keys

GCP Monitor Service Account

February 24, 2022

You can monitor the success or failure of a service account in GCP.

gcloud policy-intelligence query-activity \
--activity-type=ACTIVITY_TYPE \ 
--project=PROJECT_ID \
--limit=LIMIT

The two options you can use for ACTIVITY_TYPE are:

serviceAccountKeyLastAuthentication
serviceAccountLastAuthentication

Saml2aws

February 14, 2022

Use Saml2Aws CLI as an alternative to SAML to AWS STS Key Conversion.

Install on Mac.

brew install saml2aws
saml2aws --version

Configure. Provide information.

saml2aws configure

It will create a ~/.saml2aws config file. Set session to 8 hours.

aws_session_duration    = 28800

saml2aws login

After authentication and/or MFA, your ~/.aws/credentials will be updated.

Here’s the permission needed for an AWS user to manage their own IAM account. The policy allows them to view their own account information, change their own passwords, rotate access keys and certificates, and manage their own git credentials.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary" ], "Resource": "*" }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed", "iam:ListAccessKeys", "iam:UpdateAccessKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }

EC2 Password Authentication

May 18, 2020

When you stand up an AWS instance, it’s only accessible via SSH key using the default user, typically ec2-user.

Add password to ec2-user, then enable password authentication to ‘yes’ in SSH.

# Add password to ec2-user
sudo passwd ec2-user
# edit ssh config
vim /etc/ssh/sshd_config
# enable password authentication
PasswordAuthentication yes
# save file and exit

Restart SSH service.

systemctl restart sshd.service

S3 Browser IAM Assume Role

April 12, 2020

S3 Browser is a free Windows client for accessing AWS S3 buckets. You can access S3 buckets with an interface similar to File Manager. A typical setup requires that you use access and secret keys to connect to the S3 browser. However, if the server is in the cloud, it’s better that use a machine profile with an assume role. The assume role gets temporary credentials until they expire. They are automatically rotated by AWS behind the scenes for you. This is much safer process than storing key credentials in the cloud. The good news is, S3 Browser support IAM assume roles. Here’s the setup instructions to get your S3 Browser configured using IAM assume role. Here’s IAM role explained.

IAM List Access Keys

January 14, 2020

Here’s how to list all the access keys in AWS via Python.

import logging
import boto3
from botocore.exceptions import ClientError
 
# set aws profile
session = boto3.Session(profile_name="default")
 
# get list of users
 
iam = session.client('iam')
users = iam.list_users()
 
# display results
print("{0:<20} {1:<25} {2:<15} {3:<10}".format('UserName', 'AccessKey', 'Status', 'CreateDate'))
print("----------------------------------------------------------------------------------------")
 
for a in users['Users']:
    user = a['UserName']
    # get keys
    keys = iam.list_access_keys(UserName=user)
    for b in keys['AccessKeyMetadata']:
        username = b['UserName']
        accesskeyid = b['AccessKeyId']
        status = b['Status']
        createdate = str(b['CreateDate'])
        print("{0:<20} {1:<25} {2:<15} {3:<10}".format(username, accesskeyid, status, createdate))

AWS CLI IAM Keys

December 20, 2019

Here’s a few commands to create, delete and disable AWS user keys.

List user keys.

aws iam list-access-keys --user-name john.doe

Create access key. Results are printed on screen in JSON format.

aws iam create-access-key --user-name john.doe

Disable a key. The real key id is obfuscated.

aws iam update-access-key \
--access-key-id ******************** \
--status Inactive \
--user-name john.doe

Delete a key. They real key id is obfuscated.

aws iam delete-access-key \
--access-key-id ******************** \
--user-name john.doe