tech exchange


Tuesday, 12 October 2021

AWS Identity and Access Management - 2021

 


AWS Identity and Access Management (IAM) lets you have multiple users in your AWS account. If you have used Amazon Web Services (AWS), the only way to let someone else manage your content on AWS used to be to hand over your username and password or your access keys. For most of us that is a real security problem. With IAM you no longer have to share passwords and access keys.


Constantly changing the main AWS password, or generating a new key every time someone leaves the team, is a messy arrangement. IAM was a good start, allowing individual user accounts with individual keys. Since we are S3/CloudFront users, we were waiting to see whether CloudFront support would follow, and it finally has: IAM now supports CloudFront. IAM launched in 2010 with S3 support.


I found the documentation for this service somewhat scattered. There are several third-party products that offer extensions with IAM support, but developers are generally frugal, so I looked for a free solution for managing IAM with the Amazon S3 service.


This article walks you through the process of setting up a command-line interface with IAM support and setting up groups and users with S3 access. Before you start configuring IAM, you need to set up your Amazon AWS S3 account. My article, Amazon Simple Storage Service (S3), will guide you step by step through setting up an AWS S3 account.

Here are the steps to set up and implement users in IAM. This is for Windows but can be adapted for use on Linux, UNIX, and/or Mac OSX.

  1. Command-line interface (CLI) installation and configuration
  2. Create a group
  3. Granting Group Access to S3 Bucket and CloudFront
  4. Create a user and add it to a group
  5. Create login profile and create key
  6. Access test

Command-line interface (CLI) installation and configuration

The IAM Command Line Toolkit is a Java program available from Amazon's AWS Developer Tools. You can use this tool to run IAM API commands from a shell (the Command Prompt on Windows).

• You must be running Java 1.6 or higher. You can download the latest version from Java.com. To check the version installed on your Windows system, open a command prompt and type java -version. This assumes that java.exe is in your PATH.

• Download the IAM CLI toolkit and unzip it somewhere on your local drive.

• There are two files in the CLI toolkit root that need to be updated:

• aws-credential.template: This file contains your AWS credentials. Add your AWSAccessKeyId and AWSSecretKey, then save and close the file.

• client-config.template: You only need to update this file if you use a proxy server. Remove the # sign and update ClientProxyHost, ClientProxyPort, ClientProxyUsername and ClientProxyPassword. Save and close the file.

• The next step is to add environment variables. Go to Control Panel | System Properties | Advanced System Settings | Environment Variables. Add the following variables:
  • AWS_IAM_HOME: Set this variable to the directory where you unzipped the CLI toolkit. If you run Windows and unzipped it in the root of drive C, the variable will be C:\IAMCli-1.2.0.
  • JAVA_HOME: Set this variable to the directory where Java is installed, that is, the directory containing java.exe. On a typical Windows 7 Java installation this is something like C:\Program Files (x86)\Java\jre6.
  • AWS_CREDENTIAL_FILE: Set this variable to the path and file name of the aws-credential.template you updated above. If you run Windows and unzipped it in the root of drive C, the variable will be C:\IAMCli-1.2.0\aws-credential.template.
  • CLIENT_CONFIG_FILE: Add this environment variable only if you need a proxy server. If you run Windows and unzipped it in the root of drive C, the variable is C:\IAMCli-1.2.0\client-config.template. Don't add this variable unless you need it.
  • Test the installation by opening a command prompt and typing iam-userlistbypath. As long as you don't get an error, the installation is working.

All IAM commands can be run from the command prompt. All commands start with "iam-".

Create a group

You can create up to 100 groups per AWS account. You can set permissions in IAM at the user level, but it's best to use groups. Here is the process of creating a group in IAM.

  • The group creation syntax is iam-groupcreate -g GROUPNAME -p PATH -v where -p and -v are optional. Full documentation for the command line interface is available in the AWS documentation.
  • To create a group called "awesomeusers", type iam-groupcreate -g awesomeusers at the command prompt.
  • You can verify that the group was created correctly by typing iam-grouplistbypath at the command prompt. If this is the only group you have created, you will get output like "arn:aws:iam::123456789012:group/awesomeusers", where the number is your AWS account number.

Granting Group Access to S3 Bucket and CloudFront

Policies control what a group can do in S3 or CloudFront. By default, groups don't have access to anything in AWS. I found the documentation for policies to be fine, but it took some trial and error to get a handful of policies working the way I wanted them to.

There are several ways to write a policy. One option is to type it directly at the command prompt. I found it easier to put the policy in a text file and pass that file to the iam-groupuploadpolicy command as a parameter, since that also makes it easy to save and tweak the policy. Here is the process of using a text file and uploading it to IAM.

Use something like Notepad, type the following text and save the file. Key names are case-sensitive, and there must be no spaces inside an action name or an ARN.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::BUCKETNAME",
            "arn:aws:s3:::BUCKETNAME/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "cloudfront:*",
          "Resource": "*"
        }
      ]
    }
  • This policy has three sections (statements). Each statement has an Effect, which allows or denies a type of access; an Action, the specific things the group can do; and a Resource, the bucket or objects the action applies to.
  • You can limit actions individually. For example, a group whose statement has "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion"] can list the contents of a bucket and download objects, but nothing else.
  • The first section allows the group to perform any S3 operation on the BUCKETNAME bucket and on the objects in it.
  • The second section allows the group to list all buckets in S3. Without it, tools such as the AWS Console cannot show the bucket list.
  • The third section gives the group full access to CloudFront.
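To make the policy above concrete, here is an added Python example (not code from the original post, and not an AWS tool) that assembles the three-section policy as JSON and then checks a hand-typed policy for the mistakes that commonly creep in when editing in Notepad: wrong key capitalisation, a space inside an action or ARN, and a bucket ARN granted without its bucket/* companion. It goes slightly beyond the post by also producing the read-only variant built from the three actions listed above. The helper names, READ_ONLY_S3_ACTIONS and the OBJECT_ACTIONS list are this example's own assumptions.

```python
"""Build the IAM group policy from the post and sanity-check hand-typed ones.

Added example, not code from the original post. The Statement / Effect /
Action / Resource layout is the one the post describes; the helper names
and the check rules below are this example's own.
"""
import json

# Actions the post names for a read-only variant of the bucket statement.
READ_ONLY_S3_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion"]

# Object-level actions that only work when the bucket/* resource is granted too
# (example's own list, not an exhaustive one).
OBJECT_ACTIONS = {"s3:*", "s3:GetObject", "s3:GetObjectVersion",
                  "s3:PutObject", "s3:DeleteObject"}


def bucket_statement(bucket, actions="s3:*"):
    """Statement granting `actions` on one bucket and every object inside it.

    Both ARNs are needed: the bucket ARN covers bucket-level calls such as
    ListBucket, the bucket/* ARN covers object-level calls such as GetObject.
    """
    return {
        "Effect": "Allow",
        "Action": actions,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def build_group_policy(bucket, bucket_actions="s3:*", cloudfront=True):
    """Assemble the three-section policy from the post as a JSON string."""
    statements = [
        bucket_statement(bucket, bucket_actions),
        # Needed so tools like the AWS Console can show the bucket list.
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
         "Resource": "arn:aws:s3:::*"},
    ]
    if cloudfront:
        statements.append(
            {"Effect": "Allow", "Action": "cloudfront:*", "Resource": "*"})
    return json.dumps({"Statement": statements}, indent=2)


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def policy_problems(policy_json):
    """Return a list of problems found in a policy document (empty list = OK)."""
    try:
        doc = json.loads(policy_json)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    statements = doc.get("Statement") if isinstance(doc, dict) else None
    if not isinstance(statements, list):
        return ['top level must be {"Statement": [...]} (key is case-sensitive)']
    problems = []
    for i, st in enumerate(statements):
        for key in ("Effect", "Action", "Resource"):
            if key not in st:
                problems.append(f"statement {i}: missing {key} (keys are case-sensitive)")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for item in actions + resources:
            if " " in item:
                problems.append(f"statement {i}: whitespace inside {item!r}")
        # Object actions on a bare bucket ARN silently do nothing useful.
        if OBJECT_ACTIONS & set(actions):
            for arn in resources:
                if (arn.startswith("arn:aws:s3:::") and not arn.endswith("*")
                        and f"{arn}/*" not in resources):
                    problems.append(
                        f"statement {i}: {arn} granted without {arn}/*, "
                        "object actions will fail")
    return problems


if __name__ == "__main__":
    print(build_group_policy("BUCKETNAME"))
    print(policy_problems(build_group_policy("BUCKETNAME", READ_ONLY_S3_ACTIONS)))
```

Run the checker over the text file before uploading it; an empty list means the document at least has the right shape, and the read-only variant is the one to start from when a group only needs to download.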

IAM policies have many options. Amazon has a useful tool called the AWS Policy Generator. This tool provides a GUI where you can write policies and generate the actual code needed to implement the policies. You can also check the Access Policy Language section of the Using AWS Identity and Access Management online documentation.

Create a user and add it to a group

  • Creating a new user and adding them to a group to give them access is a two-step process. The syntax for creating a user is iam-usercreate -u USERNAME -p PATH -g GROUPS … -k -v where -p, -g, -k, and -v are optional. Full documentation for the command line interface is available in the AWS documentation.
  • To create user "bob" and add him to the awesomeusers group, type iam-usercreate -u bob -g awesomeusers at the command prompt.
  • You can verify that the user was created correctly by typing iam-grouplistusers -g awesomeusers at the command prompt. If this is the only user you have created, you will see output like "arn:aws:iam::123456789012:user/bob", where the number is your AWS account number.

Create a login profile and create a key

At this point we have created a user, but we still need to give the user a way to actually add or remove objects in S3. There are two options for giving your users access to S3 through IAM. You can create a login profile and give the user a password; they can then use those credentials to log into the Amazon AWS Console. The other option is to give the user an access key ID and a secret key, which they can use in third-party tools like S3 Fox, CloudBerry S3 Explorer, or S3 Browser.

Create a login profile

When you create a login profile for an S3 user, you provide a username and password that the user can use to log in to the Amazon AWS Console.

  • The syntax for creating a login profile is iam-useraddloginprofile -u USERNAME -p PASSWORD. Full documentation for the command line interface is available in the AWS documentation.
  • To create a login profile for user "bob", type iam-useraddloginprofile -u bob -p PASSWORD at the command prompt.
  • You can verify that the login profile was created correctly by typing iam-usergetloginprofile -u bob at the command prompt. If you created a login profile for bob, you will get output like "A login profile exists for your user profile".

Create a key

Once you have created an AWS Secret Access Key and the corresponding AWS Access Key ID, the user can use third-party software such as the tools mentioned previously. As a security measure, keep in mind that the secret key is only shown at the moment it is created. Copy the output from the command prompt and save it to a text file, which you can then send to the user.

  • The syntax for adding a key for a user is iam-useraddkey -u USERNAME. Full documentation for the command line interface is available in the AWS documentation.
  • To create a key for user "bob", type iam-useraddkey -u bob at the command prompt.
  • This command will output two lines like the following:
      AKIACOOB5BQVEXAMPLE
      (the secret access key)
    The first line is the access key ID and the second line is the secret key. Third-party software requires both.
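Because the secret key is shown only once, it is worth handling that output deliberately rather than leaving it in a scrollback buffer. The following added Python example (not code from the original post or from AWS) parses the two-line output described above, writes it into a credential file readable only by its owner, and produces a redacted form that is safe to paste into a ticket. The AWSAccessKeyId=/AWSSecretKey= line layout is this example's assumption about the aws-credential template format; the sample secret is constructed and the helper names are the example's own.

```python
"""Capture the one-time output of iam-useraddkey and store it with care.

Added example, not code from the original post. Output format (access key
ID on the first line, secret key on the second) is as the post describes.
The key=value file layout is an assumption about the aws-credential template.
"""
import os
import stat
import tempfile

# Constructed sample output: the post's example ID plus a made-up secret.
SAMPLE_OUTPUT = "AKIACOOB5BQVEXAMPLE\nEXAMPLEsecretKEY/not+a/real+one\n"


def parse_useraddkey_output(text):
    """Return (access_key_id, secret_key) from the command's two-line output."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected 2 non-empty lines, got {len(lines)}")
    access_key_id, secret_key = lines
    if not access_key_id.startswith("AKIA"):  # IAM user access key IDs start with AKIA
        raise ValueError(f"does not look like an access key ID: {access_key_id!r}")
    return access_key_id, secret_key


def write_credential_file(access_key_id, secret_key, path):
    """Write a credential file for the CLI, created with owner-only permissions."""
    content = f"AWSAccessKeyId={access_key_id}\nAWSSecretKey={secret_key}\n"
    # O_CREAT with mode 0o600 avoids a window where the file is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # enforce 0600 even if the file already existed
    return path


def redacted(access_key_id, secret_key):
    """Safe to put in a ticket or log: the ID plus the last 4 chars of the secret."""
    return f"{access_key_id} / ****{secret_key[-4:]}"


def demo(text=SAMPLE_OUTPUT):
    """Round trip: parse, write to a temp dir, re-read; returns what was checked."""
    access_key_id, secret_key = parse_useraddkey_output(text)
    path = os.path.join(tempfile.mkdtemp(), "aws-credential.template")
    write_credential_file(access_key_id, secret_key, path)
    with open(path) as fh:
        saved = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "access_key_id": access_key_id,
        "saved": saved,
        "mode": mode,
        "log_line": redacted(access_key_id, secret_key),
    }


if __name__ == "__main__":
    result = demo()
    print(result["log_line"], oct(result["mode"]))
```

The file produced has the same shape as the credential file the CLI itself reads, so the same helper covers both your own aws-credential.template and the file you hand to a new user; only the redacted line should ever end up in email or chat.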

Access test

Now that we have created an IAM group and user and granted the group access with a policy, we need to test that access.

Console access

Users can log in to the AWS Console using their username and password. However, this is not the normal console login page used for your main AWS account. There is a special URL that provides a login form just for the IAM users of your account. Here is the URL IAM users use to log in to S3.

https://AWS-ACCOUNT-NUMBER.signin.aws.amazon.com/console/s3

AWS-ACCOUNT-NUMBER is your regular AWS account number. You can find it by logging into the Amazon Web Services site: log in and click Account | Account Activity. Your account number is in the upper right corner. Make sure you remove the dashes. The URL should look something like https://123456789012.signin.aws.amazon.com/console/s3.

Use access key

You can download and install the third-party tools already mentioned in this article. Enter your access key ID and secret key according to the third-party tool documentation.

It is strongly recommended that you create an initial user and fully test that this user can do everything you need in S3. Once you have verified that one user works, you can set up the rest of your S3 users.

