There are many users in my Amazon IAM. All of them added to admin group. May I deny used Amazon CLI for all and allow only one don't change group memberly?
Thank you.
It sounds like your situation is:
Your users are authorized to have access to an Amazon EC2 instance via their EC2 Key Pairs
The EC2 instance was launched with a Role that has been given certain permissions
Any user who logs into the EC2 instance can therefore run AWS Command-Line Interface (CLI) commands that take advantage of permissions assigned to the Role
You do not want all users to have such permissions
If you do not want all users to have such permissions, then you should not assigned a Role to the EC2 instance. Instead, provide IAM credentials separately to each application on the server (although that can be a lot of effort in itself).
Another option is to allow users to use the applications (eg via an exposed port, such as a web server) but do not allow them to login to the instance.
Related
When associating an EC2 instance with a IAM role via "aws ec2 associate-iam-instance-profile" it seems that all Linux users on the instance can make API calls via those credentials. Is there a way to leverage the IAM instance profile but restrict access to specific users within the OS?
No, this is not possible.
The EC2 instance metadata is available to anyone who can access the URL, which typically means any user and any app on the computer.
It sounds like you will need to store credentials against each application, by using a credentials file.
I'm just getting in touch with EC2 and came across the IAM Role concept. This question is to clear my doubt about the concept on restriction level.
Lets say I have an EC2 instance with attached IAM Role Role A which posses one policy AmazonS3ReadOnlyAccess, correct me if i'm wrong but it means this particular instance only allow to perform S3 Read only operation.
Now says I created a User with Programmatic access and AmazonS3FullAccess policy.
If this user SSH into the EC2 instance, can he write file to s3 ?
I still unable to try it out by myself as I don't have a linux machine and still figuring on how to connect to Ec2 using putty
Lets say I have an EC2 instance with attached IAM Role Role A which
posses one policy AmazonS3ReadOnlyAccess, correct me if i'm wrong but
it means this particular instance only allow to perform S3 Read only
operation.
Yes
Now says I created a User with Programmatic access and
AmazonS3FullAccess policy. If this user SSH into the EC2 instance, can
he write file to s3 ?
IAM users cannot SSH to EC2 instances using IAM user credentials. After provisioning a EC2 instance, you need to use regular Operating System User constructs, to SSH to the Server (Default user keys created by AWS).
In addition if a user SSH to EC2 instance and use a Programatic Access Credentials of a EC2 User through AWS CLI, REST API or SDKs (Doesn't have to be a EC2 instance, it also can be your on-premise server) then if the IAM User has a S3 write policy, the CLI commands or API calls or the code using SDK is able to write files to S3.
So in a summary
Use IAM roles if you are running a EC2 instance, for your CLI commands, Code with SDK, or REST API calls to access AWS Resources.
If you are using a server on-premise or outside AWS, use IAM User's Programatic Access keys to do the same.
Insight on how IAM roles work internally with EC2
When you attach a IAM role to a EC2 instance, AWS periodically updates the EC2 instance with temporal Access Credentials to that EC2 instance (Which is a good security practice).
These credentials are accessible through the Metadata URLs for the CLI, REST API and Code using SDKs inside EC2 instance.
Note: When using Roles, its much secure since it uses Temporal access credentials vs IAM Users Programatic Access uses Long lived access credentials.
I have a scaling group of several EC2 instances.
I have API keys which I would like to distribute to the instances using round-robin.
How can I code the instances to get the credentials once they go live?
Is there an AWS service for that?
It is not AWS credentials which could be solved by defining IAM Roles.
Thanks
Use "user data" option when you start your EC2 instance, You can run the bash script.
I recommend the following step.
1-put your cred or other shared information to S3 or dynamoDB.
2-write script to read and setting this data when your EC2 was starting.
The closest thing AWS has to this is called IAM Roles. A role includes a set of IAM permissions (like an IAM user). When you start a VM, you can set the role of the VM. The VM can then call the AWS API and get temporary credentials that give it access to the services that are defined in the IAM role.
See here for more details:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
This does not exactly meet your requirement for round-robin credentials distribution. But it might be a better option. IAM roles are as secure a method of distributing credentials to EC2 instances as you can get.
AWS now provides two services that could be used for that purpose:
The Secrets Manager would seem to be the most fitting, but does cost money from the start.
The Parameter Store is also an option and is free for up to 10k parameters.
I have outsourced the development of some services to another company, and now I need the other company to be able to create an ec2 instance on my behalf.
I have other instances which I don't want the company to view and be able to change.
I know how to create an IAM-user but I don't know how to create the right policy to give that user access to ec2 and to create and manage instances, he/she has created, without having access to other instances.
Is it possible and if yes, how does that policy look like ?
thanks
Thomas
This is not a simple answer. Creating an instance requires permission to call the RunInstances command, but would also need permission to use the associated Security Group and AMI. The other company would also likely want the ability to view details of the instance(s) they have launched, and the ability to Start/Stop it.
In fact, the EC2 Management Console doesn't work well if you deny permission to view existing EC2 instances.
Resource-specific permissions can be granted, which allow only calls that affect a particular instance (or VPC, AMI, etc). So, a RunInstances command could be limited to a specific AMI, keypair, snapshot, subnet, etc. The StopInstances command could then be limited to the instance they created (but you'd need the ID, so you can only grant that once the instance is launched).
Also, please note that launching an instance requires permissions in Identity and Access Management (IAM), which is separate to permissions to login to an instance.
Recommendation: It might be safest if you were to launch the instance for them, then provide them with access to login to the instance to perform their work. If they require more access to your AWS Account, it could become quite involved determining to which resources they should/shouldn't have access.
See:
Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances
Supported Resource-Level Permissions for Amazon EC2 API Actions
I have an Amazon Web Services account which will be used to host the backed of an app. The backend uses PHP/MySQL and will most likely use an EC2 instance and RDS. I have my own account which has access to everything. I need to create an account for a developer to put the backend on AWS but I don't want them to have access to anything except what they need. I know how to create IAM users and Groups but I don't know which permissions to grant the developer. Under Select Policy Template there is a Power User template, is that good for a developer? Has anyone done this before?
The Power User Access template in AWS Identity and Access Management (IAM) grants permission to do ANYTHING except using IAM. A user with this permission can view, create or remove any resources in your AWS account, but they could not create new users or modify any user permissions.
It is recommended that you only give people the least amount of privilege required to use AWS, so that they do not intentional nor accidentally do something unwanted. However, if you do not have enough knowledge of AWS to know what functionality is required, you will most likely need to trust the developer to configure the system for your needs.
A few tips:
Only give them access via an IAM User -- never give them your root credentials
If you don't know what permissions are required, then "Power User" is at least safer than "Administrator" since they cannot edit IAM settings
When they have completed their work, revoke their access so they cannot create any more AWS resources
Determine whether you also wish to revoke access to the EC2 instances (you'll have to do this on the instances themselves)
You may need to define some roles that will be used with Amazon EC2 -- these are defined in IAM, so the developer will not have permission to create the roles himself
Ask the developer for documentation of what he has deployed
Turn on Detailed Billing to identify what AWS charges you are receiving and check them against the documentation
Turn on CloudTrail to activate auditing of your account (it is activated per-region)
Alternatively, you could do all the AWS configuration (launching an EC2 instance, creating the database) and only let the developer login to the EC2 instance itself. That way, they would not need access to your AWS account.