No more AWS keys for you…

A post about AWS Access keys with security in mind

Hint: AWS Access Keys protect the same level of access as your username and password

Firstly, why is an AWS account worth protecting?

So how can we protect our accounts?

AWS User Management Basics

A base AWS account setup

Users

Policies

Groups

Groups are used to organise Users with similar access needs so you generally see groups created for developers, testers and admin users

Roles

Roles are collections of policies that can be assumed by users that are authenticated by another service
The two main ways to manage multiple users in AWS, Groups or Roles

Corporate AWS User Management

Option 1

Option 1: Manually creating and assigning users to configured groups

Option 2

Option 2: Set up identity federation between AWS Roles and corporate active directory groups

Federated User Access

Illustrating the key terms for Federated User Access for a User wanting to access Medium

How The LEGO Group does it

1. Establish a trust relationship

1. Establish a trust relationship

2. Initiate a login attempt

2. The User sends their login details to the IdP

3. Successful authentication

3. The IdP sends back the requested User Data

4. Send it all to the SP

4. Send it all to the SP

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

5. You’re in!

5. SP Allows the client access to their service

From a user’s perspective

Our CLI Tool

What it looks like

octan cli output

How it works

The main flow of the octan cli

Summary

Here is the talk I gave on this subject at AWS Community Day Nordics

Engineering Manager in the LEGO.com team at The LEGO Group. @Pelicanpie88

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store