Getting Started with AWS (Part 5)

By /

If you would like to read the other parts in this article series please go to:

Introduction

In the previous article of this series we examined AWS Identity and Access Management (IAM), a web service that enables you to create and manage users and assign user permissions for your AWS cloud environment. IAM allows you to create users and groups and make users members of groups. You can then assign permissions to groups (and thus to users) through policies in order to control the level of access that users can have to various kinds of AWS resources. On the face of it, this model for managing user access to resources is similar to the familiar Active Directory service used in Windows Server environments. However, here we are talking specifically about users, groups and resources in the AWS cloud and not in an Active Directory environment whether on-premises, Azure-based, or hybrid.

The best way to understand how to use IAM to manage user access to resources is through an example, so this article and the next several in this series will talk you through the various steps involved in setting up a typical IAM infrastructure for your AWS environment. But before we begin creating IAM users and groups, we first need to familiarize ourselves with the features of the IAM Console.

Using the IAM Console

Begin by logging on to AWS using your default Amazon AWS credentials which you created when you first signed up for using the AWS Free Tier (see Getting Started with AWS – Part 1). Once you’re logged in and the AWS Management Console is open, click the item on the menu bar where your Amazon user name or business name is displayed (the blurred item in the figure below) and select the Security Credentials option as shown here:

Image
Figure 1: Accessing the Security Credentials page of the AWS Management Console.

When you do this, the Your Security Credentials page will be displayed grayed-out with a dialog superimposed on it like this:

Image
Figure 2: Dialog displayed when you try to open the Your Security Credentials page for the first time.

Clicking the Continue To Security Credentials option dismisses the dialog and opens the Your Security Credentials page for your AWS environment. The Your Security Credentials page is where you can:

  • Change the password for your default Amazon AWS account.
  • Activate Multi-Factor Authentication (MFA) to increase the security of your AWS environment. With MFA enabled, when you try to sign into an AWS web site you will need to provide a user name, password, and an authentication code from an AWS MFA device.
  • Create new access keys which allow you to sign requests you make using the AWS command-line interface (CLI) or using the AWS SDKs or direct API calls.
  • Create new CloudFront key pairs which you can then use in Amazon CloudFront to create signed URLs for launching and accessing Amazon EC2 instances.
  • Create new X.509 digital certificates so you can make secure SOAP-protocol requests to AWS services that support such requests including Amazon S3 and Amazon Mechanical Turk.
  • View your 12-digit account ID which is used for programmatically referencing your account and in certain other contexts.
  • View your canonical user ID which is used to configure Amazon S3 access control lists (ACLs).

We’ll learn more about some of the above security credentials in future articles on this site. In the meantime, click the IAM Console link at the end of the first sentenced on the Your Security Credentials page shown above. Doing this takes you to the Welcome To Identity And Access Management page shown next:

Image
Figure 3: The Welcome To Identity And Access Management page.

The above page of the IAM Console is also called the Dashboard. On the left side in the navigation pane under Details are links for accessing the various pages available in the IAM Console. The functions of these pages are as follows:

  • Groups – Lets you create and manage groups, for example to add members to a group.
  • Users – Lets you create and manage users, for example change the password for a user.
  • Roles – Lets you create and manage roles, for example to grant a user in one AWS account access to resources in another account.
  • Identity Providers – Lets you create identity providers which allow you to manage user identities outside of AWS and give them permissions to use your AWS resources.
  • Password Policy – Lets you configure your password policy which is a set of rules that define the type of password an IAM user can set.
  • Credential Report – Lets you download a report that lists all your account’s users and the status of their various credentials.
  • Encryption Keys – Lets you access the AWS Key Management Service (KMS), a managed service that allows you to create and control encryption keys used to encrypt your data.

Creating an alias for your account ID

Referring back to Figure 3 above you can see your IAM users sign-in link near the top of this figure. This sign-in link is of the following form:

https://<your 12-digit account ID>.signin.aws.amazon.com/console

The account ID has been blurred out in this figure as it’s important that you keep it confidential. You can create an alias (a friendly name) for your AWS account ID to make it easier for you to remember your AWS sign-on URL. Your alias could be your company name or some other descriptive name. To create an alias for your account ID, click the Customize link to the right of your account ID as shown previously in Figure 3. Doing this opens a Create Account Alias dialog as shown here:

Image
Figure 4: How to create an alias for your AWS account ID.

Fill in the textbox with your alias and click Yes Create. Note that your alias can only contain lowercase letters, numbers, and hyphens in it. Once you create your alias it will be displayed in your IAM users sign-in link on the Dashboard of the IAM Console. Your IAM users sign-in link will now have the following form:

https://.signin.aws.amazon.com/console

Here are a few more notes concerning aliases:

You can only create one alias for your AWS account ID. If you try to create a second alias, your first alias will be overwritten.

If you’ve created an alias and need to find out what your 12-digit account ID is again, you can do this easily as follows:

  1. Open the AWS Management Console
  2. Click Support at the right of the toolbar
  3. Click Support Center in the drop down menu that appears
  4. Look for your Account Number on the right under the toolbar

You can also use the AWS CLI to display, create or delete an alias from the command line. For example, the list-account-aliases command will display any alias associated with your AWS account ID.

Securing your root account access keys

Referring back to Figure 3 again we can see that initially we have zero users, zero groups, zero roles and zero identity providers configured for our AWS free tier environment. Under the Security Status heading on this page we can see five tasks that can (or ideally, should) be performed when you are first using IAM to secure your AWS environment. The first of these tasks, deleting your AWS root account access keys, is important because these keys provide unrestricted access to your AWS resources.

As mentioned previously, access keys are used to sign any requests you make using the CLI or APIs. Since your root account (the account you used to sign up for AWS) is all-powerful, anyone who has the access keys for this account has unrestricted access to all of your AWS resources and to your billing information as well. This means if someone got hold of your root account access keys then they could take over control of your AWS environment and use it for their own nefarious purposes–and you will be the one who gets billed for it!

It’s important therefore that you don’t generate access keys for your root account. If you have generated one, you should delete it. Fortunately by default AWS doesn’t generate an access key for any new accounts including your root account. So the first item under Security Status in Figure 3 is a bit misleading–your root account access keys haven’t been deleted, they simply haven’t been created.

Instead of generating access keys for your root account you instead should create at least one new user using IAM and then give that user the necessary permissions that will allow you to use that user, not your root account, for administering your AWS environment. We’ll see how do to this in the next article of our series.

If you would like to read the other parts in this article series please go to:

About The Author

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top