AWS Security Operations
Internal
Setting AWS Credentials
Create a Key Pair
Amazon AWS instance access key pairs are explained here.
External reference for the procedures to create (or import) a key pair: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-key-pair
This procedure describes how to create the em provisioning key pair:
Go to the EC2 console https://us-west-2.console.aws.amazon.com/ec2/v2/home.
Left tab -> Network and Security -> Key Pairs -> Create Key Pair
The key is created and the file containing the private key is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is .pem. Save the private key file in a safe place.
Create a Security Group
Create a Security Group http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-base-security-group
Create a Security Group with CloudFormation
Resources: InternalALBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub ${EnvironmentName}-alb-security-group VpcId: !Ref VpcID GroupDescription: | The security group protecting access to the environment ALB. Only the internal traffic is allowed SecurityGroupIngress: - IpProtocol: -1 CidrIp: 10.7.0.0/16
List the Security Groups
EC2 Console -> Resources -> Security Groups.
IAM Operations
Create an IAM User
Creating an IAM user:
Grant a User Permission to Switch Roles
Create an IAM Group
Creating an IAM group:
Create an IAM Role
An IAM role can be created in several ways:
Create a Role to Delegate Permission to an IAM User
With AWS CLI
Creating an IAM role with CLI is a two-step operation: creating the role and the associated trust policy, then associating the permission policy:
aws iam create-role --role-name <name> --assume-role-policy-document file://<trust-policy-file.json>
--assume-role-policy-document
specifies the trust policy document that grants an entity permission to assume the role. The user executing the command must have the "iam:CreateRole" permission.
aws iam attach-role-policy --role-name <name> --policy-arn <policy-arn>
The permission policy can be created as described here.
Create an ECS Task Role
This is the procedure to create an ECS task definition task role.
IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role
Select type of trusted entity: "AWS service"
Choose the service that will use this role: "Elastic Container Service"
Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."
Next: Permissions
Select: AmazonECS_FullAccess ("Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks").
The role cannot be created with only AmazonECSServiceRolePolicy.
Set permissions boundary: Create role without permissions boundary
Next: Tags
Next: Review
Role name: playground-task-role
Description: A generic task role. Allows ECS tasks to call AWS services on the IAM user behalf.
Trusted entities: AWS service: ecs-tasks.amazonaws.com
Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task Role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com"
Policies: AmazonECS_FullAccess
Permissions boundary: Permissions boundary is not set
Create Role.
Create an ECS Task Execution Role
This is the procedure to create an ECS task definition task execution role.
IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role
Select type of trusted entity: "AWS service"
Choose the service that will use this role: "Elastic Container Service"
Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."
Next: Permissions
Select: AmazonECSTaskExecutionRolePolicy ("Provides access to other AWS service resources that are required to run Amazon ECS tasks")
Set permissions boundary: Create role without permissions boundary
Next: Tags
Next: Review
Role name: playground-task-execution-role
Description: A generic task execution role.
Trusted entities: AWS service: ecs-tasks.amazonaws.com
Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task execution role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com"
Policies: AmazonECSTaskExecutionRolePolicy
Permissions boundary: Permissions boundary is not set
Create Role.
Create an API Gateway Role to Allow Pushing Logs to CloudWatch
IAM Console -> Roles -> Create Role -> Trusted Entity: AWS Service -> API Gateway -> Use case: API Gateway Allows API Gateway to push logs to CloudWatch Logs -> Next Permissions: "AmazonAPIGatewayPushToCloudWatchLogs" policy.
Create an EC2 Service Role
This procedure can be used to create an EC2 service role.
IAM Console → Create Role
Select type of trusted entity: "AWS service"
Choose the service that will use this role: "EC2"
Select your use case: "EC2: Allows EC2 instances to call AWS services on your behalf."
Next: Permissions
Select: AmazonEC2FullAccess
Set permissions boundary: Create role without permissions boundary
Next: Tags
Next: Review
Role name: blue-ec2-service-role
Description: Allows EC2 instances to call AWS services on user behalf.
Trusted entities: AWS service: ec2.amazonaws.com
Policies: AmazonEC2FullAccess
Permissions boundary: Permissions boundary is not set
Create Role.
Trust Policy Operations
Edit in Console
Select the Role → Summary → Trust Relationship → Edit trust relationship.
Switching to an IAM Role
Managing IAM Policies
Create an IAM Policy
An IAM Policy can be created in several ways: at the console, with AWS CLI, with CloudFormation, with Terraform.
Create an IAM Policy with AWS Console
Create an IAM Policy with AWS CLI
aws iam create-policy --policy-name infra-playground-kubernetes-master --policy-document file://kubernetes-master-policy.json --description "Kubernetes master node policy"
where the JSON file contains a declaration similar to the one available as example.
The identity executing the command must have the "iam:CreatePolicy" permission.