To reduce the risk of accidents I've started to use account aliases to describe which account I'm currently managing. But how should the accounts be named? There should be a standard way to name them, and the name should clearly tell whether the account is a dev, test or production account.
My organization is Bad Boys of Quality, or BBoQ for short. That's a good prefix for my accounts. Then dev, test and prod are good labels to describe the state of the environment. The final part should be a descriptive word for the account.
The first, and most important, account of the organization is the master account. It's unique. I've decided that it's production, so I've named it bboq-prod-master. In the shared credentials I have a prod-master-admin profile to administer this account.
In the shared credentials I follow the same naming convention as for the account aliases. This way I can easily switch accounts with awsume.
To set the account alias I use the AWS CLI; I don't want to mess up the role history of my browser. Before doing anything else I've set up the role in my shared credentials. I usually use ~/.aws/config for this. So now we are creating the alias for bboq-dev-website. First I have to define the shared credential profile:
[profile dev-website-admin]
role_arn = arn:aws:iam::1234566543321:role/Admin
source_profile = otherprofile
mfa_serial = arn:aws:iam::1234566543324:mfa/myaccountt
To set the account alias with the AWS CLI the command is:
aws iam create-account-alias --account-alias bboq-dev-website --profile dev-website-admin
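The convention above (profile "<env>-<name>-admin" in the shared config, alias "bboq-<env>-<name>" on the account) is easy to state but easy to drift from as accounts are added. The following is an added example, not code from the original post: a small Python script that parses a constructed ~/.aws/config, derives the alias each profile should point at, lints profiles that break the convention, and compares a profile against the alias the account actually reports before anything destructive is run. The sample config, its account IDs and the profile named "scratch" are constructed for the example; the only real AWS call is `aws iam list-account-aliases`, which is kept in its own function so the rest runs offline.

```python
import configparser
import re
import subprocess

ORG_PREFIX = "bboq"                     # organisation prefix used in the post
ENVIRONMENTS = ("dev", "test", "prod")  # environment labels used in the post

# Profile names follow "<env>-<name>-admin"; the matching alias is "<org>-<env>-<name>".
PROFILE_RE = re.compile(r"^(?P<env>dev|test|prod)-(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*)-admin$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits

# Constructed sample of a shared config (not the author's real file). The account
# IDs are made up, and the "scratch" profile deliberately breaks the convention.
SAMPLE_CONFIG = """
[profile dev-website-admin]
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = otherprofile
mfa_serial = arn:aws:iam::123456789012:mfa/myaccount

[profile prod-website-admin]
role_arn = arn:aws:iam::210987654321:role/Admin
source_profile = otherprofile
mfa_serial = arn:aws:iam::210987654321:mfa/myaccount

[profile scratch]
role_arn = arn:aws:iam::111122223333:role/Admin
source_profile = otherprofile
"""


def parse_profiles(text):
    """Return {profile_name: {key: value}} for the [profile X] sections of a config."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s[len("profile "):]: dict(cp[s]) for s in cp.sections() if s.startswith("profile ")}


def expected_alias(profile_name):
    """Derive the alias a profile should point at, or None if the name is off-convention."""
    m = PROFILE_RE.match(profile_name)
    if not m:
        return None
    return f"{ORG_PREFIX}-{m['env']}-{m['name']}"


def account_id_from_arn(arn):
    """Pull the account ID field out of an IAM ARN (arn:aws:iam::<id>:...)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 else ""


def is_production(alias):
    """True when the alias carries the prod label, e.g. bboq-prod-website."""
    parts = alias.split("-")
    return len(parts) >= 3 and parts[0] == ORG_PREFIX and parts[1] == "prod"


def lint_config(text):
    """Report profiles that break the naming convention or carry a malformed account ID."""
    findings = []
    for name, values in parse_profiles(text).items():
        if expected_alias(name) is None:
            findings.append(f"{name}: profile name is not <env>-<name>-admin")
        for key in ("role_arn", "mfa_serial"):
            if key in values and not ACCOUNT_ID_RE.match(account_id_from_arn(values[key])):
                findings.append(f"{name}: {key} does not carry a 12-digit account ID")
    return findings


def check_alias(profile_name, actual_alias):
    """Compare the alias an account reports with the one the profile name implies."""
    wanted = expected_alias(profile_name)
    if wanted is None:
        return False, f"profile {profile_name} does not follow the naming convention"
    if actual_alias != wanted:
        return False, f"profile {profile_name} expects alias {wanted} but account reports {actual_alias!r}"
    return True, f"profile {profile_name} -> {actual_alias} (production={is_production(actual_alias)})"


def live_alias(profile_name):
    """Ask AWS which alias the profile's account has (needs the AWS CLI and credentials)."""
    out = subprocess.run(
        ["aws", "iam", "list-account-aliases", "--profile", profile_name,
         "--query", "AccountAliases[0]", "--output", "text"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("lint:", finding)
    # Against a real account: ok, msg = check_alias("dev-website-admin", live_alias("dev-website-admin"))
```

Running the script as-is only lints the constructed config and reports the "scratch" profile. Wired into a wrapper around awsume or a deployment script, `check_alias(profile, live_alias(profile))` turns the naming convention into a hard stop: a profile whose name says dev but whose account answers with a prod alias fails before any command runs, and `is_production` gives the wrapper a single place to demand extra confirmation.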
One nice side effect is that when you assume the role in the AWS web console, the account alias is shown. So instead of the cryptic Admin @ 123456654321 you are Admin @ bboq-dev-website. This reduces confusion and again underlines what kind of account I'm managing. Destruction in a dev account shouldn't be too bad, but destruction in production is.
So why are account aliases part of security and safety? The more clearly you see things, the more easily you notice when something is wrong, and the fewer mistakes you make. I can tell you that before I started to use account aliases in naming, I got almost totally lost in what I was doing. Juggling account IDs is nearly impossible when you have more than 2 accounts. And we have… almost 10 already, and some of the teams don't have theirs yet.
So there are six accounts: development, test and production website accounts and three support accounts. The website accounts are named bboq-dev-website, bboq-test-website and bboq-prod-website. Then there are several support accounts, like bboq-prod-accounts (all IAM users are here), bboq-prod-master and bboq-prod-compliance (all logs go to this one).
The next post will present some ideas on how to enhance readability and safety with Terraform and account aliases.
Hi Teemu, congrats on your blog!!!
You mention that account aliases help in terms of security because "The more clearly you see things, more easily you notice if something is wrong, and less mistakes you make".
My question is: could there be some sort of security risk of using account aliases, since AWS accounts will be more easily discoverable?
I mean, account ID 242541269812 (random number) surely is more difficult to identify as a real account number than account alias "my-project-prod-env". Therefore, I get the feeling that an account alias is more exposed to brute-force attacks.
Supposing that someone creates an account alias and doesn't take into account AWS's IAM best practices (strong password, adding MFA and not using root account, among others), could that account be under a bigger risk of being hacked by using an account alias?
Maybe I'm being too radical but I'm just curious to know if this could be an actual risk.
Thanks!