A few hours ago, Amazon launched a public preview of AWS Identity and Access Management (IAM) which is a powerful feature if you have a number of developers who need to access and to manage resources for an AWS account. A unique IAM user can be created for each developer and specific permissions can be doled out as needed.
You can also create IAM users for system functions, dramatically increasing the security of your AWS account in the event a server is compromised. That benefit is the focus of this article using an example frequently cited by EC2 users: Automating EBS snapshots on a local EC2 instance without putting the keys to your AWS kingdom on the file system.
Before the release of AWS IAM, if you wanted to create EBS snapshots in a local cron job on an EC2 instance, you needed to put the master AWS credentials in the file system on that instance. If those AWS credentials were compromised, the attacker could perform all sorts of havoc with resources in your AWS account and charges to your credit card.
With the launch of AWS IAM, we can create a system IAM user with its own AWS keys and all it is allowed to do is… create EBS snapshots! These keys are placed on the instance and used in the snapshot cron job. Now, an attacker can do very little damage with those keys if they are compromised, and we all feel much safer.
The AWS IAM documentation is required reading and a great reference. This article is only intended to serve as a practical introduction to one simple application of IAM.
These instructions assume you are running Ubuntu 10.04 (Lucid) on both your local system and on Amazon EC2. Adjust as appropriate for other distributions and releases.
IAM Installation
Ubuntu does not yet have an official software package for AWS IAM, so we need to download the IAM command line toolkit from Amazon. This can be done on any machine including your local desktop. The IAM command line tools require Java so we need to make sure that is installed as well.
Eventually, you’ll want to install this software somewhere more permanent, but for this demo, we’ll just use it from a subdirectory.
sudo apt-get install openjdk-6-jre unzip
export JAVA_HOME=/usr/lib/jvm/java-6-openjdk
wget http://awsiammedia.s3.amazonaws.com/public/tools/cli/latest/IAMCli.zip
unzip IAMCli.zip
export AWS_IAM_HOME=$(echo $(pwd)/IAMCli-*)
export PATH=$PATH:$AWS_IAM_HOME/bin
The AWS IAM tools require you to save your AWS account’s main access
key id and AWS secret access key in yet another file format. Create
this AWS credential file as, say, $HOME/.aws-credentials-master.txt in
the following format (replacing the values with your own credentials):
AWSAccessKeyId=YOURACCESSKEYIDHERE
AWSSecretKey=YOURSECRETKEYHERE
Note: The above is the sample content of a file you are creating, and not shell commands to run.
Protect the above file and set an environment variable to tell IAM where to find it:
export AWS_CREDENTIAL_FILE=$HOME/.aws-credentials-master.txt
chmod 600 $AWS_CREDENTIAL_FILE
We can now use the iam-* command line tools to create and manage AWS IAM users, groups, and policies.
Create IAM User
How you manage your users and groups is sure to be a personal preference that is fine tuned over time, but for the purposes of this demo, I’ll propose that for tracking purposes we put non-human users into a new group named “system”.
iam-groupcreate -g system
Create the snapshotter system user, saving the keys to a file:
user=snapshotter
iam-usercreate -u $user -g system -k |
tee $HOME/.aws-keys-$user.txt
chmod 600 $HOME/.aws-keys-$user.txt
You will want to have this snapshotter keys file on the EC2 instance, so copy it there:
rsync -Paz $HOME/.aws-keys-$user.txt REMOTEUSER@REMOTESYSTEM:
Allow IAM user snapshotter to create EBS snapshots of any EBS volume:
iam-useraddpolicy -p allow-create-snapshot -e Allow -u $user -a ec2:CreateSnapshot -r '*'
There’s a lot of preparatory and other commands in this article, but
take a second to focus on the fact that the core, functional steps
are simply the iam-usercreate and iam-useraddpolicy commands
above. Two commands and you have a new AWS IAM user with restricted
access to your AWS account.
Create EBS Snapshot
For the purposes of this demo, we’ll assume you’re using the
ec2-consistent-snapshot tool to create
EBS snapshots with a consistent file system and perhaps a consistent
MySQL database. (If you’re not using this tool, then you could have
simply used ec2-create-snapshot from any computer without having to go
through the trouble of creating a new IAM user.)
Make sure you have the latest ec2-consistent-snapshot software
installed on the EC2 instance:
sudo add-apt-repository ppa:alestic/ppa
sudo apt-get install ec2-consistent-snapshot
Create the snapshot on the EC2 instance. Adjust options to fit your local EBS volume mount points and MySQL database setup.
sudo ec2-consistent-snapshot --aws-credentials-file $HOME/.aws-keys-snapshotter.txt --xfs-filesystem /YOURMOUNTPOINT YOURVOLUMEID
Follow similar steps to create users and set policies for other system activities you perform on your EC2 instances. IAM can control access to many different AWS resource types, API calls, specific resources, and has even more fine tuned control parameters including time-based restrictions.
The release of AWS Identity and Access Management alleviates one of the biggest concerns security-conscious folks used to have when they started using AWS with a single key that gave complete access and control over all resources. Now the control is entirely in your hands.
Cleanup
If you have followed the steps in this demo and you wish to undo most of what was done, here are some steps for reference.
Delete the IAM user and the IAM group:
iam-userdel -u $user -r
iam-groupdel -g system
Wipe the credentials and keys files and remove the downloaded and unzipped IAM command line toolkit:
sudo apt-get install wipe
wipe $HOME/.aws-credentials-master.txt $HOME/.aws-keys-$user.txt
rm IAMCli.zip
rm -r $AWS_IAM_HOME
Make sure to wipe the snapshotter key file on the remote EC2 instance as well.
Support
If you’re looking for help with AWS IAM, there is a new AWS IAM forum dedicated to the topic.
[Update 2010-11-19: Fix path where new zip file is expanded]
Thanks for the tutorial. Quick question for you.
I have a cron script that calls ec2-consistent-snapshot, and I used the info in this tutorial to switch to restricted user credentials.
I have a second script that automatically deletes old snapshots, and I went to check the IAM documentation to see if there was a corresponding ec2:DeleteSnapshot action to add to the policy. The only list of actions I found didn't even list your ec2:CreateSnapshot action:
http://docs.amazonwebservices.com/IAM/2010-05-08/APIReference/index.html?API_Operations.html
I'm missing something - any suggestions?
Ben: The list you reference are actions for using the IAM API. You'll want to look at the corresponding API actions for EC2: http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/index.html?query-apis.html