Establish IAM Users and Minimal Configuration in New AWS Account
Minimal IAM Setup
When a new AWS Account is created, only the Root Account User exists. As a security best practice, AWS destroys the IAM Access Keys for the Root Account User so that the Root Account User cannot be used to access AWS APIs. To ensure the security of your Root Account User, it is prudent to set up multi-factor authentication on this account. To do so, click on Dashboard and then select Manage MFA. This page provides more information about AWS' MFA capabilities. As well as setting up MFA, it is strongly recommended to ensure a password policy exists for every user. This can be done in the IAM console by selecting Account Settings and then selecting the necessary policies. A minimum of 8 characters, with at least one lowercase letter, one uppercase letter, one number and one symbol required, is suggested.
An IAM User, together with IAM Access Keys, must be created to be able to use the Account through AWS APIs. Upon creation of a new AWS Account, we want to manually undertake the minimum possible IAM setup so that the 47Lining Nucleator toolkit can programmatically complete the remaining required IAM setup and configure the Account. This consists of creating a single IAM User and obtaining IAM Access Keys for that user. By convention, we name this IAM User NucleatorUser. NucleatorUser does not require a password or the ability to log into the AWS Management Console. You will just need to provide the IAM Access Keys (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) obtained for NucleatorUser in the configuration process for the 47Lining Nucleator Toolkit. When creating NucleatorUser, you must provide a specific access policy with minimal permissions. It is suggested to create a group called NucleatorBootstrapGroup, add the necessary policies to that group, and then assign NucleatorUser to NucleatorBootstrapGroup. Use the AWS Management Console to assign the following policy to NucleatorBootstrapGroup:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1424722650000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
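As an added check that is not part of the Nucleator toolkit, the following Python script lints a policy document before it is attached to NucleatorBootstrapGroup: it reports any action outside the allowlist above, any wildcard action, any statement that is not an Allow, and any NotAction/NotResource element. The function name lint_bootstrap_policy and the DRIFTED_POLICY sample are assumptions made for this example.

```python
import json

# Actions the bootstrap policy in this document grants (copied from the policy above).
# AWS matches action names case-insensitively, so the allowlist is kept in lower case.
ALLOWED_ACTIONS = {a.lower() for a in (
    "iam:CreateRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetRolePolicy",
    "iam:ListRolePolicies", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
    "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones",
)}


def _as_list(value):
    """IAM accepts a single string or object where a list is expected; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_bootstrap_policy(policy_json: str) -> list:
    """Return findings for anything wider than the minimal bootstrap grant.
    An empty list means every statement is an Allow of allowlisted actions only.
    (Function name is assumed for this example.)
    """
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {stmt.get('Effect')!r}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource widen the grant")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: {action!r} is outside the bootstrap allowlist")
    return findings


# Constructed sample: the document's first statement plus a statement that a later edit
# might have added. The linter flags the wildcard and the non-allowlisted action.
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:GetRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*", "s3:ListAllMyBuckets"], "Resource": "*"},
    ],
})
```

Run it against the policy JSON you are about to attach, and again against the document shown in the console after saving, so that any later widening of the group's permissions is caught before NucleatorUser's keys are handed to the toolkit.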
Checklist
Using the AWS Console, perform the following minimal steps within your AWS Account:
Next: Use the Nucleator Setup Wizard to Create an Initial Siteconfig