AWS – IAM User and Role
Define a user with specific policies in order to manage and run a SwissPKI instance on AWS.

Create Policy for Accessing Secrets
Open the Amazon Identity and Access Management (IAM) console and select Policies on the left panel.

Click on button Create policy, select tab JSON and copy-paste the following definition:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "kms:ListKeys",
                "kms:GenerateRandom",
                "kms:ListAliases",
                "kms:CreateKey",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "kms:*",
            "Resource": [
                "arn:aws:kms:*:*:alias/*",
                "arn:aws:kms:*:*:key/*"
            ]
        }
    ]
}
Then click on button Review policy and enter a policy name, e.g. SwissPKI-Decrypt-Secrets.

Finally, click on Create policy.
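Before attaching the policy it is worth seeing exactly what its wildcards grant. The script below is an added example, not part of the SwissPKI documentation or of any AWS tool: it embeds the policy document from this page, reproduces only the identity-based Allow logic of IAM (no Deny statements, no Condition blocks, no SCPs or resource policies), and reports which statement authorises a given action on a given resource ARN. The sample account id, region and key/secret identifiers used in the checks are constructed values. A small lint then lists the broad grants a reviewer would want to know about: the kms:* action wildcard over every key and alias, the Resource "*" statement, and ARNs whose account field is "*".

```python
"""Simplified IAM Allow evaluator and least-privilege lint for the
SwissPKI-Decrypt-Secrets policy (added example, offline, stdlib only)."""
import json
import re

# The policy document from the page, embedded so the script runs offline.
POLICY_JSON = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds"],
     "Resource": "arn:aws:secretsmanager:*:*:secret:*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["secretsmanager:GetRandomPassword", "kms:ListKeys", "kms:GenerateRandom",
                "kms:ListAliases", "kms:CreateKey", "secretsmanager:ListSecrets"],
     "Resource": "*"},
    {"Sid": "VisualEditor2", "Effect": "Allow",
     "Action": "kms:*",
     "Resource": ["arn:aws:kms:*:*:alias/*", "arn:aws:kms:*:*:key/*"]}
  ]
}'''
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _wildcard_to_regex(pattern, ignore_case):
    # IAM wildcards: '*' matches any sequence, '?' matches one character.
    # Action names are matched case-insensitively, resource ARNs are not.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE if ignore_case else 0)


def statement_allows(stmt, action, resource):
    """True if this single Allow statement matches both action and resource."""
    if stmt.get("Effect") != "Allow":
        return False
    action_ok = any(_wildcard_to_regex(a, True).match(action)
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(_wildcard_to_regex(r, False).match(resource)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def is_allowed(policy, action, resource):
    """Return the Sids of the statements that allow action on resource.
    An empty list means IAM's implicit deny applies."""
    return [s["Sid"] for s in policy["Statement"]
            if statement_allows(s, action, resource)]


def lint_wildcards(policy):
    """Flag the broad grants in a policy: whole-service action wildcards
    (e.g. 'kms:*'), Resource '*', and ARNs whose account field is '*'."""
    findings = {}
    for s in policy["Statement"]:
        notes = []
        for a in _as_list(s.get("Action", [])):
            if a == "*" or a.endswith(":*"):
                notes.append(f"action wildcard: {a}")
        for r in _as_list(s.get("Resource", [])):
            if r == "*":
                notes.append("resource wildcard: *")
            else:
                # ARN layout: arn:partition:service:region:account:resource
                parts = r.split(":")
                if len(parts) >= 6 and parts[4] == "*":
                    notes.append(f"any-account resource: {r}")
        if notes:
            findings[s["Sid"]] = notes
    return findings


if __name__ == "__main__":
    # Constructed sample ARNs (not real accounts or keys).
    secret = "arn:aws:secretsmanager:eu-central-1:123456789012:secret:swisspki/db-AbCdEf"
    key = "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    for action, res in [("secretsmanager:GetSecretValue", secret),
                        ("secretsmanager:DeleteSecret", secret),
                        ("kms:Decrypt", key),
                        ("kms:ScheduleKeyDeletion", key)]:
        print(f"{action:35} -> {is_allowed(POLICY, action, res) or 'implicit deny'}")
    for sid, notes in lint_wildcards(POLICY).items():
        print(sid, notes)
```

Running it shows that the instance can read secrets but cannot delete them, whereas kms:* lets the same principal schedule key deletion on any key it can reach, which is the kind of grant to narrow to the specific key ARNs SwissPKI uses once they exist.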

Create SwissPKI Admin Group
Step 1 – Group Name

Select Groups on the left panel and click on Create new group. Enter name SwissPKI-Admin-Group.

Step 2 – Attach Policy

Select the following policies from the list:

  • AWSMarketplaceFullAccess
  • AmazonRDSFullAccess
  • AmazonEC2FullAccess
  • SecretsManagerReadWrite
  • IAMFullAccess
  • ElasticLoadBalancingFullAccess
  • AWSConfigUserAccess
  • AWSKeyManagementServicePowerUser
  • SwissPKI-Decrypt-Secrets

Step 3 – Review

Review the settings and create the group.

Create SwissPKI User
This user will be used for managing and configuring the different AWS services.
Step 1 – User Details and Access Type

Select Users on the left panel, click on button Add user, and enter a user name, e.g. SwissPKI-Admin. For access type, select Programmatic access as well as AWS Management Console access, and enter a new password. Click Next.

Step 2 – Permissions

Choose option Add user to group and select SwissPKI-Admin-Group.

Step 3–5

Click Next through to the end of the wizard.

Create SwissPKI Role
This role will be used by the SwissPKI AMI instance to access the secrets.
Step 1 – Trusted Entity

Select Roles on the left panel, click on button Create role, and enter a user name, e.g. SwissPKI-Admin. For access type, select Programmatic access as well as AWS Management Console access, and enter a new password. Click next.

Step 2 – Permissions

Search and select the policy SwissPKI-Admin-Group we have previously created.

Step 3 – Tags

No tag to add, just click Next.

Step 4 – Review

Finally, give the role the name Swisspki-Decrypt-Secrets and finish the wizard.

Sign in Again
Important

To avoid working as the root account or as an account with too many rights, log your current user out of the Amazon Management Console and log in again with the newly created user SwissPKI-Admin.