In the last part we raced through the basic architecture and the basic AWS building blocks we need to host our applications. What we didn't discuss was how to secure all of these services and make sure no one unauthorized can access or use them.
In the AWS cloud responsibility for the security is shared between AWS and you as a user. AWS will take full responsibility for security of the cloud. That means they secure the building (data center), the physical hardware and the hypervisors.
As a user you have full responsibility of security in the cloud; your account, applications and user data. AWS will assist wherever possible by providing services, tools, documentation and training, but they will take zero responsibility for that part.
In this part we will make sure that our account is setup in a safe and secure way. When opening your AWS account, by default you're logged in as the root user. This means you can access and delete everything. To secure your root account, just follow the steps AWS recommends on the IAM dashboard. We'll highlight a few below.
You can always go back to your console by Googling for AWS console
and logging in or by clicking the AWS logo in the top left corner.
We don't want anybody else then ourselves ever accessing this account, so we're using a very strong password and enable multi-factor authentication (MFA). To help me store and "remember" these passwords I use a password manager: Bitwarden.
To get to the IAM dashboard, search for IAM
in the AWS console (the page you get right after logging in). Click on your user name in the top right corner and select My Security Credentials.
Click on Manage MFA
Click Activate MFA
Choose Virtual MFA device
Scan QR code and enter two consecutive codes. You can use any MFA or 2FA authenticator you like. There are multiple apps from, for example Google, Microsoft, LastPass, and more. Recently I discovered Authy.
When you are first asked you can click a link on the IAM dashboard to change your password policy. Alternatively you can click Account settings in the menu on the left.
Click the Change password policy button
Click Save changes. And while we're in the "Account settings" screen, we'll also deactivate all endpoints we're not using.
If you're working on your own and don't plan to add other people, you can skip making groups. We however did make a start with creating some groups. I have no idea what groups you'd normally have, but we'll learn. For now I created:
admins
developer
finance
sysadmin
Creating a group is really straight forward, but let's do one.
Click Create New Group on the top of the screen
Give the group a name
Add one or multiple policies
Click Create Group
Users can be real people or programmatic entities like computers or applications. AWS also has roles. I still can't put the difference into my own words, so for now I'll point you to this Stack Overflow topic.
We need to make at least one "real" or console user. This user gets admin rights to be able to create new users and groups and assign login credentials.
Click Add user
Enter the User name and choose AWS Management Console access as the access type.
Add user to a group or, if you don't have groups, choose to attach policies directly. We choose our admins
group.
Add tags if you want (I don't)
Review and Create user
AWS will create the initial credentials for this user. Store them somewhere safe.
When you're logging in as a non-root user, AWS needs to know to which account the user belongs. So you have to add the Account ID of your root account. As this is a 12 digit number, I'd write it down somewhere. You can find it by clicking your user/business name in the top right corner. Log out of your root account and log back in with your Account ID as login and your admin account credentials. Change your password and enable MFA. Once successful you can delete the auto-generated credentials.
Now that we have secured our account, we need to do one more thing in the IAM dashboard. In the next part we want our EC2 instances to be able to communicate with other AWS services. We do that by attaching a role to the EC2. Let's create those roles; one for our .NET applications and one for WordPress.
Click Roles in the menu on the left and click Create role.
As we are going to use this role for EC2, we can choose the common use case EC2. Who would've guessed.
Now we're going to add permissions. For the .NET role, we need three policies:
AmazonEC2ReadOnlyAccess
AmazonSSMManagedInstanceCore
CloudWatchAgentServerPolicy
Click Next: Tags and add tags if you like. I didn't add any tags.
Click Next: Review and give your role a name. E.g. EC2-jodibooks-dotnetapps
.
Now create another role, but name it EC2-jodibooks-WordPress
.
That's it for the user part. In the next part we will setup our EC2 instances.