
Creating a Users group
The other group I typically recommend creating is a Users group, to which every human user accessing your AWS account should belong, including your administrators (who will also be members of the Administrators group). The core function of the Users group is to ensure that, with the exception of a very small set of permissions, every action performed by any member of the Users group must be MFA authenticated, regardless of the permissions granted to that user via other groups. This is essentially a force MFA policy, which you can read more about at https://www.trek10.com/blog/improving-the-aws-force-mfa-policy-for-IAM-users/, and implementing it adds a further layer of protection to access to your AWS accounts. Note that the policy does allow the user to perform a minimal set of operations without MFA: logging in, changing the user's own password, and, most importantly, registering an MFA device. This allows new users to log in with a temporary password, change their password, and self-enroll their MFA device; once the user has logged out and logged back in with MFA, the policy permits the user to create an AWS access key for API and CLI access.
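To make the behaviour described above concrete, here is an added example (not the gist the chapter links to, and not the author's policy) of a force-MFA policy modelled on the self-manage-MFA pattern in the AWS IAM documentation, together with a deliberately simplified evaluator that mimics IAM's explicit-deny-wins logic for the one condition operator the policy uses. The account ID, the user names and the policy statement names are constructed for the demo; the evaluator models neither STS special cases nor any condition operator other than BoolIfExists on aws:MultiFactorAuthPresent.

```python
"""Illustrative force-MFA policy plus a simplified IAM evaluator (added example,
not the gist from the chapter). Modelled on the self-manage-MFA pattern in the
AWS IAM documentation; account ID and user names are constructed."""
import fnmatch
import json
from typing import Optional

ACCOUNT_ID = "123456789012"  # constructed; stands in for PASTE_ACCOUNT_NUMBER

# Everything a user may do before an MFA device is enrolled; the Deny below
# exempts exactly these. sts:GetSessionToken lets the CLI obtain an MFA session.
SELF_SERVICE_ACTIONS = [
    "iam:ChangePassword", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
    "iam:GetAccountPasswordPolicy", "iam:GetUser", "iam:ListMFADevices",
    "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken",
]

REQUIRE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
         "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
         "Resource": "*"},
        {"Sid": "AllowManageOwnPasswordAndMFA", "Effect": "Allow",
         "Action": ["iam:ChangePassword", "iam:DeactivateMFADevice",
                    "iam:EnableMFADevice", "iam:GetUser",
                    "iam:ListMFADevices", "iam:ResyncMFADevice"],
         # ${aws:username} scopes the grant to the caller's own user.
         "Resource": f"arn:aws:iam::{ACCOUNT_ID}:user/${{aws:username}}"},
        {"Sid": "AllowCreateOwnVirtualMFADevice", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice"],
         "Resource": f"arn:aws:iam::{ACCOUNT_ID}:mfa/${{aws:username}}"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": SELF_SERVICE_ACTIONS, "Resource": "*",
         # BoolIfExists also fires when the key is absent, i.e. for requests
         # signed with long-term access keys rather than an MFA session.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def policy_document() -> str:
    """The JSON you would paste into the Create policy screen."""
    return json.dumps(REQUIRE_MFA_POLICY, indent=2)


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match, case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, mfa_present: Optional[bool]) -> bool:
    """Models only BoolIfExists on aws:MultiFactorAuthPresent; None means the
    key is absent from the request context, which IfExists treats as true."""
    if not condition or mfa_present is None:
        return True
    wanted = condition["BoolIfExists"]["aws:MultiFactorAuthPresent"]
    return str(mfa_present).lower() == wanted


def evaluate(policy, action: str, resource: str, username: str,
             mfa_present: Optional[bool]) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    Simplified IAM logic: an explicit Deny wins, else any matching Allow
    grants, else the default is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action)
        else:
            action_hit = not _matches(stmt["NotAction"], action)
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        resources = [r.replace("${aws:username}", username) for r in resources]
        if not (action_hit and _matches(resources, resource)
                and _condition_holds(stmt.get("Condition"), mfa_present)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    me = f"arn:aws:iam::{ACCOUNT_ID}:user/alice"
    for action, resource, mfa in [
        ("iam:ChangePassword", me, False),        # fresh login, no MFA yet
        ("iam:EnableMFADevice", me, False),       # self-enrolment
        ("iam:CreateAccessKey", me, False),       # only after MFA login
        ("iam:DeactivateMFADevice", me, False),   # removing MFA needs MFA
        ("ec2:DescribeInstances", "*", True),     # another group must allow
        ("s3:ListAllMyBuckets", "*", None),       # bare long-term access key
    ]:
        verdict = evaluate(REQUIRE_MFA_POLICY, action, resource, "alice", mfa)
        print(f"{action:26} mfa={str(mfa):5} -> {verdict}")
```

Three points the demo makes that the prose alone does not. First, the Deny statement is what gives the Users group its teeth: an explicit deny cannot be overridden by an Allow from any other group, so attaching the policy to every human user is enough. Second, the policy only removes access; with MFA present, an action such as ec2:DescribeInstances is still an implicit deny until some other group grants it. Third, BoolIfExists means requests signed with a bare long-term access key are denied as well, because such requests carry no aws:MultiFactorAuthPresent key, so CLI use of the access key created after MFA login requires obtaining an MFA-backed session via sts:GetSessionToken (exempted from the Deny for that reason); likewise iam:DeactivateMFADevice is deliberately left out of the exemptions, so a stolen password alone cannot remove a user's MFA device.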
To implement the Users group, we first need to create a managed IAM policy, which is a more scalable and reusable mechanism for assigning permissions to groups and roles than the inline approach we took in the preceding screenshot. To create a new managed policy, select Policies from the IAM console navigation menu and click on the Create policy button, which opens the Create policy screen. The policy you need to create is quite extensive and is published in a GitHub gist at https://bit.ly/2KfNfAz; it is based upon the policy discussed in the blog post referenced previously, with a few additional security enhancements.
Note that the gist includes a placeholder called PASTE_ACCOUNT_NUMBER within the policy document, which you will need to replace with your actual AWS account ID:

After clicking the Review policy button, give the policy a name, which we will call RequireMFAPolicy, and click Create policy to create it. Next, create a Users group using the same instructions you followed earlier in this chapter when you created the Administrators group.
When you get to the Attach Policy screen while creating the Users group, type the first few letters of the RequireMFAPolicy managed policy you just created and attach it to the group:

After completing the wizard for creating the Users group, you should now have both an Administrators group and a Users group in your IAM console.