Assignment 1: Establishing an Amazon Web Services (AWS) id

Assignment value: 2% of total course grade.

Assignment evaluation: Full credit will be awarded for creating a root AWS id. For safety purposes, we recommend that you at least add MFA (Step 2) and preferably IAM (Step 3). But these steps are not required.

Assignment due: Sunday Jan. 12, 23:59.

Turn in

Upload to CourSys a screen shot of your signon.

Description

During the course, you will be doing exercises to gain familiarity with Amazon Web Services (AWS). The larger programming projects will all be done on Cloud474, where you won’t be charged for computation and we can control the environment. But we also want to give you experience using basic AWS services, whether through their Web-based console interfaces or making simple calls from Python. To do this, you first need an AWS id. In fact, I recommend that you create both a root ID and an IAM id. I’ll explain the difference below.

This week’s exercise is administrative: You will create an AWS user id and set its security parameters. This is at once both trivial and tedious. It takes several hours of work and at the end you won’t have a single line of code to show for it. But it is a prerequisite for every use of AWS in the coming weeks, so best to start now.

Steps to getting an AWS ID and IAM id

Step 1: Set up your root AWS account

Although you can use the same email address for your AWS Id as you use for your Amazon id, your AWS Id needs you to enter a password and credit card number. You can use the same password and credit card as you use for Amazon.com or you can use different ones. I recommend at least using a separate password, on the general security principle that every site should have a distinct passsword.

Why you should care about AWS security

You could just stop here. But I recommend that you follow through with the following steps. Your AWS id is backed by your credit card. As your system is currently configured, anyone who knows your AWS password can run huge computations on the service— at your expense. If you uncover this situation, your only recourse will be to delete your account to prevent future misuse and pay the large bill.

You can increase protection in two ways:

Amazon’s many forms of security can be confusing. They provide a summary of all their credential types.

Step 2: (Optional) Set up multifactor authentication

AWS allows you to set up multifactor authentication for your accounts. Steve Gibson (of Security Now) describes multifactor authentication as, “Something you know and something you have”. It increases the security of your account beyond just a password (something you know) by adding the requirement that a user has to have your phone (something you have) to login. Google provides a simple description—but note that clicking on the “Get Started” link on that page will add MFA to your Google account, not your AWS account.

The most straightforward way to add your smart phone to your AWS authentication is to download Google’s Authenticator app (see the “Virtual MFA Applications” list) and configure your AWS account to use it for sign on to your root account.

You can do everything you need from your Amazon account id but some security issues remain. If someone hacks your account you have no way of turning it off. A more secure solution is to set up a separate account under AWS’s Identity and Access Management (IAM) and do all your work from there. If someone hacks into your IAM account, you can sign in to your root AWS account, disable the hacked IAM account, and create a fresh IAM account to work from.

Amazon describes the differences between a root id and IAM id.

Added Wed Jan. 8 There are some subtleties to IAM that can trip you up. Consider the following screen, taken while signed on as the root AWS ID, setting up an IAM id:

IAM set up screen

The top right corner of the screen lists my root ID (I’ve obscured it under a red box for security purposes). The middle left shows that I’ve set up MFA and password policies for my root id. The middle right shows that I’ve created a group and a user for IAM. You have to create a group first, then add an IAM user to that group. Give the group “Administrator Access” permissions—the highest level.

The lower left is the subtlest part. This lists the URL from which you sign on using your IAM id. Initially, it will include your AWS account number, so it will look like https://1234567890.signin.aws.amazon.com/console. That’s neither easy to type nor remember, so Amazon lets you set an “alias” by pressing a button just below the signing URL. You can pick anything you want, but it will have to be different from any other AWS user’s alias.

Once you have set your alias, say to chenaws then your signon will become https://chenaws.signin.aws.amazon.com/console. These are indicated by the red rectangles on the lower left.

Now when you want to sign in to AWS using your IAM id, put the above URL into your browser. Then AWS will ask you for your IAM id and password and (if you’ve set MFA on the IAM id) then your MFA number.

Step 4 (Optional) Give your IAM account access to your AWS billing pages

If you’re doing all your work from an IAM account, it is annoying to have to sign in to your original AWS account to find out how much you’ve used the system in the past month. By default, your IAM ids cannot access your AWS billing pages—even if you give the IAM id full privileges.

To give your IAM account billing access:

Now you will be able to do everything you need, including check whether you’ve exceeded the Free Tier, from your IAM id. You can keep your root AWS id in reserve in case the IAM id is hacked.