How-To: Creating AWS EC2 ReadOnly Credentials with IAM

In order to retrieve and list your assets (Instances, Security Groups) from your Amazon Web Services EC2 account through API, Elastic Detector need ReadOnly credentials. Here is how to create such credentials using Amazon Web Services Identity and Access Management (IAM).

Step 0:

Login to your Amazon Web Services account through AWS Console, and open IAM service.

Step 1: Set EC2ReadOnly Group

In IAM Management Console, create a EC2ReadOnlyGroup Group, by clicking on the “Create a New Group of Users” button.
IAM Management Console
IAM Create Groupe Wizard

Step 2: Set EC2ReadOnly Policy

Select Amazon EC2 Read Only Access during Permissions step.
IAM Create Group Wizard - Policy

Step 3: Set EC2ReadOnly User

Create a specific EC2readOnlyUser during Users step.
IAM Create Group Wizard - User

Step 4: Generate Group, Policy, User and Credentials

Review and confirm the creation of the Group and User, and the generation of the EC2 Credentials for this user.
IAM Create Group Wizard - Review
IAM Create Group Wizard - Credentials

Step 5: Save Credentials

Save you credentials by clicking on the “Download Credentials” button and start using them.

NB: Pay attention that if you do not download those credentials or use the show option to register them, you won’t be able to retrieve them and you will have to regenerate new credentials.

Step 6: To go Further and finely tune your Policy

During Permission step, you can use the Policy Generator to create the policy with the minimal requirement for your needs. As a security guy, I strongly advise to follow the principle of least privilege.
IAM Create Group Wizard - Policy Generator - Min EC2

For example, in Elastic Detector, the minimal policy is as follow:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1389202027000",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
}
]
}

You can read more on IAM (Best Practices documentation) and its Top 10 Best Practices.

Hope this helps.
/Fred

2 thoughts on “How-To: Creating AWS EC2 ReadOnly Credentials with IAM

  1. Pingback: How-To: Creating Advanced AWS Credentials with IAM | Elastic Security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s