Automated user migration and management of AWS Identity and Access Management (IAM) resources
Introduction
In this real-world cloud endeavor, I assumed the role of a Cloud Specialist and successfully accomplished our mission to migrate 250 users seamlessly while enhancing security through Multi-Factor Authentication (MFA) on their accounts.
By implementing MFA, we significantly bolstered security, ensuring robust protection for user accounts, which is paramount in today’s digital landscape.
This achievement was made possible through the strategic application of automation, which eliminated repetitive and error-prone manual tasks within the AWS console. This approach not only saved time but also improved the overall efficiency of our cloud management processes.
This Medium post provides an in-depth guide to how I automated user migration and managed AWS IAM resources using the AWS CLI and a shell script.
Step 1: Study and Prepare User Database
Before diving into automation, it’s crucial to thoroughly understand the user database and prepare it for seamless integration with the AWS CLI and your migration script. The database should contain columns for user name, group, and password, stored as a .csv file.
Step 2: Create User Groups
Organize your users by creating distinct user groups with specific permissions. Here are the five groups we established:
CloudAdmin: This group serves as the AWS Admin, possessing full administrative rights.
LinuxAdmin: Users in this group manage EC2 instances with full EC2 admin rights.
DBA (Database Administrators): Grant them full EBS admin rights.
NetworkAdmin: This group consists of VPC admins with full VPC privileges.
Trainee: Designed for trainees who require specialized permissions.
Step 3: Install dos2unix on AWS Cloud Shell
To ensure seamless execution of scripts, install `dos2unix` on AWS Cloud Shell. This is a crucial step: a .csv file created or edited on Windows carries CRLF line endings, and without conversion the trailing carriage return becomes part of the last field on every row, so the AWS CLI calls receive corrupted values.
Step 4: Automate User Creation and Permission Assignment
The heart of the automation lies in creating a script that streamlines user creation and assigns them to their respective groups. This script should also enforce a policy mandating users to change their default passwords upon login. The beauty of automation is that users will inherit permissions from policies assigned to their respective groups, saving you time and effort.
#!/bin/bash
# Purpose: Automated user creation in the AWS
# How to: ./aws-iam-create-user.sh <entry file format .csv>
# Entry file column name: user, group, password
# Author: Blaise
# ------------------------------------------
INPUT=$1
OLDIFS=$IFS
IFS=',;'

# Test to see that user file is available.
[ ! -f "$INPUT" ] && { echo "$INPUT file not found"; exit 99; }

# Test to see that dos2unix tool is installed in AWS CLI and request installation.
command -v dos2unix >/dev/null || { echo "dos2unix tool not found. Please, install dos2unix tools before running the script."; exit 1; }

# Convert Windows (CRLF) line endings so the last field carries no trailing carriage return.
dos2unix "$INPUT"

# Read user file into the script, skipping the header row ("user,group,password").
# The "|| [ -n "$user" ]" keeps the last row even if the file has no final newline.
while read -r user group password || [ -n "$user" ]
do
    if [ "$user" != "user" ]; then
        aws iam create-user --user-name "$user"
        # --password-reset-required forces a password change at first console login.
        aws iam create-login-profile --password-reset-required --user-name "$user" --password "$password"
        # The user inherits permissions from the policies attached to the group.
        aws iam add-user-to-group --group-name "$group" --user-name "$user"
    fi
done < "$INPUT"
IFS=$OLDIFS
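With 250 rows, a single malformed line (an unknown group, a password that the Step 9 policy will later reject, a duplicate user, or CRLF endings that Step 3 warns about) is easiest to catch before any IAM call is made. The following pre-flight validator is an added example, not the post's own script: it checks the .csv against the five groups from Step 2 and the password rules from Step 9 and refuses the file if anything is wrong. The function names and the two sample files are constructed for this example.

```shell
#!/bin/bash
# Added example (not the original post's script): pre-flight checks for the
# user .csv before it is handed to the Step 4 script. Validates the header,
# IAM user-name syntax, membership in one of the Step 2 groups, the Step 9
# password policy (13+ chars, upper, lower, digit, symbol), duplicate users
# and CRLF line endings. Function names and sample rows are assumptions.

ALLOWED_GROUPS="CloudAdmin LinuxAdmin DBA NetworkAdmin Trainee"

# 0 if the password meets the Step 9 policy, 1 otherwise.
password_ok() {
    p=$1
    [ "${#p}" -ge 13 ] || return 1
    case $p in *[A-Z]*) ;; *) return 1 ;; esac
    case $p in *[a-z]*) ;; *) return 1 ;; esac
    case $p in *[0-9]*) ;; *) return 1 ;; esac
    case $p in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
}

# 0 if the group is one of the groups created in Step 2.
group_ok() {
    for g in $ALLOWED_GROUPS; do [ "$1" = "$g" ] && return 0; done
    return 1
}

# 0 if the name is a syntactically valid IAM user name: 1-64 characters drawn
# from letters, digits and + = , . @ _ - (the set IAM accepts for names).
username_ok() {
    u=$1
    [ -n "$u" ] && [ "${#u}" -le 64 ] || return 1
    case $u in *[!A-Za-z0-9+=,.@_-]*) return 1 ;; esac
}

# Prints one "ERR ..." line per problem; returns 0 only if the file is clean.
validate_csv() {
    file=$1 errors=0 seen="" lineno=0
    if grep -q "$(printf '\r')" "$file"; then
        echo "ERR file: CRLF line endings found; run dos2unix first (Step 3)"
        errors=$((errors + 1))
    fi
    # Same separators as the Step 4 script, so both read the rows identically.
    while IFS=',;' read -r user group password || [ -n "$user" ]; do
        lineno=$((lineno + 1))
        user=${user%$'\r'} password=${password%$'\r'}
        if [ "$lineno" -eq 1 ]; then
            [ "$user,$group,$password" = "user,group,password" ] \
                || { echo "ERR line 1: header must be user,group,password"; errors=$((errors + 1)); }
            continue
        fi
        username_ok "$user"     || { echo "ERR line $lineno: bad user name '$user'"; errors=$((errors + 1)); }
        group_ok "$group"       || { echo "ERR line $lineno: unknown group '$group' for $user"; errors=$((errors + 1)); }
        password_ok "$password" || { echo "ERR line $lineno: password for $user violates policy"; errors=$((errors + 1)); }
        case " $seen " in *" $user "*) echo "ERR line $lineno: duplicate user '$user'"; errors=$((errors + 1)) ;; esac
        seen="$seen $user"
    done < "$file"
    [ "$errors" -eq 0 ]
}

# Constructed sample input (not real users): one clean file, one with problems.
SAMPLE_GOOD=$(mktemp) SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
user,group,password
alice.admin,CloudAdmin,Str0ng!Passw0rd#1
bob_dba,DBA,Another#Secur3Pw
EOF
cat > "$SAMPLE_BAD" <<'EOF'
user,group,password
alice.admin,CloudAdmin,Str0ng!Passw0rd#1
carol,SecurityAdmin,Str0ng!Passw0rd#1
alice.admin,Trainee,short1!A
dave smith,Trainee,Str0ng!Passw0rd#1
EOF

validate_csv "$SAMPLE_GOOD" && echo "clean: $SAMPLE_GOOD"
validate_csv "$SAMPLE_BAD"  || echo "rejected: $SAMPLE_BAD"
```

Run it as `./validate-users.sh` before Step 7; in practice you would call `validate_csv users.csv || exit 1` at the top of the migration script so that a rejected file never reaches `aws iam create-user`.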
Step 5: Upload the Script into AWS CLI and Give It Executable Permission
After crafting our automation script, we will upload it into the AWS CLI and grant it proper execution permissions. This step ensures that the script can seamlessly interact with AWS resources.
Step 6: Upload the User Database into AWS CLI
Upload the previously prepared user database to the AWS CLI.
Step 7: Run the Script Against the User File
Execute the script, and watch as IAM users are automatically created and assigned to their respective groups.
Step 8: Enforce MFA
Enhance security by enforcing Multi-Factor Authentication (MFA) for all users. Create a new policy that mandates MFA and attach it to all user groups. This adds an additional layer of security to your AWS environment.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": "iam:ListVirtualMFADevices",
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListUsers",
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "iam:ChangePassword",
                "iam:CreateUser",
                "iam:CreateLoginProfile",
                "iam:AddUserToGroup",
                "sts:GetSessionToken"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
Step 9: Strengthen Password Policies
Password security is paramount. Change the default password policy to align with your organization’s security standards. Configure a custom password policy for all IAM users, setting a minimum password length of 13 characters, requiring a combination of uppercase and lowercase letters, numbers, and special characters.
Step 10: Enable MFA for All Users
Make sure MFA is enabled for all users, enhancing the overall security posture of your AWS environment.
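Steps 8 to 10 are described in prose above; the script below is an added example (not the post's own code) of doing them from the AWS CLI in one pass: it creates the MFA policy from the Step 8 document saved as a JSON file, attaches it to the five Step 2 groups, applies the Step 9 password policy, and then lists every console user whose IAM credential report still shows `mfa_active` as false, which is the check Step 10 asks for. With `DRY_RUN=1` each `aws` call is printed rather than executed, so the rollout can be reviewed before credentials are involved. The policy name `ForceMFA`, the file name `force-mfa-policy.json`, the function names and the sample credential report are assumptions; `123456789012` is the placeholder account id used in AWS documentation. One caveat worth checking before attaching the policy to CloudAdmin: the Step 8 `NotAction` list also exempts `iam:CreateUser`, `iam:CreateLoginProfile` and `iam:AddUserToGroup`, so a session without MFA can still perform those three actions; confirm that exemption is intended for your environment.

```shell
#!/bin/bash
# Added example (not the original post's code): the AWS CLI side of Steps 8-10.
# Creates the MFA policy from the Step 8 JSON saved to a file, attaches it to
# the five Step 2 groups, applies the Step 9 password policy, and lists console
# users whose credential report still shows mfa_active=false. With DRY_RUN=1
# every aws call is printed instead of executed. Policy name, file name and the
# sample report are assumptions; 123456789012 is the AWS-docs placeholder account.

IAM_GROUPS="CloudAdmin LinuxAdmin DBA NetworkAdmin Trainee"
MFA_POLICY_NAME=${MFA_POLICY_NAME:-ForceMFA}
MFA_POLICY_FILE=${MFA_POLICY_FILE:-force-mfa-policy.json}

# Runs an AWS CLI command, or prints it when DRY_RUN=1.
run_aws() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "aws $*"
    else
        aws "$@"
    fi
}

# Step 8: create the customer-managed policy once, then attach it to every group.
# Re-running reports EntityAlreadyExists on create-policy; the attach calls are idempotent.
attach_mfa_policy() {
    account_id=$1
    policy_arn="arn:aws:iam::${account_id}:policy/${MFA_POLICY_NAME}"
    run_aws iam create-policy --policy-name "$MFA_POLICY_NAME" \
        --policy-document "file://$MFA_POLICY_FILE"
    for g in $IAM_GROUPS; do
        run_aws iam attach-group-policy --group-name "$g" --policy-arn "$policy_arn"
    done
}

# Step 9: account-wide password policy matching the post's requirements.
set_password_policy() {
    run_aws iam update-account-password-policy \
        --minimum-password-length 13 \
        --require-uppercase-characters --require-lowercase-characters \
        --require-numbers --require-symbols
}

# Step 10 check: reads an IAM credential report (CSV) on stdin and prints the
# users who can log in to the console (password_enabled=true) without MFA.
# Column positions are looked up from the header row, not hard-coded.
users_without_mfa() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["password_enabled"] == "true" && $col["mfa_active"] == "false" { print $col["user"] }'
}

# Fetches the live report. Generation is asynchronous, so poll until COMPLETE.
audit_mfa() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run_aws iam generate-credential-report
        run_aws iam get-credential-report --query Content --output text
        return 0
    fi
    until [ "$(aws iam generate-credential-report --query State --output text)" = COMPLETE ]; do
        sleep 2
    done
    aws iam get-credential-report --query Content --output text | base64 -d | users_without_mfa
}

# Constructed credential report (not real data) with the columns the check uses.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false
alice.admin,arn:aws:iam::123456789012:user/alice.admin,2023-09-01T00:00:00+00:00,true,no_information,2023-09-01T00:00:00+00:00,N/A,true,false
bob_dba,arn:aws:iam::123456789012:user/bob_dba,2023-09-01T00:00:00+00:00,true,no_information,2023-09-01T00:00:00+00:00,N/A,false,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-09-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true'

# Offline demo on the sample: prints bob_dba (console user, no MFA device).
printf '%s\n' "$SAMPLE_REPORT" | users_without_mfa

# Live rollout: ./mfa-rollout.sh <account-id>   (prefix with DRY_RUN=1 to preview)
if [ $# -ge 1 ]; then
    attach_mfa_policy "$1"
    set_password_policy
    audit_mfa
fi
```

Run `DRY_RUN=1 ./mfa-rollout.sh 123456789012` first and read the printed commands, then run it without `DRY_RUN` from CloudShell with an admin session that already has MFA. Any user name printed by the final audit is a migrated user who still has to register a device; the Deny statement in the Step 8 policy keeps such a session limited to the MFA-enrolment actions until they do.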
Step 11: Test the Migration
Finally, log in and rigorously test your project to ensure that all users have been successfully migrated to the new platform. This step confirms that your automation efforts have yielded the desired results.
Conclusion
Automating user migration and IAM resource management in AWS not only saves time but also enhances security by enforcing best practices like MFA and robust password policies. By following these steps, you can confidently navigate the complexities of AWS IAM, streamline user management, and bolster security, making your cloud environment more efficient and secure.