Controlling EC2 and RDS access for third party - amazon-web-services

I'm setting up an EC2 instance and an Amazon RDS database to host a .NET website. I want my third-party webmaster to handle its setup, but once he has completed setup and the website is running, I want to remove his access to EC2 and RDS completely.
All I want to give him access to is RDP in EC2 with root access in case he needs to install extra software and the ability to create and edit tables within an SQL database in RDS. He does not have any role in managing and modifying EC2/RDS instances.
I've tried allotting IAM access with groups and all but I can't figure out how to myself retain superuser access while I remove him once he is done setting up the web server and SQL database. How do I give him temporary revokable access while I maintain superuser access that will not be affected even if I remove him from IAM?

Amazon IAM won't help you with what you want to do.
IAM is used when you want to restrict and/or allow access to the upper-level management of the resources through the AWS Management Console and/or the AWS API.
However, what you want to do is control access to the internals of your resources (EC2 instance(s) and RDS instance). For these, you need to do them using their own internal security controls:
For your RDS instance, create a non-admin user with just enough permissions for them to accomplish what they want to do. For example, if your RDS instance is MySQL, then give them INSERT, SELECT, UPDATE, DELETE, CREATE TABLE, etc. permissions. Do not give them the ability to create/modify users or anything administrative like that. Best practice is give them permissions for as little as possible and add permissions (if you think it's OK) as they ask for them.
For your EC2 instance(s), do not give them root access. Create a non-root user specifically for your webmaster. Give that user "just enough" permissions to install the website. Do not allow them to use yum or apt. Instead, if they need it, they should tell you and you can do it as root.
In both cases, once your webmaster is done, delete their users and close the security group(s) to them.
Never give root/admin access to a third-party. There are many reasons, but the primary ones are these:
With root access, your webmaster could create other users and/or back doors that allow them access even after you revoke their access. Don't give them the chance to do that.
Since you are responsible for these resources, you should be aware of everything that was done to them: all users that get created, all software that's installed, etc.

Related

How a limited access to AWS Web Console can be provided?

I work as a contractor for a large enterprise company and I was assigned to a new project recently for which we need to request resources on AWS. For our project we will need access to EC2 and RDS.
I am not very familiar with AWS, so my question is: will it be possible to get access to AWS Web Console for our team with limited services (access only to EC2 and RDS in our case)? How much work is needed to provide such access (to set up IAM etc)?
I am a bit concerned that I will not get access to AWS Web Console, because I was asked if I needed a sudo user for a VM. It was frustrating for me to hear such question, because I will need several VMs rather than one.
By default, IAM Users have no access to services. In such a situation, they can access the AWS management console, but there will be many error messages about not having access to information, nor the ability to perform actions.
Once an IAM User is granted the necessary permissions, the console will start working better for them. However, it an be difficult to determine exactly which permissions they require to fully use the console. For example, to use the EC2 console, the user would require ec2:DescribeInstances, which allows them to view details about all EC2 instances. This might not be desirable in your situation, since they might not want these users to see such a list.
Then comes the ability to perform actions on services, such as launching an EC2 instance. This requires the ec2:RunInstances permission, but also other related permissions to gain access to security groups, roles and networking configuration.
Bottom line: Yes, you will be able to access the AWS management console. However, your ability to view or do things will be limited by the permissions you are provided.

Creating custom AWS IAM actions

Can AWS IAM be used to control access for custom applications? I heavily rely on IAM for controlling access to AWS resources. I have a custom Python app that I would like to extend to work with IAM, but I can't find any references to this being done by anyone.
I've considered the same thing, and I think it's theoretically possible. The main issue is that there's no call available in IAM that determines if a particular call is allowed (SimulateCustomPolicy may work, but that doesn't seem to be its purpose so I'm not sure it would have the throughput to handle high volumes).
As a result, you'd have to write your own IAM policy evaluator for those custom calls. I don't think that's inherently a bad thing, since it's also something you'd have to build for any other policy-based system. And the IAM policy format seems reasonable enough to be used.
I guess the short answer is, yes, it's possible, with some work. And if you do it, please open source the code so the rest of us can use it.
The only way you can manage users, create roles and groups is if you have admin access. Power users can do everything but that.
You can create a group with all the privileges you want to grant and create a user with policies attached from the group created. Create a user strictly with only programmatic access, so the app can connect with access key ID and secure key from AWS CLI.
Normally, IAM can be used to create and manage AWS users and groups, and permissions to allow and deny their access to AWS resources.
If your Python app is somehow consuming or interfacing to any AWS resource as S3, then probably you might want to look into this.
connect-on-premise-python-application-with-aws
The Python application can be upload to an S3 bucket. The application is running on a server inside the on-premise data center of a company. The focus of this tutorial is on the connection made to AWS.
Consider placing API Gateway in front of your Python app's routes.
Then you could control access using IAM.

