Making Your AWS Account More Secure By Restricting Access Key Permissions
2020-10-25 17:50:24 |
- Linux Ubuntu 20.04
- Windows 10
- macOS Catalina
If you've never visited your AWS IAM console, chances are, your root user has an access key that has full permissions. While convenient, this is a security risk and gives hackers full access to your account, should the keys ever get compromised. All it takes is one developer to accidently hard code the keys into live code or a public git repository for your services to come crashing down.
One of three things will happen. AWS will discover the public access key leak first, and revoke that root user's permissions, handicapping all of your services that rely on those keys. A hacker will use the keys to hijack your AWS resources, directly. Or a hacker will use the keys to access your databases, encrypt all of the records, and send you a random letter to pay up in bitcoin in exchange for your data.
Trust me when I say you need to stop using your root user's default access keys as soon as possible. The following steps will guide you through the process of setting up new, appropriate, limited-access keys you can use for the task at hand. For API tasks, at minimum, you should have a separate api user with temporary, API-only permissions. Once there are no API tasks left to carry out, there's no reason to even have these permissions, in place. Same for a user that would be in charge of deployments.
While it's up to every business owner to balance security with convenience, sacrificing too much security pose legal and ethical issues. Full access keys give you the most convenience, with the least amount of security. You'll get more tasks done, but a single breach can be magnitudes more costly than preventative measures. The ramifications of a security breach involving PII (Personally Identifiable Information), financial or patient information, cannot be undone. Always err on the side of caution, and expect to budget in the cost of security measures. If you're ready to get started, proceed to the next section.
Navigating to the AWS IAM Console
Navigate to your IAM console, log in, hover over the "Services" dropdown menu in the top left corder, and select "IAM". If you're having trouble finding it, type "IAM" into the search console like so:
Creating a New AWS IAM User
Select "Users" from the left sidebar, under "Access Management". If this is the first time you're visiting this page, there should only be one user—the root user you use to sign in with. Create a new user by clicking the "Add User" button towards the top of the screen. Give this user a username like "api" or "deploy" and check the "Programmatic access" box. Then, click the "Next: Permissions" button at the bottom of the screen.
Click the "Next" buttons all the way through, until you get a "Create user" button and a prompt indicating your user has no permissions. Ignore this for now, and click the "Create user" button. On the following screen, copy your "Access Key ID" and "Secret access key". You also have the option to "Download .csv".
Granting Limited API Access to an IAM User
Once you hit the "Close" button, you'll be taken back to the Users lists. Click into your new user and you click the "Add permissions" button. From there, click the "Attach existing policies directly" button. Filter through the list for the necessary permissions, and click the checkbox for the required policies. When you're ready, click "Next: Review" and then "Add Permissions".
You can now use this user's access keys for AWS-related operations.
Feel free to create as many users and key pairs as necessary. And don't forget to revoke the permissions when they are no longer needed. That's the end of this tutorial. We hope you found it helpful. Make sure to check out our other tutorials, as well.