06 - CLI Demo Flashcards
Least Privilege
- Always give your users the minimum amount of access required
Create Groups
- Assign your users to groups
- Your users will automatically inherit the permissions of the group
- The group's permissions are assigned using policy documents (JSON), so you write the policy once and every member inherits it
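The two cards above, worked through in code as an added example (this is not from the flashcards or from AWS): a helper that builds a scoped policy document for a group from explicit action/resource pairs, beside a check that flags statements broader than least privilege. The group name, bucket ARN and policy contents are assumptions made up for illustration.

```python
# Added example, not part of the flashcards: build a scoped IAM policy document
# for a group and check it for obvious least-privilege violations. The bucket
# ARN and the policies themselves are assumptions made up for illustration.
import json

# Constructed: the kind of over-broad statement to avoid. Any user placed in a
# group carrying this policy inherits full administrator rights.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_group_policy(statements):
    """Build an IAM policy document from (actions, resources) pairs.

    Each pair becomes one Allow statement listing only those actions on only
    those resource ARNs, which is what least privilege asks for.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(set(actions)),
                "Resource": sorted(set(resources)),
            }
            for actions, resources in statements
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def least_privilege_findings(policy):
    """Return findings for Allow statements that are broader than least
    privilege: wildcard actions, wildcard resources, or NotAction/NotResource
    (which allow everything except what is listed)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


# Assumed group policy: developers may only read and write objects in one
# bucket and list that bucket, nothing else in the account.
DEVELOPER_POLICY = build_group_policy([
    (["s3:GetObject", "s3:PutObject"], ["arn:aws:s3:::example-dev-bucket/*"]),
    (["s3:ListBucket"], ["arn:aws:s3:::example-dev-bucket"]),
])


def policy_document_json(policy):
    """Serialise a policy document so it can be written to a file for the CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_document_json(DEVELOPER_POLICY))
    print("admin findings:", least_privilege_findings(ADMIN_POLICY))
    print("developer findings:", least_privilege_findings(DEVELOPER_POLICY))
```

Write the JSON to a file and attach it to the group with `aws iam create-group`, `aws iam put-group-policy --policy-document file://...` and `aws iam add-user-to-group`; running the checker over any policy document before attaching it catches the `"Action": "*"` / `"Resource": "*"` shortcut that quietly turns a group into administrators.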
Secret Access Key
- You will see this only once
- If you do not save it, delete that access key (the Access Key ID and Secret Access Key go together) and create a new one
- You will then need to run "aws configure" again with the new key
Do not use just one access key
- Do not create a single access key and share it with all your developers
- If a developer leaves the company on bad terms, you would have to delete the shared key and create a new one, forcing every other developer to update their configuration
- Instead, create one access key per developer, so a single key can be revoked without affecting anyone else
You can use the AWS CLI on your local laptop
Obtaining Command Line Tools on Laptop
Download / Install Python: https://www.python.org/downloads/
$ which python
$ ls -al /usr/bin/python
$ curl -O https://bootstrap.pypa.io/get-pip.py
$ python3 get-pip.py --user
$ pip --version
pip 9.0.1 from /Library/Python/2.7/site-packages/pip-9.0.1-py2.7.egg (python 2.7)
$ pip3 install awscli
$ aws --version
aws-cli/1.14.32 Python/3.6.4 Darwin/17.4.0 botocore/1.8.36
Configure Laptop to Use Access Key ID and Secret Access Key
$ aws configure
AWS Access Key ID [None]: AKIAJRZM5PW6RABWXK5A
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
SSH to EC2 Instance
$ cd '/Users/mmarkl00/Google Drive/ssh-aws-2019'
$ ls -l
$ ssh -i MyEC2keyPair-2019.pem ec2-user@3.85.20.192
$ sudo su -
# aws configure
AWS Access Key ID [None]: AKIAJRZM5PW6RABWXK5A
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Risks of Storing Credentials on EC2 Instance
- If port 22 (SSH) is open to the Internet and someone obtains your private key MyEC2keyPair.pem
- They can log in to the instance and read the AWS CLI credentials stored there (in ~/.aws/credentials)
- They can then install the command line tools on their own laptop and use those credentials to access your account from anywhere
- Long-lived credentials stored on the instance are not secure; the more secure way is to attach an IAM role to the instance, so the CLI obtains short-lived credentials automatically and nothing has to be stored on disk
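As an added example (not from the flashcards or from AWS), the audit a practitioner would run on an instance like the one above: parse a ~/.aws/credentials file and report every profile that stores an access key, distinguishing long-lived IAM keys (AKIA prefix) from temporary session keys (ASIA prefix), and beside it a summary of what role credentials fetched from the instance metadata service look like, so the difference is concrete. The credentials file and the metadata response are constructed samples; the key values are placeholders, not real keys.

```python
# Added example, not part of the flashcards: audit an instance for long-lived
# access keys left on disk by "aws configure", and contrast them with the
# temporary credentials an attached IAM role provides. All sample data below
# is constructed; the key values are placeholders, not real keys.
import configparser
import json
import re

# Long-lived keys created in IAM start with AKIA; temporary keys issued to a
# role (or any STS session) start with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed: what /root/.aws/credentials looks like after the "aws configure"
# run on the instance above.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed: the shape of the response the CLI reads from the instance
# metadata service when an IAM role is attached
# (http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>).
SAMPLE_ROLE_RESPONSE = """{
  "Code": "Success",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE02",
  "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1",
  "Token": "EXAMPLEsessionTokenEXAMPLE",
  "Expiration": "2019-06-01T12:00:00Z"
}"""


def find_stored_keys(credentials_text):
    """Parse ~/.aws/credentials content and report every profile that stores
    an access key: the profile name, the key id, whether the key is long-lived
    (AKIA) or temporary (ASIA), and whether the secret is stored beside it."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    found = []
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id")
        if not key_id:
            continue
        if not ACCESS_KEY_ID_RE.match(key_id):
            kind = "unknown"
        elif key_id.startswith("AKIA"):
            kind = "long-lived"
        else:
            kind = "temporary"
        found.append({
            "profile": profile,
            "access_key_id": key_id,
            "kind": kind,
            "has_secret": parser[profile].get("aws_secret_access_key") is not None,
        })
    return found


def role_credentials_summary(imds_json_text):
    """Summarise role credentials fetched from the metadata service: they are
    temporary (ASIA prefix), carry a session token and expire, so nothing has
    to be written to disk and a leaked copy stops working by itself."""
    creds = json.loads(imds_json_text)
    return {
        "access_key_id": creds["AccessKeyId"],
        "temporary": creds["AccessKeyId"].startswith("ASIA"),
        "has_session_token": bool(creds.get("Token")),
        "expires": creds.get("Expiration"),
    }


if __name__ == "__main__":
    for hit in find_stored_keys(SAMPLE_CREDENTIALS_FILE):
        print(f"profile {hit['profile']}: {hit['kind']} key {hit['access_key_id']}")
    print(role_credentials_summary(SAMPLE_ROLE_RESPONSE))
```

On a real instance, feed `find_stored_keys` the contents of every user's ~/.aws/credentials (root's included, since the flashcard configures the key after `sudo su -`); any "long-lived" hit is a key that should be deleted in IAM and replaced by a role attached to the instance.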