When creating AWS IAM users, we need to share the initial credentials with AWS users. However, we must do this through an encrypted transmission. We do this by sharing the credentials in a Google Sheet through Google Drive. Google Drive uses AES-128 encryption. In using GDrive, we want to avoid using the email notification mechanism as it includes a preview of the file in the email (it’s still encrypted, though).
You will share the following information in the file:
- User Name
- Initial Password
- Access Key Id
- Secret Access Key
Here are some ways to share credentials with new users:
- Don’t share the file, but give them a link to the file (they’ll need to request your explicit permission). This way it won’t show up in an email preview.
- Create a PDF (and/or ZIP) of the file and maybe add a password to it (might be overkill) and share it in GDrive. This way it won’t show up in an email preview.
- Just share it with their Google userid and tell them it’s in their recent file listing with the name “xyz” (i.e. don’t use the GDrive automatic email notification or email it to them yourself).
Here’s an example email:
Here’s your IAM access to the AWS Pied Piper Labs account for your use. The name of the file is listed as “smith_bob_iam” in Google Drive.
After logging in, you will also change your password, add a new Access Key, and delete your old one. Once you’ve done this, I will give you IAM Group Access. You might create a new Google Sheet for managing this information, but don’t make changes (password, keys, etc.) to the Sheet that I created.
After logging in with your new password and group access, you will enable MFA. See http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html. You’ll need to do this before the end of today.
Let me know if you have any questions.
Do not assign an IAM group until you confirm that they’ve changed their password. All users must add MFA to their IAM account. Give them a few hours to do so; if they have not, revoke their IAM group access.
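The admin-side gate described in the last two paragraphs (confirm password change and key rotation before granting the group, then require MFA within a few hours or revoke the group) can be scripted rather than checked by hand. The following is an added example, not part of the original procedure or any AWS tooling. It assumes the user was created with a login profile that has PasswordResetRequired set (IAM clears that flag once the user sets their own password), that the initial Access Key Id from the Sheet is known to the admin, and it pins the procedure's "a few hours" to a 3-hour grace period; the key ids, account id and timestamps in the sample data are constructed placeholders, and the boto3 calls are only made by the two live helpers.

```python
"""Onboarding gate for the IAM credential hand-off (added example, not the original procedure)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# "A few hours" from the procedure, pinned to a concrete value here (assumption).
MFA_GRACE = timedelta(hours=3)


@dataclass
class UserState:
    """The subset of IAM API responses the gate needs."""
    user_name: str
    password_reset_required: bool                     # LoginProfile.PasswordResetRequired
    access_keys: list = field(default_factory=list)   # AccessKeyMetadata entries
    mfa_devices: list = field(default_factory=list)   # MFADevices entries


def password_changed(state: UserState) -> bool:
    # If the user was created with PasswordResetRequired=True, IAM clears the flag
    # once they set their own password at first sign-in (assumed onboarding setup).
    return not state.password_reset_required


def initial_key_rotated(state: UserState, initial_key_id: str) -> bool:
    # The key handed over in the Sheet must be deleted and exactly one active key remain.
    ids = {k["AccessKeyId"] for k in state.access_keys}
    active = [k for k in state.access_keys if k["Status"] == "Active"]
    return initial_key_id not in ids and len(active) == 1


def mfa_enabled(state: UserState) -> bool:
    return len(state.mfa_devices) > 0


def next_action(state: UserState, initial_key_id: str,
                group_granted_at: Optional[datetime], now: datetime) -> str:
    """Decide the admin's next step for one user.

    Before group access: grant only after password change and key rotation.
    After group access: require MFA within MFA_GRACE, otherwise revoke the group.
    """
    if group_granted_at is None:
        if password_changed(state) and initial_key_rotated(state, initial_key_id):
            return "grant_group"
        return "wait_for_password_and_key"
    if mfa_enabled(state):
        return "ok"
    if now - group_granted_at > MFA_GRACE:
        return "revoke_group"
    return "wait_for_mfa"


def fetch_state(user_name: str) -> UserState:
    """Live version: assumes admin credentials in the environment (boto3 imported lazily)."""
    import boto3
    iam = boto3.client("iam")
    profile = iam.get_login_profile(UserName=user_name)["LoginProfile"]
    return UserState(
        user_name=user_name,
        password_reset_required=profile.get("PasswordResetRequired", False),
        access_keys=iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"],
        mfa_devices=iam.list_mfa_devices(UserName=user_name)["MFADevices"],
    )


def apply_action(iam, user_name: str, group_name: str, action: str) -> None:
    """Apply a decision with a boto3 IAM client; the wait/ok actions need no API call."""
    if action == "grant_group":
        iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    elif action == "revoke_group":
        iam.remove_user_from_group(GroupName=group_name, UserName=user_name)


# Constructed sample data (placeholders, not real account data) covering each branch.
NOW = datetime(2024, 1, 1, 17, 0, tzinfo=timezone.utc)
INITIAL_KEY = "AKIAEXAMPLEINITIAL00"   # placeholder key id from the Sheet
ROTATED_KEYS = [{"AccessKeyId": "AKIAEXAMPLEROTATED01", "Status": "Active"}]
MFA_DEVICE = [{"SerialNumber": "arn:aws:iam::123456789012:mfa/smith_bob"}]

SAMPLES = {
    # Still on the initial password and key: no group yet.
    "fresh": (UserState("smith_bob", True, [{"AccessKeyId": INITIAL_KEY, "Status": "Active"}]), None),
    # Password changed and key rotated, no group yet: grant it.
    "ready": (UserState("smith_bob", False, ROTATED_KEYS), None),
    # Group granted 4h ago and still no MFA: revoke.
    "overdue": (UserState("smith_bob", False, ROTATED_KEYS), NOW - timedelta(hours=4)),
    # Group granted 1h ago, no MFA yet: keep waiting.
    "pending": (UserState("smith_bob", False, ROTATED_KEYS), NOW - timedelta(hours=1)),
    # Everything done.
    "done": (UserState("smith_bob", False, ROTATED_KEYS, MFA_DEVICE), NOW - timedelta(hours=1)),
}


def demo() -> dict:
    """Run the gate over the constructed samples and return name -> action."""
    return {name: next_action(st, INITIAL_KEY, granted, NOW)
            for name, (st, granted) in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:8} -> {action}")
```

Running the gate on a schedule (for example once an hour during onboarding) with `fetch_state` and `apply_action` replaces the manual "give them a few hours" check; `group_granted_at` should be recorded by the admin when the group is added, since IAM does not expose when a user joined a group.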