
Day Two: Getting started with your DLT AWS account

Number of views : 14
Article Number : KB0017178
Published on : 2019-10-21
Last modified : 2019-10-21 17:43:51
Knowledge Base : ESM External


Configuring a new AWS account

 

Overview:

This wiki walks you through the steps to audit and set up Identity and Access Management (IAM) users, groups and policies, and to implement the Amazon Web Services IAM best practices that secure your cloud infrastructure.

 

Topics covered

· Access AWS management console using root account.

· Set up CloudWatch billing alerts

· Choosing your Region

· Customize sign-in link and account number

· IAM security best practices

· Create new IAM Users and manage their access

· Create new IAM Groups and manage their access

· Add IAM User to Group with Administrator Access

 

Requirements

Requires an existing AWS account; the account details were included in the email sent by the DLT administrator (DLT Operations Center <opscenter@dlt.com>).

 

1.      Access AWS management console using root account.

· Sign in to the AWS Management Console at https://console.aws.amazon.com/console/home using your root account credentials.

· The AWS Management Console is a graphical interface for accessing a wide range of AWS Cloud services and managing compute, storage, and other cloud resources.

[Screenshot: AWS Management Console home page]

 

2.      Sign up for CloudWatch billing alerts

· Billing alerts are managed by DLT under Consolidated Billing. Review this Document and submit a usage billing alert request with DLT.

· You can monitor your estimated AWS charges using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.

· Billing metric data is stored in the US East (N. Virginia) region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.

· The alarm triggers when your account billing exceeds the threshold you specify. It triggers only when actual billing exceeds the threshold. It does not use projections based on your usage so far in the month.

· If you create a billing alarm at a time when your charges have already exceeded the threshold, the alarm goes to the ALARM state immediately.

 

3.      Choosing a Region

· For many services, you can choose a Region that specifies where your resources are managed. Regions are dispersed and located in separate geographical areas (US, EU, etc.). Availability Zones are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones, and that provide inexpensive, low-latency network connectivity to the other Availability Zones in the same Region.

· By launching services in separate Regions, you can place your application closer to specific customers or meet legal or other requirements. By launching resources in separate Availability Zones within a Region, you protect your application from the failure of a single location.

· The AWS region name is always listed in the upper-right corner of the AWS Management Console, in the navigation bar.

[Screenshot: Region selector in the console navigation bar]

 

4.      Customize sign-in link and account number for easy user-friendly portal access

· Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

· In the navigation pane, choose Dashboard.

· Find the “IAM users sign-in link”, and choose Customize to the right of the link.

· Type the name you want to use for your alias, then choose Yes, Create. The alias must be unique across all AWS accounts and may contain only lowercase letters, digits and hyphens.

· To remove the alias, choose Customize, and then choose Yes, Delete. The sign-in URL reverts to using your AWS account ID.

 

5.      IAM security best practices

You can use AWS IAM to securely control individual and Group access to your AWS resources. You can create and manage User identities ("IAM users") and grant permissions for those IAM Users to access your resources. You can also grant permissions for Users outside of AWS (federated users).

 

· Delete your root access keys: The root user has unrestricted access to every resource in your account. Delete any access keys (access key ID and secret access key) that exist for the root user so that they cannot be misused. Instead, create an IAM user with the permissions you need and carry out your tasks as that user.

· Enforce MFA: Add an additional layer of security by requiring MFA for the root user and for all privileged users who can reach critical or sensitive resources or call APIs with a large blast radius.

· Use roles instead of users: Where a workload (for example, an application on an EC2 instance) needs AWS access, give it an IAM role rather than an IAM user's access keys. Role credentials are temporary, are issued and rotated automatically by AWS several times a day, and are never stored on the resource itself, so there is no long-lived secret to leak.

· Create individual IAM users: Beyond deleting the root access keys, do not use the root user for day-to-day activities. The root user is the identity you registered with AWS when you signed up with your credit card. As a best practice, create at least one other user with administrator privileges and sign in as that user to perform administrative tasks. Create further users as the need arises, giving each only the least privilege it needs. Never share the root credentials with anyone; as simple as it sounds, this is one of the top IAM security best practices.

· Use groups to assign permissions: Regardless of the size of your company, this is how access management is done with IAM. Create groups that represent departments or job roles (administrators, developers, accounting) and assign IAM users to those groups. Give each group the least permission necessary for its job function; every user in a group inherits the group's permissions. Groups simplify managing and auditing permissions, because a change to the group applies to every user in it, and as users move within the organization their group membership moves with them.

· Apply an IAM password policy: Use a password policy to require your IAM users to create strong passwords and to rotate them regularly. The policy defines requirements such as minimum length, whether non-alphabetic characters are required, how often passwords must be rotated, and so on. Weak passwords are behind many data breaches. The following figure shows the security status, as per the AWS-recommended IAM best practices, on the IAM Dashboard under Security Status:

[Screenshot: IAM Dashboard, Security Status]
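The audit that the overview and the best-practice list above call for can be driven from the IAM credential report (`aws iam get-credential-report`, or `generate_credential_report` followed by `get_credential_report` with boto3). The following is an added example, not part of this article or of DLT's material: it parses a constructed sample report (the column names are the real report's column names; the rows, account ID and user names are invented) and flags the violations of the practices above. The timestamp `now` is passed in so the result is reproducible; in real use pass the decoded `Content` of the report and `datetime.now(timezone.utc)`. The 90-day rotation threshold and the 30-day root sign-in window are assumptions.

```python
"""Audit an IAM credential report against the IAM best practices above."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of `aws iam get-credential-report` output.
# The header is the report's real column set; the rows are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2019-10-20T09:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,2019-10-19T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2019-10-21T00:00:00+00:00,true,no_information,2019-10-21T00:00:00+00:00,2020-01-19T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2019-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2019-03-01T00:00:00+00:00,2019-10-20T03:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-06-15T00:00:00+00:00,true,2019-10-18T14:00:00+00:00,2019-06-15T00:00:00+00:00,2019-09-13T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "current time" for the sample so the findings are reproducible (assumption).
SAMPLE_NOW = datetime(2019, 10, 21, 18, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for N/A, no_information and not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now, max_age_days=90, root_login_window_days=30):
    """Return a list of (user, finding) tuples for the credential report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Best practice 1: the root user should have no access keys at all,
            # so any active key is a finding regardless of its age.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active; delete it"))
            # Best practice 4: root is for a few account tasks, not daily sign-in.
            last_login = _parse_ts(row["password_last_used"])
            if last_login and (now - last_login).days <= root_login_window_days:
                findings.append((user, f"root user signed in within the last {root_login_window_days} days"))
            continue
        if row["password_enabled"] == "true":
            # Best practice 2: every user with a console password must have MFA.
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            # Password policy: flag passwords older than the rotation period.
            changed = _parse_ts(row["password_last_changed"])
            if changed and (now - changed).days > max_age_days:
                findings.append((user, f"password is {(now - changed).days} days old"))
        # Long-lived access keys: flag any active key older than the rotation period.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > max_age_days:
                findings.append((user, f"access key {n} is {(now - rotated).days} days old"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample report."""
    return audit(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Note that `deploy-bot` has no console password, so the missing MFA is not reported for it; what is reported is its stale access key, which is the case where a role (best practice 3) should replace the user. The `admin` user, created with a console password, MFA enabled and no access keys, produces no findings.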

 

 

6.      Create IAM User account

· Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

· In the left navigation pane, click Users

· Select Add User

· Enter a User name (Ex: Admin) and select the check boxes for the access types this user actually needs: AWS Management Console access for the Admin user, and Programmatic access only if the user will use the CLI or API (a long-lived access key is a secret that can leak, so do not create one by default)

· Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.

· AWS Management Console access: If the user needs to access the AWS Management Console

· Select Custom password, and then type the new password in the text box. By default, AWS forces the new user to create a new password when first signing in, so the password you hand over is only ever a one-time password. Clearing the check box next to User must create a new password at next sign-in lets the user keep the password you set; leave it selected.

· Note: The password that you create must meet the account's password policy, if one is currently set.

· Choose Next: Permissions. Nothing needs to be selected here, because the user will receive its permissions through a group in steps 7 and 8.

· Choose Next: Review. When you are ready to proceed, choose Create user to create the new user.

· You can view and download the user's security credentials, and you can email the user instructions for signing in to the AWS Management Console. This is the only time the secret access key (if you created one) can be viewed or downloaded; you can, however, create new credentials at any time.

· After you have assigned a password to a user, the user can sign in to the AWS Management Console using the sign-in URL for your account, which looks like this: https://<12-digit-AWS-account-ID-or-alias>.signin.aws.amazon.com/console

 

7.      Create new IAM Group and attach Administrator policy

· Groups are collections of IAM users. Administrators use groups to specify permissions for a collection of users, which makes those permissions easier to manage. A group can contain many users and a user can belong to multiple groups. Groups can't be nested; they can contain only users, not other groups.

· To create a new IAM Group:

· Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

· In the left navigation pane, click Groups.

· Select Create New Group, for Group name type Administrators and click Next Step

· Under Attach Policy, search for "AdministratorAccess", select the check box for "AdministratorAccess" Policy 

· Choose Next Step. When you are ready to proceed, choose Create Group to create the new group with Administrator access.

[Screenshot: Create New Group with the AdministratorAccess policy attached]

8.     Add IAM User to Group with Administrator Access

· AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only the few account and service management tasks that require them. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User.

· Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

· In the navigation pane, Choose Groups

· Choose the name of the group.

· Select Group Actions, click Add Users to Group.

· In the Add Users to Group window, configure the following:

· Select the check box next to USERNAME (the user you created in step 6)

· At the bottom of the screen, click Add Users.

· In the Users tab you will see that USERNAME has been added to the group

· In the navigation pane on the left, click Groups.

· The group you added the user to should show 1 in the Users column (the number of users in the group).

· If the group does not show 1, revisit the instructions above to ensure that the user is assigned to the group.
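Sections 4 through 8 are console steps; the same sequence can be scripted so that every new account is set up identically. The following is an added example, not code from this article or from DLT, written against the boto3 IAM client method names (`create_account_alias`, `update_account_password_policy`, `create_group`, `attach_group_policy`, `put_group_policy`, `create_user`, `create_login_profile`, `add_user_to_group`). boto3 is not imported: the `iam` argument would be `boto3.client("iam")` in real use, and the `RecordingClient` stand-in only records the calls so the script runs offline. The password-policy values, the `RequireMFA` inline policy (condensed from the require-MFA pattern in the AWS IAM documentation) and the alias `example-org` are assumptions.

```python
"""Provision the first administrator the way sections 4-8 describe, as API calls."""
import json

ADMIN_GROUP = "Administrators"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Password policy for section 5 (length, complexity, rotation, reuse prevention).
# The values are a reasonable default chosen for this example, not an AWS mandate.
PASSWORD_POLICY = dict(
    MinimumPasswordLength=14,
    RequireSymbols=True,
    RequireNumbers=True,
    RequireUppercaseCharacters=True,
    RequireLowercaseCharacters=True,
    AllowUsersToChangePassword=True,
    MaxPasswordAge=90,
    PasswordReusePrevention=24,
    HardExpiry=False,
)

# Inline group policy that enforces MFA: deny everything except the calls a
# user needs to enrol their own MFA device and change their password, unless
# the request was authenticated with MFA. BoolIfExists matters here: a plain
# access-key request carries no aws:MultiFactorAuthPresent key at all, and a
# Bool test on a missing key never matches, which would leave keys unrestricted.
REQUIRE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupIfNoMfa",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
            "iam:ListMFADevices", "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice", "iam:GetUser", "iam:ChangePassword",
            "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def provision_first_admin(iam, account_alias, user_name, temp_password):
    """Run the console steps of sections 4 to 8 against an IAM client; returns the sign-in URL."""
    iam.create_account_alias(AccountAlias=account_alias)                      # section 4
    iam.update_account_password_policy(**PASSWORD_POLICY)                      # section 5
    iam.create_group(GroupName=ADMIN_GROUP)                                    # section 7
    iam.attach_group_policy(GroupName=ADMIN_GROUP, PolicyArn=ADMIN_POLICY_ARN)
    iam.put_group_policy(GroupName=ADMIN_GROUP, PolicyName="RequireMFA",
                         PolicyDocument=json.dumps(REQUIRE_MFA_POLICY))
    iam.create_user(UserName=user_name)                                        # section 6
    # Console access only, with a forced password change at first sign-in.
    # Access keys are deliberately not created; add them only if really needed.
    iam.create_login_profile(UserName=user_name, Password=temp_password,
                             PasswordResetRequired=True)
    iam.add_user_to_group(GroupName=ADMIN_GROUP, UserName=user_name)           # section 8
    return f"https://{account_alias}.signin.aws.amazon.com/console"


class RecordingClient:
    """Stand-in for boto3's IAM client: records (method, kwargs) instead of calling AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


def dry_run():
    """Return (sign-in URL, recorded call sequence) for a sample run with assumed names."""
    fake = RecordingClient()
    url = provision_first_admin(fake, "example-org", "admin", "Temp0rary-Passw0rd!")
    return url, fake.calls


if __name__ == "__main__":
    url, calls = dry_run()
    for name, kwargs in calls:
        print(name, sorted(kwargs))
    print("sign-in URL:", url)
```

Two points a practitioner should check before running this for real. The password policy is applied before the login profile is created, so the temporary password must already satisfy it (the sample one does). And because the group also carries AdministratorAccess, the actions left out of the Deny are not scoped to the caller's own user; the full AWS example pairs the Deny with Allow statements restricted to `arn:aws:iam::*:user/${aws:username}`, which is the form to use in production so that a user without MFA can only manage their own device and password.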

 

 

 

 

 

 
