#GroundUp: Mastering IAM User Creation and MFA Setup
Hello everyone and welcome again to the #GroundUp series, where I share some basic topics that will help you as you start your journey in the AWS Cloud. If there is a specific topic or tutorial you would like to see, please feel free to put it in the comments.
An IAM user is one of the main principals that can access your AWS account. Other principals include federated users, IAM roles, and other AWS services. Our focus in this post will be on setting up an IAM user and then activating MFA for it.
Why should you have an IAM User
Amazon Web Services (AWS) Identity and Access Management (IAM) plays a crucial role in securing your AWS resources. It is a best practice to do your day-to-day work as an IAM user rather than as the root user: an IAM user can be given a limited set of permissions, whereas the root user has unrestricted access to the whole account that no policy can scope down. Working as an IAM user is how you apply the principle of least privilege to your AWS infrastructure.
Why should you setup Multi-Factor Authentication (MFA)
Another key step is to set up MFA for your IAM user. Multi-factor authentication adds a second authentication method on top of your primary one, which for most people is a password. With MFA enabled, an attacker who obtains your password still cannot sign in, because they would also need the second factor: the code generated by your device.
AWS supports virtual MFA devices (authenticator apps such as Google Authenticator), FIDO security keys such as a YubiKey, and hardware TOTP tokens.
With that said, let us look at how to set up an IAM user.
Part 1: Creating an IAM User
Step 1: Accessing IAM in the AWS Console
1. Sign in to the AWS Management Console as the root user. The root user should only be used for setup tasks like this one; once the IAM user exists, do your day-to-day work as that user.
2. In the AWS Management Console, navigate to the IAM dashboard by clicking on “Services” and then selecting “IAM” under the “Security, Identity, & Compliance” section.
Step 2: Creating a New IAM User
1. In the IAM dashboard, click “Users” in the left-hand navigation pane. Alternatively, under the “IAM resources” section of the dashboard, click the count shown under “Users”.
2. Click the “Create user” button.
3. Enter a username for your new IAM user.
4. Choose the type of access for the user: tick “Provide user access to the AWS Management Console” and, for the user type, choose “I want to create an IAM user”.
5. Choose whether to autogenerate a password or provide a custom one.
6. Tick “Users must create a new password at next sign-in”, so the initial password is only ever used once.
7. Click “Next” and, under “Permissions options”, select “Attach policies directly”.
The other options are “Add user to group”, where the user inherits the group’s permissions (the easier option to manage once you have more than a handful of users), and “Copy permissions” from an existing user.
8. Type “S3” in the search box and select “AmazonS3FullAccess”. This managed policy is used here to keep the tutorial simple; it allows every S3 action on every bucket in the account, so for a real user you should scope the policy down to the buckets and actions they actually need.
a. Note that the permissions you attach here apply however the user authenticates. What this wizard sets up is console sign-in; programmatic access, which lets the user interact with AWS services through the AWS CLI, SDKs, and other tools, needs an access key, created in Step 3.
9. Review your selections and click “Create user”
10. Once that is done you can send sign-in instructions to the user or download the details as a .csv file.
11. Click “Return to users list” to return to the Users Dashboard.
Step 3: Creating Access Key and Secret Access Key
1. On the Users Dashboard select the User name you created.
2. Under the “Summary” heading select the “Create access key” option.
3. For the use case, pick the option that best suits your need; in our case select “Command Line Interface (CLI)”. The console will show alternatives it recommends over long-lived keys; confirm your choice, then click “Next”.
4. Optionally add a description tag for the access key, then click “Create access key”.
5. This shows the access key ID and the secret access key. Download the .csv file containing the keys and store it somewhere safe, such as a password manager or secrets store, never in a shared drive or a source repository.
Take note of the access key best practices AWS shows on this page. The secret access key is displayed only once: if you do not download or record it now, you cannot retrieve it later and will have to create a new key.
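The Part 1 steps above as API calls, as an added example (mine, not code from the post or from AWS), with the AmazonS3FullAccess shortcut replaced by a policy scoped to one bucket. The bucket, user and policy names are placeholders, the `overly_broad_statements` helper is my own review check, and the `FULL_ACCESS_LIKE` statement approximates what AmazonS3FullAccess grants at the time of writing. The pure functions run offline; `provision_user` needs credentials that are allowed to manage IAM.

```python
"""Part 1 (create user, console password, permissions, access key) as boto3 calls,
with a least-privilege S3 policy in place of AmazonS3FullAccess.
Added example for this post; bucket, user and policy names are placeholders."""
import json


def s3_bucket_policy(bucket, prefix=""):
    """Policy document allowing listing of one bucket and read/write of its objects
    (optionally limited to a key prefix). Every other S3 action stays denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOneBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ObjectReadWrite",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


# Approximation of the statement AmazonS3FullAccess grants, kept here for comparison:
# every S3 action on every bucket in the account.
FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def overly_broad_statements(policy):
    """Return identifiers of Allow statements that combine a wildcard action
    (e.g. 's3:*') with Resource '*'. Run it over a policy before attaching it."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(statement.get("Action")))
        wild_resource = "*" in _as_list(statement.get("Resource"))
        if wild_action and wild_resource:
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings


def provision_user(user_name, bucket, temp_password):
    """Live version of Steps 2 and 3; requires AWS credentials allowed to manage IAM.
    boto3 is imported here so the functions above remain usable without it."""
    import boto3  # live step only

    iam = boto3.client("iam")
    policy = s3_bucket_policy(bucket)
    assert not overly_broad_statements(policy)
    iam.create_user(UserName=user_name)
    # Console password that must be changed at first sign-in (Step 2, item 6).
    iam.create_login_profile(UserName=user_name, Password=temp_password, PasswordResetRequired=True)
    # Inline scoped policy instead of the AmazonS3FullAccess managed policy (Step 2, item 8).
    iam.put_user_policy(UserName=user_name, PolicyName="S3ScopedAccess", PolicyDocument=json.dumps(policy))
    # Step 3: the secret is returned exactly once; store it now, it cannot be fetched again.
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"AccessKeyId": key["AccessKeyId"], "SecretAccessKey": key["SecretAccessKey"]}


if __name__ == "__main__":
    print(json.dumps(s3_bucket_policy("example-bucket", "uploads/"), indent=2))
    print("broad statements:", overly_broad_statements(FULL_ACCESS_LIKE))
```

`put_user_policy` creates an inline policy on the user; if you would rather keep the post's "Attach policies directly" flow with a reusable managed policy, create it once with `create_policy` and attach it with `attach_user_policy`. The review check is deliberately narrow (wildcard action and wildcard resource together), which is enough to catch the AmazonS3FullAccess pattern without flagging legitimate `s3:ListBucket` on a single bucket.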
Part 2: Setting Up Multi-Factor Authentication (MFA)
Step 1: Enabling MFA for an IAM User
1. In the IAM dashboard, select “Users” from the left-hand navigation pane.
2. Click on the username for the IAM user for which you want to enable MFA.
3. In the “Security credentials” tab, find the “Multi-Factor Authentication (MFA)” section and click “Assign MFA device”
4. Type a name to identify the MFA device.
5. Choose the MFA device type: “Authenticator app” (a virtual MFA device), “Security key” (a FIDO device such as a YubiKey) or “Hardware TOTP token”.
a. For an authenticator app: scan the QR code with the app (such as Google Authenticator or Authy) or enter the secret key manually. Treat that secret key like a password; anyone who has it can generate your codes.
b. For a security key or hardware token: follow the console’s instructions for your specific device.
6. In our case select “Authenticator app” and click “Next”.
7. Follow the instructions to register the device in your app, then enter two consecutive codes from the app (the console asks for the current code and the next one, 30 seconds later) to prove the device holds the secret and its clock is in sync.
8. Click “Add MFA”.
Step 2: Testing MFA
1. Once MFA is enabled, sign out of the AWS Management Console.
2. Sign in again with the IAM user’s credentials.
3. You will be prompted to enter the MFA code from your authenticator app or hardware device.
4. After successful authentication, you will gain access to the AWS Management Console.
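What the authenticator app is doing behind Part 2, as an added example (mine, not code from the post or from AWS): an AWS virtual MFA device is a TOTP generator (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) seeded with the secret shown next to the QR code. The block computes codes from such a seed, mirrors the "two consecutive codes" check the console performs at "Add MFA", and wraps the same enrolment as boto3 calls. The seed in `__main__` is the RFC 6238 test seed, the one-step tolerance in `enrollment_codes_valid` is my assumption about the console, and `enroll_virtual_mfa` needs credentials allowed to manage IAM.

```python
"""Virtual MFA device (TOTP) codes and the two-consecutive-codes enrolment check.
Added example for this post, not AWS code. The +/-1 step tolerance is an assumption."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32, at_time, step=STEP_SECONDS, digits=DIGITS):
    """Code an authenticator app shows at `at_time` (Unix seconds) for a base32 seed,
    i.e. the 'secret key' the console offers as an alternative to the QR code."""
    clean = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    counter = struct.pack(">Q", int(at_time) // step)         # RFC 6238 time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                 # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def enrollment_codes_valid(secret_b32, code1, code2, now, window=1):
    """Mirror the 'Add MFA' check: code1 must match a step within `window` of now and
    code2 must be the code for the step immediately after it. Two consecutive codes
    prove the app really holds this seed and that its clock is in sync."""
    current = int(now) // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if (hmac.compare_digest(code1, totp(secret_b32, step * STEP_SECONDS))
                and hmac.compare_digest(code2, totp(secret_b32, (step + 1) * STEP_SECONDS))):
            return True
    return False


def enroll_virtual_mfa(user_name, device_name):
    """Live version of Part 2, Step 1; needs credentials allowed to manage IAM.
    Creates the virtual device, derives the two codes from its seed and enables it."""
    import boto3  # live step only

    iam = boto3.client("iam")
    device = iam.create_virtual_mfa_device(VirtualMFADeviceName=device_name)["VirtualMFADevice"]
    seed = device["Base32StringSeed"].decode()   # the same secret the QR code encodes; never log it
    first = totp(seed, time.time())
    # Wait for the next 30-second step so the second code is genuinely the next one.
    time.sleep(STEP_SECONDS - (int(time.time()) % STEP_SECONDS) + 1)
    second = totp(seed, time.time())
    assert enrollment_codes_valid(seed, first, second, time.time())
    iam.enable_mfa_device(UserName=user_name, SerialNumber=device["SerialNumber"],
                          AuthenticationCode1=first, AuthenticationCode2=second)
    return device["SerialNumber"]


if __name__ == "__main__":
    # RFC 6238 test seed (ASCII "12345678901234567890" in base32); constructed input.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code now:", totp(seed, time.time()))
```

The point of the second code is that anyone who can produce two codes for adjacent steps must hold the seed; a single code could have been shoulder-surfed. The same reasoning is why the seed (base32 string or QR image) must be treated as a credential and never committed, mailed or logged.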
Best Practices and Considerations
- Rotate access keys: rotate IAM users’ access keys regularly, and delete keys that are no longer used.
- Use IAM roles: give applications and services temporary credentials through IAM roles instead of long-lived access keys.
- Monitor IAM activity: set up CloudTrail so that every API call and console sign-in is logged, and review it for sign-ins without MFA and for any root user activity.
- Adhere to the principle of least privilege: grant a principal only the actions and resources it needs, and only for as long as it needs them.
- Protect the root user too: enable MFA on the root user and do not create access keys for it.
- Remember that the MFA set up above protects console sign-in only: API calls made with the access key are not challenged for a code. To require MFA for programmatic access as well, add an aws:MultiFactorAuthPresent condition to the user’s policies and have the user obtain temporary credentials with sts get-session-token and their MFA code.
By following the steps above, you can create IAM users and protect them with Multi-Factor Authentication. Setting up MFA is of paramount importance: it stops an attacker who has obtained a password from simply signing in to your resources. In the next post, we will look at gaining programmatic access to AWS and setting up the AWS CLI.
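A way to act on the "monitor IAM activity" item, as an added example (mine, not code from the post or from AWS): a check over CloudTrail records that flags successful console sign-ins made without MFA and any sign-in by the root user. The records are constructed to match the shape of real CloudTrail ConsoleLogin events; the account id, user names, IP addresses and times are invented.

```python
"""Flag risky console sign-ins in CloudTrail: sign-ins without MFA and root user sign-ins.
Added example for this post; the records are constructed (account id, names, IPs, times
are invented) but follow the layout of real ConsoleLogin events."""
import json

SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:40:19Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:02:51Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def risky_sign_ins(records):
    """Return (finding, principal, eventTime, sourceIPAddress) tuples for successful
    console sign-ins without MFA and for any root user sign-in, successful or not."""
    findings = []
    for record in records:
        if record.get("eventName") != "ConsoleLogin":
            continue
        identity = record.get("userIdentity", {})
        principal = identity.get("userName", identity.get("type"))   # root has no userName
        mfa_used = record.get("additionalEventData", {}).get("MFAUsed")
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        when, ip = record.get("eventTime"), record.get("sourceIPAddress")
        if identity.get("type") == "Root":
            findings.append(("root_sign_in", principal, when, ip))
        if success and mfa_used != "Yes":
            findings.append(("sign_in_without_mfa", principal, when, ip))
    return findings


def risky_sign_ins_from_file(path):
    """Same check over a (decompressed) CloudTrail log file, which is {"Records": [...]}."""
    with open(path) as handle:
        return risky_sign_ins(json.load(handle)["Records"])


if __name__ == "__main__":
    for finding in risky_sign_ins(SAMPLE_RECORDS):
        print(*finding)
```

Each `sign_in_without_mfa` hit for an IAM user is a user who still needs Part 2 applied; a `root_sign_in` hit is worth a conversation even when MFA was used, since the root user should not be signing in at all outside setup tasks.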
Thanks for reading and see you soon.
References
- IAM User Guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
- Setting up MFA: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
- IAM Users: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
- IAM roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
- Best practices for managing AWS access keys: https://docs.aws.amazon.com/console/general/access-keys-best-practices