Installing AWS CLI & Some IAM Security (AWS)


The AWS (Amazon Web Services) CLI (Command Line Interface) offers a faster approach to interacting with AWS, especially if you are already used to CLIs like the Linux or Mac OS X terminal.

Installing AWS CLI

The AWS CLI can be installed on Linux or Mac OS X by entering:

pip install awscli

A prerequisite is that Python 2.6.5 or higher is installed. For more information on the install, check out https://aws.amazon.com/cli/

But Wait…

Before using the AWS CLI it is highly recommended to make sure your AWS account has some security in place, which I’ll run through now.

The security settings for your AWS account are set in the IAM (Identity and Access Management) section of AWS, found under the Security, Identity & Compliance section of Services.

AWS Services menu

If you have not changed any settings via IAM and you are logged in using the account you signed up to AWS with, then you will probably be greeted with the following screen showing that only 1 out of 5 security options have been enabled.

1 out of 5 security actions completed

First, I recommend setting up Multi-Factor Authentication (MFA) on your account asap. Then it’s time to create an individual IAM user. This may sound a little crazy as you already have a user account, but your primary AWS account has root powers and should not be used unless it really really really needs to be. In fact, AWS will give you a similar warning if you expand the “Create individual IAM users” drop down.

AWS root should not be used for day-to-day AWS use

Click the “Manage Users” button and it will give you the option to create a new AWS user account. AWS will ask for a username and what type of access the account needs.

Adding a user to AWS

Programmatic access – provides an access key and a secret access key for use with the AWS API (Application Programming Interface), SDK (Software Development Kit) and CLI (Command Line Interface). This is the option I’m choosing as I want to use the account with the AWS CLI.

AWS Management Console access – if the account is for use with the AWS web management console then choose this option, and it will allow for a password to be used.

AWS will then ask what permissions the user account should have.

Permissions, Permissions, Permissions

Add user to group – if you are going to be adding multiple users with similar permissions then it may be easier to create a group (or groups), give the permissions to the groups and then add the users to the groups.

Copy permissions from existing user – already got a user that has the permissions, then you can copy them from that user to your new user.

Attach existing policies directly – AWS has already created a lot of policies that give lots of different permissions, I would recommend expanding a few and having a read.

With some permissions chosen AWS will ask you to tag the account.

Tag, you’re it!

In my previous blog I hinted at how important tagging is and I’ll write it again – tagging is important. Decide on the tags you want to use within AWS and implement them. Tagging makes identifying resources easier, makes reporting easier and helps with security.

After tagging the account, AWS will confirm the settings chosen.

Confirmation of new AWS IAM user

For this account I’ve given it the AdministratorAccess policy and tagged it as User-Role:Admin. For best security procedures: Don’t do this. Start with least privilege (lowest permissions) and only grant what is needed. 
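A least-privilege alternative to AdministratorAccess, as an added example that is not from the original post: a customer-managed policy that allows only the bucket listing that `aws s3 ls` performs, with a guard that rejects a wildcard action. The policy name `cli-s3-list-only` and the helper function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). POLICY_NAME is a hypothetical name.
POLICY_NAME="cli-s3-list-only"

# Write a policy document that allows one action only: listing buckets,
# which is all that `aws s3 ls` (with no bucket argument) needs.
write_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucketsOnly",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
EOF
}

# Text check (not a full policy parser): fail if the document grants every
# action, i.e. "Action": "*" or an Action array starting with "*".
policy_is_scoped() {
  ! grep -Eq '"Action"[[:space:]]*:[[:space:]]*\[?[[:space:]]*"\*"' "$1"
}

# Create the managed policy and attach it to an existing IAM user.
# Usage: apply_policy IAM_USER_NAME   (needs credentials allowed to edit IAM)
apply_policy() {
  doc="$(mktemp)" || return 1
  write_policy "$doc"
  if ! policy_is_scoped "$doc"; then
    echo "refusing to create a wildcard policy" >&2
    rm -f "$doc"; return 1
  fi
  arn="$(aws iam create-policy --policy-name "$POLICY_NAME" \
        --policy-document "file://$doc" \
        --query 'Policy.Arn' --output text)"
  rc=$?
  rm -f "$doc"
  [ "$rc" -eq 0 ] || return "$rc"
  aws iam attach-user-policy --user-name "$1" --policy-arn "$arn"
}
```

Source the file and run `apply_policy` with the new user's name from a profile that is allowed to manage IAM; add further actions to the document only as the user actually needs them.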

AWS will then show you the account’s access key ID and secret access key. Please make sure to note these down, or download them to a safe location. If the secret access key is lost then it cannot be recovered but can be regenerated (i.e. a new key is made).

Back to AWS CLI

With all that sorted, back to the AWS CLI. After using pip to install awscli, open the terminal (Linux or Mac OS X) and type:

aws configure


awscli will now ask for:

Once those have been entered, awscli will create a hidden folder (.aws) in the root of your home directory containing two files, “config” and “credentials”.

.aws folder

These can be read using cat filename (e.g. cat config), with the config file containing the default region and output settings entered in configuration and the credentials file containing the credential keys entered in configuration.

aws cli cat config file

But what if you have multiple AWS accounts to access (i.e. a personal one, a work one and one where you help out)? AWS CLI allows for multiple profiles to be set up, to create a second (or third, fourth, etc…) just type:

aws configure --profile NAME_FOR_NEW_PROFILE

aws cli create a 2nd profile

The details for the 2nd (or 3rd, 4th, etc…) profile will be stored in the same config / credentials files discussed above.
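Because the credentials file described above holds every profile's secret access key in plain text, it is worth checking without printing its contents. The following is an added example, not part of the original post: it lists the profile names, counts the stored secret keys and checks that only the file's owner can read it. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): audit the AWS CLI credentials
# file without ever echoing a key value.

# Print the octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file is accessible by its owner alone.
creds_private() {
  case "$(file_mode "$1")" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Print profile names ([default], [work], ...) one per line.
list_profiles() {
  sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Count the long-lived secret keys stored in the file.
count_static_keys() {
  grep -c '^aws_secret_access_key' "$1"
}

# Usage: audit_credentials [FILE]   (defaults to ~/.aws/credentials)
audit_credentials() {
  f="${1:-$HOME/.aws/credentials}"
  [ -f "$f" ] || { echo "no credentials file at $f"; return 2; }
  echo "profiles: $(list_profiles "$f" | tr '\n' ' ')"
  echo "static secret keys: $(count_static_keys "$f")"
  if creds_private "$f"; then
    echo "permissions OK ($(file_mode "$f"))"
  else
    echo "permissions too open ($(file_mode "$f")); fix with: chmod 600 $f"
    return 1
  fi
}
```

Source the file and run `audit_credentials`; a non-zero exit status means the file is missing or readable by other accounts on the machine.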

Running A Command

I am going to look at a future blog post to cover some AWS CLI commands but the syntax for commands is:

aws options command parameters

For example, to list all S3 buckets:

aws s3 ls

To run the same command from a different profile:

aws --profile NAME_FOR_NEW_PROFILE s3 ls

Help is available via aws help.
