Can I create AWS Keys for each user that expire every 2 weeks?Can an AWS CloudFormation create a KeyPair to subsequently use when starting instances?Multiple identical GPG Keys. What can cause that?AWS: Can we enable MFA for Command Line access?start-instances working from console but not from AWS CLIIAM role switching on an EC2 host without using “source_profile”IAM policy that can delete snapshot on AWSRecovering or regenerating lost AWS EC2 Key PairsAWS Emails Sender-Verification Limit - An Email for each UserHow can I protect groups from each other in AWS?
What can we do about our 9 month old putting fingers down his throat?
Matlab fmincon for a problem with many nonlinear constraints
How do I delete cookies from a specific site?
What are the map units that WGS84 uses?
Friend is very nit picky about side comments I don't intend to be taken too seriously
What is the purpose of the rotating plate in front of the lock?
What do English-speaking kids call ice-cream on a stick?
What's the connection between a spoon (匕) and the old age (⺹)? (Kanji: 老)
Do 643,000 Americans go bankrupt every year due to medical bills?
Who's this voice acting performer?
Project Euler Problem 45
Balm of the Summer Court fey energy dice usage limits
Do I need to declare engagement ring bought in UK when flying on holiday to US?
convenient Vector3f class
How to calculate the power level of a Commander deck?
What would happen if you robbed the momentum from a falling object?
Looking for a big fantasy novel about scholarly monks that sort of worship math?
How do German speakers decide what should be on the left side of the verb?
Golfball Dimples on spaceships (and planes)?
Does the Giant Toad's Swallow acid damage take effect only at the start of its next turn?
First Number to Contain Each Letter
Why doesn't an NVMe connection on an SSD make non-sequential access faster?
Professor refuses to write a recommendation letter to students who haven't written a research paper with him
What are some countries where you can be imprisoned for reading or owning a Bible?
Can I create AWS Keys for each user that expire every 2 weeks?
Can an AWS CloudFormation create a KeyPair to subsequently use when starting instances?Multiple identical GPG Keys. What can cause that?AWS: Can we enable MFA for Command Line access?start-instances working from console but not from AWS CLIIAM role switching on an EC2 host without using “source_profile”IAM policy that can delete snapshot on AWSRecovering or regenerating lost AWS EC2 Key PairsAWS Emails Sender-Verification Limit - An Email for each UserHow can I protect groups from each other in AWS?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
My company uses AWS for compute, storage, databases and more. However, they use the root key for access to everything and I'm trying to move away from that for security purposes. Any leak could result in catastrphic data leaks, or crippling bills from AWS. I'd like to prevent that as much as possible by permissioning keys (I know how to do that) and having keys auto expire after x weeks.
I've done a bit of exploration and haven't found something perfect. the closest I've found is the following. (We use Azure to authorize users to AWS) it's a tool that allows the aws cli access to aws by authorizing through azure: https://github.com/dtjohnson/aws-azure-login
The above gives us a daily authorization through the cli to access certain parts of AWS. However, that isn't exactly what we want. Management prefers longer expiry periods for convenience and we need actual keys to be able to use a tool like Cyberduck and to spin up instances in AWS, etc.
Is it possible to create keys by user that expire every X weeks and require a new request for a key?
amazon-web-services keys
asked 8 hours ago
Joe BJoe B
1266 bronze badges
add a comment |
My company uses AWS for compute, storage, databases and more. However, they use the root key for access to everything and I'm trying to move away from that for security purposes. Any leak could result in catastrphic data leaks, or crippling bills from AWS. I'd like to prevent that as much as possible by permissioning keys (I know how to do that) and having keys auto expire after x weeks.
I've done a bit of exploration and haven't found something perfect. the closest I've found is the following. (We use Azure to authorize users to AWS) it's a tool that allows the aws cli access to aws by authorizing through azure: https://github.com/dtjohnson/aws-azure-login
The above gives us a daily authorization through the cli to access certain parts of AWS. However, that isn't exactly what we want. Management prefers longer expiry periods for convenience and we need actual keys to be able to use a tool like Cyberduck and to spin up instances in AWS, etc.
