14.01 Policy – Sharing Initial AWS Credentials

When creating AWS IAM users, we need to share the initial credentials with the new user, and we must do so over an encrypted channel. We do this by putting the credentials in a Google Sheet shared through Google Drive: Drive encrypts files in transit (TLS) and at rest (AES-128). When using Drive, avoid its automatic email notification, because the notification email can include a preview of the file, and email is a separate channel outside Drive's access controls (the preview sits in the recipient's mailbox and can be forwarded or logged by their mail provider).

The file contains the following information:

  • URL
  • User Name
  • Initial Password
  • Access Key Id
  • Secret Access Key

Here are some ways to share the file with new users without triggering an email preview:

  1. Do not share the file directly; send them the link. They will have to request access, and you grant it explicitly. Nothing shows up in an email preview.
  2. Export the Sheet as a PDF (and/or ZIP), optionally password-protected (probably overkill), and share that through Google Drive. Nothing shows up in an email preview.
  3. Share the file with their Google user ID with the notification email turned off, and tell them it is in their recent file listing under the name "xyz". In other words, do not rely on the Drive automatic email notification, and do not email the file to them.

Here’s an example email:

Bob  –

Here’s your IAM access to the AWS Pied Piper Labs account for your use. The name of the file is listed as “smith_bob_iam” in Google Drive.

After logging in, change your password, add a new Access Key, and delete the old one. Once you've done this, I will give you IAM Group Access. You may create a new Google Sheet for managing this information, but don't make changes (password, keys, etc.) to the Sheet that I created.

After logging in with your new password and group access, you will enable MFA. See http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html. You’ll need to do this before the end of today.

Let me know if you have any questions.

Paul


Do not assign an IAM group until you have confirmed that the user has changed their password. All users must enable MFA on their IAM account. Give them a few hours to do so; if they have not, revoke their IAM group access. The IAM credential report (its password_last_changed and mfa_active columns) is the simplest way to confirm both without asking the user.
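The onboarding checks above (password changed, access key rotated, MFA enabled, group access revoked after the grace period) can be applied to an IAM credential report rather than by asking each user. The following is an added example written for this page, not code from the original post. The report text is constructed, in the column layout AWS returns from get-credential-report; the user names, account ID, timestamps, the 4-hour grace period and the group mapping passed to revoke_commands are all assumptions for illustration.

```python
"""Check IAM users against the onboarding policy using a credential report.

Added example, not part of the original post. The report text below is
constructed in the column layout that `aws iam get-credential-report`
returns; the user names, account id, timestamps and the 4-hour grace
period are assumptions for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# "A few hours" in the policy; the exact figure is an assumption.
GRACE = timedelta(hours=4)

# Constructed "current time" so the run is reproducible.
NOW = datetime(2017, 3, 1, 15, 0, tzinfo=timezone.utc)

# Constructed sample report (real column names, made-up users and times).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2016-01-04T10:00:00+00:00,not_supported,2017-02-20T08:12:45+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
smith_bob,arn:aws:iam::123456789012:user/smith_bob,2017-03-01T09:00:00+00:00,true,2017-03-01T09:35:00+00:00,2017-03-01T09:40:00+00:00,N/A,true,true,2017-03-01T09:50:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
jones_alice,arn:aws:iam::123456789012:user/jones_alice,2017-03-01T09:00:00+00:00,true,no_information,2017-03-01T09:00:00+00:00,N/A,false,true,2017-03-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
park_dan,arn:aws:iam::123456789012:user/park_dan,2017-03-01T09:00:00+00:00,true,2017-03-01T09:20:00+00:00,2017-03-01T09:25:00+00:00,N/A,false,true,2017-03-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
lee_carol,arn:aws:iam::123456789012:user/lee_carol,2017-03-01T13:30:00+00:00,true,2017-03-01T13:50:00+00:00,2017-03-01T13:55:00+00:00,N/A,false,true,2017-03-01T13:30:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _ts(value):
    """Parse a report timestamp; the report uses N/A, no_information and
    not_supported where no timestamp applies."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def assess(report_text, now):
    """Return one dict per IAM user with the policy checks and the action to take."""
    results = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["user"] == "<root_account>":
            continue  # the root user is not onboarded through this policy
        created = _ts(row["user_creation_time"])
        changed = _ts(row["password_last_changed"])
        # An initial password that was never changed is reported as changed at
        # creation time, so only a strictly later timestamp counts as the user
        # having set their own password.
        password_changed = changed is not None and changed > created
        mfa_active = row["mfa_active"] == "true"
        # The user was told to create a new access key and delete the one we
        # issued; an active key rotated after creation time is their own.
        key_rotated = any(
            row[f"access_key_{i}_active"] == "true"
            and (_ts(row[f"access_key_{i}_last_rotated"]) or created) > created
            for i in (1, 2)
        )
        if not password_changed:
            action = "hold"    # no group yet: initial password still in use
        elif mfa_active:
            action = "grant"   # assign (or keep) the IAM group
        elif now - created > GRACE:
            action = "revoke"  # MFA deadline missed: remove group access
        else:
            action = "wait"    # group assigned, MFA still within the grace period
        results.append({
            "user": row["user"],
            "password_changed": password_changed,
            "mfa_active": mfa_active,
            "key_rotated": key_rotated,
            "action": action,
        })
    return results


def plan(report_text, now):
    """Map user name -> action."""
    return {r["user"]: r["action"] for r in assess(report_text, now)}


def revoke_commands(actions, user_groups):
    """AWS CLI calls that carry out each 'revoke' decision. user_groups is a
    constructed mapping of user -> group names (the credential report does
    not list group membership; in practice use `aws iam list-groups-for-user`)."""
    return [
        f"aws iam remove-user-from-group --user-name {user} --group-name {group}"
        for user, action in actions.items()
        if action == "revoke"
        for group in user_groups.get(user, [])
    ]


if __name__ == "__main__":
    for r in assess(SAMPLE_REPORT, NOW):
        print(r)
    print(revoke_commands(plan(SAMPLE_REPORT, NOW), {"park_dan": ["Developers"]}))
```

To run this against a real account, generate and fetch the report with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 --decode`, and pass the decoded CSV to assess with the current UTC time. The report only shows whether the password and keys were changed after the user was created, so it confirms that the initial credentials are no longer in use; it does not tell you whether the user also deleted the Sheet copy, which remains a manual step.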
