Creating an IAM User in Your AWS Account¶
A pfSense® AMI uses AWS Identity and Access Management (IAM) accounts for administration. Every AWS account includes at least one user. For security reasons, the root account should not be used for day-to-day administration. This section describes the process of creating and using an IAM user account for administering the pfSense AMI.
To find out more about AWS security and credentials read Understanding and Getting Your Security Credentials.
There are multiple methods for creating users in IAM. The recommended method is to use the AWS Management Console. The process of creating a user and enabling that user to perform work tasks consists of the following steps:
Create the user.
Create credentials for the user.
As a best practice, create only the credentials that the user needs. For example, for a user who requires access only through the AWS Management Console, do not create access keys.
For cloud security, it is considered best practice to limit access for the root user, so root is locked by default.
Grant the appropriate permissions to the user to administer the pfSense AMI.
Provide the user with the necessary sign-in information.
(Optional) Configure multi-factor authentication (MFA) for the user.
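One way to carry out the permissions step above with a customer managed policy (attached later on the Set permissions page), as an added example that is not part of the pfSense documentation: the policy lets the user view, start, stop and reboot only EC2 instances carrying an assumed Role=pfsense tag, and only from an MFA-authenticated session, while audit_policy flags the opposite pattern (wildcard actions, no MFA condition) in any policy about to be attached. The tag key and value and the action list are assumptions to adjust to the deployment.

```python
# Added example, not from the pfSense documentation. The tag key/value and the
# action list are assumptions; adjust them to how the pfSense instance is managed.
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}


def pfsense_admin_policy(tag_key="Role", tag_value="pfsense"):
    """Least-privilege IAM policy for a user who only administers the pfSense AMI."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Describe* calls do not support resource-level scoping, hence "*"
                "Sid": "ReadInventory",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
                "Resource": "*",
                "Condition": MFA_CONDITION,
            },
            {   # State changes only on instances carrying the assumed tag
                "Sid": "ManageTaggedInstances",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {f"ec2:ResourceTag/{tag_key}": tag_value},
                    **MFA_CONDITION,
                },
            },
        ],
    }


def audit_policy(policy):
    """Return findings for over-broad Allow statements (wildcard actions, no MFA)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "<no Sid>")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        mfa = stmt.get("Condition", {}).get("Bool", {})
        if mfa.get("aws:MultiFactorAuthPresent") != "true":
            findings.append(f"{sid}: no MFA condition")
    return findings
```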
Creating IAM Users (Console)¶
You can use the AWS Management Console to create IAM users. To create one or more IAM users (console):
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users and then choose Add user.
Type the user name for the new user. This is the name they will use to sign in to AWS. To add up to 10 users at once, choose Add another user for each additional user and type their user names.
User names can be a combination of up to 64 letters, digits, and these characters:
Names must be unique within an account and are not case sensitive.
Select AWS Management Console access. This creates a password for each new user.
For Console password, choose one of the following:
Autogenerated password. Each user gets a randomly generated password that meets the account password policy in effect (if any). You can view or download the passwords when you get to the Final page.
Custom password. Each user is assigned the password that you type in the box.
We recommend that you select Require password reset to ensure that users are forced to change their password the first time they sign in.
Click Next. On the Set permissions page, specify how you want to assign permissions to the new user(s). Choose one of the following three options:
Add user to group. Choose this option if you want to assign the user(s) to one or more groups that already have permissions policies. IAM displays a list of the groups in your account, along with their attached policies. You can select one or more existing groups, or choose Create group to create a new group.
Copy permissions from existing user. Choose this option to copy all access rights from an existing user to the new user(s).
Attach existing policies to user directly. Choose this option to see a list of the managed policies in your account. Select the policies that you want to attach to the new users or choose Create policy to open a new browser tab and create a new policy.
Choose Next: Review to see all of the choices you made up to this point. When you are ready to proceed, choose Create user.
To view the users’ access keys (access key IDs and secret access keys), choose Show next to each password and access key that you want to see. To save the access keys, choose Download .csv and then save the file to a safe location.
This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user’s new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.
On the final page you can choose Send email next to each user. Your local mail client opens with a draft that you can customize and send. The email template includes the following details for each user:
URL to the account sign-in page. Use the following example, substituting the correct account ID number or account alias:
https://AWS-account-ID or alias.signin.aws.amazon.com/console
The user’s password is not included in the generated email. You must provide it to the user in a way that complies with your organization’s security guidelines.