
Create users in group, then add permissions to secure your accounts


Overview

This tutorial is addressed to Account Administrators who set up root accounts linked to credit cards. It describes how you can secure your AWS account and avoid having others run up bills that you pay for (to mine their Bitcoin, etc.).

This page also contains notes on security topics relevant to passing AWS certification exams.


Security Topics

https://cloudonaut.io/aws-security-primer includes a thorough mind-map of concepts related to IAM and AWS Security.

Cloudonaut.io is maintained (from Stuttgart, Germany) by Michael Wittig (@hellomichibye) and his brother Andreas Wittig of https://widdix.net. They published video courses with O’Reilly, Manning, Pluralsight, and A Cloud Guru. They maintain repositories about IAM at https://github.com/widdix.

Michael also wrote “How to become an AWS expert”, recorded 19 DEC 2018.

Shared Responsibility

AWS’s “shared responsibility model” means that AWS secures what is “of” the cloud, while you (the admin) secure what is “in” the cloud. See this song by Kate Turchin, a Cloud Security Advocate:

“We must all do our part… so MFA your IAM and rotate all your keys…”

Group policies -> Add Users

VIDEO: LAB: Here is a step-by-step tutorial to use the AWS Management Console GUI to create a group policy for Lambda, S3 Bucket, DynamoDB. Then attach users to the group.

  1. Create Policy
  2. Create User Group
  3. Attach Users to Group (attaching an IAM policy directly to an IAM user is not good practice)

https://blog.opstree.com/2021/06/01/aws-iam-best-practices-part-1/


  1. Obtain an account and password to log in to the AWS Management Console.
  2. Search for IAM (or pull down a browser bookmark)

    Least privilege strategy

  3. PROTIP: Design the permissions you need for each service (for example: Lambda, S3, DynamoDB) before coming here. This is so you’re not giving out “FullAccess” but instead using a more granular, least-privilege approach to limit the scope of access.

    For example, only Administrators can create accounts and delete critical resources.

    Consider AWS SCPs (Service Control Policies) for AWS Organizations (@AWSsecurityinfo)

    Create Policy

  4. Click “Policies” on the left menu.
  5. Click “Create Policy” (blue icon).
  6. Click “Import managed policy”.

    This is a misnomer. It should really be “Create policy to import into IAM for it to manage”.

  7. Repeat for each service:

    1. Type the service name in the field labeled “Filter policy”. Note you don’t have to press Enter.
    2. Click the dot associated with “FullAccess”.
    3. Click “Import”.

  8. Click “JSON” tab.

    REFERENCE: Policies Grammar

    • Each statement has a “Sid” (Statement ID) label unique within the JSON file.
    • The Effect is Allow or Deny.

    Actions in each AWS Service

    • Action: “iam:PassRole” for Lambda
    • Action: “iam:CreateServiceLinkedRole” for DynamoDB
    • Action: [ cloudwatch & logs ]
    • Action: [ … ]

    The AWS reference “Actions, Resources, and Condition Keys for AWS Services” lists, for each AWS service, its actions, resources, and condition context keys for use in IAM policies.

    https://iam.cloudonaut.io provides a Complete AWS IAM Reference (via https://github.com/widdix/complete-aws-iam-reference)

    Policy Variables and Naming Conventions

    Create a reusable set of IAM policies to restrict access not only between project and application admins and users, but also between different development, stage, and production users.

    BLOG: See Naming Conventions on examples of policy variables, such as:

        "Condition": {
            "StringEquals": {
                "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
                "aws:RequestTag/access-application": "${aws:PrincipalTag/access-application}",
                "aws:RequestTag/access-environment": [ "dev", "stg", "prd" ],
                "aws:RequestTag/cost-center": "${aws:PrincipalTag/cost-center}"
            }
        }

    Notice the use of 3-character environment names so that the list of variable names aligns vertically.

    Attribute-based access control (ABAC)

    ABAC is an authorization strategy that defines permissions based on attributes defined by Tags attached to IAM resources, including IAM entities (users or roles), and to AWS resources. ABAC policies are more flexible than traditional AWS policies, which require you to list each individual resource. Use of ABAC allows resources to grow with fewer changes to AWS policies.

  9. PROTIP: Look at the “Character count” at the lower-left corner.

    CAUTION: REMEMBER: Each JSON document has a limit of 6,144 bytes.

    Tag Naming Conventions

    PDF: AWS Tagging Best Practices

  10. Click “Next:Tags”.

    Tags are not required by AWS, but most enterprises require them for accounting to cost centers, etc., and so likely have Terraform Enterprise Sentinel policies that stop provisioning unless they are defined.

    PROTIP: Tags are also useful for troubleshooting in that they enable you to filter logs.

    Adopt a Standardized Approach for Tag Names

    PROTIP: Name tags using a prefix identifying the organization name or abbreviated name, all lowercase, with hyphens separating words. Examples:

    • anycompany:cost-center to identify the internal Cost Center code
    • anycompany:environment-type to identify whether the environment is development, test, or production
    • anycompany:application-id to identify the application the resource was created for

  11. Click “Review policy” for a Summary showing, for each service, the Access Level and the Resource scope.

    “Least privilege”?

    Policy Naming Conventions

  12. Type a name for the policy.

    There is a LIMIT of 128 characters for each IAM policy name.

    It’s not necessary to include “policy” in the name.

  13. Click “Create Policy”.

    Create User Group

  14. Click “User groups” on the left menu.
  15. Click “Create group” (blue icon).
  16. Type a group name in the field labeled “User group name”.

    PROTIP: Specify the organizational hierarchy such as “division-dept-team”.

  17. Scroll down to attach a policy by clicking the box next to a policy name.

    Attach Users to Group

    NOTE: This is tedious if you have many users, so many teams automate this.

  18. Click “Users” in the left menu.
  19. Click the box to the left of each user.

  20. OPTIONAL: Click the cog at the upper-left to select columns to display, such as ARN.

  21. Click “Add users”.
  22. Type in a user name.
  23. Select “Programmatic access” (to issue credentials for using the CLI) or “AWS Management Console access” for the website GUI.
  24. Click “Next: Permissions”.
  25. Click “Next: Tags”.
  26. Click “Next: Review”.

    Notice the user has “ChangePassword” permissions.

  27. Click “Create user”.

    “You successfully created the users shown below. You can view and download user security credentials. You can also email users instructions for signing in to the AWS Management Console. This is the last time these credentials will be available to download. However, you can create new credentials at any time.

    “Users with AWS Management Console access can sign-in at: https://369074208713.signin.aws.amazon.com/console

  28. Click “Send email” to the user.

    You may need to configure your default email app preferences. To make Gmail your email on MacOS, open Apple’s Mail app. Press apple+, (comma) for the Mail app Preferences. For “Default mail reader:” select “Google Chrome.app”. Click the red x to close the dialog. Press command+Q to close the Mail app.

  29. Click “Close”.

NOTE: Users and roles are both considered “principals” in AWS (the Principal element in a role trust policy).
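To make the ABAC condition and the 6,144-byte limit from step 8 concrete, here is an added Python example (not code from this page or from AWS) that evaluates that StringEquals block the way IAM does: it substitutes ${aws:PrincipalTag/...} variables from the caller’s tags and checks the request tags against the result. The wrapping Sid, Action and Resource values are assumptions for illustration.

```python
import json
import re

# Hypothetical policy wrapping the Condition shown on this page; the Sid,
# Action and Resource values are assumptions for illustration, not from the page.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyWithinOwnProject",
        "Effect": "Allow",
        "Action": ["dynamodb:CreateTable", "dynamodb:TagResource"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
            "aws:RequestTag/access-application": "${aws:PrincipalTag/access-application}",
            "aws:RequestTag/access-environment": ["dev", "stg", "prd"],
            "aws:RequestTag/cost-center": "${aws:PrincipalTag/cost-center}",
        }},
    }],
}

POLICY_BYTE_LIMIT = 6144   # per-document limit cited on this page
VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def policy_size(policy: dict) -> int:
    """Size with whitespace stripped, since IAM does not count whitespace."""
    return len(json.dumps(policy, separators=(",", ":")))


def resolve(allowed, principal_tags):
    """Expand ${aws:PrincipalTag/key} variables; None if a referenced tag is missing."""
    out = []
    for v in allowed if isinstance(allowed, list) else [allowed]:
        m = VAR.fullmatch(v)
        if m and m.group(1) not in principal_tags:
            return None   # unresolvable variable: the condition cannot match
        out.append(principal_tags[m.group(1)] if m else v)
    return out


def condition_matches(condition, principal_tags, request_tags):
    """StringEquals semantics: every listed request-tag key must be present and
    its value must equal one of the allowed values after substitution."""
    for key, allowed in condition.get("StringEquals", {}).items():
        tag = key.split("/", 1)[1]   # "aws:RequestTag/cost-center" -> "cost-center"
        values = resolve(allowed, principal_tags)
        if values is None or request_tags.get(tag) not in values:
            return False
    return True
```

A principal without the project/application/cost-center tags can never satisfy this condition, which is the point: the tags on the caller, not a resource list in the policy, decide access.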

Roles

DOC: An AWS role is not associated with standard long-term credentials such as a password or access keys.

Instead of being uniquely associated with a person, a role is intended to be assumable by anyone who needs it.

Assuming a role provides temporary security credentials for a role session. Assigning a role delegates access to users, applications, or services that don’t normally have ongoing access to AWS resources.

  1. In the development account, an administrator grants members of the Developers group permission to switch to the role. This is done by granting the Developers group permission to call the AWS Security Token Service (AWS STS) AssumeRole API for the UpdateApp role.

  2. Any IAM user that belongs to the Developers group in the development account can now switch to the UpdateApp role in the production account.

https://www.hudl.com/bits/how-we-stay-sane-with-a-large-aws-infrastructure


https://confluence.huit.harvard.edu/display/CLA/Cloud+Architecture+Home


TCO Calculator for moving

Amazon’s TCO (Total Cost of Ownership) calculator is basically a sales tool to calculate savings from moving to AWS from on-premises servers. It’s online at:

  • Toggle Basic/Advanced for more fields.

  • The instance type is automatically selected based on the memory selected.

3rd-party cloud alternatives

PROTIP: Know that there are competitors for cloud services – not just among the major cloud providers (Amazon, Microsoft, Google), but also among 3rd-party vendors offering niche solutions:

NOTE: Comparison-shop alternatives to services AWS offers:


Estimate bills

  1. PROTIP: Before you dive in, calculate your potential bills by providing usage estimates to the AWS calculator:

    http://calculator.s3.amazonaws.com/index.html

    It has a different sheet for each service. Parameters for EC2 include the number of EC2 instances, hosts, EBS volumes, IPs, data transfer, app and network load balancing.

    PROTIP: Remember that there is an additional surcharge for support as a percentage of the whole bill. Rates vary depending on the level of support chosen.

Account administrators who hold root accounts linked to credit cards should do the following:

Beware the Hourly Directory service


PROTIP: AWS Directory Service is activated as a prerequisite for some instances, but is not deactivated automatically when those instances are removed, and continues to accrue charges every hour until manually stopped.

PROTIP: To avoid this money-sucking situation, use a script to instantiate, and include deactivation of AWS Directory Service as part of that automated script. Or use a corporate shared Directory.

[_] Activate Tags Preferences

  1. Go to https://console.aws.amazon.com/billing/home#/preferences/tags or select your user name at the top black menu and select “My Billing Dashboard”. The Billing dashboard appears. An example:


  2. Select Preferences from the left menu.
  3. Check all the boxes and provide your email address.
  4. Click “Save Preferences”.

    Activate Cost Explorer

    https://console.aws.amazon.com/billing/home#

    Activate AWS Cost Explorer and, 24 hours later, you can graph, visualize, and analyze spend. Filter by specifying date ranges, services, tags, or a combination.


    Billing Tags

    [_] Estimate bills

  5. PROTIP: Before you dive in, calculate your potential bills by providing usage estimates to the AWS Calculator.


  6. See the Budget page:

    https://console.aws.amazon.com/billing/home?#/budgets/create?type=COST

    https://aws.amazon.com/premiumsupport/compare-plans

    PROTIP: Pricing for Developer support is the Greater of $29 or 3% of monthly AWS usage, so you may end up paying more if you spend more than $966.67.

    AWS Professional Services

    Over time, the cost per EC2 instance has trended downward*

    [_] Set Billing alerts

  7. NOTE: Set up billing alerts and notifications.

    IAM Policies for this include:

    • Billing
    • AWSPriceListServiceFullAccess

    [_] Define organizations

  8. Click your account name at the black top menu:


  9. Click “My organizations”.

  10. Review the User Guide

    PROTIP: Up to 20 linked AWS accounts can be grouped together for consolidated billing under “AWS Organizations” to take advantage of volume discounts above.

    IAM policies for this do not include:

    • AWSOrganizationsServiceTrustPolicy (A policy to allow AWS Organizations to share trust with other approved AWS Services for the purpose of simplifying customer configuration)

Well-Architected Framework Review

Enterprise subscribers ($15,000/month) can have AWS Solution Architects (from Amazon Professional Services) conduct a “Well-Architected Review” of the advice covered in the Well-Architected Framework, which is described in free video training and books (in PDF and Kindle).

The free video training and books (in PDF and Kindle) have a separate document/video for each of the topics covered in the Well-Architected Framework:

  • Cost Optimization
  • Performance
  • Security
  • Fault Tolerance
  • Service Limits

Trusted Advisor

https://aws.amazon.com/premiumsupport/technology/trusted-advisor/

AWS Trusted Advisor is a software service (not a consulting offering) which scans your environment to identify recommendations (green checkbox icon) and items to investigate (orange triangle) that help you follow AWS best practices to reduce costs, improve performance, and improve security.


The Trusted Advisor Dashboard reports the result from scans of your account’s setup based on the Well-Architected Framework.

The policy needed for this:

  • AWSTrustedAdvisorServiceRolePolicy

The AWS CLI command:

# the support API is only served from us-east-1, so set the region explicitly
aws --region us-east-1 support describe-trusted-advisor-check-result \
      --check-id eW7HH0l7J9 \
      --query 'result.sort_by(flaggedResources[?status!="ok"],&metadata

To get the check-id:

# region must be us-east-1: the support commands only work there
CHECK_ID=$(aws --region us-east-1 support describe-trusted-advisor-checks --language en \
      --query 'checks[?name==`Service Limits`].{id:id}[0].id' --output text)
echo "$CHECK_ID"

If you don’t have a premium subscription, this error message appears:

An error occurred (SubscriptionRequiredException) when calling the DescribeTrustedAdvisorCheckResult operation: AWS Premium Support Subscription is required to use this service.

Inspector service

The Amazon Inspector service (described here) automates security assessments to help improve the security and compliance of applications deployed on AWS.

The first 250 agent-assessments are free during your first 90 days.

There are many agents on each machine.

After that it’s $0.30 per agent per assessment (agent-assessments) per month.

What security vulnerabilities an organization has is rather confidential information, so be stingy about granting policies related to Inspector:

Policies for auditors who evaluate security would be:

  • AmazonInspectorReadOnlyAccess
  • SecurityAudit

Policies for those who carry out security assessments:

  • AmazonInspectorFullAccess
  • AmazonInspectorServiceRolePolicy grants Amazon Inspector access to AWS Services needed to perform security assessments.

Related policies include:

  • AWSAccountActivityAccess
  • AWSAccountUsageReportAccess
  • AWSConfigRole
  • AWSResourceGroupsReadOnlyAccess
  • AWSServiceCatalogAdminFullAccess
  • AWSServiceCatalogEndUserFullAccess

  • PowerUserAccess
  • SecretsManagerReadWrite

CLI for costing

At https://medium.com/circuitpeople/aws-cli-with-jq-and-bash-9d54e2eabaf1 Lee Harding answers questions like “What is each service costing me?” with a command like the one below. Two errors in the original are fixed here: the End date was computed as the last second of the month, which the API’s exclusive End excludes, so the last day was dropped; and jq sorted on .Amount, a key the wrapped objects do not have:

# Uses GNU date (Linux). End is exclusive, so it is the 1st of next month.
START=$(date +%Y-%m-01); END=$(date --date="$START + 1 month" +%F)
aws ce get-cost-and-usage --time-period Start=$START,End=$END --granularity MONTHLY --metrics USAGE_QUANTITY BLENDED_COST --group-by Type=DIMENSION,Key=SERVICE \
  | jq '[ .ResultsByTime[].Groups[] | select((.Metrics.BlendedCost.Amount|tonumber) > 0) | { (.Keys[0]): .Metrics.BlendedCost } ] | sort_by(.[].Amount|tonumber) | add'
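As an added example (not from this page or from Lee Harding’s article), this Python does offline what the jq pipeline above is meant to do online: it computes the exclusive month window and ranks services by numeric BlendedCost over a constructed sample of a get-cost-and-usage response. The sample amounts are made up.

```python
import json
from datetime import date, timedelta

# Constructed sample of a get-cost-and-usage response grouped by SERVICE,
# trimmed to the fields the jq filter reads; not real billing data.
SAMPLE_RESPONSE = json.loads("""{
  "ResultsByTime": [{"TimePeriod": {"Start": "2024-03-01", "End": "2024-04-01"}, "Groups": [
    {"Keys": ["Amazon Elastic Compute Cloud - Compute"], "Metrics": {"BlendedCost": {"Amount": "12.5", "Unit": "USD"}}},
    {"Keys": ["AWS Directory Service"], "Metrics": {"BlendedCost": {"Amount": "102.4", "Unit": "USD"}}},
    {"Keys": ["AWS Key Management Service"], "Metrics": {"BlendedCost": {"Amount": "0", "Unit": "USD"}}},
    {"Keys": ["Amazon Simple Storage Service"], "Metrics": {"BlendedCost": {"Amount": "0.0000000034", "Unit": "USD"}}}
  ]}]}""")


def month_window(today: date) -> tuple:
    """Start/End for the month containing `today`. End is exclusive in this API,
    so it is the 1st of next month; a 'last second of the month' End drops a day."""
    start = today.replace(day=1)
    end = (start + timedelta(days=32)).replace(day=1)
    return start.isoformat(), end.isoformat()


def cost_by_service(response: dict, min_amount: float = 0.0) -> list:
    """[(service, amount)] for services costing more than min_amount, sorted
    highest first. Amounts are compared as numbers, not as strings."""
    rows = []
    for period in response["ResultsByTime"]:
        for group in period["Groups"]:
            amount = float(group["Metrics"]["BlendedCost"]["Amount"])
            if amount > min_amount:
                rows.append((group["Keys"][0], amount))
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Raising min_amount hides sub-cent noise such as the S3 line, so the forgotten Directory Service charge from the section above stands out at the top.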

Hystax OptScale identifies unused environments and tracks deploy-plan history in Jira, Slack, and the OptScale UI. It is available in the Marketplace or as SaaS for Kubernetes in public clouds.

