Creating AWS Credentials Using IAM Access Keys

Note: CloudCheckr strongly recommends that you create credentials using a role for cross-account access, because it is a more secure way of granting programmatic access to your AWS accounts. IAM access keys require periodic rotation and can be shared or stolen.


To analyze your Amazon Web Services (AWS) account, CloudCheckr needs credentials for the account. The preferred method for creating credentials is to create a role for cross-account access.

You can also create credentials using IAM access keys. Each access key consists of an access key ID and a secret access key, and you create them using the Identity and Access Management (IAM) service in AWS.

This procedure focuses on creating credentials using IAM access keys, and specifically shows you how to:

  • create an IAM user group
  • attach the AWS Read-Only Access policy to the IAM user group
  • create an IAM user and add it to the IAM user group
  • add a secondary policy
  • attach the secondary policy to the IAM user group

CREATE AN IAM GROUP AND ATTACH THE AWS READ-ONLY ACCESS POLICY

CloudCheckr recommends that all IAM users belong to IAM groups. This best practice lets you apply permission changes once, at the group level, and have them flow down automatically to every user in the group.

After you create the IAM group, we recommend that you attach the default AWS Read-Only Access policy so that CloudCheckr can query your AWS account.

Step 1:

Log in to the Amazon Web Services Management Console.

Step 2:

From the AWS Services screen, under Security, Identity & Compliance, select IAM.

Step 3:

Click the Groups link on the left side of the console.

Step 4:

Click the Create Group button.

Step 5:

Type a group name. We recommend naming the group CloudCheckr for easy identification. Click Next Step.

Step 6:

Navigate to and select the ReadOnlyAccess policy from the list of policies. Click Next Step.

Step 7:

Review the details of the new group and click Create Group.


CREATE AN IAM USER AND ADD TO IAM GROUP

Now you need to create an IAM user and generate an access key and secret key that will enable you to connect CloudCheckr to your AWS account. You will then add the IAM user to the IAM user group you created earlier.

Step 1:

Click the Users link on the left side of the console.

Step 2:

Click the Add user button.

Step 3:

On the Add user screen:

  • Type the user name. We recommend CloudCheckr for easy identification.
  • Select the Programmatic access check box to generate an access key ID and secret access key.
  • Click Next: Permissions.

Step 4:

Click Add user to group and select the CloudCheckr group you created in the previous procedure.

Step 5:

Click Next: Review.

Step 6:

Review your choices and click Create user.

Step 7:

Click Download .csv to save the security credentials as a CSV export.

Step 8:

Click Close.
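The note at the top of this page points out that IAM access keys require periodic rotation. One way to audit that across an account is the IAM credential report (generated with aws iam generate-credential-report and fetched with aws iam get-credential-report), a CSV with one row per user. The following example is added here and is not CloudCheckr's code: it parses a constructed report in that column layout (the account ID and user names are made up) and flags active keys older than an assumed 90-day limit, as well as active keys that have never been used, which are candidates for deletion rather than rotation.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report.
# Only the columns this check reads carry meaningful values.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2015-01-05T10:00:00+00:00,not_supported,2016-01-04T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
CloudCheckr,arn:aws:iam::111122223333:user/CloudCheckr,2015-12-28T14:30:00+00:00,false,N/A,N/A,N/A,false,true,2015-12-28T14:31:00+00:00,2016-03-01T08:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2015-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-02-20T00:00:00+00:00,N/A,N/A,N/A,true,2015-06-01T00:00:00+00:00,2016-01-15T00:00:00+00:00,us-west-2,s3
"""

# Assumed rotation interval; adjust to your own policy.
MAX_KEY_AGE_DAYS = 90

# Fixed "now" so the sample produces repeatable results.
SAMPLE_NOW = datetime(2016, 4, 1, tzinfo=timezone.utc)

KEY_SLOTS = ("access_key_1", "access_key_2")


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp from the report.

    The report uses N/A, not_supported and no_information where a value does
    not apply; those become None.
    """
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def active_keys(report_csv):
    """Yield (row, slot) for every active access key in the report."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in KEY_SLOTS:
            if row[f"{slot}_active"] == "true":
                yield row, slot


def stale_access_keys(report_csv, now=SAMPLE_NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return [(user, slot, age_in_days)] for active keys older than max_age_days."""
    findings = []
    for row, slot in active_keys(report_csv):
        rotated = parse_timestamp(row[f"{slot}_last_rotated"])
        if rotated is None:
            continue
        age = (now - rotated).days
        if age > max_age_days:
            findings.append((row["user"], slot, age))
    return findings


def never_used_active_keys(report_csv):
    """Return [(user, slot)] for active keys that have never signed a request."""
    return [
        (row["user"], slot)
        for row, slot in active_keys(report_csv)
        if parse_timestamp(row[f"{slot}_last_used_date"]) is None
    ]


if __name__ == "__main__":
    for user, slot, age in stale_access_keys(SAMPLE_REPORT):
        print(f"ROTATE  {user}: {slot} is {age} days old")
    for user, slot in never_used_active_keys(SAMPLE_REPORT):
        print(f"REVIEW  {user}: {slot} is active but has never been used")
```

On a live account, replace SAMPLE_REPORT with the decoded Content field returned by get-credential-report and SAMPLE_NOW with the current UTC time.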


ADDING A SECONDARY POLICY

Now you will need to add a secondary policy.

You do not have to update your secondary policy every time CloudCheckr adds support for additional services and features that are already covered by the default AWS Read-Only Access policy. However, if a new feature requires permissions that the default AWS Read-Only Access policy does not grant, CloudCheckr will notify you and recommend that you add the permission(s) to the secondary policy.

Step 1:

Click the Policies link on the left side of the console.

Step 2:

Click Create Policy.


Step 3:

In the Create Your Own Policy section, click Select.


Step 4:

Type a name for your policy. We recommend you name your policy CloudCheckr for easy identification.

Step 5:

Type a description for your policy.

Step 6:

Copy the secondary policy into the Policy Document text box.

You can download the secondary IAM policy here, or copy it from below.
Updated 2015-12-28

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "sdb:DomainMetadata",
                "support:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

Step 7:

Click Validate Policy.


Step 8:

The message This policy is valid will display at the top of the screen. Click Create Policy.

A message will display at the top of the screen, indicating that the secondary policy has been created successfully.

Note:

For information on how to modify a secondary policy, go to Creating A Role For Cross-Account Access.
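Before pasting a policy into the console, it is worth checking how far it goes beyond read-only access. The following example is added here and is not CloudCheckr's code. It parses the secondary policy shown above and sorts each allowed action into three buckets: read-only (verbs starting with Get, List or Describe), wildcard (a service-wide *, which is never read-only: support:*, for instance, also covers creating and updating support cases) and review (verbs that need a manual look; here sdb:DomainMetadata, which is a read call but does not match the prefixes). The prefix list is an assumed heuristic, not an AWS-defined category, so the review bucket exists precisely to catch what it misses.

```python
import json

# The secondary policy document exactly as given on this page.
SECONDARY_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "sdb:DomainMetadata",
                "support:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}
"""

# Assumed heuristic: verb prefixes AWS uses for read-only API calls.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a single string or object where a list is expected; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def classify_action(action):
    """Classify one action string as 'read-only', 'wildcard' or 'review'.

    'wildcard' means every action of a service (or of all services) is
    allowed, which always includes write actions. 'review' means the verb
    does not start with a known read-only prefix and needs a manual look.
    """
    if ":" not in action:
        return "wildcard"                 # a bare "*" allows everything
    service, verb = action.split(":", 1)
    if service == "*" or verb == "*":
        return "wildcard"
    # A trailing "*" on a verb (e.g. Describe*) is read-only only if its literal prefix is.
    if verb.rstrip("*").startswith(READ_ONLY_PREFIXES):
        return "read-only"
    return "review"


def lint_policy(policy_json):
    """Return {'wildcard': [...], 'review': [...], 'read-only': [...]} of (Sid, action)
    pairs for every Allow statement in the policy document."""
    doc = json.loads(policy_json)
    findings = {"wildcard": [], "review": [], "read-only": []}
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            findings[classify_action(action)].append((sid, action))
    return findings


if __name__ == "__main__":
    result = lint_policy(SECONDARY_POLICY)
    for kind in ("wildcard", "review"):
        for sid, action in result[kind]:
            print(f"{kind:9} {sid}: {action}")
    print(f"{len(result['read-only'])} actions look read-only")
```

Run against the policy above, the linter reports one wildcard (support:*) and one action to review (sdb:DomainMetadata), with the remaining 14 actions matching read-only prefixes. Whether support:* is acceptable is a decision for your account, but it should be a deliberate one.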


ATTACH SECONDARY POLICY TO IAM USER GROUP

Now that you have added the secondary policy, you need to attach that policy to the new IAM user group.

Step 1:

Click the Policies link on the left side of the console.


Step 2:

From the list of policies, select the secondary policy you created earlier.

You can click the Filter drop-down menu and select Customer Managed Policies to narrow the list of policies to those that you have created.


Step 3:

From the Policy actions drop-down menu, select Attach.

Step 4:

On the Attach Policy screen, select the CloudCheckr group you created earlier and click Attach Policy.

The CloudCheckr IAM user you created is now a member of the CloudCheckr group, which has both the default AWS Read-Only Access policy and the secondary policy attached. Next, take the access key ID and secret access key saved in the CSV file and add them as the AWS credentials for your CloudCheckr account.