Creating groups for users and operators

In AWS, permissions are managed by creating security policies. Those policies can then be attached to service roles (as we have seen throughout the book), to users, and to user groups. Managing security policies at the user group level, rather than for each individual user, has clear benefits: every user in a given team receives the same permissions, and when a change is needed, you make it once on the group instead of repeating it for every user in that team.

Users and groups can be managed either natively in AWS or, if you have an Active Directory server (either on-premises or through the AWS Directory Service), through the AD Connector.

In our case, we will use the native AWS interface and, with the help of CloudFormation, manage our groups. For the purpose of this book, we will only create one group and call it Admins but, as you can imagine, in a real-world scenario, you will probably want to have multiple groups with specific permissions.

We will create a new script in our EffectiveDevOpsTemplates repository and call it iam-groups-cf-template.py. We will start with our usual boilerplate:

"""Generating CloudFormation template."""

from troposphere import (
    Template,
)

from troposphere.iam import (
    Group,
)

t = Template()

t.add_description("Effective DevOps in AWS: User Groups")

We will now create a new resource of type Group, as shown in the following code snippet. We will give it the name Admins and assign it the managed policy AdministratorAccess that we used previously with the user we created in Chapter 2, Deploying Your First Web Application:

t.add_resource(Group(
    "Admins",
    GroupName="Admins",
    ManagedPolicyArns=[
        "arn:aws:iam::aws:policy/AdministratorAccess"
    ],
))

Finally, we will end our script by printing the resulting JSON output:

print(t.to_json())

Our script is now complete; it should look like this: http://bit.ly/2v1oO2o.

We can save it, commit it, and execute it as follows:

$ git add iam-groups-cf-template.py
$ git commit -m "Adding template to manage user groups"
$ git push
$ python iam-groups-cf-template.py > iam-groups-cf.template
$ aws cloudformation create-stack --stack-name iam-groups --template-body file://iam-groups-cf.template --capabilities CAPABILITY_NAMED_IAM
{
    "StackId": "arn:aws:cloudformation:us-east-1:511912822958:stack/iam-groups/9ac717f0-0214-11e7-90a5-50fae9826c99"
}

This will create a new IAM group called Admins:

$ aws iam list-groups
{
    "Groups": [
        {
            "Path": "/",
            "CreateDate": "2017-03-06T02:32:47Z",
            "GroupId": "AGPAI352HLJMPCFQRWNQA",
            "Arn": "arn:aws:iam::511912822958:group/Admins",
            "GroupName": "Admins"
        }
    ]
}

We will now move our existing user to that group:

$ aws iam add-user-to-group --user-name johndoe --group-name Admins

And finally, because the user now receives its permissions through the group's policies, we should detach the policy that is still attached directly to the user:

$ aws iam detach-user-policy \
      --user-name johndoe \
      --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
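The detach step above is easy to forget for users created before the group existed. The following added example (not from the book, and not using troposphere) audits an IAM inventory in the shape returned by aws iam get-account-authorization-details --filter User, listing every user that still holds directly attached managed or inline policies or belongs to no group, and builds the matching clean-up commands. The inventory below is constructed; janedoe and the s3-inline policy name are hypothetical.

```python
"""Find IAM users whose permissions bypass the group model (added example)."""

# Constructed sample in the shape of
# `aws iam get-account-authorization-details --filter User`:
# johndoe is in the desired state (member of Admins, nothing attached
# directly); janedoe is a hypothetical user still carrying a directly
# attached managed policy plus an inline policy, and belongs to no group.
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "johndoe", "GroupList": ["Admins"],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
        {"UserName": "janedoe", "GroupList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
         "UserPolicyList": [{"PolicyName": "s3-inline", "PolicyDocument": {}}]},
    ]
}


def find_direct_permissions(details):
    """Return {user: [policy ids]} for users that hold permissions attached
    directly (managed or inline) rather than inherited from a group."""
    findings = {}
    for user in details.get("UserDetailList", []):
        direct = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        direct += ["inline:" + p["PolicyName"] for p in user.get("UserPolicyList", [])]
        if direct:
            findings[user["UserName"]] = direct
    return findings


def find_groupless_users(details):
    """Return users that belong to no group, so no group policy reaches them."""
    return [u["UserName"] for u in details.get("UserDetailList", []) if not u.get("GroupList")]


def remediation_commands(details):
    """Build the CLI calls that move each finding back under group management."""
    cmds = []
    for user, policies in find_direct_permissions(details).items():
        for pol in policies:
            if pol.startswith("inline:"):
                cmds.append("aws iam delete-user-policy --user-name %s --policy-name %s"
                            % (user, pol[len("inline:"):]))
            else:
                cmds.append("aws iam detach-user-policy --user-name %s --policy-arn %s"
                            % (user, pol))
    return cmds
```

To run it against a real account, save the output of aws iam get-account-authorization-details --filter User to a file, load it with json.load, and pass the result to these functions in place of SAMPLE_DETAILS.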

We have successfully created an Admins group with administrator permissions and moved our user into that group. Obviously, this group is a special case and should be restricted to just a handful of users. In the next section, we will create a more generic group that every user should belong to in order to manage their own account.
