Using AWS Service Accounts with Access Keys for Applications


Applications running in AWS often need to call AWS services; for example, a server may need to write to DynamoDB tables. IAM Service Roles are preferred, because the credentials they provide are temporary and rotated automatically, but sometimes an AWS IAM User with a long-lived access key and secret key pair is required.

In Turbot, these custom IAM Users are called Service Accounts.

Guardrails for Service Accounts

Turbot automatically detects, checks and locks down IAM Service Accounts, keeping your account safely under control. Specifically, Turbot applies its IAM Lockdown policies so that Service Accounts are limited to the same permissions as other users in the account.

Creating an IAM User (Service Account)

IAM Users (Service Accounts) can be created in Turbot managed AWS accounts by any user with Owner level permissions. Owner level access is required because a Service Account is delegated access to the AWS account, so its creation needs careful control.

Turbot considers application level IAM Roles to be Service Roles; they are the cloud equivalent of Service Accounts. An IAM User with an access key pair (a Service Account) is the alternative for the cases where an IAM Role cannot be used.

IAM Users can be created directly in AWS through the Console or API.

Granting Permissions to Service Accounts

A newly created Service Account has no permissions to use AWS services. Owners must add the access permissions their application and services require to the Service Account (IAM User).

Permissions may be granted to Service Accounts by:

  1. Using Turbot’s predefined IAM Groups.
  2. Using AWS Managed Policies.
  3. Creating custom IAM policies.

Under a least privilege approach, Owners should grant a Service Account only the specific actions and resources its application requires. Turbot safely allows direct editing of Service Account permissions because its IAM Lockdown policies are enforced regardless of what is granted. Be aware that the explicit deny statements created by Turbot take precedence over any allow policies granted to the Service Account: in IAM policy evaluation an explicit deny always overrides an allow.
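The following is an added example and not Turbot's code or its actual guardrail policies. It shows a custom least-privilege policy for a Service Account that only needs to write to one DynamoDB table, alongside an illustrative lockdown policy of the kind described above, and a simplified model of IAM's evaluation order that demonstrates why the explicit deny wins even when an over-broad allow is attached. The account ID, table ARN and the contents of the lockdown policy are assumptions made for the example.

```python
"""Least-privilege custom policy for a Service Account and a simplified
model of how IAM combines Allow and explicit Deny statements.

Constructed example: the account ID, table ARN and the shape of the
lockdown policy are assumptions, not Turbot's real guardrail policies.
"""
import fnmatch
import json

# Assumed identifiers for the example.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"

# Custom least-privilege policy: the application only needs to write
# to one table, so it gets only the write actions on only that ARN.
APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteOrdersTable",
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem",
                       "dynamodb:BatchWriteItem"],
            "Resource": TABLE_ARN,
        }
    ],
}

# An over-broad policy someone might attach to the Service Account by mistake.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Illustrative lockdown policy (assumed shape): the Service Account may not
# change IAM and may not touch DynamoDB outside the approved region.
LOCKDOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIamChanges", "Effect": "Deny",
         "Action": "iam:*", "Resource": "*"},
        {"Sid": "DenyOtherRegions", "Effect": "Deny",
         "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:eu-west-1:*:*"},
    ],
}


def _matches(pattern, value, fold_case=False):
    """Match an Action or Resource field (string or list, '*' and '?'
    wildcards) against a value. Action names are case-insensitive in IAM."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Simplified IAM decision for identity-based policies only: any
    matching explicit Deny wins, otherwise a matching Allow grants access,
    otherwise the request is implicitly denied. Conditions, NotAction /
    NotResource, resource policies and SCPs are not modelled."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def service_account_decision(action, resource, extra_policies=()):
    """Decision for the Service Account: its own policies plus the lockdown
    guardrail, which is always present no matter what an Owner attaches."""
    return evaluate([APP_POLICY, *extra_policies, LOCKDOWN_POLICY],
                    action, resource)


def policy_json():
    """The least-privilege policy as it would be pasted into IAM."""
    return json.dumps(APP_POLICY, indent=2)


if __name__ == "__main__":
    print(policy_json())
    checks = [
        ("dynamodb:PutItem", TABLE_ARN, ()),
        ("dynamodb:DeleteTable", TABLE_ARN, ()),
        ("iam:CreateAccessKey", "arn:aws:iam::123456789012:user/app",
         (OVERBROAD_POLICY,)),
        ("dynamodb:PutItem",
         "arn:aws:dynamodb:eu-west-1:123456789012:table/orders",
         (OVERBROAD_POLICY,)),
    ]
    for action, resource, extra in checks:
        print(f"{action:24} {service_account_decision(action, resource, extra)}")
```

The write to the approved table is allowed, `DeleteTable` is implicitly denied because nothing grants it, and the two requests that match the lockdown statements are explicitly denied even with the `Allow *` policy attached. For real policies, check the same questions with the IAM policy simulator rather than this simplified evaluator.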

Managing Access & Secret Key Pairs

Owners can create, manage and delete access and secret key pairs for Service Accounts directly in the AWS Console. Because these keys are long-lived credentials, rotate them regularly and delete any key that is no longer in use.