Is it possible to create keys by user that expire every X weeks and require a new request for a key?
amazon-web-services keys
asked 8 hours ago
Joe BJoe B
1266 bronze badges
1
Hey Joe, rather than proposing a solution and asking if it works, you'd probably be better off telling us your environment, telling us the problem, and asking for suggestions. You question doesn't clearly describe a problem or what you're trying to achieve, so I don't think you're going to get much useful feedback. Edit your question and you'll probably get more useful help :)
– Tim
7 hours ago
1
@Tim I added some context. Hope it makes sense. Lmk if I should add more
– Joe B
6 hours ago
1
When you say "root key" do you mean everyone logs in as the root user? Are you talking about KMS? It's still not clear what problem you're trying to solve. If you're using the root user at all that's really poor practice even with MFA. Federate with your central directory or set up IAM users and IAM groups with MFA mandatory, with IAM policies that limit what each user can do and that require MFA. You can also use SCP to prevent the use of services you don't need, which further reduces the risk of bill shock. We use SCP to limit regions as well. AWS Config is useful for monitoring.
– Tim
6 hours ago
@Tim yes they are using the root user. They've been doing it for years and I just got here recently. In the process of making changes.
– Joe B
6 hours ago
add a comment |
My company uses AWS for compute, storage, databases and more. However, they use the root key for access to everything and I'm trying to move away from that for security purposes. Any leak could result in catastrphic data leaks, or crippling bills from AWS. I'd like to prevent that as much as possible by permissioning keys (I know how to do that) and having keys auto expire after x weeks.
I've done a bit of exploration and haven't found something perfect. the closest I've found is the following. (We use Azure to authorize users to AWS) it's a tool that allows the aws cli access to aws by authorizing through azure: https://github.com/dtjohnson/aws-azure-login
The above gives us a daily authorization through the cli to access certain parts of AWS. However, that isn't exactly what we want. Management prefers longer expiry periods for convenience and we need actual keys to be able to use a tool like Cyberduck and to spin up instances in AWS, etc.
Is it possible to create keys by user that expire every X weeks and require a new request for a key?
amazon-web-services keys
asked 8 hours ago
Joe BJoe B
1266 bronze badges
My company uses AWS for compute, storage, databases and more. However, they use the root key for access to everything and I'm trying to move away from that for security purposes. Any leak could result in catastrphic data leaks, or crippling bills from AWS. I'd like to prevent that as much as possible by permissioning keys (I know how to do that) and having keys auto expire after x weeks.
I've done a bit of exploration and haven't found something perfect. the closest I've found is the following. (We use Azure to authorize users to AWS) it's a tool that allows the aws cli access to aws by authorizing through azure: https://github.com/dtjohnson/aws-azure-login
The above gives us a daily authorization through the cli to access certain parts of AWS. However, that isn't exactly what we want. Management prefers longer expiry periods for convenience and we need actual keys to be able to use a tool like Cyberduck and to spin up instances in AWS, etc.
Is it possible to create keys by user that expire every X weeks and require a new request for a key?
amazon-web-services keys
amazon-web-services keys
asked 8 hours ago
Joe BJoe B
1266 bronze badges
asked 8 hours ago
Joe BJoe B
1266 bronze badges
edited 6 hours ago
Joe B
asked 8 hours ago
Joe BJoe B
1266 bronze badges
asked 8 hours ago
Joe BJoe B
1266 bronze badges
asked 8 hours ago
Joe BJoe B
1266 bronze badges
1266 bronze badges
1
Hey Joe, rather than proposing a solution and asking if it works, you'd probably be better off telling us your environment, telling us the problem, and asking for suggestions. You question doesn't clearly describe a problem or what you're trying to achieve, so I don't think you're going to get much useful feedback. Edit your question and you'll probably get more useful help :)
– Tim
7 hours ago
1
@Tim I added some context. Hope it makes sense. Lmk if I should add more
– Joe B
6 hours ago
1
When you say "root key" do you mean everyone logs in as the root user? Are you talking about KMS? It's still not clear what problem you're trying to solve. If you're using the root user at all that's really poor practice even with MFA. Federate with your central directory or set up IAM users and IAM groups with MFA mandatory, with IAM policies that limit what each user can do and that require MFA. You can also use SCP to prevent the use of services you don't need, which further reduces the risk of bill shock. We use SCP to limit regions as well. AWS Config is useful for monitoring.
– Tim
6 hours ago
@Tim yes they are using the root user. They've been doing it for years and I just got here recently. In the process of making changes.
