@tom-butler
Last active May 31, 2019 00:52
AWS CLI MFA
aws-config

[default]
region = ap-southeast-2

[profile prod-admin]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/write
mfa_serial = arn:aws:iam::0987654321098:mfa/uname

[profile prod-read]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/read
mfa_serial = arn:aws:iam::0987654321098:mfa/uname
bastion-assume-role-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "sts:AssumeRole" ],
      "Resource": [
        "arn:aws:iam::123456789012:role/read",
        "arn:aws:iam::123456789012:role/write"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true",
          "aws:SecureTransport": "true"
        },
        "NumericLessThan": {
          "aws:MultiFactorAuthAge": "14400"
        }
      }
    }
  ]
}
production-trust-relationship.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::0987654321098:user/uname"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true",
          "aws:MultiFactorAuthPresent": "true"
        },
        "NumericLessThan": {
          "aws:MultiFactorAuthAge": "14400"
        }
      }
    }
  ]
}
tom-butler commented Nov 2, 2018

This will enable you to assume-role cross-account while requiring MFA.

Prod account: 123456789012
Bastion account: 0987654321098

  1. Install aws-vault: brew cask install aws-vault

  2. In your bastion account, create a policy with the value of bastion-assume-role-policy.json and create a group called assume-role.

  3. In your Bastion account, create an IAM user for your individual use.

    • Configure an MFA device for this user and note its Amazon Resource Name (ARN).
    • Add it to the group Bastion-assume-role-policy (and nothing else).
    • Generate an access key for the user and save the access key ID and secret key to aws-vault using aws-vault add default.
  4. In your production account, create a Role that trusts Another AWS Account, enter your bastion account ID and force MFA.

    • After creation, open the Trust relationships tab and replace the default trust relationship with production-trust-relationship.json.
    • Update the expiration time from 1 to 4 hours.
  5. Update your ~/.aws/config file with aws-config; you will need to configure the ARNs of the roles and MFA.

  6. Test it out: run aws-vault exec prod-admin -- and you will be asked for the password (maybe twice) and the MFA token you created in step 3.

Notes:

  • By using a single bastion account you only have 1 set of keys and 1 MFA token, no matter how many accounts you have.
  • AWS Keys are encrypted by aws-vault and password protected.
  • MFA is required for all activities (if your keys are compromised they are useless without MFA).
  • For tools that don't work well with STS tokens use aws-vault exec prod-admin --no-session --
  • By looking at the trust role you can easily see which users have access to a role.
  • By default this will work for 4 hours, but it can be increased.

References:
https://www.worklogapp.com/jp/updates/35
https://github.com/coinbase/assume-role
https://github.com/99designs/aws-vault
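
As an added example (not part of the gist or aws-vault), a Python check a defender can run over the config and trust policy above: it confirms that every role profile carries an mfa_serial whose account is one the role actually trusts, and that the trust policy's AssumeRole statement still demands MFA with a bounded aws:MultiFactorAuthAge. The embedded file contents are constructed copies of the gist's files, with the prod-read profile omitted for length.

```python
import configparser
import json
# Constructed copies of the gist's aws-config (prod-read omitted) and production-trust-relationship.json.
AWS_CONFIG = """\
[default]
region = ap-southeast-2
[profile prod-admin]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/write
mfa_serial = arn:aws:iam::0987654321098:mfa/uname
"""
TRUST_POLICY = json.loads("""{"Statement": [{"Effect": "Allow",
 "Principal": {"AWS": "arn:aws:iam::0987654321098:user/uname"},
 "Action": "sts:AssumeRole",
 "Condition": {"Bool": {"aws:SecureTransport": "true", "aws:MultiFactorAuthPresent": "true"},
               "NumericLessThan": {"aws:MultiFactorAuthAge": "14400"}}}]}""")

def account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:ACCOUNT:resource

def requires_mfa(statement, max_age=14400):
    """True if the statement demands MFA and caps the MFA session age at max_age seconds."""
    cond = statement.get("Condition", {})
    age = cond.get("NumericLessThan", {}).get("aws:MultiFactorAuthAge")
    return (cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
            and age is not None and int(age) <= max_age)

def audit(config_text, trust_policy, max_age=14400):
    """Return findings; an empty list means role profiles and trust policy agree on MFA."""
    findings, trusted_accounts = [], set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in st.get("Action", []):  # str or list
            continue
        if not requires_mfa(st, max_age):
            findings.append("trust policy allows sts:AssumeRole without an MFA condition")
        principals = st.get("Principal", {}).get("AWS", [])
        for p in ([principals] if isinstance(principals, str) else principals):
            trusted_accounts.add(account_of(p))  # who may assume the role (gist note 5)
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    for name in cfg.sections():
        if "role_arn" not in cfg[name]:
            continue  # plain credential profile such as [default]
        mfa = cfg[name].get("mfa_serial")
        if not mfa or "source_profile" not in cfg[name]:
            findings.append(f"{name}: role profile is missing mfa_serial or source_profile")
        elif account_of(mfa) not in trusted_accounts:
            findings.append(f"{name}: mfa_serial account is not a principal the role trusts")
    return findings
```

Run audit(AWS_CONFIG, TRUST_POLICY) against the real ~/.aws/config and the role's trust document pulled from IAM; any non-empty result means a profile can be used without the MFA guarantee the gist relies on.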
