Showing posts from October, 2023

AWS - STS Security Token Service

AWS Security Token Service (STS) enables you to request temporary, limited-privilege credentials for IAM users or federated users. AWS STS has these specific properties when assigning temporary access:
· The validity period can range from a few minutes to a few hours.
· Once the temporary token provided by AWS STS expires, it cannot be reused at any point.
· You can invoke AWS STS only through the AWS SDKs or the AWS CLI.
Let's see this with an example. We are going to create a user and set it up to access an S3 bucket using STS. I created a user called "s3demouser" with no permissions attached to it, and an S3 bucket with NO policy attached to it. Let's try to list the bucket with the user's access and secret keys. We get "Access Denied", which is expected. Let's create a policy that provides S3 read-only access; the policy name is s3-readonly. Now...

AWS Organizations - Part I

AWS Organizations lets you manage multiple accounts from one central account. Billing is handled by that central account (the management/master/root account) instead of by each account separately. Consolidated billing means one bill for all the accounts in the organization. The management account is the root of the hierarchy, and accounts are grouped into OUs (organizational units). Log in with your root account to create an organization; that root account is called the "Management Account". There are two ways to bring accounts in: 1) Add a new AWS account, which needs a unique email ID not used in AWS before. 2) Add an existing AWS account by sending an email invitation. Let's see how to add a new account: I am creating an account by the name "Development". The email ID must be unique and must not be mapped to any other AWS account. An IAM role is created for this account. NOTE: The IAM role that is created will have FULL ACCESS on the new account. I repeated the same process to create a DEVELOPMENT and a PRODUCTION account. So, I have 3 accounts: 1) Man...

AWS Permission Boundaries

An AWS permissions boundary sets the maximum permissions that an entity can have; permissions boundaries are attached to a USER or a ROLE. Let's say a user called admin_a has full IAM access but cannot create any other resources (take EC2, for instance). Because admin_a has full IAM access, admin_a can create another user called admin_b and grant admin_b full access to EC2 resources. Now, admin_a can log in using admin_b's credentials and create EC2 resources. Let's see that: I logged in as the admin_a user. As admin_a, I cannot access EC2 resources, but I have IAM full access, so I created another user, admin_b, with EC2 full access. Then I logged in with the admin_b credentials and spun up an EC2 instance. This poses a security risk: a user with IAM write access can escalate beyond the permissions intended for them. So, to mitigate this issue we are going to set a permissions boundary for the user "admin_a", so that any user admin_a creates can have only the same or fewer permissions than admin_a has. I created a policy called "Permission_Boundary_Demo"...