DEV Community

sajjad hussain

AWS DevOps — Configuring IAM for DevOps Role with Restricted Access

Introduction

IAM (Identity and Access Management) is a service by Amazon Web Services (AWS) that helps in managing users and their access to various resources within the AWS environment. With IAM, organizations can define and control who has access to which AWS resources, and at what level of permission.

IAM plays a critical role in the overall security of an AWS environment. It allows organizations to implement the principle of least privilege, which is a security best practice that limits user access to only the resources they need to perform their job. This means that users are only given the minimum permissions necessary to carry out their tasks, reducing the risk of unauthorized access and potential misuse of sensitive resources.

The importance of implementing least privilege principles for security cannot be overstated. It ensures that users only have access to the resources they require, reducing the potential for accidental or intentional access to sensitive data. This also helps in compliance with regulations and standards, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).

IAM allows organizations to manage access to AWS resources in a centralized manner, making it easier to enforce security policies, monitor access, and revoke permissions as needed. This makes it an essential tool for organizations that need to manage multiple users and their access to various AWS services.

In addition to managing user access, IAM also offers features such as multi-factor authentication (MFA) and integration with other AWS services for enhanced security. MFA requires users to provide an additional form of authentication, such as a code sent to their phone, in order to access AWS resources. This adds an extra layer of security and reduces the risk of unauthorized access, even in the event of a compromised password.

Creating a New IAM User for DevOps Role

  1. Accessing the AWS Management Console: Open a web browser and navigate to the AWS Management Console. Log in to your account using your username and password.

  2. Navigating to the IAM Dashboard: In the AWS Management Console, click on the “Services” tab at the top and type “IAM” in the search bar. Click on “IAM” from the search results to go to the IAM dashboard.

  3. Creating a New User with the username “DevOps”: In the IAM dashboard, click on the “Users” tab on the left-hand side menu. Then, click on the “Add user” button.

  4. Assigning Programmatic Access and AWS Management Console Access: In the “Set user details” screen, enter “DevOps” in the “User name” field. Under “Select AWS access type”, check the boxes next to “Programmatic access” and “AWS Management Console access”. This will allow the new user to access AWS resources both through the API and the AWS Management Console.

  5. Setting Permissions for the User: In the next screen, assign permissions to the new user. You can either add the user to an existing group with pre-defined permissions or attach policies directly. For a DevOps role, you might want to attach the “AdministratorAccess” policy to the user.

  6. Review and Create the User: The final step is to review the user’s settings and click on the “Create user” button. This will create the new user with the username “DevOps” and assign the necessary permissions.

  7. Generating and Saving Access Key ID and Secret Access Key: Once the user is created, a pop-up will appear with the newly generated Access Key ID and Secret Access Key. Click “Show” next to the Secret Access Key and copy and save both the Access Key ID and the Secret Access Key in a secure location. This information is required to access AWS resources programmatically.

Congratulations! You have now successfully created a new IAM user with the username “DevOps” and assigned the necessary permissions for a DevOps role. You can now use these credentials to access AWS resources through the AWS Management Console or programmatically through the API.

Creating a Custom Policy for Restricted Access

IAM (Identity and Access Management) is a service provided by AWS to manage permissions and access to AWS resources. Using IAM, you can control who has access to your AWS account and what actions they can perform on your resources.

One of the key features of IAM is policies, which define permissions for various AWS services and resources. These policies can be attached to IAM users, groups, and roles to grant them the necessary permissions to perform specific tasks.


To create a custom policy for restricted access, you need to first understand IAM policies and permissions, specifically for the services you want to restrict access to — EC2, Load Balancer, and RDS.

Defining Permissions for EC2:

The first part of the policy would be to grant permissions for managing EC2 instances. This would include the ability to launch, stop, and start EC2 instances. The following permissions can be added to the custom policy:

  1. "ec2:RunInstances" — To allow launching EC2 instances

  2. "ec2:StopInstances" — To allow stopping EC2 instances

  3. "ec2:StartInstances" — To allow starting EC2 instances

Defining Permissions for Load Balancer:

Next, you will need to define permissions for configuring Load Balancers. These permissions would allow users to manage the settings and configurations of load balancers, without granting them access to the underlying EC2 instances. The following permissions can be added to the custom policy:

  1. "elasticloadbalancing:ConfigureListeners" — To allow configuring listeners for load balancers

  2. "elasticloadbalancing:CreateListener" — To allow creating new listeners for load balancers

  3. "elasticloadbalancing:CreateLoadBalancer" — To allow creating new load balancers

Defining Permissions for RDS Setup:

Additionally, you may want to grant permissions for setting up and managing RDS instances. This would include permissions for launching RDS instances, configuring security groups, and managing backups. The following permissions can be added to the custom policy:

  1. "rds:CreateDBInstance" — To allow creating new RDS instances

  2. "rds:ModifyDBInstance" — To allow modifying existing RDS instances

  3. "rds:CreateDBSecurityGroup" — To allow creating security groups for RDS instances

  4. "rds:ModifyDBSecurityGroup" — To allow modifying existing security groups for RDS instances

  5. "rds:CreateDBSnapshot" — To allow creating backups of RDS instances

  6. "rds:DeleteDBSnapshot" — To prevent the deletion of backups

Restricting Permissions to Prevent Instance Deletion:

Finally, to restrict permissions and prevent accidental deletion of resources, you can add an explicit Deny statement to the policy that matches every action starting with “Delete” and denies it. Because an explicit Deny overrides any Allow in the same or another policy, this ensures that users with this policy cannot delete any instances or resources. The following statement can be added to the policy:

    {
      "Effect": "Deny",
      "Action": [
        "ec2:Delete*",
        "elasticloadbalancing:Delete*",
        "rds:Delete*"
      ],
      "Resource": "*"
    }

This statement uses a wildcard (*) in the action names to ensure that any action in these services that starts with “Delete” is denied. You can also narrow the “Resource” element to specific resources or instances if you need the restriction to apply only to them.
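To see how the pieces of this section fit together, here is an added example (it is not code from the original post) that assembles the complete policy document from the action lists above and runs a handful of actions through a small, simplified model of IAM's evaluation logic: action names are matched with wildcards, an explicit Deny always wins over any Allow, and an action no statement allows is implicitly denied. The “try to delete an instance” check in the Testing the Setup section below exercises exactly this behaviour against the real service. Assumptions: the statement Sids and the evaluator are mine; “elasticloadbalancing:ConfigureListeners” from the list above is left out because I could not confirm it is a valid action name; “ec2:TerminateInstances” is added to the Deny list because terminating, not a Delete* call, is what removes an EC2 instance; the evaluator ignores Resource ARNs, Condition blocks, permission boundaries and SCPs; and the AdministratorAccess-shaped policy is included only to show what happens if that managed policy is still attached next to the custom one.

```python
"""Build the restricted DevOps policy and evaluate actions against it.

Added example, not the original post's code. The evaluator is a deliberately
small model of IAM's identity-policy decision logic:
  * action names are matched case-insensitively with '*' / '?' wildcards,
  * an explicit Deny in any matching statement wins over every Allow,
  * an action that no statement allows is implicitly denied.
It ignores Resource ARNs, Condition blocks, permission boundaries and SCPs.
"""
import fnmatch
import json

# Action lists taken from the post's EC2 / Load Balancer / RDS sections.
# Assumptions: the Sids are ours; "elasticloadbalancing:ConfigureListeners" is
# omitted (unconfirmed action name); "ec2:TerminateInstances" is added to the
# Deny because terminating, not a Delete* call, is how an EC2 instance is removed.
DEVOPS_RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2Lifecycle",
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:StopInstances", "ec2:StartInstances"],
            "Resource": "*",
        },
        {
            "Sid": "LoadBalancerSetup",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateListener",
            ],
            "Resource": "*",
        },
        {
            "Sid": "RDSSetup",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBInstance",
                "rds:ModifyDBInstance",
                "rds:CreateDBSecurityGroup",
                "rds:ModifyDBSecurityGroup",
                "rds:CreateDBSnapshot",
                # Listed in the post's RDS section; the Deny below overrides it,
                # which is the outcome the post wants (backups cannot be deleted).
                "rds:DeleteDBSnapshot",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyDeletes",
            "Effect": "Deny",
            "Action": [
                "ec2:Delete*",
                "ec2:TerminateInstances",
                "elasticloadbalancing:Delete*",
                "rds:Delete*",
            ],
            "Resource": "*",
        },
    ],
}

# Shape of the AWS managed AdministratorAccess policy: allow every action.
ADMINISTRATOR_ACCESS_SHAPE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def action_matches(pattern: str, action: str) -> bool:
    """True if an IAM action pattern such as 'rds:Delete*' covers `action`."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict, action: str) -> str:
    """Decision of one policy for one action: 'explicit_deny', 'allow' or 'implicit_deny'."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(action_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # a matching Deny is final
        decision = "allow"  # keep scanning: a later Deny can still override
    return decision


def evaluate_all(policies: list, action: str) -> str:
    """Combine every identity policy attached to the user, as IAM does."""
    decisions = {evaluate(p, action) for p in policies}
    if "explicit_deny" in decisions:
        return "explicit_deny"
    if "allow" in decisions:
        return "allow"
    return "implicit_deny"


def policy_json() -> str:
    """The document to paste into the IAM console's JSON policy editor."""
    return json.dumps(DEVOPS_RESTRICTED_POLICY, indent=2)


if __name__ == "__main__":
    checks = [
        "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DeleteVolume",
        "ec2:TerminateInstances", "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DeleteLoadBalancer", "rds:CreateDBSnapshot",
        "rds:DeleteDBSnapshot", "rds:DeleteDBInstance",
    ]
    both = [ADMINISTRATOR_ACCESS_SHAPE, DEVOPS_RESTRICTED_POLICY]
    print(f"{'action':42} {'custom only':14} with AdministratorAccess")
    for a in checks:
        print(f"{a:42} {evaluate(DEVOPS_RESTRICTED_POLICY, a):14} {evaluate_all(both, a)}")
    print(policy_json())
```

Running it prints a decision table and the JSON document. The right-hand column is the caveat for step 5 of the user-creation section: while AdministratorAccess stays attached, the custom policy's Allow statements restrict nothing (ec2:DescribeInstances is allowed by the managed policy, not by ours), and only the Deny statement has any effect, so detach AdministratorAccess once the custom policy is in place.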

Attaching the Custom Policy to the DevOps User

  1. Sign in to the AWS Management Console and navigate to the IAM service.

  2. In the left navigation menu, click on “Users” and select the DevOps user from the list.

  3. In the “Permissions” tab, click on “Add permissions”.

  4. In the “Attach existing policies directly” section, search for the custom policy that you created earlier and select it from the list.

  5. Click on “Next: Review” and then “Add permissions” to confirm the attachment of the policy to the DevOps user.

  6. To verify the policy attachment, go to the “Permissions” tab of the DevOps user. You should now see the custom policy listed under the “Attached permissions” section.

  7. You can also click on the custom policy and view the policy document to ensure that it is the correct policy that you created.

Congratulations, you have now successfully attached the custom policy to the DevOps user. This policy will now apply to any actions performed by the user, ensuring that only the necessary permissions are granted for your DevOps tasks.

Testing the Setup

  1. Log in to the AWS console as the DevOps user.

  2. Navigate to the EC2 service by clicking on “Services” at the top of the page and selecting “EC2” from the dropdown menu.

  3. Check that you have access to all the necessary actions for setup, such as creating and managing instances, volumes, and security groups. If you have the necessary permissions, you should see the “Create” button highlighted on the EC2 Dashboard.

  4. Next, navigate to the Load Balancer service by clicking on “Services” and selecting “Load Balancers” from the dropdown menu.

  5. Verify that you have access to create and manage load balancers, including adding and removing instances from the load balancer. You should see the “Create Load Balancer” button highlighted on the Load Balancer Dashboard.

  6. Finally, navigate to the RDS service by clicking on “Services” and selecting “RDS” from the dropdown menu.

  7. Check that you have access to create and manage RDS instances, including creating and deleting databases and managing security groups. You should see the “Create database” button highlighted on the RDS Dashboard.

  8. As an additional test, try to delete an instance in any of the services. If you receive an error or are unable to perform the action, it means that your access is restricted from deleting instances, which is a good security measure.

  9. Once you have completed these tests, you have verified that your setup for the DevOps user is working correctly and has the necessary permissions for the setup and management of instances, load balancers, and RDS databases on AWS.
