Creating an IAM User in an AWS Account¶
A pfSense® Plus AMI uses AWS Identity and Access Management (IAM) accounts for administration. Every AWS account includes at least one user. For security reasons, the root account should not be used for day-to-day administration. This section describes the process of creating and using an IAM user account for administering the pfSense® Plus AMI.
See also
To find out more about AWS security and credentials read Understanding and Getting Your Security Credentials.
There are multiple methods for creating users in IAM. The recommended method is to use the AWS Management Console. The process of creating a user and enabling that user to perform work tasks consists of the following steps:
Create the user.
Create credentials for the user.
As a best practice, create only the credentials that the user needs. For example, for a user who requires access only through the AWS Management Console, do not create access keys.
Note
For cloud security, the best practice is to limit access to the root account, so the root account is locked by default.
Grant the appropriate permissions to the user to administer the pfSense® Plus AMI.
Provide the user with the necessary sign-in information.
(Optional) Configure multi-factor authentication (MFA) for the user.
Creating IAM Users (Console)¶
The AWS Management Console can create IAM users.
To create one or more IAM users (console):
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users and then choose Add user.
Type the user name for the new user. This is the name they will use to sign in to AWS. To add up to 10 users at once, choose Add another user for each additional user and type their user names.
User names can be a combination of up to 64 letters, digits, and these characters:
+=,.@-
Names must be unique within an account and are not case sensitive.
Select AWS Management Console access. This creates a password for each new user.
Choose one of the following options for Console password:
- Autogenerated password:
Each user gets a randomly generated password that meets the account password policy in effect (if any).
Note
The final page allows viewing or downloading the passwords.
- Custom password:
Each user is assigned the password typed in the box.
Tip
The best practice is to select Require password reset to ensure that users are forced to change their password the first time they sign in.
Choose Next. On the Set permissions page, specify how to assign permissions to the new user or users. Choose one of the following three options:
- Add user to group:
Choose this option to assign the user(s) to one or more groups that already have permissions policies. IAM displays a list of the groups in the account, along with their attached policies.
Select one or more existing groups or choose Create group to create a new group.
- Copy permissions from existing user:
Choose this option to copy all access rights from an existing user to the new user(s).
- Attach existing policies to user directly:
Choose this option to see a list of the managed policies in the account. Select the policies to attach to the new users or choose Create policy to open a new browser tab and create a new policy.
Choose Next: Review to see all of the choices made up to this point. Choose Create user to proceed.
If access keys were created for a user, choose Show next to each password and access key to view them (access key ID and secret access key). To save the access keys, choose Download .csv and then store the file in a secure location.
Danger
This is the only opportunity to view or download the secret access keys, and users must have this information before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place.
There is no way to access the secret keys again after this step.
Choose Send email next to each user to send a message with account information. This opens a local mail client with a draft that can be customized and sent. The email template includes the following details for each user:
User name
URL to the account sign-in page, in the following form, substituting the account ID number or account alias:
https://<AWS-account-ID-or-alias>.signin.aws.amazon.com/console
Important
The user’s password is not included in the generated email as email is not a secure communications channel. Provide passwords to the user in a secure way that complies with security policies set by the organization.
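The same procedure, both the overview steps (create the user, create only the credentials the user needs, grant permissions, hand over sign-in details, enable MFA) and the console walkthrough above, can be driven from the AWS CLI. The script below is an added example and is not part of the Netgate documentation or the pfSense® Plus AMI. It assumes AWS CLI v2 and openssl are installed, that the calling credentials can manage IAM (an existing administrator user, not the root account), and that the group already exists with its permissions policies attached. The user name `pfsense-admin` and group name `pfsense-admins` are placeholders.

```shell
#!/bin/sh
# Added example, not from the Netgate docs: create a console-only IAM
# administrator with the AWS CLI. Assumes AWS CLI v2 + openssl, and calling
# credentials that may manage IAM. User/group names below are placeholders.
set -eu

# IAM user-name rule from the page: 1-64 characters drawn from
# letters, digits and + = , . @ -
iam_username_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+=,.@-]{1,64}$'
}

# Console sign-in URL for an account ID or account alias.
signin_url() {
    printf 'https://%s.signin.aws.amazon.com/console\n' "$1"
}

# Console-only administrator: password that must be changed at first sign-in,
# permissions inherited from a group, no access keys, virtual MFA enrolled.
create_console_admin() {
    user="$1"
    group="$2"
    iam_username_ok "$user" || { echo "invalid IAM user name: $user" >&2; return 1; }

    aws iam create-user --user-name "$user" >/dev/null

    # Random initial password (never e-mailed; delivered out of band).
    initial_pw="$(openssl rand -base64 24)"
    aws iam create-login-profile --user-name "$user" \
        --password "$initial_pw" --password-reset-required >/dev/null

    # "Add user to group": permissions come from the group's policies.
    aws iam add-user-to-group --user-name "$user" --group-name "$group"

    # No access keys: a console-only user does not need them.

    # Virtual MFA device. The QR code PNG carries the TOTP seed, so it is
    # removed once enrollment succeeds.
    serial="$(aws iam create-virtual-mfa-device --virtual-mfa-device-name "$user" \
        --outfile "./${user}-mfa.png" --bootstrap-method QRCodePNG \
        --query VirtualMFADevice.SerialNumber --output text)"
    printf 'Scan ./%s-mfa.png in an authenticator app, then enter two consecutive codes.\n' "$user"
    printf 'Code 1: '; read -r code1
    printf 'Code 2: '; read -r code2
    aws iam enable-mfa-device --user-name "$user" --serial-number "$serial" \
        --authentication-code1 "$code1" --authentication-code2 "$code2"
    rm -f "./${user}-mfa.png"

    account="$(aws sts get-caller-identity --query Account --output text)"
    echo "User:     $user"
    echo "Sign-in:  $(signin_url "$account")"
    echo "Password: deliver '$initial_pw' over a secure channel, not e-mail"
}

# Only touch AWS when explicitly requested, so the helper functions can be
# sourced or tested without credentials.
if [ "${RUN_AWS:-0}" = "1" ]; then
    create_console_admin "${1:-pfsense-admin}" "${2:-pfsense-admins}"
fi
```

Run it as `RUN_AWS=1 sh create-console-admin.sh jsmith pfsense-admins`. The `--password-reset-required` flag matches the console's Require password reset option, the group step matches "Add user to group", and no `create-access-key` call is made, in line with the advice to create only the credentials the user needs. Uniqueness of the user name is enforced by `create-user` itself, which fails if the name already exists (names are compared case-insensitively).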