Saturday, 9 September 2023

IAM User creation and Credential Rotation

 IAM User creation and Credential Rotation


Objectives:

1. Learn to create an IAM User with Programmatic Access.

2. Learn to rotate IAM User credentials and test them.


Step 1: In this step we create a user. In AWS console go to IAM service. In Users click on Add User.

Provide following details in respective fields:

User name: RotateKeyUser

Check both the Access Types.

Proceed to Next: Permissions.

Select Attach existing policies directly.

In the Filter policies search bar search for a policy suitable for requirements. For this tutorial we select S3FullAccess.

Proceed to Next: Tags.

And give Name as UserForCredentials.

Go to next step. Review and Create User. In the success window, download the .csv file which contains the credentials needed to access subsequent AWS Services.

A similar file as given below is downloaded, which should be stored safely for further use.

Find the Global drop down on your AWS console top bar and copy the alias of region name. The region name is usually the name of region that you are operating from. E.g. ap-south-1 in this case.

Store it in a text file.


Step 2: Open Command Prompt, configure CLI with the help of our AWS CLI blog here. In the below screen we observe that the configuration of this user is successful and the S3 bucket is created.

The created bucket can be confirmed in AWS S3 Console.


Step 3: This key needs to be rotated as a best practice while using AWS. The key can be rotated as given below.

Go back to IAM -> Users. Select the key that we created.

In the Summary section go to Security Credentials tab.

Scroll down to Access keys. Click on Create access key.

In the Success pop-up window, download and securely store the new .csv file.

For further operations of this user, the new credentials should be used that are provided in the new csv file.

In the Access keys section itself, two keys are visible. Go to the first key and select the “Make inactive” option.

Further select Deactivate in the pop-up window.

The status of the old key is now inactive.

The Access key should not be immediately deleted because it may still be associated with some AWS services.


Step 4: Now try and configure AWS CLI as was did in Step 2 and provide the bucket creation command.

Thus, the key is now non-operational.

With the new access key, configure AWS CLI as shown in Step 2 using new Access Key Credentials given in the new csv file.

After a week or so, depending on the organizational policies, delete the Inactive Access Key.


Note: If you no longer need the user, you may delete it through the IAM console.