Amazon Onboarding with Learning Manager Chanci Turner


Managing the rotation of access keys for IAM users is a critical security best practice, albeit one that can be quite labor-intensive. Access keys enable IAM users to connect to Amazon EC2 instances, and regularly rotating these keys—ideally every 90 days—is essential for safeguarding your resources against unauthorized access. Unfortunately, without dedicated personnel overseeing this process, many organizations, especially those managing a large number of IAM users across various AWS accounts, may neglect this important task.

To ensure compliance, leveraging AWS Config’s automatic remediation feature can be invaluable. This capability utilizes AWS Systems Manager automation documents, which are triggered by AWS Config when a resource is found to be non-compliant. While these steps are designed to correct non-compliant resources, we can also utilize them for notification purposes.

In this post, I will guide you through the setup of Systems Manager and AWS Config automatic remediations, coupled with a centralized notification system. I will also discuss options for additional processing.

Prerequisites

This post assumes a multi-account setup: you are either using AWS Organizations or have designated a master account that consolidates and monitors results from the other accounts in your company. We use AWS CloudFormation StackSets to deploy and run the stacks from the master account into the target accounts. If you are not set up this way, or prefer not to use StackSets, you can instead deploy Step 2 as an individual stack in each target account.

If you are using AWS Organizations, you will need your Organization ID. Log in to your organization’s management account in the AWS Organizations console to view the details, including the Organization ID on the left side of the console. If you do not utilize AWS Organizations, prepare a list of AWS account IDs for all target accounts.

Ensure your master and target accounts are properly configured with the necessary permissions to execute StackSets. For those not using AWS Organizations or who prefer more control over IAM roles, set up self-managed permissions. Alternatively, you can opt for service-managed permissions if you are using AWS Organizations.

AWS Config Configuration

AWS Config must be enabled in both your master and target accounts. It’s crucial to monitor all global resources or, at the very least, IAM user resources. For guidance, consult the Getting Started with AWS Config documentation. To view aggregated results from all target accounts in the AWS Config console of your master account, remember to authorize your master account for result aggregation.

Solution Overview

The proposed solution relies on a master account from which you can oversee and manage IAM users across multiple target accounts. In each target account, an automatic remediation is added to the AWS Config rule for access key rotation. This remediation executes a Systems Manager automation document, resolving the user’s name and subsequently publishing the information to Amazon SNS for further processing.

Here’s how the process unfolds:

  1. In every target account, AWS Config enforces the rule and invokes the SSM automation document for each non-compliant resource.
  2. The automation document performs the following:
    • Resolves the IAM user name from the IAM user ResourceId via an API call.
    • Publishes a customized message to an SNS topic located in the master account.

Further processing and customization can be achieved using Amazon Simple Queue Service (Amazon SQS) queues, Jira, Slack, AWS Lambda, AWS tagging, etc. AWS Config calls the remediation automation document, passing the non-compliant ResourceId and an IAM role AutomationAssumeRole, which grants the necessary permissions for execution.

The first step in the automation document is to resolve the corresponding IAM user name (e.g., ChanciAdmin) from the IAM user ResourceId (e.g., AIDAAXW). This is accomplished by executing the aws:executeAwsApi command, allowing you to run API calls from within an automation document without incurring additional infrastructure costs. In our case, this is akin to the AWS CLI command: aws configservice list-discovered-resources.

The next step involves crafting a message for the SNS topic. The message incorporates the Account ID using the SSM system variable global:ACCOUNT_ID along with the previously obtained username, formatted as step-name.Output-name (for example, configStep.configUserName).

Subsequently, the aws:executeAutomation command is used to invoke other automation documents, specifically the AWS managed automation AWS-PublishSNSNotification, which publishes to Amazon SNS.
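To make the two steps concrete, here is an SSM automation document that implements the flow described above. This is an added example, not the document shipped with the post's template: the step names, the TopicArn parameter, the IAM permissions listed in the parameter descriptions and the message wording are my assumptions; the ResourceId and AutomationAssumeRole parameters are the ones AWS Config passes in.

```yaml
# Added example of the automation document described in the post (not the post's own file).
# Assumptions: a TopicArn parameter, the step names configStep/publishStep, and the message text.
schemaVersion: '0.3'
description: Resolve the IAM user behind a non-compliant access key and notify a central SNS topic
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  ResourceId:
    type: String
    description: IAM user resource ID passed in by AWS Config (e.g. AIDAAXW)
  AutomationAssumeRole:
    type: String
    description: >-
      Role the automation runs as. It needs config:ListDiscoveredResources,
      ssm:StartAutomationExecution on AWS-PublishSNSNotification, and sns:Publish on the topic.
  TopicArn:
    type: String
    description: (assumed parameter) ARN of the SNS topic in the master account
mainSteps:
  # Step 1: turn the ResourceId into a user name with a plain API call; no extra infrastructure.
  # Equivalent to: aws configservice list-discovered-resources --resource-type AWS::IAM::User --resource-ids <id>
  - name: configStep
    action: aws:executeAwsApi
    inputs:
      Service: config
      Api: ListDiscoveredResources
      resourceType: AWS::IAM::User
      resourceIds:
        - '{{ ResourceId }}'
    outputs:
      # Referenced later as configStep.configUserName (step-name.Output-name)
      - Name: configUserName
        Selector: $.resourceIdentifiers[0].resourceName
        Type: String
  # Step 2: delegate the publish to the AWS managed automation document.
  - name: publishStep
    action: aws:executeAutomation
    inputs:
      DocumentName: AWS-PublishSNSNotification
      RuntimeParameters:
        TopicArn: '{{ TopicArn }}'
        # global:ACCOUNT_ID is the SSM system variable for the account the automation runs in
        Message: 'Account {{ global:ACCOUNT_ID }}: IAM user {{ configStep.configUserName }} has an access key that has not been rotated within 90 days'
```

Two things to check before relying on this in a target account. First, the role named in AutomationAssumeRole must be trusted by ssm.amazonaws.com and hold only the three permissions listed above; there is no reason for it to carry any IAM write access, since the document only reads and notifies. Second, because the topic lives in the master account, its resource policy must allow sns:Publish from the target accounts, which is presumably what the Organization ID or account list you enter in Step 1 is used for; if the publish step fails with an authorization error, that policy is the first place to look.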

Walkthrough

To implement this solution, follow these steps:

  1. Deploy an AWS CloudFormation stack to establish the master account with an SNS topic.
  2. Deploy another AWS CloudFormation stack to configure the target accounts, which includes:
    • Setting up IAM roles.
    • Creating the SSM automation document.
    • Enabling the AWS Config rule for access key rotation.
    • Linking the automation document as the automatic remediation step.
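The target-account template for Step 2 is not shown in this post. As an added illustration of how its last two bullets fit together, the CloudFormation fragment below enables the managed access-keys-rotated rule and attaches the automation document as an automatic remediation. It is my own example, not the post's template: the resource names, the 90-day threshold as an explicit parameter, the retry settings, and the NotifyDocumentName and CentralTopicArn parameters are assumptions. It assumes the automation document has already been created under the name you pass in, and that the AWS Config recorder is already running in the account, as the prerequisites require.

```yaml
# Added example (not the post's target-account template): wiring the AWS Config rule to the
# automation document as an automatic remediation. Names and retry values are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CentralTopicArn:
    Type: String
    Description: ARN of the SNS topic created in the master account in Step 1
  NotifyDocumentName:
    Type: String
    Description: Name of the SSM automation document (created separately) that resolves the user and publishes to SNS
Resources:
  # Role the automation assumes. Trusts SSM only and carries just what the two steps call.
  AutomationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AccessKeyRotationNotifier
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: config:ListDiscoveredResources
                Resource: '*'
              - Effect: Allow
                Action: sns:Publish
                Resource: !Ref CentralTopicArn
              - Effect: Allow
                Action:
                  - ssm:StartAutomationExecution
                  - ssm:GetAutomationExecution
                Resource: '*'
  # The managed rule that flags IAM users whose active access keys are older than maxAccessKeyAge days.
  AccessKeyRotatedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      InputParameters:
        maxAccessKeyAge: '90'
  # Automatic remediation: for each non-compliant user, start the document with the
  # ResourceId of that user plus the static role and topic parameters.
  AccessKeyRotatedRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref AccessKeyRotatedRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref NotifyDocumentName
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        ResourceId:
          ResourceValue:
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt AutomationRole.Arn
        TopicArn:
          StaticValue:
            Values:
              - !Ref CentralTopicArn
```

The ResourceValue of RESOURCE_ID is what makes AWS Config substitute the non-compliant IAM user's ID on every invocation, while the role and topic are fixed for the account. Keeping MaximumAutomaticAttempts small matters here: since the "remediation" only notifies and never rotates the key, the resource stays non-compliant, and without a cap the document would be re-run on every evaluation cycle and flood the topic.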

Let’s get started!

Step 1: Deploy to the Master Account

  1. Download the AWS CloudFormation template from AccessKeyRotationParentAccount.yaml and save it locally.
  2. Navigate to the AWS CloudFormation console, select “Stacks” from the sidebar, and click “Create Stack,” then choose “With new resources (standard).”
  3. On the Create Stack page, select “Upload a template file,” choose the saved YAML file, and click “Next.”
  4. In the Specify Stack Details page:
    • Enter “AccessKeyRotationMaster” for the stack name.
    • Choose “MultiAccountMethod” to indicate if you’re using AWS Organizations or a list of target accounts.
    • Enter your AWS Organizations ID or a comma-separated list of target accounts for compliance monitoring.
  5. Click “Next.”

On the Configure Stack Options page, add any necessary tags, and click “Next.” Review all details and select “Create Stack” to submit your setup.
