10 Steps To a Read Only AWS User

Amazon has released many features in the last two years, but likely no feature more important to my personal peace of mind than Identity & Access Management (IAM). Before IAM, we had two types of access to our AWS infrastructure: none and administrator. It's amazing I was able to sleep in those pre-IAM days, with an entire team walking around with global credentials. It's sort of like the President of the United States granting access to the nuclear weapons codes to his cabinet, the congressional leadership, the First Family, and... hey, why not... the First Dog.

Below is the 10 steps to creating a read-only user that can view all infrastructure, including monthly bills.

Step 1: Login to AWS Console
Login to the Amazon AWS Console and go to the IAM service for your account.

iam

Step 2: Create Group
Click on Create a New Group of Users.

create group

Enter a name for your new group (e.g. ReadOnlyUser) and click Continue.

name group

Step 3: Set Group Policy
Select Custom Policy and click Select. Unfortunately the default read-only policy of the wizard does not allow read-only access to usage and activity reports, so we'll create our own policy.

custom policy

Step 4: Set Custom Policy
Give the policy a name (e.g. ReadOnlyUserPolicy), and cut and paste the below policy into the Policy Document.

custom policy

{  
    "Statement": [  
      {  
        "Effect": "Allow",  
        "Action": [  
          "aws-portal:ViewBilling",  
          "aws-portal:ViewUsage",  
          "autoscaling:Describe*",  
          "cloudformation:DescribeStacks",  
          "cloudformation:DescribeStackEvents",  
          "cloudformation:DescribeStackResources",  
          "cloudformation:GetTemplate",  
          "cloudfront:Get*",  
          "cloudfront:List*",  
          "cloudwatch:Describe*",  
          "cloudwatch:Get*",  
          "cloudwatch:List*",  
          "dynamodb:GetItem",  
          "dynamodb:BatchGetItem",  
          "dynamodb:Query",  
          "dynamodb:Scan",  
          "dynamodb:DescribeTable",  
          "dynamodb:ListTables",  
          "ec2:Describe*",  
          "elasticache:Describe*",  
          "elasticbeanstalk:Check*",  
          "elasticbeanstalk:Describe*",  
          "elasticbeanstalk:List*",  
          "elasticbeanstalk:RequestEnvironmentInfo",  
          "elasticbeanstalk:RetrieveEnvironmentInfo",  
          "elasticloadbalancing:Describe*",  
          "iam:List*",  
          "iam:Get*",  
          "route53:Get*",  
          "route53:List*",  
          "rds:Describe*",  
          "s3:Get*",  
          "s3:List*",  
          "sdb:GetAttributes",  
          "sdb:List*",  
          "sdb:Select*",  
          "ses:Get*",  
          "ses:List*",  
          "sns:Get*",  
          "sns:List*",  
          "sqs:GetQueueAttributes",  
          "sqs:ListQueues",  
          "sqs:ReceiveMessage",  
          "storagegateway:List*",  
          "storagegateway:Describe*"  

        ],  
        "Resource": "*"  
      }  
    ]  
  }

Click Continue when ready.

Step 5: Add Users To Group
Click on the Create New Users tab, enter a user name (e.g. readonlyuser) and click Continue.

add user to group

Review the final information on your new group and click Finish to complete the process.

Step 6: Download Credentials
Click on Download Credentials to download the keys for your read only user. Store these in a save location on your computer.

download creds

Step 7: Enable Console Access
Click on Users from the navigation menu and select the newly created user.

goto users

In the bottom pane, click Manage Password and assign a custom password of your choosing for this user.

assign password

Step 8: Enable CSV Reports
From the Account page, click on Billing Preferences.

billing preferences

Click on Sign Up Now to turn on the generation of CSV reports for your account.

csv reports

Step 9: Enable Console Access For User
From the Account page, click on Manage Your Account.

manage account

Click on the check boxes to enable the account activity and usage pages, and click Activate Now.

iam console access

Step 10: Create Console Alias (Optional)
We suggest you setup an alias for your account that will be easy for you to remember. To do this, click on the IAM Dashboard and choose to set an alias web address for your account.

change alias


If you'd like an easier way to do steps 1-6, feel free to use my CloudFormation template. CloudFormation is a great concept, but its implementation is still very limited. Call me when I can automate steps 7-10. ;)

comments powered by Disqus
by Joe Kinsella