I've recently been skilling up on AWS and have been setting up my local environment for building various labs. One of the first things I look at optimizing is the security of how I am authenticating against AWS. I'm always looking for the crossroads of ease of use and a small blast radius.

The first bit of advice I came across is pretty straightforward: lock down the AWS root account and only use IAM accounts for interacting with the AWS console/API. The root account has unmitigated access to create, modify, and destroy all AWS resources. My first step was creating a new IAM user for myself and granting it the AdministratorAccess policy.

At this point, Amazon recommends creating API credentials and configuring a named profile for automatically authenticating the CLI with an IAM account. This is where I had issues: I don't particularly appreciate having long-lived credentials on my local filesystem. Especially not ones that grant AdministratorAccess. This led me down a long rabbit hole, and I've emerged with an alternative solution that makes me feel a lot better.

This solution involves creating the following resources:

- An IAM role configured with the AdministratorAccess policy.
- An IAM group configured with access to assume the role.
- An IAM user with MFA enabled and who has been added to the group.

We will configure our local CLI such that running aws_assume admin will automatically grant administrator access to our AWS resources for a predetermined time. I assume you have practical experience with AWS and will limit steps to short pointers of what to do.

The first step is creating an admin role. This is the role that we will assume from the CLI and will grant us the AdministratorAccess policy for managing our AWS resources.

- Choose AWS Account for the type, This Account for the account, and check the Require MFA checkbox.
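To confirm that the Require MFA setting actually ended up in the role's trust policy, the following added example (not code from the original post) audits a trust policy document for sts:AssumeRole grants that do not require MFA. The sample policies, the helper names and the account ID 123456789012 are constructed placeholders.

```python
import json

MFA_KEY = "aws:multifactorauthpresent"  # condition key names are case-insensitive


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition):
    """True only if a plain Bool operator pins aws:MultiFactorAuthPresent to true."""
    for operator, keys in (condition or {}).items():
        # BoolIfExists is rejected: it passes when the key is absent, which is
        # the case for requests signed with long-term access keys.
        if operator != "Bool":
            continue
        for key, value in keys.items():
            values = [str(v).lower() for v in _as_list(value)]
            if key.lower() == MFA_KEY and values == ["true"]:
                return True
    return False


def audit_trust_policy(policy_json):
    """Return one finding per Allow statement that permits AssumeRole without MFA."""
    findings = []
    policy = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        if not _requires_mfa(stmt.get("Condition")):
            findings.append(f"Statement {index}: AssumeRole allowed without MFA")
    return findings


def sample_policy(condition=None):
    """Build a constructed trust policy for 'This Account' (placeholder account ID)."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


if __name__ == "__main__":
    for cond in ({"Bool": {"aws:MultiFactorAuthPresent": "true"}}, None):
        print(cond, "->", audit_trust_policy(sample_policy(cond)) or "OK")
```

The role's current trust policy can be fed to audit_trust_policy as a JSON string, for example after copying it from the role's Trust relationships tab.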