Security As Code— Secure AWS Access Using Terraform Managed IAM Groups/Users

What Is AWS IAM?

AWS IAM stands for “Identity and Access Management”, it is a AWS web service that helps you securely control access to your AWS resources. When you first create an AWS account, you begin the root user and is accessed by signing in with the email address and password that you used to create the account. I strongly recommend you do not use root user for your AWS tasks. Instead, you should use IAM Groups to define different type/category of access, and assign IAM users to each different groups.

IAM Group

Like any other groups, IAM Group is just a collection of users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. It is important for you to create different groups for your organization, to best secure and manage your AWS resources.

Security as Code: Use Terraform for IAM Groups/Users Management

Created by HashiCorp, Terraform allows you to use Infrastructure as Code to provision and manage any cloud, infrastructure, or services. In this blog, I will show you how to use Terraform to create a IAM Group and two IAM Users , to control your application developers’ access to AWS resources.

Background

You have an application called “testapp”, it runs on EC2 instance and has data stored in AWS s3 buckets. As the app owner, you only want to grant developer accesses to the EC2 instance and s3 bucket.

Steps

  • Create iam_policy.tf file
data "aws_iam_policy_document" "testapp_developer" {

# s3 full access
statement {
effect = "Allow"
actions = ["s3:*"]
resources = [
"arn:aws:s3:::${var.s3_bucket_name}",
"arn:aws:s3:::${var.s3_bucket_name}/*"
]
}

# EC2 restricted access
statement {
effect = "Allow"
actions = ["ec2:*"]
resources = ["arn:aws:ec2:${var.region}:${var.account}:instance/*"]
condition {
test = "StringLike"
values = ["testapp"]
variable = "ec2:ResourceTag/App"
}
}
}

resource "aws_iam_policy" "testapp_developer" {
name = "testapp_developer_policy"
description = "Policy for develop testapp"
policy = data.aws_iam_policy_document.testapp_developer.json
}
  • Create variables.tf file, which defines all the variables
variable "account" {
default = "xxxxxxx" # Replace with your account ID
}

variable "region" {
default = "us-east-1"
}

variable "prefix" {
default = "testapp-prefix"
}

variable "s3_bucket_name" {
default = "testapp-bucket"
}
  • Create iam_groups.tf file, which defines the group and users
provider "aws" {
profile = "profile" # Replace with your profile
region = "us-east-1"
}

resource "aws_iam_group" "testapp_developer" {
name = "TestappDeveloper"
}

resource "aws_iam_group_policy_attachment" "custom_policy" {
group = aws_iam_group.testapp_developer.name
policy_arn = aws_iam_policy.testapp_developer.arn
}

resource "aws_iam_group_membership" "developer" {
group = aws_iam_group.testapp_developer.name
name = "testapp-developers"
users = [
aws_iam_user.testapp_developer_user_one.name,
aws_iam_user.testapp_developer_user_two.name
]
}

resource "aws_iam_user" "testapp_developer_user_one" {
name = "testapp-dev1"
}

resource "aws_iam_user" "testapp_developer_user_two" {
name = "testapp-dev2"
}

Test and Run

  • Initialize the terraform working directory
$ terraform init
  • Rewrite all configuration files to a canonical format and style
$ terraform fmt
  • Validate the syntax
$ terraform validate
Success! The configuration is valid.
  • Actual deploy
$ terraform apply....
Plan: 6 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes

You can see once deployed, you will have a “TestappDeveloper” group in your AWS IAM and two users created and assigned to this group.

--

--

--

Senior Cloud Engineer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Schedule Netlify builds with GitHub Actions

The Collab.Land Command Center is Here!

TryHackMe-Learn_Linux_Walkthrough

https://www.tryhackme.com/room/zthlinux

Amazon SQS

Performance testing for beginners part 1: First step to the chaos world

Tutorial: How to use Composer in Scriptcase

What is DevOps?

How to start Activity from Dynamic Feature Module on Android.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tony

Tony

Senior Cloud Engineer

More from Medium

IaC with Terraform and AWS: Overview

Using AWS Session Manager With Ansible To Execute Playbook On EC2

Learn Docker: Containers (2/6)

How to deploy a Kubernetes cluster on AWS with Terraform & kops