Using AWS IAM Service Users for Applications and Automation

Introduction

AWS IAM Users are identities that can interact with AWS. By default, a new user has no permissions; permissions are then assigned for the specific actions that user needs to perform.

For example, you might create an IAM user for a temporary contractor that you have brought in to perform a specific task within your organization. That user can be assigned the required permissions for the specific task they are performing.

Users can authenticate to AWS with a password, an access key, an SSH key (for CodeCommit) or a server certificate.

In Turbot, custom IAM Users created for applications are called Service Users.

Guardrails for Service Users

Turbot automatically detects, checks and locks down IAM Service Users, keeping your account safely under control. There is one main area of control:

  1. Locking down IAM permissions, ensuring Service Users in the account are limited to the same permissions as other Turbot Directory users in the account.

Creating an IAM User (Service User)

Service Users can be created in Turbot-managed AWS accounts by any user with Owner-level permissions. This is further governed by the Turbot policies described below.

AWS > IAM > Service User Management

This policy can be set to one of:

  • Disabled
  • Enabled
  • Enabled if AWS > IAM > Enabled (Default)

If Enabled, this policy will grant Allow permissions to Owners, allowing them to create and delete Service Users (but not under the protected Turbot user path).

If Disabled, this policy will apply a lockdown and grant Deny permissions to all users, preventing anyone from creating and deleting Service Users.

AWS > IAM > Service User Access Key Management

This policy can be set to one of:

  • Disabled
  • Enabled
  • Use AWS > IAM > Service User Management (Default)

If Enabled, this policy will grant Allow permissions to Owners, allowing them to manage access keys for Service Users (but not under the protected Turbot user path).

If Disabled, this policy will apply a lockdown and grant Deny permissions to all users, preventing anyone from managing access keys for Service Users.

AWS > IAM > Service User Password Management

This policy can be set to one of:

  • Disabled (Default)
  • Enabled
  • Use AWS > IAM > Service User Management

If Enabled, this policy will grant Allow permissions to Owners, allowing them to manage passwords for Service Users (but not under the protected Turbot user path).

If Disabled, this policy will apply a lockdown and grant Deny permissions to all users, preventing anyone from managing passwords for Service Users.

Through a combination of these policies, users with Owner permissions can be allowed to manage access keys and passwords for Service Users in a Turbot-managed account without being able to create or delete the users themselves.
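The following is an added example, not Turbot's own code: it models the three policies above, their inheritance defaults and the Allow/Deny effect each setting produces, then evaluates the combination just described. The policy keys, the aws_iam_enabled flag and the mapping of IAM actions to policies are assumptions made for illustration.

```python
"""Resolve Turbot's Service User policies to the IAM effect they produce.
Added example, not Turbot's code: it models only the rules this page
states (Enabled grants Allow to Owners, Disabled denies everyone, the
default inherits the parent setting). Policy keys, the aws_iam_enabled
flag and the action-to-policy mapping are assumptions for illustration.
"""

# Page defaults; "inherit" stands for "Enabled if AWS > IAM > Enabled"
# and "Use AWS > IAM > Service User Management" respectively.
DEFAULTS = {
    "service_user_management": "inherit",
    "access_key_management": "inherit",
    "password_management": "Disabled",
}

# Assumed mapping of IAM actions to the Turbot policy that governs them.
ACTION_POLICY = {
    "iam:CreateUser": "service_user_management",
    "iam:DeleteUser": "service_user_management",
    "iam:CreateAccessKey": "access_key_management",
    "iam:DeleteAccessKey": "access_key_management",
    "iam:CreateLoginProfile": "password_management",
    "iam:UpdateLoginProfile": "password_management",
}

def resolve(settings, aws_iam_enabled=True):
    """Return the effective Enabled/Disabled value of each policy."""
    merged = {**DEFAULTS, **settings}
    if any(v not in ("Enabled", "Disabled", "inherit") for v in merged.values()):
        raise ValueError(f"unknown policy value in {merged}")
    parent = merged["service_user_management"]
    if parent == "inherit":  # falls back to whether AWS > IAM is enabled
        parent = "Enabled" if aws_iam_enabled else "Disabled"
    effective = {"service_user_management": parent}
    for child in ("access_key_management", "password_management"):
        effective[child] = parent if merged[child] == "inherit" else merged[child]
    return effective

def effect_for(action, settings, aws_iam_enabled=True):
    """Describe who may perform an IAM action under the given settings."""
    value = resolve(settings, aws_iam_enabled)[ACTION_POLICY[action]]
    return "Allow for Owners" if value == "Enabled" else "Deny for all users"

if __name__ == "__main__":
    # The combination the text describes: Owners rotate keys and passwords
    # of Service Users but cannot create or delete the users themselves.
    combo = {"service_user_management": "Disabled",
             "access_key_management": "Enabled", "password_management": "Enabled"}
    for action in ACTION_POLICY:
        print(f"{action}: {effect_for(action, combo)}")
```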