– Joe B
6 hours ago
add a comment |
1
Hey Joe, rather than proposing a solution and asking if it works, you'd probably be better off telling us your environment, telling us the problem, and asking for suggestions. You question doesn't clearly describe a problem or what you're trying to achieve, so I don't think you're going to get much useful feedback. Edit your question and you'll probably get more useful help :)
– Tim
7 hours ago
1
@Tim I added some context. Hope it makes sense. Lmk if I should add more
– Joe B
6 hours ago
1
When you say "root key" do you mean everyone logs in as the root user? Are you talking about KMS? It's still not clear what problem you're trying to solve. If you're using the root user at all that's really poor practice even with MFA. Federate with your central directory or set up IAM users and IAM groups with MFA mandatory, with IAM policies that limit what each user can do and that require MFA. You can also use SCP to prevent the use of services you don't need, which further reduces the risk of bill shock. We use SCP to limit regions as well. AWS Config is useful for monitoring.
– Tim
6 hours ago
@Tim yes they are using the root user. They've been doing it for years and I just got here recently. In the process of making changes.
– Joe B
6 hours ago
1
1
Hey Joe, rather than proposing a solution and asking if it works, you'd probably be better off telling us your environment, telling us the problem, and asking for suggestions. You question doesn't clearly describe a problem or what you're trying to achieve, so I don't think you're going to get much useful feedback. Edit your question and you'll probably get more useful help :)
– Tim
7 hours ago
Hey Joe, rather than proposing a solution and asking if it works, you'd probably be better off telling us your environment, telling us the problem, and asking for suggestions. You question doesn't clearly describe a problem or what you're trying to achieve, so I don't think you're going to get much useful feedback. Edit your question and you'll probably get more useful help :)
– Tim
7 hours ago
1
1
@Tim I added some context. Hope it makes sense. Lmk if I should add more
– Joe B
6 hours ago
@Tim I added some context. Hope it makes sense. Lmk if I should add more
– Joe B
6 hours ago
1
1
When you say "root key" do you mean everyone logs in as the root user? Are you talking about KMS? It's still not clear what problem you're trying to solve. If you're using the root user at all that's really poor practice even with MFA. Federate with your central directory or set up IAM users and IAM groups with MFA mandatory, with IAM policies that limit what each user can do and that require MFA. You can also use SCP to prevent the use of services you don't need, which further reduces the risk of bill shock. We use SCP to limit regions as well. AWS Config is useful for monitoring.
– Tim
6 hours ago
When you say "root key" do you mean everyone logs in as the root user? Are you talking about KMS? It's still not clear what problem you're trying to solve. If you're using the root user at all that's really poor practice even with MFA. Federate with your central directory or set up IAM users and IAM groups with MFA mandatory, with IAM policies that limit what each user can do and that require MFA. You can also use SCP to prevent the use of services you don't need, which further reduces the risk of bill shock. We use SCP to limit regions as well. AWS Config is useful for monitoring.
– Tim
6 hours ago
@Tim yes they are using the root user. They've been doing it for years and I just got here recently. In the process of making changes.
– Joe B
6 hours ago
@Tim yes they are using the root user. They've been doing it for years and I just got here recently. In the process of making changes.
– Joe B
6 hours ago
add a comment |
2 Answers
2
active
oldest
votes
DO NOT use an access key for your AWS account root user. Use IAM users for everyday interaction with AWS. Now that is out of the way...
Use Temporary Security Credentials
You can create IAM roles rather than users and generate temporary security credentials. These have an access key ID, a secret access key, and a security token that indicates when the credentials expire.
Normally access keys remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time.
In your example talking about Instances or CLI scripts rather than passing or embedding an access key to the application, define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can in turn use to make calls. The CLI can get temporary credentials from the role automatically.
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
My understanding, which may not be correct, is that you need to have a principle that can assume a role. That can be an on-premise federated user, an IAM user, etc. Can you edit your post to give a bit more detail?
– Tim
1 hour ago
add a comment |
Root User
The root user should have MFA enabled, then have it locked away and never used. Never create access keys for the root user.
IAM Administrator
Create an IAM administrator user with MFA required that has full rights, including billing.
IAM Policy and Groups
Next create an IAM policy that gives users access to the services and functions they're allowed to use. The policy should mandate MFA has been used for all functions, other than being allowed into IAM to set up MFA. Attach this policy to a group. You can create as many policies and groups as you need. You can further lock things down with Service Control Policies if you see any benefit. You can do things like region enforcement and preventing use of expensive resources (e.g. GPU instances or RedShift / RDS) in either IAM or SCP.
Federation or IAM Users
Now either federate your account(s) to on-premise active directory, or create IAM users and add them to a group. Don't add policies to the users directly. These users can have access keys, but these are subject to MFA as well.
