AWS Security Operations

From NovaOrdis Knowledge Base




In process of being migrated from https://home.feodorov.com:9443/wiki/Wiki.jsp?page=AmazonSecurity


Internal

Setting AWS Credentials

Setting AWS Credentials

Create a Key Pair

Amazon AWS instance access key pairs are explained here.

External reference for the procedures to create (or import) a key pair: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-key-pair

This procedure describes how to create the em provisioning key pair:

Go to the EC2 console https://us-west-2.console.aws.amazon.com/ec2/v2/home.

Left tab -> Network and Security -> Key Pairs -> Create Key Pair

The key is created and the file containing the private key is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is .pem. Save the private key file in a safe place.

Create a Security Group

Create a Security Group http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-base-security-group

Create a Security Group with CloudFormation

AWS::EC2::SecurityGroup
Resources:
  InternalALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${EnvironmentName}-alb-security-group
      VpcId: !Ref VpcID
      GroupDescription: |
        The security group protecting access to the environment ALB. Only the internal
        traffic is allowed
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: 10.7.0.0/16
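As an added example (not part of this page or of any AWS tooling), a small Python audit of the ingress rules of a template like the one above: it flags rules that open all protocols, as the template's `IpProtocol: -1` rule does, and rules reachable from public or unrestricted ranges. `TEMPLATE` is a constructed copy of the resource above, with the `!Sub`/`!Ref` intrinsic functions kept as plain strings; function names are my own.

```python
import ipaddress

# Constructed copy of the page's InternalALBSecurityGroup, as a plain dict;
# the !Sub / !Ref intrinsic functions are kept as strings, since only the
# ingress rules are examined.
TEMPLATE = {
    "Resources": {
        "InternalALBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": "${EnvironmentName}-alb-security-group",
                "VpcId": "VpcID",
                "SecurityGroupIngress": [
                    {"IpProtocol": -1, "CidrIp": "10.7.0.0/16"},
                ],
            },
        }
    }
}

def describe_rule(rule):
    """Findings for one ingress rule; an empty list means nothing notable."""
    findings = []
    proto = str(rule.get("IpProtocol", ""))
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if proto == "-1":
        findings.append("all protocols and ports")
    elif rule.get("FromPort") == 0 and rule.get("ToPort") == 65535:
        findings.append(f"{proto} on every port")
    if cidr:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append("open to the whole internet")
        elif not net.is_private:
            findings.append("open to a public range")
    return findings

def audit_security_groups(template):
    """Map each AWS::EC2::SecurityGroup resource name to its findings."""
    report = {}
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        ingress = res["Properties"].get("SecurityGroupIngress", [])
        report[name] = [f for rule in ingress for f in describe_rule(rule)]
    return report

if __name__ == "__main__":
    print(audit_security_groups(TEMPLATE))
```

For the template above the audit reports only that the rule admits every protocol and port, since 10.7.0.0/16 is a private range.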

List the Security Groups

EC2 Console -> Resources -> Security Groups.

IAM Operations

Create an IAM User

Creating an IAM user:

Creating an IAM User in Your AWS Account

Create an IAM Group

Creating an IAM group:

Creating IAM Groups

Create an IAM Role

Creating an IAM role:

Creating IAM Role

Create an ECS Task Role

This is the procedure to create an ECS task definition task role.

IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role

Select type of trusted entity: "AWS service"

Choose the service that will use this role: "Elastic Container Service"

Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."

Next: Permissions

Select: AmazonECS_FullAccess ("Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks").

The role cannot be created with only AmazonECSServiceRolePolicy.

Set permissions boundary: Create role without permissions boundary

Next: Tags

Next: Review

Role name: playground-task-role

Description: A generic task role. Allows ECS tasks to call AWS services on the IAM user's behalf.

Trusted entities: AWS service: ecs-tasks.amazonaws.com


Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task Role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com".

Policies: AmazonECS_FullAccess

Permissions boundary: Permissions boundary is not set

Create Role.

Create an ECS Task Execution Role

This is the procedure to create an ECS task definition task execution role.

IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role

Select type of trusted entity: "AWS service"

Choose the service that will use this role: "Elastic Container Service"

Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."

Next: Permissions

Select: AmazonECSTaskExecutionRolePolicy ("Provides access to other AWS service resources that are required to run Amazon ECS tasks")

Set permissions boundary: Create role without permissions boundary

Next: Tags

Next: Review

Role name: playground-task-execution-role

Description: A generic task execution role.

Trusted entities: AWS service: ecs-tasks.amazonaws.com


Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task execution role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com".

Policies: AmazonECSTaskExecutionRolePolicy

Permissions boundary: Permissions boundary is not set

Create Role.

Create an API Gateway Role to Allow Pushing Logs to CloudWatch

IAM Console -> Roles -> Create Role -> Trusted Entity: AWS Service -> API Gateway -> Use case: "API Gateway: Allows API Gateway to push logs to CloudWatch Logs" -> Next: Permissions: "AmazonAPIGatewayPushToCloudWatchLogs" policy.

Create an EC2 Service Role

This procedure can be used to create an EC2 service role.

IAM Console -> Create Role

Select type of trusted entity: "AWS service"

Choose the service that will use this role: "EC2"

Select your use case: "EC2: Allows EC2 instances to call AWS services on your behalf."

Next: Permissions

Select: AmazonEC2FullAccess

Set permissions boundary: Create role without permissions boundary

Next: Tags

Next: Review

Role name: blue-ec2-service-role

Description: Allows EC2 instances to call AWS services on the user's behalf.

Trusted entities: AWS service: ec2.amazonaws.com

Policies: AmazonEC2FullAccess

Permissions boundary: Permissions boundary is not set

Create Role.
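Added example, not from the original page: the trust policy (assume-role policy document) that makes a role appear in the ECS Task Role and Task execution role drop-downs (it must trust ecs-tasks.amazonaws.com) or be usable by an EC2 instance (ec2.amazonaws.com), plus a check that tells you why a role is missing from those lists. The document layout is AWS's standard assume-role policy; the function names and the REQUIRED_PRINCIPAL table are my own.

```python
import json

def trust_policy_for(service):
    """Trust policy (assume-role policy document) for one or more AWS service
    principals, e.g. "ecs-tasks.amazonaws.com"."""
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
        }],
    }
    return json.dumps(doc, indent=2)

def _as_list(value):
    # IAM lets most fields be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy_json):
    """Service principals that this trust policy lets assume the role.
    Only Allow statements whose Action covers sts:AssumeRole count; Deny
    statements and account/user principals are ignored."""
    services = set()
    for stmt in _as_list(json.loads(trust_policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services

# Which service principal each kind of role on this page has to trust.
REQUIRED_PRINCIPAL = {
    "ecs-task": "ecs-tasks.amazonaws.com",
    "ecs-task-execution": "ecs-tasks.amazonaws.com",
    "ec2": "ec2.amazonaws.com",
}

def usable_as(trust_policy_json, role_kind):
    """True if a role with this trust policy would be offered for role_kind."""
    return REQUIRED_PRINCIPAL[role_kind] in trusted_services(trust_policy_json)

if __name__ == "__main__":
    print(trust_policy_for("ecs-tasks.amazonaws.com"))
```

A role whose trust policy names ecs.amazonaws.com (the ECS service itself) rather than ecs-tasks.amazonaws.com fails the check, which is the usual reason a freshly created role is absent from the Task Role drop-down.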

Managing IAM Policies

Managing IAM Policies

Create an IAM Policy

Creating IAM Policies

An IAM Policy can be created in various ways: at the console, with AWS CLI, with CloudFormation, with Terraform.

Create an IAM Policy with AWS Console

Creating IAM Policies (Console)

Create an IAM Policy with AWS CLI

Creating IAM Policies (AWS CLI)
create-policy
aws iam create-policy --policy-name infra-playground-kubernetes-master --policy-document file://my-policy.json --description "<policy description>"

where my-policy.json contains a policy document similar to the one available as example.

Create an IAM Policy with CloudFormation

Create an IAM Policy with Terraform

Edit an IAM Policy

Editing IAM Policies

Organizatorium

Grant an AWS Account Permissions on a S3 Bucket

Grant an AWS Account Permissions on a S3 Bucket