AWS Security Operations: Difference between revisions

From NovaOrdis Knowledge Base
Latest revision as of 23:36, 2 February 2021

Internal

Setting AWS Credentials

Setting AWS Credentials

Create a Key Pair

Amazon AWS instance access key pairs are explained here.

External reference for the procedures to create (or import) a key pair: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-key-pair

This procedure describes how to create the em provisioning key pair:

Go to the EC2 console https://us-west-2.console.aws.amazon.com/ec2/v2/home.

Left tab -> Network and Security -> Key Pairs -> Create Key Pair

The key is created and the file containing the private key is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is .pem. Save the private key file in a safe place.

Create a Security Group

Create a Security Group http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-base-security-group

Create a Security Group with CloudFormation

AWS::EC2::SecurityGroup
Resources:
  InternalALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${EnvironmentName}-alb-security-group
      VpcId: !Ref VpcID
      GroupDescription: |
        The security group protecting access to the environment ALB. Only the internal
        traffic is allowed
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: 10.7.0.0/16

List the Security Groups

EC2 Console -> Resources -> Security Groups.

IAM Operations

IAM Information

aws sts get-caller-identity

The command returns details about the IAM user or role whose credentials were used to make the call: the user ID, the AWS account and the ARN of the identity.

AWS Account Operations

List AWS Account Aliases

aws iam list-account-aliases

List IAM Users

aws iam list-users

Get more Information about my IAM User

aws iam get-login-profile --user-name someuser
{
    "LoginProfile": {
        "UserName": "someuser",
        "CreateDate": "2017-07-31T22:32:53+00:00",
        "PasswordResetRequired": false
    }
}
aws iam get-account-summary
aws iam list-access-keys
aws iam list-groups-for-user --user-name someuser
aws iam list-ssh-public-keys

Create an IAM User

Creating an IAM User in Your AWS Account
Create an IAM User using the AWS CLI

Creating an IAM user:

aws iam create-user --user-name test-user

Give the User Access to the AWS Management Console

aws iam create-login-profile --user-name <username> --password <password>

Grant a User Permission to Switch Roles

Granting a User Permissions to Switch Roles

Create an IAM Group

Creating an IAM group:

Creating IAM Groups

IAM Role Operations

This section documents IAM Role operations.

Create an IAM Role

Creating IAM Role

An IAM role can be created in several ways:

From AWS Management Console

Console → IAM → Roles → Create Role → AWS service → EKS → Select your use case → "EKS - Cluster" → Next: Permissions → Next: Tags → Create.

Create a Role to Delegate Permission to an IAM User

Creating a Role to Delegate Permissions to an IAM User

This pattern is appropriate when we need to allow multiple users access to a resource. Instead of configuring each user to access the resource, we create an IAM role authorized to access the resource, and we configure the role to be assumable by the users in question, by updating the role's trust policy to allow "AssumeRole" to selected users, as described here: Enable an IAM User to Assume an IAM Role.


Console → IAM → Roles → Create Role → Another AWS Account → Account ID: use the account ID in which this role will be used → Next: Permissions → Attach permission policies: none, this role will be only assumed → Add tags → Review → Choose a role name → Create the role → Trust relationship → Use JSON similar to the one described here: Enable an IAM User to Assume an IAM Role.

With AWS CLI
create-role

Creating an IAM role with CLI is a two-step operation: creating the role and the associated trust policy, then associating the permission policy.

This is how the role is created:

aws iam create-role \
  --role-name test-role \
  --assume-role-policy-document file://trust-policy-file.json

--assume-role-policy-document specifies the trust policy document that grants an entity permission to assume the role. The user executing the command must have the "iam:CreateRole" permission.

This is how a permission policy is attached:

aws iam attach-role-policy \
  --role-name test-role \
  --policy-arn "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"

The permission policy can be created as described here.

With Terraform
Create an IAM Role with Terraform

Create an ECS Task Role

This is the procedure to create an ECS task definition task role.

IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role

Select type of trusted entity: "AWS service"

Choose the service that will use this role: "Elastic Container Service"

Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."

Next: Permissions

Select: AmazonECS_FullAccess ("Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks").

The role cannot be created with only AmazonECSServiceRolePolicy.

Set permissions boundary: Create role without permissions boundary

Next: Tags

Next: Review

Role name: playground-task-role

Description: A generic task role. Allows ECS tasks to call AWS services on the IAM user's behalf.

Trusted entities: AWS service: ecs-tasks.amazonaws.com


Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task Role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com".

Policies: AmazonECS_FullAccess

Permissions boundary: Permissions boundary is not set

Create Role.

Create an ECS Task Execution Role

This is the procedure to create an ECS task definition task execution role.

IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role

Select type of trusted entity: "AWS service"

Choose the service that will use this role: "Elastic Container Service"

Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."

Next: Permissions

Select: AmazonECSTaskExecutionRolePolicy ("Provides access to other AWS service resources that are required to run Amazon ECS tasks")

Set permissions boundary: Create role without permissions boundary

Next: Tags

Next: Review

Role name: playground-task-execution-role

Description: A generic task execution role.

Trusted entities: AWS service: ecs-tasks.amazonaws.com


Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task execution role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com".

Policies: AmazonECSTaskExecutionRolePolicy

Permissions boundary: Permissions boundary is not set

Create Role.

Create an API Gateway Role to Allow Pushing Logs to CloudWatch

IAM Console -> Roles -> Create Role -> Trusted Entity: "AWS Service" -> API Gateway -> Use case: "API Gateway: Allows API Gateway to push logs to CloudWatch Logs" -> Next: Permissions -> "AmazonAPIGatewayPushToCloudWatchLogs" policy.

Create an EC2 Service Role

This procedure can be used to create an EC2 service role.

IAM Console → Create Role

Select type of trusted entity: "AWS service"

Choose the service that will use this role: "EC2"

Select your use case: "EC2: Allows EC2 instances to call AWS services on your behalf."

Next: Permissions

Select: AmazonEC2FullAccess

Set permissions boundary: Create role without permissions boundary

Next: Tags

Next: Review

Role name: blue-ec2-service-role

Description: Allows EC2 instances to call AWS services on the user's behalf.

Trusted entities: AWS service: ec2.amazonaws.com

Policies: AmazonEC2FullAccess

Permissions boundary: Permissions boundary is not set

Create Role.

Permission Policy Operations

Create a permission policy:

Create a policy file similar to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:CreateRole"],
      "Resource": ["*"]
    }
  ]
}

Create the policy:

aws iam create-policy --policy-name infra-allow-iam-operations-to-workers --policy-document file://infra-allow-iam-operations-to-workers.json

Keep the policy ARN returned by the command; you will need it in subsequent operations.

List IAM Roles

aws iam list-roles

List a specific role:

aws iam list-roles --query "Roles[?RoleName == 'example-role'].[RoleName, Arn]"

The command returns something similar to:

[
    [
        "example-role",
        "arn:aws:iam::999999999999:role/example-role"
    ]
]

Get Details about a Specific Role

This command returns general information about a role, such as its name, ID, ARN, maximum session duration and trust policy document:

aws iam get-role --role-name infra-ec2-service

For the inline permission policies embedded in the role, use:

aws iam list-role-policies --role-name infra-ec2-service

Note that this lists only inline policies; managed policies attached to the role are listed with aws iam list-attached-role-policies, described below.

Assuming an IAM Role

Assuming an IAM Role using CLI

Switching to an IAM Role (AWS CLI)
aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/example-role" --role-session-name example-role-session

The output of the operation is similar to:

{
    "Credentials": {
        "AccessKeyId": "ASXXXXXXXXXXXXXXXXXX",
        "SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "SessionToken": "yyyy...yyyy==",
        "Expiration": "2020-06-11T20:44:12Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROXXXXXXXXXXXXXXXXXX:example-role",
        "Arn": "arn:aws:sts::999999999999:assumed-role/example-role/example-role-session"
    }
}

This command can also be used as a test of whether a specific role can be assumed or not - if a role cannot be assumed, the output is similar to: TODO - I am assuming the command fails in some obvious way.


This command does not actually change anything in the local environment; in order to use the new identity, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN must be set in the environment from the returned credentials:

export AWS_ACCESS_KEY_ID="ASXXXXXXXXXXXXXXXXXX"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export AWS_SESSION_TOKEN="yyyy...yyyy=="

To verify that the new identity is in effect, run:

aws sts get-caller-identity

You should get something similar to:

{
    "UserId": "AROXXXXXXXXXXXXXXXXXX:example-role-session",
    "Account": "999999999999",
    "Arn": "arn:aws:sts::999999999999:assumed-role/example-role/example-role-session"
}
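As an added example (not code from the original page), this Python helper turns the assume-role output shown above into the three export lines, refuses credentials that are already expired, and checks the subsequent get-caller-identity output against the role and session name that were requested; the function names and both sample documents are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `aws sts assume-role` output; placeholder values, not real keys.
ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASXXXXXXXXXXXXXXXXXX",
    "SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "SessionToken": "yyyy...yyyy==",
    "Expiration": "2020-06-11T20:44:12Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROXXXXXXXXXXXXXXXXXX:example-role",
    "Arn": "arn:aws:sts::999999999999:assumed-role/example-role/example-role-session"
  }
}"""

# Constructed sample of `aws sts get-caller-identity` output after the exports.
CALLER_IDENTITY = """{
  "UserId": "AROXXXXXXXXXXXXXXXXXX:example-role-session",
  "Account": "999999999999",
  "Arn": "arn:aws:sts::999999999999:assumed-role/example-role/example-role-session"
}"""

ENV_MAP = {  # assume-role Credentials field -> environment variable the AWS CLI reads
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}

def _utc(ts):
    """Parse the STS timestamp format, e.g. 2020-06-11T20:44:12Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def credentials_env(output_json, now_iso):
    """Map the Credentials block to env vars; refuse credentials already expired at now_iso."""
    creds = json.loads(output_json)["Credentials"]
    if _utc(creds["Expiration"]) <= _utc(now_iso):
        raise ValueError("temporary credentials expired at " + creds["Expiration"])
    return {env: creds[field] for field, env in ENV_MAP.items()}

def export_lines(env):
    """Render the `export VAR="value"` lines shown above, in ENV_MAP order."""
    return [f'export {k}="{v}"' for k, v in env.items()]

def identity_matches(identity_json, account, role_name, session_name):
    """Confirm get-caller-identity reports the assumed-role ARN we expect."""
    ident = json.loads(identity_json)
    expected = f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"
    return ident["Account"] == account and ident["Arn"] == expected
```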

Trust Policy Operations

This section documents trust policy operations.

Edit in Console

Select the Role → Summary → Trust Relationship → Edit trust relationship.

Create a Trust Policy

Create a JSON file that describes the trust policy. An example of JSON trust policy is available here.

Enable an IAM User to Assume an IAM Role

Enabling an IAM user to assume a role means updating the role's trust policy to add the user as a principal. Navigate to the role in the AWS console, go to "Trust relationships", "Edit trust relationship" and edit the JSON as follows, adding the IAM user's ARN:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
           "arn:aws:iam::999999999999:user/some.user",
           "arn:aws:iam::999999999999:user/some.otheruser"
        ],
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
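As an added example that is not from the original page, this Python helper applies the trust-policy edit described above programmatically: it adds a user ARN to the "AWS" principals of every Allow statement granting sts:AssumeRole (normalising a single-string principal into a list, the change the page's own revision made), is idempotent, and flags principals that are wider than one identity (wildcards, account roots, other accounts); function names and the sample policy are constructed.

```python
import json

# Constructed sample: the trust policy as in the earlier revision of the page,
# with a single-string "AWS" principal, before the second user is added.
TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:user/some.user",
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}"""

def _as_list(value):
    """IAM accepts either a single string or a list for principals and actions."""
    return [value] if isinstance(value, str) else list(value)

def _aws_principals(stmt):
    """AWS principals of one statement; a bare "*" Principal is reported as "*"."""
    pr = stmt.get("Principal", {})
    return ["*"] if pr == "*" else _as_list(pr.get("AWS", []))

def aws_principals(policy_json):
    """All AWS principals across the policy's statements, in document order."""
    return [p for s in json.loads(policy_json)["Statement"] for p in _aws_principals(s)]

def add_assume_role_principal(policy_json, user_arn):
    """Add user_arn to the AWS principals of each Allow/sts:AssumeRole statement (idempotent)."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = stmt.setdefault("Principal", {})
        if not isinstance(principals, dict):  # a bare "*" already allows everyone
            continue
        aws = _as_list(principals.get("AWS", []))  # string -> list, as in the console edit
        if user_arn not in aws:
            aws.append(user_arn)
        principals["AWS"] = aws
    return json.dumps(policy, indent=2)

def broad_principals(policy_json, own_account):
    """AWS principals wider than a single user/role in own_account: "*", :root, bare or foreign account ids."""
    return [p for s in json.loads(policy_json)["Statement"] for p in _aws_principals(s)
            if p == "*" or p.endswith(":root") or f":{own_account}:" not in p]
```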

Managing IAM Policies

Managing IAM Policies

This section documents various IAM Policy operations.

Create an IAM Policy

Creating IAM Policies

An IAM Policy can be created in several ways: at the console, with AWS CLI, with CloudFormation, with Terraform.

Create an IAM Policy with AWS Console

Creating IAM Policies (Console)

Create an IAM Policy with AWS CLI

Creating IAM Policies (AWS CLI)
create-policy
Example IAM Identity-Based Policies
IAM JSON Policy Reference
 aws iam create-policy \
   --policy-name infra-playground-kubernetes-master \
   --policy-document file://kubernetes-master-policy.json \
   --description "Kubernetes master node policy"

where the JSON file contains a policy declaration similar to the example shown under Permission Policy Operations above.

The identity executing the command must have the "iam:CreatePolicy" permission.

Create an IAM Policy with CloudFormation

Create an IAM Policy with Terraform

Create an IAM Role with Terraform

Edit an IAM Policy

Editing IAM Policies

Attaching a Policy to an IAM User

aws iam attach-user-policy \
  --user-name test-iam-user \
  --policy-arn "arn:aws:iam::999999999999:policy/test-policy"

Listing Attached Policies to an IAM Role

aws iam list-attached-role-policies --role-name example-iam-role

Listing Attached Policies to an IAM User

aws iam list-attached-user-policies --user-name example-iam-user

Removing Roles, Policies and Instance Profiles

A role can be deleted only after it has been removed from its instance profiles and its inline policies have been deleted, in the order shown below; any managed policies attached to the role must also be detached first, with aws iam detach-role-policy.

aws iam remove-role-from-instance-profile --instance-profile-name infra-jenkins-run-kubernetes-master-profile --role-name infra-jenkins-run-kubernetes-master
aws iam remove-role-from-instance-profile --instance-profile-name infra-jenkins-run-kubernetes-worker-profile --role-name infra-jenkins-run-kubernetes-worker
aws iam list-role-policies  --role-name infra-jenkins-run-kubernetes-master
aws iam delete-role-policy --role-name infra-jenkins-run-kubernetes-master --policy-name infra-jenkins-run-kubernetes-master
aws iam delete-role-policy --role-name infra-jenkins-run-kubernetes-worker --policy-name infra-jenkins-run-kubernetes-worker
aws iam delete-role --role-name infra-jenkins-run-kubernetes-master
aws iam delete-role --role-name infra-jenkins-run-kubernetes-worker

Decode Authorization Error Message

aws sts decode-authorization-message --encoded-message "..."

Organizatorium

Grant an AWS Account Permissions on a S3 Bucket

Grant an AWS Account Permissions on a S3 Bucket