Securing AWS Infrastructure Deployment with Terraform and IAM Guidelines (part 1/3)

Securing Access Management with AWS IAM Identity Center

Jessada.Srm
5 min read · Apr 22, 2024

To manage AWS resources effectively, avoid using the root account for daily tasks. Instead, create a dedicated user for specific tasks. We will use AWS IAM Identity Center to create a user with appropriate permissions. IAM Identity Center is preferable to creating regular IAM users because it removes the need to generate and store long-lived access keys: each time a user signs in, Identity Center issues temporary credentials (an access key ID, a secret key and a session token) that stop working once the session duration configured on the permission set has elapsed, so a leaked credential is only useful until that expiry.

Objectives

  • Demonstrate the application of AWS IAM Identity Center’s security features in your work.

Agenda

  • Create DevOps User in Your AWS Project.
  • Set DevOps User Credential on Local Machine.

Create DevOps User in Your AWS Project

I recommend creating a dedicated user account for specific tasks, such as a ‘DevOps’ role. Because IAM Identity Center issues only temporary credentials, there are no long-lived access keys to manage or leak, and the session duration on the permission set puts a hard upper bound on how long a stolen credential stays valid.

Create Permission sets

  • Navigate to AWS IAM Identity Center.
  • Under Enable IAM Identity Center, select Enable.
  • Go to Permission sets, and click Create permission set.
  • Under Select permission set type, at Types choose Predefined permission set.
  • Under Policy for predefined permission set, select NetworkAdministrator.
  • Click Next.
  • Under Specify permission set details, on Permission set name, name it NetworkAdministrator.
  • Set Session duration. This post uses 8 hours (roughly a working day); the default is 1 hour, and a shorter duration is the stricter choice, so pick the shortest value your workflow tolerates.

The session duration prevents users from remaining signed in indefinitely: once it elapses, the temporary credentials issued at sign-in stop working, which limits the window in which a leaked credential can be abused.

  • Click Next.
  • Click Create.

You will be redirected to the Permission sets table. Next, we’ll attach the AmazonEC2FullAccess managed policy to the NetworkAdministrator permission set so that users can create, start and terminate instances. Note that NetworkAdministrator plus AmazonEC2FullAccess is a broad grant; for anything beyond a personal lab, build a custom permission set that lists only the actions your deployment actually needs.

  • Click NetworkAdministrator.
(Screenshot: Permission sets table)
  • Click Attach policies.
  • Search for AmazonEC2FullAccess.
  • Click Attach policies.

Create Groups

We will use Groups to manage permissions centrally: permissions are assigned to the group once and users inherit them through membership, so adding or removing a user never requires touching the permission assignments themselves.

  • Go to Groups.
  • Click Create group.
(Screenshot: Create group panel)
  • Group name: devops
  • Click Create group.

You will be redirected to Groups table.

(Screenshot: Groups table)

Assign the devops group to your AWS account

Now we will assign the devops group to the AWS account so that its members can use the NetworkAdministrator permission set created earlier in that account.

  • Go to AWS accounts.
  • Select your AWS account and click Assign users or groups.
  • Under Groups, select devops group.
  • Click Next.
  • Under Permission sets, Select NetworkAdministrator.
  • Click Next.
  • Click Submit.

Members of the devops group can now sign in to that account with the NetworkAdministrator permission set.

Add Users

  • Go to Users.
  • Click Add user.
  • Username: the username of your choice; this is the name used to sign in.
  • Password: check Send an email to this user with password setup instructions.

AWS will email the user instructions for activating the account in your organization.

  • Email address: the user’s email address.
  • Confirm email address: retype the same address.
  • First name and Last name: as desired.
  • Click Next.
  • On Add user to groups — optional, select devops.
  • Click Add user.

Then, you need to check your email inbox and follow the instructions to activate the user.

Set DevOps User Credential on Local Machine

To run AWS CLI commands from your terminal, the CLI needs credentials. By default it reads them from the file ~/.aws/credentials. Keep that file readable only by your own user (mode 600): anyone who can read it can act with your permissions until the session expires.

  • Sign in to IAM Identity Center using your AWS access portal URL (shown on the IAM Identity Center dashboard). Note: Identity Center users must sign in through this portal URL; they cannot use the regular AWS console sign-in page.
(Screenshot: IAM Identity Center Dashboard)
  • On the AWS access portal, expand your account and click Access keys next to NetworkAdministrator.
(Screenshot: Permission sets shown after a successful sign-in)
  • Under Option 2 (Add a profile to your AWS credentials file), click Copy.
  • Open your terminal.
  • Type the following command:
vi ~/.aws/credentials
  • Press i to enter insert mode and paste your AWS credentials into this file.
  • Then press Esc and type :wq to save and exit.

Now that your Identity Center credentials are configured, you can run AWS CLI commands from your local machine, limited to what your assigned permission set allows.

Note: the pasted credentials are temporary. Every time your session expires, you’ll need to repeat the steps above and replace the profile in this file. If you would rather have the CLI refresh credentials itself, run aws configure sso once to create a profile tied to your access portal URL and permission set, then run aws sso login --profile <name> whenever the session has expired; the CLI then obtains fresh temporary credentials without any manual copy and paste.
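The copy-and-paste step above is where long-lived keys tend to creep back in and where the credentials file ends up readable by other users. The script below is an added example, not code from the original post: it takes the block copied from the portal’s Option 2 (saved to a file rather than typed into the shell, so the secret does not land in shell history) and installs it only if it is a temporary credential, writing the credentials file with owner-only permissions and replacing any stale section with the same profile name. It assumes the block has the portal’s layout (a [profile] header followed by aws_access_key_id, aws_secret_access_key and aws_session_token lines) and that temporary STS access key IDs start with ASIA while long-lived IAM user keys start with AKIA. The function names and the sample values are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): install the credential block
# copied from the IAM Identity Center access portal ("Option 2") into the
# AWS CLI credentials file, after checking it really is a temporary credential.
#
# Assumptions (this example's own):
#   - the block has the portal's layout:
#       [<account-id>_<permission-set>]
#       aws_access_key_id=ASIA...
#       aws_secret_access_key=...
#       aws_session_token=...
#   - temporary (STS) access key IDs start with "ASIA"; long-lived IAM user
#     keys start with "AKIA"
#   - the target file is ~/.aws/credentials unless AWS_SHARED_CREDENTIALS_FILE
#     (a variable the AWS CLI honours) points elsewhere.
#
# Usage: . ./install_sso_creds.sh && install_creds_block /path/to/pasted-block

set -eu

# validate_creds_block FILE
# Returns 0 if FILE holds exactly one profile section carrying a temporary
# credential, 1 otherwise (with the reason on stderr).
validate_creds_block() {
  block="$1"
  n=$(grep -c '^\[.*\]$' "$block" || true)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one [profile] header, found $n" >&2
    return 1
  fi
  # A session token is what distinguishes temporary credentials from the
  # long-lived IAM user keys this whole setup is meant to avoid.
  if ! grep -Eq '^aws_session_token *= *[^ ]' "$block"; then
    echo "no aws_session_token: this is not a temporary credential" >&2
    return 1
  fi
  if ! grep -Eq '^aws_access_key_id *= *ASIA' "$block"; then
    echo "access key id does not start with ASIA: not an STS key" >&2
    return 1
  fi
  return 0
}

# install_creds_block FILE
# Validates FILE, then rewrites the credentials file so that it contains
# every existing section except the one with the same profile name, followed
# by the new block. The file is created and left with mode 0600.
install_creds_block() {
  block="$1"
  creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  validate_creds_block "$block" || return 1
  profile=$(sed -n 's/^\[\(.*\)\]$/\1/p' "$block")
  mkdir -p "$(dirname "$creds")"
  tmp="$creds.tmp.$$"
  # Create the temp file owner-only before any secret is written to it.
  rm -f "$tmp"
  ( umask 077; : > "$tmp" )
  if [ -f "$creds" ]; then
    # Drop the section being replaced; awk output always ends in a newline,
    # so the new block appends cleanly after it.
    awk -v p="$profile" '
      /^\[.*\]$/ { skip = ($0 == "[" p "]") }
      !skip      { print }
    ' "$creds" >> "$tmp"
  fi
  cat "$block" >> "$tmp"
  mv "$tmp" "$creds"
  chmod 600 "$creds"
  echo "installed profile [$profile] into $creds"
}
```

Save the portal’s Option 2 text to a file, run install_creds_block on it, and delete the file afterwards. The script does not solve expiry: when the session runs out you still have to fetch a new block, which is why aws configure sso with aws sso login is the better long-term setup.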

If your AWS credentials are set up on your local machine, you can proceed to the next step.

Thank you for reading! Your feedback is valuable to me. Please feel free to leave comments; I appreciate any suggestions for improving my blog.

Jessada.Srm

Ex-Mechanical Engineer, now a Software Engineer. Passionate about cloud and software development. Blogging to document and share my projects.