
https://wilsonmar.github.io/aws-iam

Secure your account


Overview

This tutorial describes how you can secure your account and avoid others running up runaway bills on it to mine their Bitcoin. It also includes notes on security topics toward passing AWS certification exams.

The “shared responsibility model” means AWS is responsible for security of the cloud, and you are responsible for security in the cloud. See this song and musical video by Kate Turchin, a Cloud Security Advocate. “We must all do our part… so MFA your IAM and rotate all your keys…”

Estimate bills

This section is addressed to account administrators who set up root accounts linked to credit cards.

  1. PROTIP: Before you dive in, calculate your potential bills by providing usage estimates to the AWS calculator:

    http://calculator.s3.amazonaws.com/index.html

    It has a different sheet for each service. Parameters for EC2 include the number of EC2 instances, hosts, EBS volumes, IPs, data transfer, app and network load balancing.

    PROTIP: Remember that there is an additional surcharge for support as a percentage of the whole bill. Rates vary depending on the level of support chosen.

    3rd-party Alternatives

    NOTE: Comparison-shop alternatives to services AWS offers.

  2. Budget:

    https://console.aws.amazon.com/billing/home?#/budgets/create?type=COST

    https://aws.amazon.com/premiumsupport/compare-plans

    PROTIP: Pricing for Developer support is the Greater of $29 or 3% of monthly AWS usage, so you may end up paying more if you spend more than $966.67.

    AWS Professional Services

  3. NOTE: Setup billing alerts and notifications

    Define organizations

    Use AWS Organizations (previously __) to group several accounts for consolidated billing.

    There is a limit of 20 linked accounts for consolidated billing.

    Root account lockdown

  4. Create an AWS account with a credit card and an email.

    https://console.aws.amazon.com/console/home

    The account which controls billing is called the root account, which has unlimited access to AWS resources and unlimited ability to rack up charges. By resources I mean: users, groups, roles, IAM Access Policies, API keys, etc. globally for all regions.

  5. PROTIP: When providing answers to Security Challenge Questions, you should not specify the real answer, which someone can figure out by social engineering. Instead, answer with some nonsense.

  6. Write down the questions and answers in a safe place (such as within 1Password).

    Also write down the Account Id number (12 digits).

    Account ID to sign in

    When signing in as an IAM user, the Account Id number needs to be provided.

    To identify your Account ID:

  7. Click on your name on the upper black menu at the top of the page, then select “My Account”.

    In the AWS Console

  8. Sign in the AWS Console

    https://console.aws.amazon.com/console/home

  9. Click to view all Services at the upper-left black menu band.
  10. Scroll to the category “Security, Identity, and Compliance” list of ever-growing services:


    • WAF (Web Application Firewall) protects against application-level attacks such as SQL injection and cross-site scripting.
    • Shield protects against DDoS (Distributed Denial of Service) attacks

    • Click “Artifact” (at the bottom of the list) to read documents associated with security certifications.
    • Cognito provides an API to federate authentication with various social identity providers (Facebook, Twitter, etc.)
    • GuardDuty
    • Inspector
    • Amazon Macie
    • AWS Single Sign-On
    • Certificate Manager manages security certificates
    • Cloud HSM provides
    • Directory Service

    What’s not listed is the AWS Best Practices which this tutorial addresses.

    • Cloud Trail audits usage
  11. Click IAM (Identity and Access Management) to see the Security Status list.


    To get back to this later, click “Dashboard” on the IAM menu on the left.

    The FAQ to this is at https://aws.amazon.com/iam/faqs/

  12. Click on “Delete your root access key”.

  13. Check “Don’t show me this message again” and Continue to Security Credentials.

    Password

  14. PROTIP: Use 1Password to store your passwords so that you can use a “strong” password of so many characters that it will take hackers too much time to crack it. Because you only have to remember one master password, you are free to change your various passwords as often as you want with no fear of forgetting them.

    Apply an IAM password policy

  15. Click “Manage Password Policy” so AWS will ensure that “strong” passwords are used (and not easy to guess ones). AWS defaults are terrible:


Over time, as hackers get access to more powerful computers that can guess passwords more quickly, longer passwords are necessary to keep them difficult to crack.

  1. PROTIP: The largest Minimum password length AWS allows is 128 characters. But 1Password can generate up to only 64 characters. Practically, 22 characters is a reasonable minimum. Require at least one number and one non-alphanumeric character.


  2. Scroll down to “Security Token Service Regions” and deactivate regions your organization will never use.

    PROTIP: The region is where most of your users are located. New services are usually restricted to one region, such as N. Virginia or N. California where AWS does development work.

    MFA (Multi-Factor Authentication)

    Have AWS text or call your smartphone (a virtual device) to make sure that it’s really you logging in.

  3. Click Activate MFA
  4. Click “A virtual MFA device”.
  5. Click Next Steps.

  6. On your iPhone or Android, open the Store app and get the Google Authenticator app installed.
  7. Open up your QR code app and align the code visually.

    PROTIP: Don’t have a QR scanner app? My favorite QR app is Norton Snap, which blocks out malicious URLs the image represents. Snap automatically visits the website represented by the picture of dots.

    Your QR app may just copy to the invisible Clipboard. Then you would have to switch to a web browser and click on the URL field to paste from Clipboard.

  8. The Google Authenticator app opens.
  9. The Google Authenticator app displays a new code every minute.
  10. Type in the AWS Console website the code displayed. Wait for the second code.
  11. Click “Activate virtual MFA”.

    Access keys (access key ID and secret access key)

    See that “AWS recommends that you rotate your access keys every 90 days”? Some find it easier to remember by doing it on the first day of each month. Why? There are thousands of big computers around the world literally staying up at night trying different combinations.

  12. PROTIP: Make an appointment on your Calendar with a recurring schedule.

    PROTIP: Rotation applies to the access keys of IAM (child) user accounts, not the root account.

    You don’t want programmatic access to your root account, so you don’t need no stinkin’ keys.

  13. Click Delete to the key. Write down the date Created.
  14. Don’t create a new Access Key.
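The checks in the password-policy, MFA and access-key steps above can be run as an audit instead of eyeballing the dashboard. The following is an added example, not code from the tutorial or from AWS: it reads an IAM password policy dict shaped like the inner "PasswordPolicy" of boto3's `iam.get_account_password_policy()` and a credential report CSV shaped like the "Content" of `iam.get_credential_report()`, and reports a root access key, console sign-in without MFA, and keys older than 90 days. All values (account id 123456789012, user names, dates) are constructed for the demonstration.

```python
"""Audit an account's IAM password policy and credential report.

Added example, not code from the original tutorial or from AWS. The input
shapes mirror what boto3's iam.get_account_password_policy() (the inner
"PasswordPolicy" dict) and iam.get_credential_report() (the CSV bytes in
"Content", decoded) return; every value below is constructed, including
the account id 123456789012 and the user names.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# The tutorial's recommended minimums: 22 characters, a number and a symbol.
RECOMMENDED_MIN_LENGTH = 22
# "AWS recommends that you rotate your access keys every 90 days"
ROTATION_MAX_AGE = timedelta(days=90)
# Fixed "now" so the sample audit is reproducible (constructed).
AUDIT_TIME = datetime(2018, 6, 1, tzinfo=timezone.utc)

# A weak policy in the shape of the defaults the tutorial warns about (constructed).
WEAK_POLICY = {"MinimumPasswordLength": 6, "RequireNumbers": False, "RequireSymbols": False}
# What the tutorial asks for.
STRONG_POLICY = {"MinimumPasswordLength": 22, "RequireNumbers": True, "RequireSymbols": True}

# Constructed credential report; only the columns used below are included.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2018-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2018-02-01T00:00:00+00:00,false,N/A
bob_iot,arn:aws:iam::123456789012:user/bob_iot,false,false,true,2018-04-15T00:00:00+00:00,false,N/A
"""


def password_policy_findings(policy):
    """Return the ways a password policy falls short of the tutorial's minimums."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < RECOMMENDED_MIN_LENGTH:
        findings.append(f"minimum length below {RECOMMENDED_MIN_LENGTH}")
    if not policy.get("RequireNumbers"):
        findings.append("numbers not required")
    if not policy.get("RequireSymbols"):
        findings.append("non-alphanumeric characters not required")
    return findings


def _parse_time(value):
    """Report timestamps are ISO 8601, or a marker such as N/A / no_information."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_report_findings(report_csv, now):
    """Flag root access keys, console users without MFA and stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password; IAM users only when password_enabled is true.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append(f"{user}: console sign-in without MFA")
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if is_root:
                # The tutorial's step: the root account should have no programmatic keys.
                findings.append(f"{user}: root access key present, delete it")
                continue
            rotated = _parse_time(row[f"{slot}_last_rotated"])
            if rotated is None or now - rotated > ROTATION_MAX_AGE:
                findings.append(f"{user}: {slot} is older than 90 days, rotate it")
    return findings


if __name__ == "__main__":
    for line in password_policy_findings(WEAK_POLICY):
        print("password policy:", line)
    for line in credential_report_findings(SAMPLE_REPORT, AUDIT_TIME):
        print("credentials:", line)
```

Against a live account you would pass `iam.get_account_password_policy()["PasswordPolicy"]` and `iam.get_credential_report()["Content"].decode()` (after `generate_credential_report()` has completed) in place of the constructed samples, with `datetime.now(timezone.utc)` as the audit time.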

    Use groups to assign permissions

    PROTIP: For a user to do something usually requires several AWS resources, so several permissions need to be granted to that user. To simplify assignments, we define Groups of permissions which we can then assign to each user.

    In other words, an IAM group is a management convenience for managing the same set of permissions for a set of IAM users.

  15. Click Manage Groups then Create New Group.

    PROTIP: Groups are usually associated with a particular job: admin, sales, HR, front-end developer, back-end developer, etc.

    A user can belong to multiple groups. More complex organizations manage differences in permissions for company, division, project, location, job level, etc. So 128 characters may not be enough if large words are used. Thus, abbreviate and use acronyms.

    PROTIP: Put abbreviations and acronyms in a wiki publicly available to avoid duplicate usage.

  16. “aws_iot_buttons” is the group name I use as an example.

PROTIP: Use underscores or dashes. Space characters are not allowed.

The policies listed are “AWS Managed” policies.

  1. Click on Policy Type to select Job function.

  2. PROTIP: Instead of scrolling down the massive list in Attach Policy (Alexa, Amazon, AWS, etc.), type in the Filter field the first few letters (such as “IoT”) and the list gets smaller. Notice that the filter you type matches not just names beginning with what you typed, but also characters inside names.

  3. Click to select.
  4. Click “Create Group”.

    Note different policies have different levels of access, with admin having more capabilities than “read only” ones.

  5. The names shown on the screen are called a “Policy Summary”.
  6. Click “JSON” to see the file that AWS reads to assign policies. Here you see what Actions the policy allows.

  7. Click “Access Advisor” to see users who have been assigned to use the policy.

    https://docs.aws.amazon.com/iot/latest/developerguide/create-iot-policy.html
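The JSON tab shows the same Version/Statement/Effect/Action/Resource grammar for every policy, so a small script can do what the Policy Summary does and also flag the over-broad grants a reviewer looks for. This is an added example, not the tutorial's or AWS's code; the sample policy is constructed (the IoT topic ARN, account id and the `s3:*` grant are placeholders chosen to trigger the warnings). `action_allowed` evaluates at the action level only, honouring that an explicit Deny beats an Allow; it does not evaluate Resource or Condition.

```python
"""Summarise what an IAM policy document allows and flag over-broad grants.

Added example, not from the original tutorial or from AWS. The policy is a
constructed sample in the standard IAM policy document format that the
console's JSON tab displays.
"""
import json
from fnmatch import fnmatchcase

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iot:Connect", "iot:Publish"],
         "Resource": "arn:aws:iot:us-east-1:123456789012:topic/buttons/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def summarize_policy(document):
    """Return allowed and denied actions plus warnings about wildcard grants."""
    doc = json.loads(document) if isinstance(document, str) else document
    summary = {"allow": [], "deny": [], "warnings": []}
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        key = "allow" if stmt["Effect"] == "Allow" else "deny"
        summary[key].extend(actions)
        if key != "allow":
            continue  # a broad Deny is a restriction, not a risk
        for action in actions:
            if action == "*" or action.endswith(":*"):
                summary["warnings"].append(f"statement {i}: wildcard action {action}")
        if "*" in resources:
            summary["warnings"].append(f"statement {i}: applies to all resources (*)")
    return summary


def action_allowed(document, action):
    """Action-level evaluation: explicit Deny wins, otherwise any matching Allow
    grants it, and with no match the default is deny. Resource/Condition ignored."""
    doc = json.loads(document) if isinstance(document, str) else document
    allowed = False
    for stmt in _as_list(doc["Statement"]):
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM matches action names case-insensitively; '*' is a wildcard.
            if fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    result = summarize_policy(SAMPLE_POLICY)
    print("allows:", result["allow"])
    print("denies:", result["deny"])
    for warning in result["warnings"]:
        print("warning:", warning)
    print("s3:GetObject allowed:", action_allowed(SAMPLE_POLICY, "s3:GetObject"))
```

The same functions accept the dict returned by boto3's `iam.get_policy_version()` under `PolicyVersion.Document`, which is how you would review the AWS Managed policy you attached to the group.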

    Create IAM Users

  8. Click Users on the left menu.
  9. Click Add User.
  10. Specify User Name. For example: user1@myco.com

    PROTIP: Use underscores to separate words in IAM User Names rather than spaces.

  11. Check “Programmatic Access”.
  12. Uncheck “User must create a new password at next sign-in”.
  13. Click “Next: Permissions”.
  14. Click “Attach existing policies directly” for the first user.

    PROTIP: The policy attached depends on what the user will be allowed to do.

  15. Send to each user the AccountId, UserName using a different mode of communication than the password.
  16. User signs in using the credentials Account Id, the UserName, and password
  17. Click “Send email”

    PROTIP: Send credentials to your alternate email rather than to a cloud drive (Amazon, Google, Box, etc.); an email account that you setup with a fake birthdate and other personal information; one you never give out to anyone.

    API Keys

    API Keys are assigned to developers using the AWS CLI (Command Line Interface) for programmatic access (by a program) rather than manual clicking and typing on a keyboard.

    API keys make use of pairs of public (access) key and private (secret) key which stand in for real users typing in passwords.

    SSH Keys

    SSH keys are used only with AWS CodeCommit to access their repositories.

    Roles for federated access

An analogy is a private ball where royal guests arrive wearing formal attire and present an invitation card to enter. The fancy outfits with sashes and medals are kinda like group permissions that confer permissions on someone. The invitation card is kinda like IAM roles, which are only for specific times.

The host of the party is kinda like AWS’s STS (Security Token Service) identity broker, which grants access tokens that enable services to “assume” a role to act on AWS services.

IAM roles are used by computer programs reaching through Enterprise identity federation into Microsoft Active Directory using SAML (Security Assertion Markup Language) or through Web identity federation into Google, Facebook, Amazon, etc.

The keys issued through IAM roles are valid only for short durations, making them a more secure way to grant access.

An IAM user needs to be granted two distinct permissions to launch EC2 instances with roles:

  • Permission to launch EC2 instances.
  • Permission to associate an IAM role with EC2 instances.

STS returns:

  • A Security Token
  • An Access Key ID
  • A Secret Access Key
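The three items STS returns and the two permissions an EC2-launching user needs can be made concrete. This is an added example, not the tutorial's or AWS's code. It assumes (my addition; the tutorial states the requirement in prose) that "permission to launch EC2 instances" is the `ec2:RunInstances` action and "permission to associate an IAM role with EC2 instances" is `iam:PassRole` on that role, and that the role itself trusts `ec2.amazonaws.com`. The STS response is constructed in the shape of an AssumeRole result (boto3 returns `Expiration` as a datetime, the CLI as an ISO string; both are handled), with placeholder key values.

```python
"""IAM roles for EC2 and the short-lived credentials STS hands back.

Added example, not from the original tutorial or from AWS. The action names
ec2:RunInstances and iam:PassRole and the ec2.amazonaws.com principal are
my mapping of the tutorial's two prose requirements; the role ARN and
credential values are constructed placeholders.
"""
from datetime import datetime, timezone

SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleEc2Role"  # constructed

# Constructed AssumeRole-style response; the three items the tutorial lists.
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIA-PLACEHOLDER-NOT-REAL",
        "SecretAccessKey": "placeholder-secret-not-real",
        "SessionToken": "placeholder-session-token-not-real",
        "Expiration": "2018-06-01T01:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAPLACEHOLDER:example-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ExampleEc2Role/example-session",
    },
}
SAMPLE_NOW = datetime(2018, 6, 1, 0, 15, tzinfo=timezone.utc)    # 45 min left
SAMPLE_LATER = datetime(2018, 6, 1, 2, 0, tzinfo=timezone.utc)   # already expired


def ec2_role_launch_policy(role_arn):
    """User policy granting the two permissions needed to launch EC2 with a role.
    iam:PassRole is scoped to one role so the user cannot hand out any role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn},
        ],
    }


def ec2_trust_policy():
    """Trust policy letting the EC2 service assume the role on the instance's behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _expiration(sts_response):
    value = sts_response["Credentials"]["Expiration"]
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_until_expiry(sts_response, now):
    """Seconds of validity left (negative once the temporary credentials expire)."""
    return int((_expiration(sts_response) - now).total_seconds())


def credentials_usable(sts_response, now):
    """True only if all three STS items are present and the session is unexpired."""
    creds = sts_response.get("Credentials", {})
    complete = all(creds.get(k) for k in ("AccessKeyId", "SecretAccessKey", "SessionToken"))
    return complete and seconds_until_expiry(sts_response, now) > 0


if __name__ == "__main__":
    print("seconds left:", seconds_until_expiry(SAMPLE_STS_RESPONSE, SAMPLE_NOW))
    print("usable now:", credentials_usable(SAMPLE_STS_RESPONSE, SAMPLE_NOW))
    print("usable later:", credentials_usable(SAMPLE_STS_RESPONSE, SAMPLE_LATER))
```

A program using role credentials should check `credentials_usable` before each batch of calls and re-assume the role when it returns False, rather than caching the keys indefinitely the way long-lived user access keys get cached.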

More security

  • egress rules on your Security Groups (after all there’s no reason ever that your database should be connecting to IP addresses in Russia),
  • vulnerability scanning,
  • Host-Based Intrusion Detection (HIDS) systems
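The first bullet, egress rules, is the one most often left at the default (all traffic to anywhere). The following added example, not code from the tutorial or from AWS, walks a list shaped like the `SecurityGroups` returned by boto3's `ec2.describe_security_groups()` and reports every egress rule that reaches any IPv4 or IPv6 address. The three groups are constructed samples with placeholder ids.

```python
"""Find security groups whose egress rules allow traffic to anywhere.

Added example, not from the original tutorial or from AWS. The input mirrors
the SecurityGroups list that ec2.describe_security_groups() returns; the
groups, ids and CIDRs below are constructed.
"""

SAMPLE_GROUPS = [
    # Default-style egress: every protocol and port to 0.0.0.0/0.
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "db", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    # Locked down: only HTTPS to the VPC's own range.
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-locked", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    # Open on IPv6 only; easy to miss when reviewing IPv4 rules alone.
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
]

ANYWHERE = ("0.0.0.0/0", "::/0")


def open_egress(groups):
    """Map group id to descriptions of its egress rules that reach any address."""
    findings = {}
    for group in groups:
        for rule in group.get("IpPermissionsEgress", []):
            proto = rule.get("IpProtocol")
            # IpProtocol "-1" means all protocols, and then no port range is present.
            scope = "all ports" if proto == "-1" else \
                f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')}"
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    findings.setdefault(group["GroupId"], []).append(f"{scope} to {cidr}")
    return findings


if __name__ == "__main__":
    for group_id, rules in open_egress(SAMPLE_GROUPS).items():
        for rule in rules:
            print(f"{group_id}: egress {rule}")
```

The group the tutorial has in mind, a database, should look like the `db-locked` sample: a specific protocol and port to a specific range, so the finding list for it stays empty.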

TCO Calculator

The Total Cost of Ownership calculator is basically a sales tool to calculate savings from moving to AWS from on-premises servers.

Toggle Basic/Advanced for more fields.

The instance type is automatically selected based on the memory selected.

Inspector service

https://aws.amazon.com/inspector automates security assessment to help improve the security and compliance of applications deployed on AWS.

The first 250 agent-assessments are free during your first 90 days. Then it’s $0.30 per agent per assessment (agent-assessment) per month.

Trusted Advisor

Scans the environment to identify tips for usage and security.

Well-Architected Review

Enterprise subscribers ($15,000/month) have AWS Solution Architects conduct a Well-Architected Review in addition to a designated Technical Account Manager (TAM) for proactive guidance.

Free video training and books (in pdf and Kindle) on the Well-Architected Framework

References

After signing up at https://www.aws.training, take the 15-minute course “Authentication and Authorization with AWS Identity and Access Management”.

SWF (Simple Workflow Service) sequences manual work.

AppStream streams desktop apps (like Citrix).

Elastic Transcoder converts videos into various sizes and formats (ogg, mp4, etc.).

Orion Papers on Lucidchart

https://cloudonaut.io/aws-security-primer/ includes a thorough mind-map of concepts related to IAM.

https://scriptcrunch.com/aws-certification-iam-essentials-cheat-sheet/

Social Media

http://www.techexams.net/forums/cloud/131715-passed-cv0-001-a.html
