Home > Enterprise >  Best practice AWS access key and secret for applications
Best practice AWS access key and secret for applications

Time:01-02

What is the best practice for using the AWS and secret access keys when setting up the AWS application?

To get the access key and access secret, create an IAM account, but the IAM account is associated with a user, not with an application. What is the best to get an access key and access secret that is specific to an application (or different application environments, production, staging, etc.?) if the IAM users are meant to be for actual users and not for applications?

CodePudding user response:

You wouldn't assign an IAM user to an application, typically you use an IAM Role.

To understand the difference, let us go through IAM basic knowledge

IAM controls: Who (authentication) can do What (authorization) in your AWS account. Authentication(who) with IAM is done with users/groups and roles whereas authorization(what) is done by policies.

Here the term

  • User - End user think about people

  • Groups- a set of users under one set of permission(policies)

  • Roles - are used to grant specific permission to specific actors for a set of duration of time. These actors can be authenticated by AWS or some trusted external system.

User and roles use policies for authorization. Keep in mind that user and role can't do anything until you allow certain actions with a policy.

Answer the following questions and you will differentiate between a user and a role:

  • Can have a password? Yes-> user, No-> role
  • Can have an access key? Yes-> user, No-> role
  • Can belong to a group? Yes-> user, No -> role
  • Can be associated with AWS resources (for example EC2 instances)? No-> user, Yes->role

AWS supports 3 Role Types for different scenarios

  • AWS service roles (for example: EC2, Lambda, Redshift,...)
  • Cross-Account Access: granting permissions to users from other AWS account, whether you control those account or not.
  • Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation: - Web-based identity such as Facebook, Goolge- IAM support ingeration via OpenID Connect - SAML 2.0 identity such as Active Directory, LDAP.

To understand what role is, you need to read its use case, I don't want to reinvent the wheel so please read the following AWS documents: https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

Hope it helps.

  • Related