Can I automate user creation in AWS IAM service?

I'm currently setting up a website project and I am creating 20 new IAM users on AWS. Since it is a repetitive process, I figured there must be a way to automate this with existing user info (e-mails, user names, etc.). What are some recommended ways to do this? And what are the security concerns about it, since the secret access key is only shown once and has to be regenerated if not copied?

L. Dai Avatar asked Sep 15 '18 22:09



1 Answer

Excluding using federation to access AWS, I am not aware of any tools that automate creating users.

The parts of security that consist of AAA (Authentication, Authorization, Accounting) need to be taken very seriously. No matter how boring or repetitive, mistakes in this phase could cost you far more time and money to fix later. In other words, take the time to think through how you will implement AAA on AWS and take the time to do it right. This also means understanding completely what an IAM user is, how permissions are managed, etc.

If you go through the process of creating a user, you will find that there is very little to automate. AWS IAM does not store much about the user beyond their username, password, group, permissions and security credentials.

Let's take a hypothetical company who is creating a new AWS account and go through the steps to set up AAA correctly. I am ignoring AWS Organizations, which I highly recommend, to separate production users and resources from developer and test resources.

STEP 1: Create an AWS account, complete all of the various forms for contact information, payment information, etc. Do not create any users at this point.

STEP 2: Create IAM Groups. For this imaginary company, we will have Administrators, Finance, Sales, Developers and SysOps. Assign the correct permissions (IAM Policies) for each group.

STEP 3: Create a new user with administrator and billing rights. This user will replace the root user that AWS creates when you create an account. Verify that you can log in to this account.

STEP 4: Log in again as the root user, enable MFA, change the password. Securely store the login and password away in the company safe. This login will not be used again except in an emergency.

STEP 5: Create an S3 bucket and enable CloudTrail. I create a bucket named companyname-cloudtrail and send all CloudTrail logs to this bucket. Only the administrator has rights to this bucket. This provides for the last A in AAA.

Now we are at the point that we have the root user locked away, a new Administrator with all permissions and the required IAM groups created with IAM policies assigned. From here you can look at automating user creation. However, for 5 groups and 20 users, you will spend more time automating than to just create the users.

Let's create the first user to see the process. We will use the AWS CLI so that you can see in detail what is required and where automation might help.

An important item is to choose how you will name your users. In this example we will use First Name period Last Name concatenated together.

STEP 1: Create an IAM User. This user will be part of the Finance Group:

aws iam create-user --user-name bob.henry

STEP 2: Assign this user to the Finance group:

aws iam add-user-to-group --user-name bob.henry --group-name Finance

STEP 3: Optionally assign an IAM Policy that is unique to this user:

aws iam put-user-policy --user-name bob.henry --policy-name BobHenryRole --policy-document file://C:\Policies\BobHenryPolicyFile.json

For each user I normally create a folder in the company S3 bucket `/Users/bob.henry`. In this optional policy I give bob.henry full permissions to this bucket folder. Each user now has their own private storage location which we use for backups.

STEP 4: Assign the initial user password:

aws iam create-login-profile --password-reset-required --user-name bob.henry --password "My!Password&Is-Bettern=Than^Yours@"

At this point you have created a new user. The last step is to decide which users should have AWS credentials. The finance department does not need them. However, the following command will demonstrate how:

aws iam create-access-key --user-name bob.henry

Note: I recommend giving users that should have security credentials the ability to create their own. This way the account admin does not have to worry about creating and handing out credentials.

Go through the steps above and review what could be automated.

I create a batch file that includes all of the steps above for creating a user. I then edit the batch file and double check that I have all the details correct. I use a batch file because it helps me remember every step that needs to be completed for a new user. Sort of like a checklist so that I don't forget something.

John Hanley Avatar answered Oct 09 '22 18:10

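As an added example, not part of the answer above, here is a small Python script that turns the answer's per-user CLI steps (create-user, add-user-to-group, create-login-profile, and optionally create-access-key) into a reviewable command list for many users at once. It assumes a CSV with first, last and group columns, a first.last naming convention, and that only the Developers and SysOps groups should receive access keys; Finance, as in the answer, gets none.

```python
"""Generate the AWS CLI commands for a batch of IAM users (added example)."""
import csv
import io
import secrets
import shlex
import string

# Assumption: only these groups get programmatic credentials. The answer
# recommends letting such users create their own keys instead, so an empty
# set here is also a reasonable choice.
ACCESS_KEY_GROUPS = {"Developers", "SysOps"}

# Constructed sample input; in practice this comes from HR or a spreadsheet.
SAMPLE_CSV = """first,last,group
Bob,Henry,Finance
Alice,Smith,Developers
"""


def user_name(first, last):
    """Naming convention from the answer: first.last, lower case."""
    return f"{first.strip().lower()}.{last.strip().lower()}"


def initial_password(length=20):
    """Random one-time password; --password-reset-required forces a change."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_="
    return "".join(secrets.choice(alphabet) for _ in range(length))


def commands_for_user(first, last, group, password=None):
    """Return the CLI invocations as argv lists, in the answer's order."""
    name = user_name(first, last)
    password = password or initial_password()
    cmds = [
        ["aws", "iam", "create-user", "--user-name", name],
        ["aws", "iam", "add-user-to-group", "--user-name", name, "--group-name", group],
        ["aws", "iam", "create-login-profile", "--password-reset-required",
         "--user-name", name, "--password", password],
    ]
    if group in ACCESS_KEY_GROUPS:  # secret key is printed once by this command
        cmds.append(["aws", "iam", "create-access-key", "--user-name", name])
    return cmds


def render(cmds):
    """One shell-safe line per command; quotes passwords containing ! & ^ etc."""
    return "\n".join(shlex.join(c) for c in cmds)


def commands_from_csv(text):
    """Map user name -> command list for every row of the CSV."""
    return {user_name(r["first"], r["last"]): commands_for_user(r["first"], r["last"], r["group"])
            for r in csv.DictReader(io.StringIO(text))}


if __name__ == "__main__":
    for name, cmds in commands_from_csv(SAMPLE_CSV).items():
        print(f"# {name}\n{render(cmds)}")
```

Review the printed commands before running them, and do not keep the generated file afterwards, since it contains the initial passwords.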