AWS Access Keys, CLI and SDK

How can users access AWS?

• To access AWS, you have the 3 optioins:
  1. AWS Management Console(password + MFA)
  2. AWS Command Line Interface(CLI): protected by access keys
  3. AWS Software Developer Kit(SDK) - for code: protected by access keys
• Access Keys are generated through the AWS Console
• Users manage their own access keys
  • Access Key ID ~= username
  • Secret Access Key ~= password

What`s the AWS CLI

• A tool that enables you to interact with AWS services using commands in your command-line shell
• Direct access to the public APIs of AWS services
• You can develop scripts to manage your resources
• It`s open-source https://github.com/aws/aws-cli
• Alternative to using AWS Management Console

What`s AWS SDK

• AWS Software Development Kit(AWS SDK)
• Language-specific APIs (set of libirarys)
• Enables you to access and manage AWS services programmatically
• Embedded within your application
• Supports
  • SDKs (Python, JAvaScript...)
  • Mobile SDKs (Android, iOS, ...)
  • IoT Device SDKs (Embedded C, Arduino, ... )
• Example: AWS CLI is built on AWS SDK for Python

AWS CloudShell

IAM Roles for Services

• Some AWS service will need to perform actions on your behalf
• To do so, we will assign permissions to AWS services with IAM Roles
• Common roles:
  • EC2 Instance Roles
  • Lambda Function Roles
  • Roles for CloudFormation

IAM Security Tools

• IAM Credentials Report (account-level)
  • a report that lists all your account`s users and the status of their various crendetials
• IAM Access Advisor (user-level)
  • Access advisor shows the service permissions granted to a user and when those services were last accessed.
  • You can user this information to revise your policies.

IAM Guidelines & Best Practices

• Don`t use the root account except for AWS account setup
• One pyisical user = One AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy and MFA
• Create and use Roles for giving permissions to AWS services
• Use Access Keys for Programmatic Access (CLI/ SDK)
• Audit permission of your account using IAM Credentials Report & IAM Access Advisor