Outcome
All of this gives you good control of your account, lets you trace who did what (make sure Cloud Trail is enabled and the bucket is protected), reduces exposure to hackers increasing the bill, and probably other benefits too.
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f982078%2fcan-i-create-aws-keys-for-each-user-that-expire-every-2-weeks%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
DO NOT use an access key for your AWS account root user. Use IAM users for everyday interaction with AWS. Now that is out of the way...
Use Temporary Security Credentials
You can create IAM roles rather than users and generate temporary security credentials. These have an access key ID, a secret access key, and a security token that indicates when the credentials expire.
Normally access keys remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time.
In your example talking about Instances or CLI scripts rather than passing or embedding an access key to the application, define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can in turn use to make calls. The CLI can get temporary credentials from the role automatically.
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
My understanding, which may not be correct, is that you need to have a principle that can assume a role. That can be an on-premise federated user, an IAM user, etc. Can you edit your post to give a bit more detail?
– Tim
1 hour ago
add a comment |
DO NOT use an access key for your AWS account root user. Use IAM users for everyday interaction with AWS. Now that is out of the way...
Use Temporary Security Credentials
You can create IAM roles rather than users and generate temporary security credentials. These have an access key ID, a secret access key, and a security token that indicates when the credentials expire.
Normally access keys remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time.
In your example talking about Instances or CLI scripts rather than passing or embedding an access key to the application, define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can in turn use to make calls. The CLI can get temporary credentials from the role automatically.
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
My understanding, which may not be correct, is that you need to have a principle that can assume a role. That can be an on-premise federated user, an IAM user, etc. Can you edit your post to give a bit more detail?
– Tim
1 hour ago
add a comment |
DO NOT use an access key for your AWS account root user. Use IAM users for everyday interaction with AWS. Now that is out of the way...
Use Temporary Security Credentials
You can create IAM roles rather than users and generate temporary security credentials. These have an access key ID, a secret access key, and a security token that indicates when the credentials expire.
Normally access keys remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time.
In your example talking about Instances or CLI scripts rather than passing or embedding an access key to the application, define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can in turn use to make calls. The CLI can get temporary credentials from the role automatically.
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
DO NOT use an access key for your AWS account root user. Use IAM users for everyday interaction with AWS. Now that is out of the way...
Use Temporary Security Credentials
You can create IAM roles rather than users and generate temporary security credentials. These have an access key ID, a secret access key, and a security token that indicates when the credentials expire.
Normally access keys remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time.
In your example talking about Instances or CLI scripts rather than passing or embedding an access key to the application, define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can in turn use to make calls. The CLI can get temporary credentials from the role automatically.
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
answered 6 hours ago
LTPCGOLTPCGO
1666 bronze badges
1666 bronze badges
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
LTPCGO is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
My understanding, which may not be correct, is that you need to have a principle that can assume a role. That can be an on-premise federated user, an IAM user, etc. Can you edit your post to give a bit more detail?
– Tim
1 hour ago
add a comment |
My understanding, which may not be correct, is that you need to have a principle that can assume a role. That can be an on-premise federated user, an IAM user, etc. Can you edit your post to give a bit more detail?
– Tim
1 hour ago
My understanding, which may not be correct, is that you need to have a principle that can assume a role. That can be an on-premise federated user, an IAM user, etc. Can you edit your post to give a bit more detail?
– Tim
1 hour ago
My understanding, which may not be correct, is that you need to have a principle that can assume a role. That can be an on-premise federated user, an IAM user, etc. Can you edit your post to give a bit more detail?
– Tim
1 hour ago
add a comment |
Root User
The root user should have MFA enabled, then have it locked away and never used. Never create access keys for the root user.
IAM Administrator
Create an IAM administrator user with MFA required that has full rights, including billing.
IAM Policy and Groups
Next create an IAM policy that gives users access to the services and functions they're allowed to use. The policy should mandate MFA has been used for all functions, other than being allowed into IAM to set up MFA. Attach this policy to a group. You can create as many policies and groups as you need. You can further lock things down with Service Control Policies if you see any benefit. You can do things like region enforcement and preventing use of expensive resources (e.g. GPU instances or RedShift / RDS) in either IAM or SCP.
Federation or IAM Users
Now either federate your account(s) to on-premise active directory, or create IAM users and add them to a group. Don't add policies to the users directly. These users can have access keys, but these are subject to MFA as well.
