Amazon AWS Security Concepts: Difference between revisions

=Internal=
* [[Amazon AWS Security#Subjects|Amazon AWS Security]]
=AWS User=
AWS services require credentials on every access. The console requires the e-mail address and password of the account. You can also create access keys for the AWS account itself (the ''root'' account) to access the command line interface or API. However, it is not recommended to use the root account credentials for day-to-day access: root permissions cannot be restricted by IAM policies, so a leaked root access key gives full control of the account. Do not create access keys for the root account at all, protect the root login with multi-factor authentication, and use [[#IAM_.28AWS_Identity_and_Access_Management.29|IAM]] users for everything else.
To create an AWS account, go to http://aws.amazon.com, and then click Sign Up.
For more details see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html.
=IAM (AWS Identity and Access Management)=
AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.
Without IAM, an organization with multiple users and systems must either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or have all employees share the security credentials of a single AWS account. Also, without IAM, there is no control over the tasks a particular user or system can perform or the AWS resources it can use.
IAM addresses this by letting an organization create multiple ''IAM users'' within one account, each with its own credentials and its own set of permissions.
=IAM User=
An ''IAM user'' is a person, system, or application that can use AWS products. Each IAM user has its own security credentials, and all IAM users are controlled by and billed to a single AWS account. With IAM, each user is granted only the permissions needed for its job (least privilege); an IAM user has no permissions at all until a policy grants some.
<font color=red>TODO, continue with IAM concepts http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Concepts.html</font>
<pre>
AWS root Account (ovidiu@novaordis.com)
    |
    +---- IAM Users
                |
                +-- ofeodorov
</pre>
=API Access Keys=
An [[#IAM_User|IAM user]] can have up to two access keys (two, so that one can be rotated while the other is still in use). An access key is needed when the user makes programmatic calls to AWS or EC2, for example with the [[Amazon EC2 CLI]] tools; console login uses the password instead. The user, or an administrator, can create, deactivate, delete and rotate access keys, and can list the access key IDs, but the secret part is never displayed again after creation.
An access key consists of two parts:
# '''Access key ID''' (example: <tt>AKIAIOSFODNN7EXAMPLE</tt>)
# '''Secret access key''' (example: <tt>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</tt>)
When creating an access key, IAM returns the access key ID and the secret access key together, and this is the only time the secret is shown. If the secret access key is lost it cannot be retrieved; the corresponding access key must be deleted and a new one created. To rotate a key without an outage: create the second key, switch the clients to it, mark the old key inactive, confirm nothing breaks, then delete the old key.
Relationship between the access key ID and the secret access key: the access key ID is a public identifier. It is sent in the clear with every request (in the <tt>Credential</tt> field of the <tt>Authorization</tt> header) and tells AWS which key, and therefore which IAM user, signed the request. The secret access key is never transmitted. The client uses it as the HMAC key to compute a signature (AWS Signature Version 4) over the normalized request, and AWS recomputes the signature with its own copy of the secret for that access key ID and compares the two. Anyone who obtains the secret can therefore sign requests as that user, which is why it is shown only once and must be kept out of source code and logs.
The access keys can be managed here: https://console.aws.amazon.com/iam/home?#security_credential by navigating to Users -> username -> Security Credentials -> Access Credentials.
More about access keys for IAM users: http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingCredentials.html
For details on how access keys can be set in the local environment, see [[Amazon EC2 CLI Installation#Set_the_Access_Keys|Setting the Access Keys during Amazon EC2 CLI Installation]].

Revision as of 18:11, 11 February 2016