Amazon Web Services Developer User Permissions

I have an Amazon Web Services account which will be used to host the backed of an app. The backend uses PHP/MySQL and will most likely use an EC2 instance and RDS. I have my own account which has access to everything. I need to create an account for a developer to put the backend on AWS but I don't want them to have access to anything except what they need. I know how to create IAM users and Groups but I don't know which permissions to grant the developer. Under Select Policy Template there is a Power User template, is that good for a developer? Has anyone done this before?
The Power User Access template in AWS Identity and Access Management (IAM) grants permission to do ANYTHING except using IAM. A user with this permission can view, create or remove any resources in your AWS account, but they could not create new users or modify any user permissions.
It is recommended that you only give people the least amount of privilege required to use AWS, so that they do not intentional nor accidentally do something unwanted. However, if you do not have enough knowledge of AWS to know what functionality is required, you will most likely need to trust the developer to configure the system for your needs.
A few tips:
Only give them access via an IAM User -- never give them your root credentials
If you don't know what permissions are required, then "Power User" is at least safer than "Administrator" since they cannot edit IAM settings
When they have completed their work, revoke their access so they cannot create any more AWS resources
Determine whether you also wish to revoke access to the EC2 instances (you'll have to do this on the instances themselves)
You may need to define some roles that will be used with Amazon EC2 -- these are defined in IAM, so the developer will not have permission to create the roles himself
Ask the developer for documentation of what he has deployed
Turn on Detailed Billing to identify what AWS charges you are receiving and check them against the documentation
Turn on CloudTrail to activate auditing of your account (it is activated per-region)
Alternatively, you could do all the AWS configuration (launching an EC2 instance, creating the database) and only let the developer login to the EC2 instance itself. That way, they would not need access to your AWS account.

Is using IAM Roles really more secure than storing encrypted credentials on disk?

The use of IAM Roles is being touted as the preferred way to get credentials to an EC2 instance so it can talk to the AWS APIs. I understand that the key is temporary and gets rotated which is a clear advantage over using credentials stored on the disk. However, it introduces another serious security issue which is avoided by using encrypted credentials on the disk.
If my credentials are on a file system, I can use the file-system's built in permissions mechanism to prevent any process but the one that needs the keys from reading them. In this case, if someone compromises the instance using some vulnerability in software running as a different user than the one that that needs access to AWS APIs, he can not read the file containing the credentials (enforced by OS). (I'm not considering the case where he can elevate to root access, in which case all bets are off).
However, when using IAM roles, the credentials are available via a network call to:
http://169.254.169.254/latest/meta-data/iam/security-credentials/*.
Any process, even those with virtually zero permission can do a wget (or curl, etc) to this URL and have the credentials, ready to use. The fact that they rotate does nothing much to make this scenario any more secure.
The only remediation I could readily come up with here is a local firewall to limit which processes can access the IP address 169.254.169.254. This seem clunky and inelegant.
Is there a recommended way to address this security problem when using IAM roles?
The way to think about IAM roles is giving privileges to instances, instead of to processes or users. If your instance has users or processes that shouldn't have a privilege, you shouldn't provide that privilege via an IAM role.
We generally don't use instances as general purpose machines, but only for a specific application purpose. For that use case IAM roles are much better than creating an IAM user with fixed credentials and putting the credentials on the instance. In either case, an intruder taking over the instance can use it for whatever privileges we are giving to that instance. But with a role, the intruder can't take those credentials away and use them separately for an extended period because the credentials expire and are rotated frequently. The intruder has to maintain ownership and presence on the instance to compromise a role, and if the intruder can do that, you've lost all security anyway.
We also create IAM roles along with new instances via a CloudFormation stack, which allows each instance to have exactly the privileges it needs, not a general set of privileges for all instances of its sort.

How do we provide our AWS app with access to customers' resources without requiring their secret key?

I am in the early stages of writing an AWS app for our users that will run our research algorithms using their AWS resources. For example, our code will need to spin up EC2 instances running our 'worker' app, access RDS databases, and create access SQS queues. The AWS Java SDK examples (we are writing this in Java) use a AwsCredentials.properties file to store the Access Key ID and Secret Access Key, which is fine for examples, but obviously not acceptable for our users, who are would be in essence giving us access to all their resources. What is a clean way to go about running our system on their behalf? I discovered AWS Identity and Access Management (IAM) which seems to be for this purpose (I haven't got my head around it yet), esp. Cross-account access between AWS accounts. This post makes it sound straightforward:
Use the amazon IAM service to create a set of keys that only has
permission to perform the tasks that you require for your script.
http://aws.amazon.com/iam/
However, other posts (e.g., Within IAM, can I restrict a group of users to access/launch/terminate only certain EC2 AMIs or instances?) suggest there are limitations to using IAM with EC2 in particular.
Any advice would be really helpful!
The key limitation with regards to RDS and EC2 is that while you can restrict access to certain API actions there are no resource level constraints. For example with an IAM S3 policy you can restrict a user to only being able to perform certain actions on certain buckets. You can write a policy for EC2 that says that user is allowed to stop instances, but not one that says you can only stop certain instances.
Another option is for them to provide you with temporary credentials via the Security Token Service. Another variant on that is to use the new IAM roles service. With this an instance has a set of policies associated with it. You don't need to provide an AwsCredentials.proprties file because the SDK can fetch credentials from the metadata service.
Finally one last option might be consolidated billing. If the reason you are using their AWS resources is just because of the billing, then setup a new account which is billed from their account. The accounts are isolated from each other so you can't for example delete their instances by accident. Equally you can't access their RDS snapshots and things like that (access to an RDS instance via mysql (as opposed to the AWS api) would depend on the instance's security group). You can of course combine this with the previous options - they could provide you with credentials that only allow you to perform certain actions within that isolated account.