Identity and access management in App2Container - AWS App2Container

Identity and access management in App2Container

Your AWS security credentials identify you to AWS and grant you access to your AWS resources. For example, they can allow you to access artifacts saved to an Amazon S3 bucket. You can use features of AWS Identity and Access Management (IAM) to allow other users, services, and applications to use specific resources in your AWS account without sharing your security credentials. You can choose to allow full use or limited use of your AWS resources.

If you are the owner of the AWS account and use AWS as the root user, we strongly recommend that you create an IAM admin user to use for access to your AWS resources. See Creating Your First IAM Admin User and Group in the IAM User Guide to set up your own access before setting up any other IAM users who need to use App2Container.

By default, IAM users don't have permission to create or modify resources. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant permission to use the specific resources and API actions that they need. For more information about IAM policies, see Policies and Permissions in the IAM User Guide.

IAM groups and roles are a flexible way to manage permissions across multiple users. When you assign a user to a group or when your user assumes a role, that user inherits the group's or role's permissions, and is allowed or denied permission to perform the specified tasks on the specified resources. You can assign multiple users to the same group, and a role can be assumed by authorized users. While groups and roles both serve the purpose of granting access to resources, roles are more task-oriented, and assuming a role provides you with temporary security credentials for your role session.

IAM security best practices

Follow these top four security best practices when setting up your IAM resources. For more information and additional best practices, see Security Best Practices in IAM in the IAM User Guide.

  1. Lock away your AWS account root user access keys

    Protect your root user access key like you would your credit card numbers or any other sensitive secret, and only use your root user account for necessary account and service management tasks.

  2. Create individual IAM users

    Don't use your AWS account root user credentials to access AWS, and don't give your credentials to anyone else. Instead, create individual users for anyone who needs access to your AWS account.

  3. Use groups or roles to assign permissions to IAM users

    Instead of defining permissions for individual IAM users, it's usually more convenient to create groups that relate to job functions (administrators, developers, accounting, etc.) or roles that relate to specific tasks.

  4. Grant least privilege

    When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.

We recommend that you create a general-purpose IAM group that can run all App2Container commands except those run with the --deploy option.

If you plan to use App2Container to deploy your containers or create pipelines, then you should create a separate IAM user for deployments. The deployment user needs to be able to create or update AWS objects for container management services (Amazon ECR with Amazon ECS or Amazon EKS), and to create pipelines with AWS CodeStar services. This requires elevated permissions that should only be used for deployment.

Create IAM resources for general use

In line with the best practices above, use the following steps to create an IAM group that is allowed to perform specific tasks on specific resources, and to assign users to that group. Alternatively, you can assign an inline policy directly to the IAM user who will run app2container commands.

  1. Create a customer managed IAM policy

    You can create a customer managed IAM policy for your general purpose user or group, using one of the example policies on this page after you have customized the JSON to refer to your resources. To create a policy using the AWS console, see Creating policies on the JSON tab in the IAM User Guide. To create a policy using the AWS CLI, use the create-policy command.

  2. Create IAM users and a group

    Every user who will run app2container commands needs to have an IAM user created for accessing AWS resources under your account. To follow best practices, you can create an IAM group with the policy attached, and assign users to it.

    To create an IAM user, see Creating an IAM User in Your AWS Account in the IAM User Guide. Be sure to select programmatic access to AWS when you create the IAM user.

    Perform the following steps to create an IAM group and assign users to it.

    1. To create an IAM group, see Creating IAM Groups in the IAM User Guide.

    2. Ensure that every person who will run app2container commands has an IAM user defined for AWS access.

    3. To assign the users to the group you created in step 1a, see Adding Permissions to a User (Console), or Adding and Removing a User's Permissions (AWS CLI or AWS API) in the IAM User Guide.

  3. Save your AWS access keys

    Save the access keys for your new or existing IAM user in a safe place. You'll need them to configure your AWS profile as part of getting set up for App2Container.

  4. Attach or assign the policy

    Use one of the following methods to assign permissions to your IAM users.
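The four steps above, run end to end with the AWS CLI, as an added example that is not part of the App2Container documentation or tooling. It assumes the AWS CLI is installed and already configured with an identity permitted to create IAM resources, that `policy.json` is a template from this page with its placeholders already replaced, and that the policy, group and user names are placeholders to change. The command runner is injectable so the sequence can be exercised without calling AWS; the access key is written to a file readable only by its owner rather than printed.

```python
"""Run the App2Container general-use IAM setup steps with the AWS CLI.

Added example; not App2Container code. Order: create the customer managed
policy, create the group, attach the policy, then for each user create the
IAM user, add it to the group and create its access key (programmatic access).
"""
import json
import os
import subprocess


def aws_cli(argv):
    """Run one `aws` command and return its JSON output ({} for commands that
    print nothing). Raises CalledProcessError on a non-zero exit status."""
    result = subprocess.run(["aws", *argv, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout) if result.stdout.strip() else {}


def provision(policy_name, group_name, user_names, policy_file, run=aws_cli):
    """Create policy, group and users; return (policy_arn, {user: access_key}).

    `run` receives the argument list that follows `aws` and returns parsed
    JSON; the default shells out, a test can record calls instead.
    """
    created = run(["iam", "create-policy", "--policy-name", policy_name,
                   "--policy-document", f"file://{policy_file}"])
    policy_arn = created["Policy"]["Arn"]          # needed by attach-group-policy
    run(["iam", "create-group", "--group-name", group_name])
    run(["iam", "attach-group-policy", "--group-name", group_name,
         "--policy-arn", policy_arn])
    keys = {}
    for user in user_names:
        run(["iam", "create-user", "--user-name", user])
        run(["iam", "add-user-to-group", "--group-name", group_name,
             "--user-name", user])
        keys[user] = run(["iam", "create-access-key",
                          "--user-name", user])["AccessKey"]
    return policy_arn, keys


def save_access_key(access_key, path, profile):
    """Write one key as an AWS credentials profile with mode 0600, refusing
    to overwrite an existing file (O_EXCL), so a key is never left world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[{profile}]\n"
                 f"aws_access_key_id = {access_key['AccessKeyId']}\n"
                 f"aws_secret_access_key = {access_key['SecretAccessKey']}\n")
    return path


if __name__ == "__main__":
    # Placeholder names (assumptions); policy.json is your customised template.
    arn, keys = provision("App2ContainerGeneral", "App2ContainerUsers",
                          ["a2c-operator"], "policy.json")
    for user, key in keys.items():
        print("saved", save_access_key(key, f"{user}.credentials", profile=user))
```

The credentials file uses the same `[profile]` layout as `~/.aws/credentials`, so the profile can be referenced when configuring the AWS profile for App2Container in the next step.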

Example IAM policies

You can use one of the following templates as a starting point to configure the access that an IAM user needs to use App2Container to containerize your applications. If you plan to store extracts or other resources in Amazon S3, your policy must grant access to the buckets.

Template 1:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SectionForS3Access",
      "Action": [
        "s3:DeleteObject",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:HeadBucket",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "<user-provided-bucket-ARN>"
    },
    {
      "Sid": "SectionForS3ReadAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "SectionForECRAccess",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchDeleteImage",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:TagResource",
        "ecr:UntagResource",
        "ecr:UploadLayerPart"
      ],
      "Effect": "Allow",
      "Resource": "<resource-ARNs>"
    },
    {
      "Sid": "SectionForECSWriteAccess",
      "Action": [
        "ecs:CreateCluster",
        "ecs:CreateService",
        "ecs:CreateTaskSet",
        "ecs:DeleteCluster",
        "ecs:DeleteService",
        "ecs:DeleteTaskSet",
        "ecs:DeregisterTaskDefinition",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:RegisterTaskDefinition",
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask",
        "ecs:SubmitContainerStateChange",
        "ecs:SubmitTaskStateChange",
        "ecs:UpdateContainerInstancesState",
        "ecs:UpdateService",
        "ecs:UpdateServicePrimaryTaskSet",
        "ecs:UpdateTaskSet"
      ],
      "Effect": "Allow",
      "Resource": "<resource-ARNs>"
    },
    {
      "Sid": "SectionForPassRoleToECS",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "<ARN for ecsTaskExecutionRole>"
    },
    {
      "Sid": "SectionForECSReadAccess",
      "Action": [
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTaskSets",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "SectionForCodeCommitAccess",
      "Effect": "Allow",
      "Action": [
        "codecommit:GetRepository",
        "codecommit:GetBranch",
        "codecommit:CreateRepository",
        "codecommit:CreateCommit",
        "codecommit:TagResource"
      ],
      "Resource": "arn:aws:codecommit:*:*:*"
    },
    {
      "Sid": "SectionForByoVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SectionForEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeKeyPairs",
        "ec2:CreateKeyPair",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SectionForMetricsService",
      "Effect": "Allow",
      "Action": "execute-api:invoke",
      "Resource": "arn:aws:execute-api:us-east-1:*:*/prod/POST/put-metric-data"
    }
  ]
}

Template 2:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SectionForS3Access",
      "Action": [
        "s3:DeleteObject",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:HeadBucket",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "<user-provided-bucket-ARN>"
    },
    {
      "Sid": "SectionForS3ReadAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "SectionForECRAccess",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchDeleteImage",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:TagResource",
        "ecr:UntagResource",
        "ecr:UploadLayerPart"
      ],
      "Effect": "Allow",
      "Resource": "<resource-ARNs>"
    },
    {
      "Sid": "SectionForCodeCommitAccess",
      "Effect": "Allow",
      "Action": [
        "codecommit:GetRepository",
        "codecommit:GetBranch",
        "codecommit:CreateRepository",
        "codecommit:CreateCommit",
        "codecommit:TagResource"
      ],
      "Resource": "arn:aws:codecommit:*:*:*"
    },
    {
      "Sid": "SectionForByoVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SectionForEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeKeyPairs",
        "ec2:CreateKeyPair",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SectionForMetricsService",
      "Effect": "Allow",
      "Action": "execute-api:invoke",
      "Resource": "arn:aws:execute-api:us-east-1:*:*/prod/POST/put-metric-data"
    }
  ]
}
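Step 1 of the general-use procedure says to customize the template JSON to refer to your resources, and the best-practices list asks for least privilege. The following added example (not part of the App2Container documentation or tooling) does both for a template in the shape of the ones above: it fills every `<placeholder>` resource from a mapping, refuses to emit a document while a placeholder is still unfilled, and lists Allow statements that grant non-read actions on `Resource: "*"` for review. `TEMPLATE` is a constructed excerpt of template 1 with shortened action lists, and the bucket name, repository name and account id in `EXAMPLE_VALUES` are made up; in practice load the full template with `json.load()` and pass your own ARNs.

```python
"""Fill in and audit an App2Container IAM policy template (added example)."""
import copy
import json
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Action-name prefixes treated as read-only by the wildcard-resource check.
READ_PREFIXES = ("Describe", "List", "Get", "BatchGet", "BatchCheck", "Head")

# Constructed excerpt of template 1 above (statements and action lists shortened).
TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SectionForS3Access",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Effect": "Allow", "Resource": "<user-provided-bucket-ARN>"},
        {"Sid": "SectionForECRAccess",
         "Action": ["ecr:CreateRepository", "ecr:PutImage", "ecr:ListImages"],
         "Effect": "Allow", "Resource": "<resource-ARNs>"},
        {"Sid": "SectionForPassRoleToECS", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "<ARN for ecsTaskExecutionRole>"},
        {"Sid": "SectionForECSReadAccess",
         "Action": ["ecs:DescribeClusters", "ecs:ListTasks"],
         "Effect": "Allow", "Resource": "*"},
        {"Sid": "SectionForEC2",
         "Action": ["ec2:DescribeKeyPairs", "ec2:CreateKeyPair"],
         "Effect": "Allow", "Resource": "*"},
    ],
}

# Constructed values: the account id, bucket and repository names are made up.
EXAMPLE_VALUES = {
    "<user-provided-bucket-ARN>": [
        "arn:aws:s3:::example-a2c-artifacts",     # bucket-level actions (ListBucket, ...)
        "arn:aws:s3:::example-a2c-artifacts/*",   # object-level actions (GetObject, ...)
    ],
    "<resource-ARNs>": "arn:aws:ecr:us-east-1:111122223333:repository/example-app",
    "<ARN for ecsTaskExecutionRole>": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
}


def as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def render(template, values):
    """Return a deep copy with every placeholder resource replaced from `values`.

    Raises KeyError naming the first placeholder without a value, so an
    incomplete mapping never yields a policy document.
    """
    doc = copy.deepcopy(template)
    for stmt in doc["Statement"]:
        resources = []
        for res in as_list(stmt["Resource"]):
            if PLACEHOLDER.fullmatch(res):
                if res not in values:
                    raise KeyError(res)
                resources.extend(as_list(values[res]))
            else:
                resources.append(res)
        stmt["Resource"] = resources[0] if len(resources) == 1 else resources
    return doc


def unfilled(doc):
    """Sorted list of <placeholders> still present anywhere in the document."""
    return sorted({m.group(0) for m in PLACEHOLDER.finditer(json.dumps(doc))})


def is_read_action(action):
    """True for Describe/List/Get-style actions; '*' and 'service:*' are not read-only."""
    if ":" not in action:
        return False
    return action.split(":", 1)[1].startswith(READ_PREFIXES)


def wildcard_write_findings(doc):
    """(Sid, [actions]) for Allow statements granting non-read actions on '*'.

    A finding is a prompt to confirm the grant is intended, not an error:
    some actions are account-wide and cannot be scoped to a resource ARN.
    """
    findings = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt["Resource"]):
            continue
        writes = [a for a in as_list(stmt["Action"]) if not is_read_action(a)]
        if writes:
            findings.append((stmt["Sid"], writes))
    return findings


if __name__ == "__main__":
    rendered = render(TEMPLATE, EXAMPLE_VALUES)
    for sid, actions in wildcard_write_findings(rendered):
        print(f"review {sid}: {', '.join(actions)} allowed on Resource '*'")
    print(json.dumps(rendered, indent=2))   # feed to aws iam create-policy --policy-document
```

The bucket placeholder is filled with two ARNs on purpose: bucket-level actions such as `s3:ListBucket` match the bucket ARN, while object-level actions such as `s3:GetObject` and `s3:PutObject` match the `bucket/*` object ARN, so a single bucket ARN would leave the object actions ineffective. On the excerpt the audit reports `SectionForEC2` because `ec2:CreateKeyPair` is granted on `*`; that is the kind of grant to confirm deliberately rather than a defect in the template.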

Create IAM resources for deployment

The AdministratorAccess policy grants an IAM user full access to AWS. Therefore, IAM users with this policy can deploy a containerized application using any of the AWS services for deployment that are supported by App2Container.

  1. Create an IAM user

    You can create an IAM user with full access to AWS API actions and resources. Be sure to grant the user programmatic access to AWS and to attach the AdministratorAccess policy. For more information, see Creating IAM users in the IAM User Guide.

  2. Save your AWS access keys

    Save the access keys for the IAM user in a safe place. You'll need them to configure your AWS profile as part of getting set up for App2Container.