Learn About Amazon VGT2 Learning Manager Chanci Turner
One of the key security practices that can be challenging to implement effectively is the regular rotation of IAM access keys for IAM users. These access keys allow users to connect to Amazon EC2 instances, making it essential to rotate them regularly, ideally every 90 days, to safeguard your resources against unauthorized access. However, in larger organizations that manage numerous IAM users across multiple AWS accounts, maintaining this routine can often fall by the wayside without dedicated personnel overseeing the process.
To enforce compliance, AWS Config offers an automatic remediation feature. This feature utilizes AWS Systems Manager automation documents that AWS Config invokes when it detects non-compliant resources. Although these steps are primarily designed to correct compliance issues, we can also leverage them to create a notification system.
In this article, I will guide you through setting up Systems Manager and AWS Config for automatic remediation while integrating a centralized notification system. Additionally, I will explore options for further processing.
Prerequisites
Multi-account management
This guide assumes you are utilizing AWS Organizations or have established a master account to monitor and consolidate results from other accounts within your organization. For this purpose, AWS CloudFormation StackSets will be used to deploy and execute stacks from the master account to the target accounts. If you prefer not to use StackSets, you can deploy Step 2 as individual stacks in each target account.
If you are using AWS Organizations, you will require your Organization ID. You can find this by signing into the management account in the AWS Organizations console, where it is displayed on the left side. Conversely, if you are not using AWS Organizations but have a master account overseeing target accounts, you will need a list of the AWS account IDs for those target accounts.
For deployment via StackSets, ensure that appropriate permissions are configured in both the master and target accounts. If you are not utilizing AWS Organizations or prefer to manage IAM roles manually, consider setting up self-managed permissions. Alternatively, service-managed permissions are available if using AWS Organizations.
AWS Config configuration
Ensure AWS Config is enabled in both your master and target accounts. Additionally, verify that your configuration monitors all global resources or at least the IAM user resources. For further guidance, refer to the getting started with AWS Config documentation. To view aggregated results from all target accounts in the AWS Config console of your master account, you must authorize it to aggregate results.
Solution Overview
The proposed solution hinges on a master account from which you can oversee and manage IAM users across various target accounts. In each target account, an automatic remediation is added to the AWS Config rule for access key rotation. This remediation triggers a Systems Manager automation document that identifies the user and publishes notifications to Amazon SNS for further action.
Here’s how the process unfolds:
- AWS Config executes the rule in each target account and invokes the SSM automation document for each non-compliant resource.
- The automation document performs the following:
  - Resolves the IAM user name from the IAM user resource ID using an API call.
  - Publishes a tailored message to an SNS topic in the master account.
Further processing and customization can be achieved through Amazon Simple Queue Service (Amazon SQS) queues, Jira, Slack, AWS Lambda, AWS tagging, and more. AWS Config calls the remediation automation document, passing the non-compliant ResourceId and an IAM role called AutomationAssumeRole, which provides necessary permissions for executing the automation document.
The first step in the automation document resolves the corresponding IAM user name (e.g., AliceAdmin) from the IAM user ResourceId (e.g., AIDAAXW). This is done with the aws:executeAwsApi action, which allows API calls to be executed without the need for additional infrastructure. In our case, it performs the equivalent of the AWS CLI command `aws configservice list-discovered-resources`.

```yaml
- name: configStep
  action: "aws:executeAwsApi"
  inputs:
    Service: config
    Api: ListDiscoveredResources
    resourceType: "AWS::IAM::User"
    resourceIds:
      - "{{ResourceId}}"
  outputs:
    - Name: configUserName
      Selector: "$.resourceIdentifiers[0].resourceName"
      Type: String
```
The next step in the automation document formulates a message for the SNS topic, incorporating the account ID through the SSM system variable global:ACCOUNT_ID. It also includes the user name from the previous step, referenced as step-name.Output-name (e.g., configStep.configUserName), in the message.

```yaml
- name: publishMessage
  action: "aws:executeAutomation"
  maxAttempts: 1
  timeoutSeconds: 30
  onFailure: Abort
  inputs:
    DocumentName: AWS-PublishSNSNotification
    RuntimeParameters:
      TopicArn: !Ref SNSTopic
      Message: Account "{{global:ACCOUNT_ID}}" User "{{configStep.configUserName}}" needs to rotate their access key.
```
The aws:executeAutomation action is used to trigger other automation documents. Here, we invoke the AWS managed automation AWS-PublishSNSNotification, which publishes the message to Amazon SNS.
Walkthrough
Here are the steps to follow:
- Deploy an AWS CloudFormation stack to configure the master account with an SNS topic.
- Deploy an AWS CloudFormation stack to set up the target accounts, which includes:
  - Setting up IAM roles
  - Creating the SSM automation document
  - Enabling the AWS Config rule for access key rotation
  - Linking the automation document as the automatic remediation step
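As an added example that is not part of the article or its CloudFormation templates, the following CloudFormation fragment shows how the target-account stack in Step 2 can wire the pieces together: a least-privilege role that AWS Config passes to the document as AutomationAssumeRole, the managed ACCESS_KEYS_ROTATED rule with the 90-day threshold, and the remediation configuration that hands the non-compliant ResourceId to the document. The logical name RotationNotifyDocument (the AWS::SSM::Document holding the two steps shown above), the role and policy names, and the topic ARN are assumptions; the policy is an assumed minimal set and may need adjusting for your environment.

```yaml
Resources:
  AutomationRole:  # assumption: passed to the document as AutomationAssumeRole
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: RotationNotifyLeastPrivilege  # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow  # configStep: resolve the resource ID to a user name
                Action: config:ListDiscoveredResources
                Resource: "*"
              - Effect: Allow  # publishMessage: start and poll the managed document
                Action: [ssm:StartAutomationExecution, ssm:GetAutomationExecution]
                Resource: "*"
              - Effect: Allow  # publish only to the master account's topic (placeholder ARN)
                Action: sns:Publish
                Resource: arn:aws:sns:us-east-1:111111111111:AccessKeyRotationTopic
  AccessKeysRotatedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      InputParameters:
        maxAccessKeyAge: 90  # the 90-day rotation threshold from the article
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
  AccessKeysRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref AccessKeysRotatedRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref RotationNotifyDocument  # assumption: AWS::SSM::Document with the two steps
      Automatic: true
      MaximumAutomaticAttempts: 1
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt AutomationRole.Arn
        ResourceId:
          ResourceValue:
            Value: RESOURCE_ID  # Config substitutes the non-compliant IAM user's resource ID
```

Because Automatic is true, every evaluation that marks an IAM user non-compliant starts one automation execution, so notifications arrive per user rather than per account.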
Let’s get started!
Step 1: Deploy to the master account
Download the AWS CloudFormation template AccessKeyRotationParentAccount.yaml and save it locally. Go to the AWS CloudFormation console, select “Stacks” on the sidebar, and choose “Create Stack” followed by “With new resources (standard).”
On the “Create Stack” page, upload the saved template file and click “Next.”
On the stack details page:
- Enter AccessKeyRotationMaster as the stack name.
- Select the MultiAccountMethod to indicate whether you will use AWS Organizations or a list of target accounts.
- Provide either the AWS Organizations ID or a comma-separated list of target account IDs.
- Click “Next.”
On the “Configure Stack Options” page, add any necessary tags and select “Next.” Review the information provided and click “Create Stack” to submit your configuration.