Using IAM Roles

AWS IAM Roles are used to delegate access to users, applications, or services that require controlled access to AWS resources. IAM Roles should be used to manage all pfSense® instances. This unique role can be specified when launching a new instance, or attached to an existing instance.

The AWS Management Console is the recommended method for creating roles for use with pfSense. It is also recommended to create these roles based on the principle of least privilege, also known as the principle of least authority, which is the assignment of lowest needed privileges based on necessity. The below instructions attempt to follow this principle.

Create Policy for pfSense Management IAM Role

Create a custom policy that will be associated with an IAM role allowing access to the pfSense Management GUI running on an EC2 Instance.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the console, select Policies then choose Create Policy.

  3. Drop down the Service menu and select EC2.

  4. In the Actions dropdown check the box next to All EC2 actions (ec2:)

    Note

    If stricter policies are required for the actions that can be performed on the pfSense EC2 Instance, these can be set here.

  5. Select the Resources dropdown arrow and review resulting warnings.

  6. Click the All resources bubble

  7. Select Review policy.

  8. Populate the Name field (e.g. pfSense_EC2_Access) and Description, if desired.

    Note

    Policy names must be unique within the AWS account, and the name of the policy cannot be changed once created.

  9. Select Create Policy.

Create IAM Role for pfSense Management

Create a role that an IAM user, or users within an IAM Group, can assume and use to connect to and manage pfSense running on an EC2 Instance.

Note

The administrator of the specified account can grant permission to assume this role to any IAM user in that account. To do this, the administrator attaches a policy to the user or a group that grants permission for the sts:AssumeRole action. That policy must specify the role’s ARN as the Resource.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the console, select Roles then choose Create Role.

  3. Select the Another AWS account role type.

  4. In the Account ID field, type the AWS account ID that will be allowed to access the destination resource.

  5. The Require external ID checkbox should remain cleared unless granting permissions to users from an account that you do not control. Reference AWS Documentation for External ID Roles in the event this is required.

  6. It is recommended to restrict the role to users who sign in with multi-factor authentication (MFA). Select Require MFA to add a condition to the role’s trust policy to require MFA sign-in.

  7. Select Next: Permissions.

  8. Type the name of the previously created Custom policy in the search field. Check the box next to the correct Policy name.

  9. Select Next:Tags

    Note

    IAM tags are key-value pairs that can be used to organize, track, or control access for this role. This is an optional step. More information can be found within AWS Documentation for Tagging IAM Entities.

  10. Select Next: Review.

  11. Populate the Role name field (e.g. pfSense_Admin) and Role description if desired.

    Note

    Role names must be unique within the AWS account, and the name of the role cannot be changed once created.

  12. Review remaining configured settings then select Create role.

This role can now be assigned to an IAM User or all users in an IAM group allowing secure administrative access to the EC2 Instance(s) containing pfSense.