AWS IAM

Sun 12th Nov 2017 / Tags: #AWS

Also see: AWS CLI setup

Create an account alias

This makes it easier to log in, by using a memorable alias instead of an account ID:

aws iam create-account-alias --account-alias davejamesmiller

Set up a password policy

To ensure all passwords are strong:

aws iam update-account-password-policy --minimum-password-length 20 --require-numbers --require-uppercase-characters --require-lowercase-characters --allow-users-to-change-password --max-password-age 365

Set up an IAM admin user

aws iam create-group --group-name admins

aws iam attach-group-policy --group-name admins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam list-attached-group-policies --group-name admins

aws iam create-user --user-name dave
aws iam add-user-to-group --user-name dave --group-name admins
aws iam create-login-profile --user-name dave --password MyTemporaryPassword1 --password-reset-required

Go to AWS Console (log out if needed) and enter the account alias set above instead of an email address, then log in with the username and password set above.

It will prompt to change the password. Do that.

Then go to Services > IAM > Users > dave > Security credentials > Assigned MFA device > Edit and follow the wizard.

Switch users in the CLI

First revoke the access key for the root user:

aws iam list-access-keys
aws iam delete-access-key --access-key-id AKIAIVEMCHMV42VQA7QA
aws iam get-user

The last command should fail (InvalidClientTokenId) - though for me it took a few attempts until it did.

Then go to AWS Console > Services > IAM > Users > dave > Security credentials > Access keys > Create access key. Press Show.

aws configure

Update the Access Key ID and Secret Access Key.

aws iam get-user

Enforce multi-factor authentication

The following instructions configure IAM so that:

  1. If the admin user logs in without MFA, all they can do is enable MFA
  2. If the admin user logs in with MFA, they have full admin rights (without needing to switch role)
  3. The aws CLI automatically prompts for MFA credentials

First, make sure MFA is enabled for the admin account created above.

Create admin-role-policy.json with this content:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::956547487034:user/dave"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "true"
            }
        }
    }
}

Replace arn:aws:iam::956547487034:user/dave with the Arn of the admin user, as output by aws iam get-user above.

Create a role that grants full administrator permissions, for use in the CLI:

aws iam create-role --role-name admin --assume-role-policy-document file://admin-role-policy.json
aws iam attach-role-policy --role-name admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Source

(Note: This isn't technically required, but as far as I can work out the CLI can't be configured to automatically prompt for MFA unless a role is used.)

Create require-mfa-policy.json with this content:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            },
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Effect": "Deny"
        },
        {
            "Sid": "BlockAccessToOtherUsersUnlessSignedInWithMFA",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            },
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "sts:GetSessionToken"
            ],
            "NotResource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ],
            "Effect": "Deny"
        }
    ]
}

Create a policy to ensure multi-factor authentication is required for all administrators:

aws iam create-policy --policy-name RequireMFA --description "Requires users to authenticate with MFA to do anything other than set up MFA." --policy-document file://require-mfa-policy.json
aws iam attach-group-policy --group-name admins --policy-arn arn:aws:iam::956547487034:policy/RequireMFA

(Based on this tutorial but more restrictive.)

(Note: You may need to log out of and back into the web console, if you haven't done so since enabling MFA.)

# Without MFA it should deny access:
$ aws iam get-user --user-name=dave
An error occurred (AccessDenied) when calling the GetUser operation ...
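To see why the trust policy above uses Bool while RequireMFA uses BoolIfExists, and what each statement actually blocks, here is an added illustration (not code from this page or from AWS) that simulates IAM's evaluation of the two documents offline. It implements only the subset of policy evaluation the documents use (Action/NotAction, Resource/NotResource, Principal, Bool/BoolIfExists, ${aws:username} substitution, explicit Deny overriding Allow) and ignores everything else IAM considers (SCPs, resource policies, other condition operators). The account id 111122223333, the user "alice" and the helper names are placeholders and assumptions; the policy contents are the page's.

```python
"""Offline simulator for the two MFA-gating policy documents on this page.

Added illustration, not code from the page or from AWS. It implements only
the subset of IAM policy evaluation these documents use (Action/NotAction,
Resource/NotResource, Principal, Bool/BoolIfExists, ${aws:username},
explicit Deny overriding Allow) so each statement's effect can be checked
without an AWS account. ACCOUNT is a placeholder, not the page's account id.
"""
import fnmatch
import json

ACCOUNT = "111122223333"  # placeholder account id (assumption)
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/dave"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/admin"

# AWS managed AdministratorAccess, attached to the admins group on the page.
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# require-mfa-policy.json from the page, as Python dicts.
NO_MFA = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
REQUIRE_MFA = {"Statement": [
    {"Sid": "BlockMostAccessUnlessSignedInWithMFA", "Effect": "Deny",
     "Condition": NO_MFA, "Resource": "*",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                   "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                   "iam:ListUsers", "sts:GetSessionToken"]},
    {"Sid": "BlockAccessToOtherUsersUnlessSignedInWithMFA", "Effect": "Deny",
     "Condition": NO_MFA,
     "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "sts:GetSessionToken"],
     "NotResource": ["arn:aws:iam::*:mfa/${aws:username}",
                     "arn:aws:iam::*:user/${aws:username}"]},
]}

# admin-role-policy.json from the page (the role's trust policy). Note: Bool, not BoolIfExists.
ADMIN_ROLE_TRUST = {"Statement": {
    "Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value, ctx):
    """IAM-style wildcard match after substituting ${aws:username}."""
    username = ctx.get("aws:username", "")
    return any(fnmatch.fnmatchcase(value, p.replace("${aws:username}", username)) for p in patterns)


def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in ctx:
                # The whole point of BoolIfExists: with long-term access keys the MFA
                # key is absent. Bool then fails the condition; BoolIfExists passes it.
                if operator == "Bool":
                    return False
                continue
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def _applies(stmt, action, resource, ctx):
    if "Principal" in stmt and ctx.get("principal") not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if "Action" in stmt and not _match_any(_as_list(stmt["Action"]), action, ctx):
        return False
    if "NotAction" in stmt and _match_any(_as_list(stmt["NotAction"]), action, ctx):
        return False
    if "Resource" in stmt and not _match_any(_as_list(stmt["Resource"]), resource, ctx):
        return False
    if "NotResource" in stmt and _match_any(_as_list(stmt["NotResource"]), resource, ctx):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Returns 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def dave(mfa=None):
    """Request context for user dave. mfa=None models long-term access keys (key absent)."""
    ctx = {"aws:username": "dave", "principal": USER_ARN}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa else "false"
    return ctx


def weakened_require_mfa():
    """The same policy with BoolIfExists swapped for Bool: a common mistake to avoid."""
    return json.loads(json.dumps(REQUIRE_MFA).replace("BoolIfExists", "Bool"))


GROUP_POLICIES = [ADMINISTRATOR_ACCESS, REQUIRE_MFA]

if __name__ == "__main__":
    alice = f"arn:aws:iam::{ACCOUNT}:user/alice"  # constructed second user
    print("GetUser, access keys only   :", evaluate(GROUP_POLICIES, "iam:GetUser", USER_ARN, dave()))
    print("GetUser, MFA session        :", evaluate(GROUP_POLICIES, "iam:GetUser", USER_ARN, dave(True)))
    print("EnableMFADevice on self     :", evaluate(GROUP_POLICIES, "iam:EnableMFADevice", USER_ARN, dave()))
    print("EnableMFADevice on alice    :", evaluate(GROUP_POLICIES, "iam:EnableMFADevice", alice, dave()))
    print("AssumeRole admin, no MFA    :", evaluate([ADMIN_ROLE_TRUST], "sts:AssumeRole", ROLE_ARN, dave()))
    print("AssumeRole admin, with MFA  :", evaluate([ADMIN_ROLE_TRUST], "sts:AssumeRole", ROLE_ARN, dave(True)))
    print("GetUser, keys only, Bool bug:",
          evaluate([ADMINISTRATOR_ACCESS, weakened_require_mfa()], "iam:GetUser", USER_ARN, dave()))
```

Running it reproduces the AccessDenied seen above for a plain access-key request, shows that the only things such a request may do are the MFA-setup actions on dave's own user and MFA resources, and shows why the trust policy's Bool condition is what makes the CLI prompt for a code: with no MFA key in the request, Bool simply never matches, so AssumeRole is implicitly denied. The weakened variant demonstrates the mistake the page avoids: if RequireMFA used Bool instead of BoolIfExists, requests signed with long-term access keys (where the key is absent) would sail past the Deny.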

Configure the CLI to prompt for multi-factor authentication:

aws iam list-mfa-devices
vim ~/.aws/config

Add this to the [default] section to enable the automatic MFA prompt:

source_profile = default
role_arn = arn:aws:iam::956547487034:role/admin
mfa_serial = arn:aws:iam::956547487034:mfa/dave

Source

Test it:

$ aws iam get-user --user-name=dave
Enter MFA code:
# Outputs the user details

$ aws iam get-user --user-name=dave
# MFA credentials are stored for 1 hour so it will not prompt again
# Outputs the user details

# To clear the MFA cache:
$ rm -rf ~/.aws/cli/cache

Known issues

Revert everything

To revert everything set up above and start over:

rm -rf ~/.aws
aws configure

Enter the root user credentials again - see AWS CLI setup.

# Users
aws iam list-users

aws iam list-groups-for-user --user-name dave
aws iam remove-user-from-group --user-name dave --group-name admins

aws iam list-access-keys --user-name dave
aws iam delete-access-key --user-name dave --access-key-id AKIAJX36SHYAL4QL7Z2Q

aws iam list-mfa-devices --user-name dave
aws iam deactivate-mfa-device --user-name dave --serial-number arn:aws:iam::956547487034:mfa/dave
aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::956547487034:mfa/dave

aws iam delete-login-profile --user-name dave
aws iam delete-user --user-name dave

# Groups
aws iam list-groups

aws iam list-attached-group-policies --group-name admins
aws iam detach-group-policy --group-name admins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam detach-group-policy --group-name admins --policy-arn arn:aws:iam::956547487034:policy/RequireMFA

aws iam delete-group --group-name admins

# Policies
aws iam list-policies --scope Local
aws iam delete-policy --policy-arn arn:aws:iam::956547487034:policy/RequireMFA

# Roles
aws iam list-roles

aws iam list-attached-role-policies --role-name admin
aws iam detach-role-policy --role-name admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

aws iam delete-role --role-name admin