[object Object]
AWSIAMSECURITY

Hosting ASP.NET apps on AWS Part 4 - Users and roles with IAM

How-to written and screenshots taken on 2020 January 31

In the last part we raced through the basic architecture and the basic AWS building blocks we need to host our applications. What we didn't discuss was how to secure all of these services and make sure no one unauthorized can access or use them.

1. Responsibility model

In the AWS cloud responsibility for the security is shared between AWS and you as a user. AWS will take full responsibility for security of the cloud. That means they secure the building (data center), the physical hardware and the hypervisors.

As a user you have full responsibility of security in the cloud; your account, applications and user data. AWS will assist wherever possible by providing services, tools, documentation and training, but they will take zero responsibility for that part.

2. Securing your account

In this part we will make sure that our account is setup in a safe and secure way. When opening your AWS account, by default you're logged in as the root user. This means you can access and delete everything. To secure your root account, just follow the steps AWS recommends on the IAM dashboard. We'll highlight a few below.

You can always go back to your console by Googling for AWS console and logging in or by clicking the AWS logo in the top left corner.

![IAM dashboard with 5 best practice advice](iam-0-1.png)

2.1 Enable MFA

We don't want anybody else then ourselves ever accessing this account, so we're using a very strong password and enable multi-factor authentication (MFA). To help me store and "remember" these passwords I use a password manager: Bitwarden.

  1. To get to the IAM dashboard, search for IAM in the AWS console (the page you get right after logging in). Click on your user name in the top right corner and select My Security Credentials.

    Click on your user name and select "My Security Credentials"

  2. Click on Manage MFA

    Manage MFA button on IAM dashboard

  3. Click Activate MFA

    Activate MFA button

  4. Choose Virtual MFA device

    Choose MFA device type

  5. Scan QR code and enter two consecutive codes. You can use any MFA or 2FA authenticator you like. There are multiple apps from, for example Google, Microsoft, LastPass, and more. Recently I discovered Authy.

    qr code

2.2 Enable password policy

  1. When you are first asked you can click a link on the IAM dashboard to change your password policy. Alternatively you can click Account settings in the menu on the left.

    account settings screen

  2. Click the Change password policy button

    password policy settings

  3. Click Save changes. And while we're in the "Account settings" screen, we'll also deactivate all endpoints we're not using.

    active and deactivated endpoints

2.3 Creating groups

If you're working on your own and don't plan to add other people, you can skip making groups. We however did make a start with creating some groups. I have no idea what groups you'd normally have, but we'll learn. For now I created:

  • admins
  • developer
  • finance
  • sysadmin

Creating a group is really straight forward, but let's do one.

  1. Click Create New Group on the top of the screen

    Groups in IAM

  2. Give the group a name

    Add a group name

  3. Add one or multiple policies

    Add policies

  4. Click Create Group

    review group

2.4 Creating users

Users can be real people or programmatic entities like computers or applications. AWS also has roles. I still can't put the difference into my own words, so for now I'll point you to this Stack Overflow topic.

We need to make at least one "real" or console user. This user gets admin rights to be able to create new users and groups and assign login credentials.

  1. Click Add user

    users overview screen

  2. Enter the User name and choose AWS Management Console access as the access type.

    enter user name and type

  3. Add user to a group or, if you don't have groups, choose to attach policies directly. We choose our admins group.

    choose group or policies

  4. Add tags if you want (I don't)

  5. Review and Create user

    review and create user

  6. AWS will create the initial credentials for this user. Store them somewhere safe.

    download credentials

  7. When you're logging in as a non-root user, AWS needs to know to which account the user belongs. So you have to add the Account ID of your root account. As this is a 12 digit number, I'd write it down somewhere. You can find it by clicking your user/business name in the top right corner. Log out of your root account and log back in with your Account ID as login and your admin account credentials. Change your password and enable MFA. Once successful you can delete the auto-generated credentials.

3. Roles

Now that we have secured our account, we need to do one more thing in the IAM dashboard. In the next part we want our EC2 instances to be able to communicate with other AWS services. We do that by attaching a role to the EC2. Let's create those roles; one for our .NET applications and one for WordPress.

  1. Click Roles in the menu on the left and click Create role.

    Roles in IAM

  2. As we are going to use this role for EC2, we can choose the common use case EC2. Who would've guessed.

    Choose the EC2 use case

  3. Now we're going to add permissions. For the .NET role, we need three policies:

    1. AmazonEC2ReadOnlyAccess
    2. AmazonSSMManagedInstanceCore
    3. CloudWatchAgentServerPolicy

    Create a policy first

  4. Click Next: Tags and add tags if you like. I didn't add any tags.

  5. Click Next: Review and give your role a name. E.g. EC2-jodibooks-dotnetapps.

    Choose a role name

  6. Now create another role, but name it EC2-jodibooks-WordPress.

4. Next: EC2

That's it for the user part. In the next part we will setup our EC2 instances.