How To: Create an Amazon Web Services (AWS) Identity and Access Management (IAM) Policy That Lets Users Manage Their Own Credentials and Multi-Factor Authentication (MFA)

June 12, 2019

I've been digging into Amazon Web Services (AWS)1 user administration. One of my first goals was to create a user, send them their password, and let them manage the rest of their credentials without me.

The various credential types are located under the "My Security Credentials2" section for each user. They are:

  1. IAM Password for console access
  2. Access keys for CLI, SDK, & API access
  3. Multi-factor authentication (MFA)
  4. X.509 certificate
  5. SSH Keys
  6. HTTPS Git credentials for AWS CodeCommit

Amazon provides five built-in IAM policies that provide access to the credential sets. The first one, IAMFullAccess, provides full admin control over the Identity and Access Management (IAM) service. Not only does it allow users to manage their own details, it allows them to create, delete, and otherwise mess with any other user, group, policy, role, etc… Not something to give a non-admin user.

A second built-in AWS policy is IAMReadOnlyAccess. It does just what it says on the tin, providing read-only access to the various parts of the IAM dashboard. So, no help there when it comes to letting users set their credentials.

The last three built-in policies (and what they correspond to) are:

  1. IAMSelfManageServiceSpecificCredentials - allows users to update their HTTPS Git credentials for AWS CodeCommit
  2. IAMUserChangePassword - allows users to update their IAM Password for console access
  3. IAMUserSSHKeys - allows users to update their SSH Keys

Halfway there, but we're still left without the ability to manage "Access keys for CLI, SDK, & API access", "Multi-factor authentication (MFA)", and "X.509 certificate". Since what I was looking for wasn't built-in, I went about building a custom policy myself.

After referencing a half dozen web pages, IAM docs3 and just as many StackOverflow4 pages, I came up with the following policy definition. It provides users with control of all six sets of credentials. It also requires Multi-Factor Authentication (MFA)5 and locks users out of all AWS services until it's set up.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowUsersToManageCoreCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:*ServiceSpecificCredential*",
        "iam:*SigningCertificate*"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
      "Effect": "Allow",
      "Action": ["iam:ListMFADevices"],
      "Resource": [
        "arn:aws:iam::*:mfa/*",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowIndividualUserToManageTheirOwnMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
      "Effect": "Allow",
      "Action": ["iam:DeactivateMFADevice"],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "AllowIndividualUserToManageTheirSSHCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "BlockMostAccessUnlessSignedInWithMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}

Speaking of MFA, it's easy to use in the web console. Using it on the command line isn't as straightforward. For details on the basic process check out this video from Amazon. (If you're like me, this looks like a prime opportunity to write a little script to help automate the process. That's left as an exercise for the reader.)
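To sanity-check what the policy above actually permits before attaching it, here is an added Python evaluator (not from the post or from AWS) that applies IAM's explicit-deny-wins ordering, NotAction, ${aws:username} substitution and the Bool/BoolIfExists conditions to sample requests. The policy dict mirrors the statements above; the user alice and account 123456789012 are constructed for the example.

```python
import fnmatch

# The post's policy as a Python dict (same statements, compact layout).
ME = "arn:aws:iam::*:user/${aws:username}"
MY_MFA = "arn:aws:iam::*:mfa/${aws:username}"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListVirtualMFADevices"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:*AccessKey*", "iam:ChangePassword", "iam:GetUser",
     "iam:*ServiceSpecificCredential*", "iam:*SigningCertificate*"], "Resource": [ME]},
    {"Effect": "Allow", "Action": ["iam:ListMFADevices"], "Resource": ["arn:aws:iam::*:mfa/*", ME]},
    {"Effect": "Allow", "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
     "iam:EnableMFADevice", "iam:ResyncMFADevice"], "Resource": [MY_MFA, ME]},
    {"Effect": "Allow", "Action": ["iam:DeactivateMFADevice"], "Resource": [MY_MFA, ME],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow", "Action": ["iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey",
     "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey"], "Resource": ME},
    {"Effect": "Deny", "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
     "iam:ListMFADevices", "iam:ListUsers", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice"],
     "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

def _glob(patterns, value, username, fold_case):
    # IAM-style match: '*' and '?' wildcards, ${aws:username} substituted first.
    # Action names compare case-insensitively; resource ARNs do not.
    for pattern in (patterns if isinstance(patterns, list) else [patterns]):
        pattern = pattern.replace("${aws:username}", username)
        if fold_case:
            pattern, value = pattern.lower(), value.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False

def _condition_holds(condition, context):
    # Only Bool and BoolIfExists are needed for this policy. Requests signed with
    # long-term access keys carry no aws:MultiFactorAuthPresent key at all: a plain
    # Bool then fails to match, while BoolIfExists counts the missing key as satisfied.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True

def evaluate(action, resource, username, context, policy=POLICY):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one request."""
    allowed = False
    for st in policy["Statement"]:
        if "Action" in st:
            action_hit = _glob(st["Action"], action, username, True)
        else:  # NotAction: the statement applies to every action NOT listed
            action_hit = not _glob(st["NotAction"], action, username, True)
        if not (action_hit and _glob(st["Resource"], resource, username, False)):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"  # an explicit Deny beats any Allow
        allowed = True
    return "allow" if allowed else "implicit-deny"

if __name__ == "__main__":
    # Constructed sample requests for user "alice" in a made-up account 123456789012.
    mfa_arn = "arn:aws:iam::123456789012:mfa/alice"
    for act, res, ctx in [("iam:CreateVirtualMFADevice", mfa_arn, {}),
                          ("s3:ListAllMyBuckets", "*", {}),
                          ("sts:GetSessionToken", "*", {}),  # the call a CLI MFA session starts with
                          ("iam:DeactivateMFADevice", mfa_arn, {"aws:MultiFactorAuthPresent": "true"})]:
        print(act, "mfa" if ctx else "no-mfa", "->", evaluate(act, res, "alice", ctx))
```

The evaluator shows that sts:GetSessionToken is explicitly denied for a request made without MFA, and that is the call a CLI user makes with their long-term keys to obtain an MFA-backed session; if users need that command-line flow, the action belongs in the Deny statement's NotAction list.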


Footnotes

  1. One of the marvels of the modern world, Amazon Web Services is the "Cloud Computing" platform that's eating the software world.
  2. Every user has a My Security Credentials section they can use to manage their various credentials, assuming they have permissions to do so. Which, of course, is what this post is all about.
  3. Amazon's documentation is some of the best I've ever seen. The IAM docs are no exception (despite not having the specific thing I was after).
  4. Another marvel of the modern world, StackOverflow is the place to go for all your programming question wants and needs. (Though, again, they didn't have what I was looking for. At least, not until I post this there as well.)
  5. Multi-factor Authentication is the way to go. The basic idea is that logging in requires "something you have and something you know". The thing you know is your password. The thing you have is some type of device (or app on your phone) that spits out random numbers every 30 seconds. If you don't have the proper numbers to go along with your password, you can't login. The reason this is important is if your password gets stolen, the bad guys can't get in but you still can with your MFA device.

Video Review: Introduction to AWS Glue (Ian Robinson - Live from the London Loft)

June 10, 2019

A few bullet points on Introduction to AWS Glue (Ian Robinson - Live from the London Loft)



  • A few interesting things, but not worth the hour.
  • Slides have a ton of words on them that are hard to read since he doesn't really slow down for them. (Sometimes hits the main points on them, but it feels like sometimes he doesn't get to everything)
  • Does a few copy/paste without really explaining what's going on.
  • Talks a lot about things Glue can do, but doesn't show many examples.
  • Examples are spread out. I'd prefer doing something from start to finish.
  • Also, the example is relatively complex. Part of it creates an internal lambda function. That's not very well explained.
  • One good thing is pointing out the hierarchy where you name stuff in S3 like year=2019/month=6/day=9/some_file.csv and it automatically picks up the date as something you can query against.
  • Talks about Notebooks and Developer endpoints and how that makes it a lot easier to develop, but doesn't show it. Would be great if he had time for that.
  • The sample he does at the end takes several minutes to run. Would be better if the sample data was trimmed down to run quickly for purposes of the demo.
  • The part at the end (44:15) talking about bookmarks is helpful. Knowing that by default, Glue won't process the same S3 file twice.

My First Bout of Suicidal Ideation

April 09, 2018

Well… I thought I was seeing the light at the end of the depression tunnel.

Turns out, that wasn't the case.

I've been struggling with thoughts of suicide (aka suicidal ideation) for a few weeks and ended up checking myself into hospital where I stayed the last four nights. Knowing what I know now, if I could do it again, I would have gone in a few weeks ago (when I was in the darkest downward spiral).

I thought I was getting better (hence the post about thinking I was seeing the light at the end of the tunnel), but the thoughts hung on. Even though they were less severe, it became easier to think them. (The repetition was effectively unintentional practice which in turn made me "better" at thinking them.) It finally got to the point that even with the diminished severity, the fact that they weren't going away got me to make the jump.

The meds I'm on say to go to the hospital if suicidal thoughts occur (and you hear that in general as well). This may sound weird, but one of the reasons I didn't go when I had the first severe bout was a perception that no one else does. I'd never heard of anyone actually going to the hospital for suicidal thoughts until last Christmas when I was telling folks I went in for my manic episode. Since then, I've only heard of one person.

As we all have the cognitive bias of thinking everyone else thinks like we do, part of me figured everyone else had suicidal thoughts from time to time, but just powered through them. So, that's what I attempted to do.

It also took me a while to get my head around the idea of going in. That is, going to the hospital for suicidal ideation didn't fit my mental model of myself.

Another cognitive bias came into play as well. The one where we try to act the way we think other folks expect us to act. I'm sure no one I know thought I was suicidal. So, part of me wanted to act like someone who wasn't.

Finally, I didn't know what the process looked like. I'm the type of person who likes having a solid idea of how to do a thing before doing it. So, this was another mental barrier. Plus, doing anything the first time is extra scary. (And let's remember that I'd already gone in once for mania, but the suicidal ideation felt different enough that it felt like the first time.)

All of that added up to me waiting much longer to seek help than I should have.

Turns out, it really was as easy as going to the Emergency Room and telling them I was having suicidal thoughts. I gave them my insurance card and they took care of everything from there. They put me into an exam room and had a few different folks come by to take some blood, run an EKG, and talk to me. I was a bit freaked out, but everyone there was a pro and clearly knew what they were doing (and had done it before so I was in good hands). As soon as I realized that, I settled down a lot.

After checking me out, they recommended I voluntarily admit myself for a stay in the Mental Health Unit. It was easy to agree since I knew that once I was in there I wouldn't have the ability to off myself even if the thoughts overwhelmed me. (I'll post more about what it was actually like to be in the MHU another time)

Anyway, I'm out now and have started a Partial Hospitalization Program where I go in for group therapy. I'll post more about that later too.

Incidentally, a big reason I wrote this is to make sure other folks don't fall into the trap I did. Thinking just because they don't know someone who's been hospitalized or they don't know what's up with the process that they can power through it. You now know someone who has and I can confirm the process isn't that bad and well worth it.

(I can also tell you that the idea of going in is way, way scarier than the experience actually is. Don't let that fear get in the way.)


How I Discovered I Have Bipolar Disorder

January 08, 2018

Below is a version of the email I sent to co-workers in December letting them know why I hadn't been in. It's a high level run down of my manic episode and corresponding hospital visit.

I am back at work now. Mostly full time. But still having to check out early on some occasions due to lack of energy. I'm continuing to work with my psychiatrist to tweak my meds to improve that.


Dec. 13, 2017 ~ From: Me ~ To: A bunch of co-workers

So…

As some of you know, I got to spend time in the hospital the week after Thanksgiving.

First off, let me reassure you that I'm in much better shape now.

In the spirit of an After-Action Report, here's the high level of what happened:

During the Thanksgiving holiday, I decided to experiment with recording a podcast

As I got more and more into it, I ended up in what I later discovered was a full blown manic state/episode. I was aware something was off, but figured I'd keep pushing it because 1) I'm me, and 2) well… mania…

After several days of constant talking/recording (and very little sleep), I called a buddy (and former TOUR employee) who came over to see if he could help me calm/slow down. (He also happens to be a trained crisis counselor. I wasn't thinking of that at the time, but it proved very helpful.)

I still wasn't able to calm down. He called the therapist I've been seeing for a couple years. With their help, I got myself voluntarily checked into Flagler Hospital's psych ward.

The psychiatrists there diagnosed me with Bipolar 1. (They were surprised I'd never been diagnosed before. Apparently, it's usually discovered well before someone hits their 40s)

Along with the diagnosis, I also received a prescription for a drug called Aripiprazole that I'm taking daily. It's one of those drugs that takes some time to get the dosage right, but I can already tell it's having a solid positive effect.

My manager and I have started discussing my return. The basic idea is that I'm going to ease myself back in slowly.

So, that's the gist…

The other thing I'm planning is to be very open about all this (e.g. this email). There's a lot of stigma about mental health issues. My hope is that by being open about it, I can help remove some of that.

Please note: it's a testament to all of you that I'm willing to be so open. While the idea is still scary, I have more than enough trust in you all and the TOUR in general to have the confidence/courage to do it.

The only thing I'll ask at this point is to please avoid peppering me with questions. It takes a lot out of me to keep having to get back into the story.

Other than that, I look forward to seeing you all soon as I ease back in over the next several weeks.

-a

P.S. Since that was pretty intense, allow me to close with a joke. For those of you that have seen the FX show "Legion", there's still no indication that my time in the psych ward ended up giving me super powers…. yet.


An Ode to Modern Medicine (Or, a search for words)

January 04, 2018

Peace.

My mind at ease.

In a way I've never experienced before.

But, in a way that's still me.

Not a me dulled or altered or bent into a shape that's not my own.

Just me, but…

Quiet, perhaps is better.

That's it too.

But, not a lack of sound. A lack of commotion.

Like looking away from a crowd.

Watching instead the gentle motion of a breeze.

Or, perhaps a ship.

But, not one becalmed.

One harbored in an easy port after rough seas.

Seas ridden so long, I had memories of nothing else.


Bipolar 2017

December 31, 2017

2017 has been a hell of a year.

For me, it was mostly a good one. Personal highlights included:

  • Attending my first national championship game1
  • Seeing one of my favorite musicians in concert2
  • Getting a new gig3
  • Seeing a Total Eclipse4
  • Having a full blown manic episode the week after Thanksgiving, checking myself into the local hospital's mental ward, and getting diagnosed as Bipolar 1

Four outta five on the plus side ain't bad.

Regarding that last one, though: There's a lot of toxic stigma and fear associated with discussing (and disclosing) mental health issues. It's not unwarranted, either. You don't have to think too hard to imagine how employers could wield that knowledge against you.

There are protections in place that try to prevent that, but it's still scary to talk about. In no small part because there's no guarantee those protections will work. The thing is, the cost of not talking about it can be even higher if it prevents folks from getting the care they need.

After giving it a lot of thought, I decided talking about my diagnosis publicly is the right thing to do. I've spent 17 years at the PGA TOUR. I trust both the organization and my manager to work with me in good faith5.

With luck, I can be a data point that helps us recognize that with our modern medicines, mental health issues like my bipolar diagnosis are still a big deal, but ones that can be managed. And, more to the point, that we recognize the stigmas we have against them are not only outdated but detrimental to everyone involved.

I'll tell the story of the manic episode another time. For now, just know I'm getting better and working with a doctor to dial in my medications.

In the meantime, may you and yours be safe and happy, and here's hoping 2018 turns out 5 by 5.

Footnotes

  1. Ideally, we would have won the game, but, you know… Roll Tide.
  2. If you are at all into Paul Simon, go see him. It's a delight and his new stuff sings to me just as much as the classics.
  3. I'm still at the TOUR. Just working on internal stuff instead of the web site and mobile platforms. It's cool because it's a change of pace, but all my institutional knowledge is still a huge asset.
  4. If you saw it too, I don't have to tell you this, but if you didn't: DO WHATEVER IT TAKES TO GO SEE THE NEXT ONE.
  5. So far so good, btw.

Watching for Errors and Rebooting with a Bash Script

December 20, 2017

The Problem:

  • A hardware issue on one of my FreeNAS servers1 causes hard drives to disappear every few hours
  • When the drives disappear, it puts my data at risk2

Warning Sign:

  • Prior to the failure, the system's dmesg3 command starts showing ahcich#: Timeout errors like these:

      ahcich2: Timeout on slot 10 port 0
      ahcich2: is 00000000 cs 00000400 ss 00000000 rs 00000400 tfd 50 serr 00000000 cmd 10008917
      ahcich4: Timeout on slot 31 port 0
      ahcich4: is 00000000 cs 80000000 ss 00000000 rs 80000000 tfd 50 serr 00000000 cmd 10009e17
      ahcich4: Timeout on slot 19 port 0
      ahcich4: is 00000000 cs 00080000 ss 00000000 rs 00080000 tfd 40 serr 00000000 cmd 10009217
    

Goal:

  • Write a bash script to run once an hour that watches for the Timeout errors and reboots the machine if it sees one4

My Solution - Version 1 (Shameless Green):

The first thing I did was to write a Sandi Metz5 style Shameless Green6 version of the script. Meaning, I wrote the quickest thing I could put together that met my minimum requirements of:

  1. Watch for Timeout errors
  2. Reboot if one is found

Here's what I came up with:

#!/bin/bash

dmesg | grep Timeout

if [ $? == "0" ]
then
    /sbin/shutdown -r now
fi

The way it works is:

  1. Run the built-in FreeNAS dmesg command and pipe (i.e. |) the output to grep to search for the word Timeout.

    If a Timeout has occurred, then grep will identify the match which results in an exit code7 of 0 for the line

    If no Timeout has occurred, the exit code is something other than 0. It's usually 1, but I don't really care what it is as long as it's not zero because I then…

  2. Use the special $? bash parameter8 to grab the exit code and compare it with == against zero inside an if conditional statement

  3. If the exit code stored in $? is zero, then I run the FreeNAS reboot command (/sbin/shutdown -r) with the argument now to tell the server to initiate a reboot immediately

    Otherwise, nothing else happens and the script simply finishes without doing anything else

Updated Solution:

I decided to add some logging after confirming the first version of the script worked as expected.

Here's the final version. (Detailing out what each line does is left as an exercise to the reader.)

#!/bin/bash

# Log lives on the pool so the history survives reboots.
LOG_FILE="/mnt/z/depot/Files/mingus_protection_tools/ahcich_issue_rebooter/log.txt"

# One timestamp (e.g. 20171220-130000) shared by every log line this run writes.
DATE_TIME=$(date +%Y%m%d-%H%M%S)
echo "${DATE_TIME}: Running script." >> "$LOG_FILE"

# grep exits 0 only when at least one dmesg line contains "Timeout".
dmesg | grep Timeout

if [ $? == "0" ]
then
    echo "${DATE_TIME}: Found a timeout. Rebooting." >> "$LOG_FILE"
    /sbin/shutdown -r now
else
    echo "${DATE_TIME}: No Timeout issue found." >> "$LOG_FILE"
fi

Putting that script in place is letting me move files off the machine without the Timeout issue building up to the point of failure. As long as nothing changes, it should keep my data safe while I move things that weren't yet backed-up to another machine.
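As an added example (not the post's script), here is a variant of the same watchdog with a pattern that only matches the ahcich timeout lines, a dry-run mode, and a minimum-uptime guard so a fault that recurs right after boot cannot reboot the box in a loop. The log path, the MIN_UPTIME default and the kern.boottime parsing are assumptions; the dmesg excerpt is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not the post's script: the same dmesg watchdog with a stricter
# match, no $? juggling, a dry-run mode and a minimum-uptime guard.

# Count lines that look exactly like the post's ahcich timeouts. A bare "Timeout"
# grep would also fire on unrelated kernel or daemon messages.
count_ahci_timeouts() {
    grep -Ec 'ahcich[0-9]+: Timeout on slot' || true   # grep -c exits 1 on zero matches
}

# Reboot only if there is at least one timeout AND the box has been up for at
# least $3 seconds. Prints "yes" or "no".
should_reboot() {
    timeouts=$1; uptime_s=$2; min_uptime_s=$3
    if [ "$timeouts" -gt 0 ] && [ "$uptime_s" -ge "$min_uptime_s" ]; then
        echo yes
    else
        echo no
    fi
}

# A failed log write must not stop the watchdog, hence the trailing "|| :".
log() {
    printf '%s: %s\n' "$STAMP" "$1" | tee -a "$LOG_FILE" 2>/dev/null || :
}

# Constructed dmesg excerpt: two real timeouts plus a decoy line containing "Timeout".
SAMPLE_DMESG='ahcich2: Timeout on slot 10 port 0
ahcich2: is 00000000 cs 00000400 ss 00000000 rs 00000400 tfd 50 serr 00000000 cmd 10008917
ntpd: Timeout waiting for peer reply
ahcich4: Timeout on slot 31 port 0'

main() {
    LOG_FILE=${LOG_FILE:-/tmp/ahcich_rebooter.log}   # assumed path, not the post's
    DRY_RUN=${DRY_RUN:-1}                            # DRY_RUN=0 reads real dmesg and may reboot
    MIN_UPTIME=${MIN_UPTIME:-600}                    # assumed default: 10 minutes
    STAMP=$(date +%Y%m%d-%H%M%S)

    if [ "$DRY_RUN" = 1 ]; then
        timeouts=$(printf '%s\n' "$SAMPLE_DMESG" | count_ahci_timeouts)
        uptime_s=7200
    else
        timeouts=$(dmesg | count_ahci_timeouts)
        # FreeBSD: kern.boottime prints "{ sec = <epoch>, usec = ... } ..." (assumed format)
        boot_s=$(sysctl -n kern.boottime | sed 's/.*sec = \([0-9]*\),.*/\1/')
        uptime_s=$(( $(date +%s) - boot_s ))
    fi

    log "Running script. ahcich timeouts=$timeouts uptime=${uptime_s}s"
    if [ "$(should_reboot "$timeouts" "$uptime_s" "$MIN_UPTIME")" = yes ]; then
        log "Found a timeout. Rebooting."
        [ "$DRY_RUN" = 1 ] || /sbin/shutdown -r now
    else
        log "No Timeout issue found (or uptime below ${MIN_UPTIME}s)."
    fi
}

main "$@"
```

Run it with DRY_RUN=0 from root's hourly cron entry to read the real dmesg output; the default dry run only evaluates the constructed sample.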

Footnotes

  1. This FreeNAS server, as a matter of fact.

  2. The server is set up with 11 hard drives in ZFS in RAID-Z3. Up to three can fail and my data won't be affected. However, if four fail at the same time all the data across all eleven drives will be lost in a way that's basically impossible to restore.

  3. More details about dmesg via its manual page.

  4. The script is run as the root user via cron once an hour.

  5. If you're not already familiar with her, you should check out Sandi's work. Her Practical Object-Oriented Design in Ruby class with Katrina Owen improved my programming by an order of magnitude.

  6. While it took a while to get used to, I'm now in love with the term (and concept) of Shameless Green. It's a specific reminder to do the minimum possible amount of work to get a test to pass. Without it, I have a tendency to internally scope-creep new code in a way that usually comes back to bite me. That little reminder has done more to improve and speed up my programming than anything else I've learned in my 20+ years hacking at code. (Why yes… it does deserve its own post. Said post is one of the many items on my TODO list.)

  7. Here's more info on Exit Status (aka exit codes).

  8. And, here's more info on Bash Special Parameters including $?.


Bullet Points on Bracelets or: A Wonder Woman Review

July 15, 2017

In case it's not obvious from the title…


### WARNING: Spoilers for Wonder Woman (2017) Below ###



  • First off, I'm continuing my practice of avoiding trailers. This includes closing my eyes during the inevitable 20 minute gauntlet before a feature presentation starts.1 This pays off in spades.

    For example, instead of seeing it in the trailer, I got to experience the sword-in-the-back-of-the-dress reveal in context with the rest of the movie.

    It was a delightful, "Ahhhh, yeah. It's about to get real" moment.2

  • It should not have been possible to make a decent Wonder Woman movie in corporate Hollywood today. And yet, they somehow made a great one. One that leaps most movies (comic based or otherwise) in a single bound.

  • They walked an incredible balance of making Wonder Woman a powerful, intelligent, beautiful, confident, humane, and oh-yeah-a-god superhero. All while keeping her relatable.

    Related: Gal Gadot has replaced Daisy Ridley as my #1 Movie Star Crush. (At least, until the next Star Wars movie.)

  • The scene with the nude dude (in reverse of the usual random female sexualization scene) was a touch of genius.3, 4


  • I can't believe they left in the part with the sniper for the good guys freezing up under fire.

    It wouldn't have been surprising if the superhero was a guy. But, to show that breakdown in direct contrast with an unshakable woman superhero… I'm amazed studio execs didn't force the scene to be cut because they considered it emasculating.

  • I got choked up a few times thinking about how the little girls of my friends and family will grow up in a world where this film exists.

    And, more to the point, Wonder Woman (form of: Gal Gadot) will exist in their minds. Helping them realize they are tougher and more capable than society might otherwise have led them to believe.

  • Trend lines have been on my mind a lot recently. Plotting the increased power women have seen since the invention (and increasing commodification) of effective birth control, I had begun thinking the U.S. will become a matriarchy within 75 years. After seeing Wonder Woman, I'm revising my estimate down to within 50 years.

    (By the way, part of my hypothesis is that much of the badness going on in today's society is the final, and naturally desperate, death throes of the traditional rich, white, male patriarchy. Something there's no way past except by going through it. But also, something that can't and won't last long.)

So, yeah. Two thumbs up.


Footnotes

  1. You should totally give closing your eyes during trailers a try. You'll notice trailers are way longer than you realize. And, despite using very few words, how they tend to reveal a half dozen key plot points that were originally designed to be a surprise.

    I haven't started putting in headphones to try to drown out the audio yet. But, the idea is getting strong consideration.

  2. I fully acknowledge the language in my head was stronger.

  3. I pulled these images from trailers. They don't contain the rest of the Wonder Woman scene showing the much more revealing shot of Chris Pine with nothing but his hands to cover his privates. Otherwise, I would have used that.

  4. For those not familiar with "Star Trek - Into Darkness", the sleeve on the right belongs to the same Chris Pine who's naked in the next image.




© Alan W. Smith