How-To: Creating Advanced AWS Credentials with IAM

In a previous post I explained how to create basic AWS Credentials with IAM.

In this post, I explain how to create Advanced AWS Credentials with IAM. As a sample, I chose our solution Elastic Detector for Continuous Monitoring, which requires an advanced IAM user in order to enable its AWS connector.

Understanding IAM Policy for Elastic Detector
Elastic Detector uses the AWS API to interact with your AWS infrastructure on AWS EC2 and VPC.
In order to do so, the different functionalities of Elastic Detector require different permissions.

AWS Auto-Discovery: In order to be able to list your assets on AWS EC2 and VPC, the following permissions are required on the EC2 service:

  • DescribeInstances, DescribeInstanceStatus, DescribeInstanceAttribute
  • DescribeSecurityGroups
  • DescribeRouteTables, DescribeNetworkAcls, DescribeRouteTables, DescribeSubnets

AWS Continuous Auto-Check: In order to be able to automatically configure checks on your assets and monitor them, the following permission is required on the AWS CloudWatch service:

  • GetMetricStatistics

AWS Clone&Scan: In order to be able to clone and seclude any instance you want to scan on AWS EC2 and VPC, the following permissions are required on the EC2 service:

  • CreateSecurityGroup, AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress
  • CreateTags
  • CreateImage, DescribeImages, DeregisterImage, DeleteSnapshot
  • RunInstances, StartInstances, StopInstances, TerminateInstances, GetPasswordData
  • DescribeKeyPairs, ImportKeyPair, DeleteKeyPair

Elastic Detector requires an AWS user/credentials to connect to your AWS infrastructure, automatically discover your assets and perform vulnerability assessment on clones. This can be configured via AWS IAM.

If you want to know more about Elastic Detector, the “Security Assessment solution” for AWS, please follow this link.

This document describes how to create an IAM user, an IAM group and an IAM policy (that contains all required actions) according to current AWS best practices for IAM usage.
In this case the following best practices apply:

  • Create Individual IAM Users
  • Use groups to assign permissions to IAM users
  • Grant least privilege

Create an IAM Group
Log in to the AWS console and enter the IAM service.
Click on Groups on the left of the AWS console and then click on the “Create New Group” button. This will open a page where you can create a new IAM group.

AWS IAM Group Creation

Click on the “Next Step” button until you reach the “Create Group” button.

AWS IAM Group Created
This is an empty group without any IAM policy. The policy will be set later.

Create an IAM User
Click on Users on the left of the AWS console and then click on the “Create New Users” button. This will open a page where you can create a new IAM user.
AWS IAM User Creation
After clicking on the “Create” button, make sure to save the user security credentials by clicking on the “Download Credentials” button or on “Show User Security Credentials”. These credentials are shown only once.

AWS IAM User Created

Then select your newly created user and add it to the group you created in the previous step.

AWS IAM User&Group Linking

AWS IAM User&Group Linked

Create an IAM Policy for Elastic Detector
Click on Policies on the left of the AWS console and then click on the “Create Policy” button. This will open a page where you can create a new IAM policy.


Click on the “Select” button for “Create Your Own Policy”. This will open an IAM policy editor where you have to insert your policy.

The policy for Elastic-Detector is explained later in this document and can be found in the annexe.


Then click on the “Validate Policy” button; if your policy is not valid, fix the policy document (and the “Policy Name” and “Description” fields) until validation passes. Once the policy validates, click on the “Create Policy” button.


Then select the newly created policy, and attach it to the IAM group previously created.

Select the group and attach the policy by clicking on the “Attach Policy” button.

You now have a user that is in a group with a specific policy.


Checking Policy using AWS Policy Simulator

Enter the IAM Policy Simulator, select your user in the left pane, then select an AWS service and all of its available actions.


Then click on the “Run Simulation” button in the top right corner.


You will then be able to view which of the selected actions the user is allowed or denied. Actions the policy does not grant are implicitly denied, which is exactly what least privilege should look like here.
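The post refers to the full Elastic Detector policy only in its annexe. As an added example (not the original post's or vendor's policy document), the following Python script rebuilds a least-privilege policy from the three permission groups listed earlier in the post, and runs a small local allow/deny check over it in the spirit of the IAM Policy Simulator step above. The Sid values, the use of "Resource": "*", and the simplified evaluation (Action element only, no Resource or Condition matching) are this example's assumptions; the real simulator evaluates the full policy language.

```python
import fnmatch
import json

# Actions copied from the three functional groups in the post. The duplicate
# "DescribeRouteTables" in the original list is collapsed to one entry.
# Assumption: "Resource": "*" is used because the EC2 Describe* actions and
# cloudwatch:GetMetricStatistics do not support resource-level restriction.
AUTO_DISCOVERY = [
    "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceAttribute",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeRouteTables", "ec2:DescribeNetworkAcls", "ec2:DescribeSubnets",
]
AUTO_CHECK = ["cloudwatch:GetMetricStatistics"]
CLONE_AND_SCAN = [
    "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateTags",
    "ec2:CreateImage", "ec2:DescribeImages", "ec2:DeregisterImage", "ec2:DeleteSnapshot",
    "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
    "ec2:GetPasswordData",
    "ec2:DescribeKeyPairs", "ec2:ImportKeyPair", "ec2:DeleteKeyPair",
]


def build_policy():
    """Return the IAM policy document as a dict, one statement per feature.
    Sid values are illustrative (assumed), not taken from the post."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ElasticDetectorAutoDiscovery", "Effect": "Allow",
             "Action": AUTO_DISCOVERY, "Resource": "*"},
            {"Sid": "ElasticDetectorAutoCheck", "Effect": "Allow",
             "Action": AUTO_CHECK, "Resource": "*"},
            {"Sid": "ElasticDetectorCloneAndScan", "Effect": "Allow",
             "Action": CLONE_AND_SCAN, "Resource": "*"},
        ],
    }


def is_allowed(policy, action):
    """Simplified IAM decision for one action: an explicit Deny wins over any
    Allow, and anything not matched by an Allow is implicitly denied.
    Action names are matched case-insensitively with IAM's '*' and '?'
    wildcards; Resource and Condition elements are ignored (assumption)."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


def simulate(policy, actions):
    """Evaluate a list of actions and return {action: decision}, which is what
    the simulator step in the post shows per selected action."""
    return {a: is_allowed(policy, a) for a in actions}


if __name__ == "__main__":
    policy = build_policy()
    # The JSON to paste into the "Create Your Own Policy" editor.
    print(json.dumps(policy, indent=2))
    # Constructed sample: two actions the policy grants, two it must not.
    for action, verdict in simulate(policy, [
        "ec2:DescribeInstances", "ec2:RunInstances",
        "ec2:DeleteVpc", "iam:CreateUser",
    ]).items():
        print(f"{action:28} {verdict}")
```

Running the script prints the policy JSON followed by the per-action verdicts; the two actions outside the listed groups come back as implicit denies, which is the result you should also see in the console simulator for a user that only carries this policy.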

Hope this helps.
/Fred