Outcome
All of this gives you good control of your account, lets you trace who did what (make sure Cloud Trail is enabled and the bucket is protected), reduces exposure to hackers increasing the bill, and probably other benefits too.
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
add a comment |
Root User
The root user should have MFA enabled, then have it locked away and never used. Never create access keys for the root user.
IAM Administrator
Create an IAM administrator user with MFA required that has full rights, including billing.
IAM Policy and Groups
Next create an IAM policy that gives users access to the services and functions they're allowed to use. The policy should mandate MFA has been used for all functions, other than being allowed into IAM to set up MFA. Attach this policy to a group. You can create as many policies and groups as you need. You can further lock things down with Service Control Policies if you see any benefit. You can do things like region enforcement and preventing use of expensive resources (e.g. GPU instances or RedShift / RDS) in either IAM or SCP.
Federation or IAM Users
Now either federate your account(s) to on-premise active directory, or create IAM users and add them to a group. Don't add policies to the users directly. These users can have access keys, but these are subject to MFA as well.
Outcome
All of this gives you good control of your account, lets you trace who did what (make sure Cloud Trail is enabled and the bucket is protected), reduces exposure to hackers increasing the bill, and probably other benefits too.
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
add a comment |
Root User
The root user should have MFA enabled, then have it locked away and never used. Never create access keys for the root user.
IAM Administrator
Create an IAM administrator user with MFA required that has full rights, including billing.
IAM Policy and Groups
Next create an IAM policy that gives users access to the services and functions they're allowed to use. The policy should mandate MFA has been used for all functions, other than being allowed into IAM to set up MFA. Attach this policy to a group. You can create as many policies and groups as you need. You can further lock things down with Service Control Policies if you see any benefit. You can do things like region enforcement and preventing use of expensive resources (e.g. GPU instances or RedShift / RDS) in either IAM or SCP.
Federation or IAM Users
Now either federate your account(s) to on-premise active directory, or create IAM users and add them to a group. Don't add policies to the users directly. These users can have access keys, but these are subject to MFA as well.
Outcome
All of this gives you good control of your account, lets you trace who did what (make sure Cloud Trail is enabled and the bucket is protected), reduces exposure to hackers increasing the bill, and probably other benefits too.
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
Root User
The root user should have MFA enabled, then have it locked away and never used. Never create access keys for the root user.
IAM Administrator
Create an IAM administrator user with MFA required that has full rights, including billing.
IAM Policy and Groups
Next create an IAM policy that gives users access to the services and functions they're allowed to use. The policy should mandate MFA has been used for all functions, other than being allowed into IAM to set up MFA. Attach this policy to a group. You can create as many policies and groups as you need. You can further lock things down with Service Control Policies if you see any benefit. You can do things like region enforcement and preventing use of expensive resources (e.g. GPU instances or RedShift / RDS) in either IAM or SCP.
Federation or IAM Users
Now either federate your account(s) to on-premise active directory, or create IAM users and add them to a group. Don't add policies to the users directly. These users can have access keys, but these are subject to MFA as well.
Outcome
All of this gives you good control of your account, lets you trace who did what (make sure Cloud Trail is enabled and the bucket is protected), reduces exposure to hackers increasing the bill, and probably other benefits too.
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
answered 1 hour ago
TimTim
19.5k4 gold badges23 silver badges52 bronze badges
19.5k4 gold badges23 silver badges52 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f982078%2fcan-i-create-aws-keys-for-each-user-that-expire-every-2-weeks%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Hey Joe, rather than proposing a solution and asking if it works, you'd probably be better off telling us your environment, telling us the problem, and asking for suggestions. You question doesn't clearly describe a problem or what you're trying to achieve, so I don't think you're going to get much useful feedback. Edit your question and you'll probably get more useful help :)
– Tim
7 hours ago
1
@Tim I added some context. Hope it makes sense. Lmk if I should add more
– Joe B
6 hours ago
1
When you say "root key" do you mean everyone logs in as the root user? Are you talking about KMS? It's still not clear what problem you're trying to solve. If you're using the root user at all that's really poor practice even with MFA. Federate with your central directory or set up IAM users and IAM groups with MFA mandatory, with IAM policies that limit what each user can do and that require MFA. You can also use SCP to prevent the use of services you don't need, which further reduces the risk of bill shock. We use SCP to limit regions as well. AWS Config is useful for monitoring.
– Tim
6 hours ago
@Tim yes they are using the root user. They've been doing it for years and I just got here recently. In the process of making changes.
– Joe B
6 hours ago