ID,
secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
});
var sns = new AWS.SNS();
var params = {
Message: "SMS message test",
MessageStructure: 'string',
PhoneNumber: '0045xxxxxxxx',
Subject: 'Alarm',
MessageAttributes :{
'AWS.SNS.SMS.SenderID': {
'DataType': 'String',
'StringValue': 'MySender'
},
'AWS.SNS.SMS.SMSType': 'Transactional'
}
};
sns.publish(params, function(err_publish, data) {
if (err_publish) {}
});
This code uses the access keys through the environment variables. That approach is partially accepted because you're tied to modify those environment variables to update access keys.
So, what are the best practices or different approaches for using the access keys in a good manner?
AWS Documentation
Access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign programmatic requests that you make to AWS if you use the AWS SDKs, REST, or Query API operations. The AWS SDKs use your access keys to sign requests for you, so that you don't have to handle the signing process. You can also sign requests manually. For more information, see Signing AWS API Requests.
Access keys are also used with command line interfaces (CLIs). When you use a CLI, the commands that you issue are signed by your access keys. You can pass access keys either with the command or store as configuration settings on your computer.
Temporary access keys, known as temporary security credentials
In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials
Advantages
They are short term.
After they expire, they're no longer valid.
You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account.
For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see Temporary Security Credentials in the IAM User Guide.
Approaches for using Access keys
Access keys in Environment variables
This approach is the most common for development and testing environments because they will test their developments using a close scope, likewise for scenarios where our apps are deployed within an on-premise infrastructure.
Usage of Access keys through Environment variables (NodeJs)
// Setup AWS SNS
AWS.config.update({
region: 'eu-west-1',
accessKeyId: process.env.AWS_ACCESS_KEY_ID,
secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
});
var sns = new AWS.SNS();
var params = {...});
sns.publish(params, function(err_publish, data) {...});
Access keys through instance metadata
This is the most secure way to use the Access keys within an EC2 or container because you don't need to put any Access keys neither in your code nor in Environment variables.
Retrieving Security Credentials from Instance Metadata
The following command retrieves the security credentials for an IAM role named s3access.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
The following is an example output
{
"Code" : "Success",
"LastUpdated" : "2012-04-26T16:39:16Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
"SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"Token" : "token",
"Expiration" : "2017-05-17T15:09:54Z"
}
IAM Roles
The IAM Roles provide a good and secure way to grant permissions to your services.
IAM Role console: This is how looks like
The IAM Role allows you to describe a policy with the specific permissions. That role could be attached to an EC2 instance and automatically the service within it will be granted with those permissions. So, we can execute API calls without the need to put the Access keys:
var s3 = new AWS.S3({params:{Bucket: 'bucketname', Key: 'filename'}});
var body = fs.createReadStream('file_to_upload');
s3.upload({Body:body})
.on('httpUploadProgress',function(evt){
console.log(evt);
})
.send(function(err,data){
console.log(err,data);
});
As you can see, there is any Access keys in that code because the SDK will get the Access keys from /latest/meta-data/iam/security-credentials/s3access.
Access keys within Named Profiles
The Named profiles are used for CLI (Command line interface), so you can create profiles with different usages. For example, you can use the AWS access keys from a specific region.
The AWS CLI supports named profiles stored in the config and credentials files. You can configure additional profiles by using aws configure with the --profile option or by adding entries to the config and credentials files.
The following example shows a credentials file with two profiles:
~/.aws/credentials
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Each profile uses different credentials—perhaps from two different IAM users—and can also use different regions and output formats.
~/.aws/config
[default]
region=us-west-2
output=json
[profile user2]
region=us-east-1
output=text
Using Profiles with the AWS CLI
$ aws ec2 describe-instances --profile user2
The command above will use the credentials within profile user2
Best practices for using Access keys
Remove (or Don't Generate) Account Access Key
An access key is required in order to sign requests that you make using the AWS Command Line Tools, the AWS SDKs, or direct API calls. Anyone who has the access key for your AWS account root user has unrestricted access to all the resources in your account, including billing information. You cannot restrict the permissions for your AWS account root user.
Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys
In many scenarios, you don't need a long-term access key that never expires (as you have with an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire.
Manage IAM User Access Keys Properly
If you do need to create access keys for programmatic access to AWS, create an IAM user and grant that user only the permissions he or she needs. Then generate an access key for that user. For details, see Managing Access Keys for IAM Users in the IAM User Guide.
Precautions when using access keys
Don't embed access keys directly into code.
Use different access keys for different applications.
Rotate access keys periodically.
Remove unused access keys.
Configure multi-factor authentication for your most sensitive operations.
Resources
AWS Security Credentials
AWS Account Root User Credentials vs. IAM User Credentials
AWS Security Audit Guidelines
AWS Account Identifiers
Using Instance Profiles