DEV Community

Cover image for My personal AWS account setup - IAM Identity Center, temporary credentials and sandbox account
AWS Community Builders profile image Julian Michel
Julian Michel for AWS Community Builders

Posted on

My personal AWS account setup - IAM Identity Center, temporary credentials and sandbox account

#aws #security

I work on AWS projects every day and have access to internal and customer AWS accounts. But I also manage some personal AWS accounts. They are useful for several reasons:

  • I can run personal AWS applications, such as the smart home application I built.
  • I can test new features, e.g. it was very helpful to learn about the CDK pipeline when it was introduced. I was able to create the accounts as suggested in the documentation. Later I was able to apply my knowledge to the customer project.
  • If I have some permission issues, I can try to replicate the problem in my personal AWS accounts without any restrictions. I can try new services that are only available in organizational root accounts, such as AWS Identity Center.

Of course, I want to run the AWS account in a secure and convenient way. So I decided to manage the accounts as described in this article.

Account structure and AWS Organizations

Like a business, I created an AWS organization to manage my accounts. I'm using these accounts:

  • Root account, which owns the organization
  • Dev, Test, and Prod accounts to develop, test, and run my application
  • Pipeline account, which contains an AWS CodePipeline to deploy to Dev, Int, Prod
  • Sandbox account for testing new stuff (gets nuked after testing)

AWS Account structure with Root, Dev, Test, Prod, Pipeline and Sandbox account

User management and authentication using AWS Identity Center

I'm sure AWS IAM user management was great when it first launched. Now, AWS IAM Identity Center has more features and is easier to use. For example, it provides an easy-to-use interface to access all accounts and roles. Or it has improved MFA capabilities, such as support for Apple's TouchID. That is why I chose AWS Identity Center. It is set up in the AWS Organizations root account and connects to all accounts in the organization.

When you open AWS IAM Identity Center, you can see the accounts and roles you can assume:
AWS IAM Identity Center

Temporary credentials and Leapp

AWS IAM Identity Center provides temporary credentials by default, which is a good security choice. It supports SSO integration with AWS CLI or manual download of access key, secret access key, and session token.

Personally, I prefer to use Leapp, a tool that supports secure cloud access in multi-account environments. Recently, the company behind Leapp announced the end of the commercial version. The open source version still exists and can be used.

Leapp displays all AWS accounts/roles that are configured in AWS Identity Center. If you select an account, the credentials can be used in the CLI. You can override the default profile so you don't have to pass a --profile parameter. Or, you can configure a name profile.

Leapp

Nuking the sandbox account

When I'm learning a new AWS service or testing a complex scenario, I'm not always using infrastructure as code. In this case, it takes a long time to manually clean up an AWS account and delete all (expensive) resources.

To improve this process, I use aws-nuke, which automatically deletes all AWS resources in an AWS account. Be careful with this tool. The first time I used it, it also deleted the configurations required for IAM Identity Center. So I couldn't login anymore.

aws-nuke supports filters to exclude resources that should not deleted. I created filters to exclude the IAM Identity Center configuration and resources created during AWS CDK bootstrapping. I ended up with these filters:

presets:
  common:
    filters:
      IAMRole:
      - "OrganizationAccountAccessRole"
      - type: glob
        value: "cdk-hnb659fds-*"
      - type: glob
        value: "AWSReservedSSO_AdministratorAccess_*"
      IAMRolePolicyAttachment:
      - "OrganizationAccountAccessRole -> AdministratorAccess"
      - type: glob
        value: "AWSReservedSSO_AdministratorAccess_* -> AdministratorAccess"
      - type: glob
        value: "cdk-hnb659fds-*"
      IAMRolePolicy:
      - type: glob
        value: "cdk-hnb659fds-*"
      IAMSAMLProvider:
      - type: glob
        value: "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
      S3Bucket:
      - type: glob
        value: "s3://cdk-hnb659fds-assets*"
      SSMParameter:
      - "/cdk-bootstrap/hnb659fds/version"
      CloudFormationStack:
      - CDKToolkit
      ECRRepository:
      - type: glob
        value: "Repository: cdk-hnb659fds-container-assets-*"
Enter fullscreen mode Exit fullscreen mode

Summary

This setup works very well for me. AWS IAM Identity Center is great for managing users and logging into AWS accounts. Leapp is very helpful when using CLI credentials. However, it's not the only option as AWS IAM Identity Center offers other options as well. I regularly use the sandbox account when testing or learning about AWS services. By deleting everything with aws-nuke, I can easily start with an empty AWS account - and of course, I don't have to pay for unused resources.

Top comments (2)

Collapse
 
tacodes profile image
tacodes

Thank you for teaching me about aws-nuke. It's my new fav next to terraform destroy

Collapse
 
davidswalkabout profile image
DavidP

I tried Identity Center but there is no guidance about how to set its required Application property, especially when it should be an https or wss api endpoint.

Read next

stintrilamah profile image

AWS Automated Centralized Multi Account Patching

StintriLamah -

wickenico profile image

Simplifying AWS SSO Setup: The effortless way

Nico Wickersheim -

maguzzi profile image

Please stop publishing AWS S3 buckets as static websites! Read here for a secure, fast, and free-ish approach [1st episode]

Marco Aguzzi -

stefanalfbo profile image

OWASP Amass

Stefan Alfbo -