A few hours ago, Amazon launched a public preview of AWS Identity and Access Management (IAM) which is a powerful feature if you have a number of developers who need to access and to manage resources for an AWS account. A unique
IAM user can be created for each developer and specific permissions
can be doled out as needed.
You can also create IAM users for system functions, dramatically
increasing the security of your AWS account in the event a server is
compromised. That benefit is the focus of this article using an
example frequently cited by EC2 users: Automating EBS snapshots on a
local EC2 instance without putting the keys to your AWS kingdom on the
Before the release of AWS IAM, if you wanted to create EBS snapshots
in a local cron job on an EC2 instance, you needed to put the master
AWS credentials in the file system on that instance. If those AWS
credentials were compromised, the attacker could perform all sorts of
havoc with resources in your AWS account and charges to your credit
With the launch of AWS IAM, we can create a system IAM user with its
own AWS keys and all it is allowed to do is… create EBS snapshots!
These keys are placed on the instance and used in the snapshot cron
job. Now, an attacker can do very little damage with those keys if
they are compromised, and we all feel much safer.
The AWS IAM documentation is required reading and a great
reference. This article is only intended to serve as a practical introduction to one simple application of IAM.
These instructions assume you are running Ubuntu 10.04 (Lucid) on both
your local system and on Amazon EC2. Adjust as appropriate for other
distributions and releases.
Ubuntu does not yet have an official software package for AWS IAM, so
we need to download the IAM command line toolkit from
Amazon. This can be done on any machine including your local desktop.
The IAM command line tools require Java so we need to make sure that
is installed as well.
Eventually, you’ll want to install this software somewhere more
permanent, but for this demo, we’ll just use it from a subdirectory.
sudo apt-get install openjdk-6-jre unzip
export AWS_IAM_HOME=$(echo $(pwd)/IAMCli-*)
The AWS IAM tools require you to save your AWS account’s main access
key id and AWS secret access key in yet another file format. Create
this AWS credential file as, say,
the following format (replacing the values with your own credentials):
Note: The above is the sample content of a file you are creating, and
not shell commands to run.
Protect the above file and set an environment variable to tell IAM
where to find it:
chmod 600 $AWS_CREDENTIAL_FILE
We can now use the iam-* command line tools to create and manage AWS
IAM users, groups, and policies.
Create IAM User
How you manage your users and groups is sure to be a personal
preference that is fine tuned over time, but for the purposes of this
demo, I’ll propose that for tracking purposes we put non-human users
into a new group named “system”.
iam-groupcreate -g system
snapshotter system user, saving the keys to a file:
iam-usercreate -u $user -g system -k |
chmod 600 $HOME/.aws-keys-$user.txt
You will want to have this snapshotter keys file on the EC2 instance,
so copy it there:
rsync -Paz $HOME/.aws-keys-$user.txt REMOTEUSER@REMOTESYSTEM:
Allow IAM user
snapshotter to create EBS snapshots of any EBS volume:
iam-useraddpolicy -p allow-create-snapshot -e Allow -u $user -a ec2:CreateSnapshot -r '*'
There’s a lot of preparatory and other commands in this article, but
take a second to focus on the fact that the core, functional steps
are simply the
above. Two commands and you have a new AWS IAM user with restricted
access to your AWS account.
Create EBS Snapshot
For the purposes of this demo, we’ll assume you’re using the
ec2-consistent-snapshot tool to create
EBS snapshots with a consistent file system and perhaps a consistent
MySQL database. (If you’re not using this tool, then you could have
simply used ec2-create-snapshot from any computer without having to go
through the trouble of creating a new IAM user.)
Make sure you have the latest
installed on the EC2 instance:
sudo add-apt-repository ppa:alestic/ppa
sudo apt-get install ec2-consistent-snapshot
Create the snapshot on the EC2 instance. Adjust options to fit your
local EBS volume mount points and MySQL database setup.
sudo ec2-consistent-snapshot --aws-credentials-file $HOME/.aws-keys-snapshotter.txt --xfs-filesystem /YOURMOUNTPOINT YOURVOLUMEID
Follow similar steps to create users and set policies for other system
activities you perform on your EC2 instances. IAM can control access
to many different AWS resource types, API calls, specific resources,
and has even more fine tuned control parameters including time-based
The release of AWS Identity and Access Management alleviates one of
the biggest concerns security-conscious folks used to have when they
started using AWS with a single key that gave complete access and
control over all resources. Now the control is entirely in your
If you have followed the steps in this demo and you wish to undo most
of what was done, here are some steps for reference.
Delete the IAM user and the IAM group:
iam-userdel -u $user -r
iam-groupdel -g system
Wipe the credentials and keys files and remove the downloaded and
unzipped IAM command line toolkit:
sudo apt-get install wipe
wipe $HOME/.aws-credentials-master.txt $HOME/.aws-keys-$user.txt
rm -r $AWS_IAM_HOME
Make sure to wipe the snapshotter key file on the remote EC2 instance
If you’re looking for help with AWS IAM, there is a new AWS IAM
forum dedicated to the topic.
[Update 2010-11-19: Fix path where new zip file is expanded]