Chapter 3 Use cases
3.1 Problem
Your company just bought a large dataset from a vendor (Cloud Summit) that can enable new business and capabilities for the company. You are asked to build a secure AWS infrastructure that lets the vendor transfer the data to the company securely. We’ll use your personal AWS account as your company’s AWS account; Cloud Summit will provide an account that plays the role of the external company’s account in this tutorial.
3.2 Solution
- Your company’s AWS account (aka your personal AWS account):
  - Create an admin group and an admin user
  - Create an S3 bucket with server-side encryption enforced using the AWS KMS service
  - Create a KMS key to be used to encrypt files at rest
  - Ask the vendor to generate a random alphanumeric string (the external ID) for increased security
  - Create an external role for the vendor
  - Attach permissions to the external role to write to the S3 bucket and use the KMS key
  - Provide the role ARN, KMS key ID and S3 bucket name to the vendor
- The vendor (Cloud Summit)’s AWS account:
  - Create a group for the use case
  - Identify or create users for this group
  - Attach a policy to the group that allows assuming the role
  - Users set up the AWS command line tool or SDK to assume the role
  - Users upload files to the S3 bucket while specifying the KMS key ID
3.3 Step by step guide
Cloud summit’s aws account is the vendor’s account. Your personal account is your company’s account.
The vendor (cloud summit) has provided the following information:
- Account number: 743355281737
- external ID: be740d03293890c9
3.3.1 Collect information on your AWS account
- Login to aws console
- Write down your aws account number
- Create a user named admin-user from the AWS console
- Create an access key for admin-user from the AWS console. Download the CSV file to your local machine.
3.3.2 Use Cloud Summit EC2 to create resource in your aws account
We have created an EC2 instance for you to use. In order to use it, you’ll need an SSH client on your desktop.
- Get an SSH client for your laptop
  - Mac: just use Terminal or iTerm
  - Windows: PuTTY
- SSH to the EC2 instance with the provided username, password and IP
- Check if the aws command is available
If the command is not found, run the following command first.
Note that we are using an EC2 instance inside Cloud Summit’s AWS account, but in this step we are creating resources in your personal AWS account.
- Configure the AWS default profile
The command will ask for your access keys and default AWS settings:
AWS Access Key ID [None]: ***
AWS Secret Access Key [None]: ***
Default region name [None]: us-east-1
Default output format [None]: json
Enter the admin user’s access key and secret access key. Choose us-east-1 for the region and json for the output format.
- Clone the git repo
git clone https://github.com/bingweiliu/aws-tutorial.git
cd aws-tutorial/terraform/create-user-account-resources
- Change the following values in the file terraform.tfvars
account_id = {
dev = "<your aws account number>"
}
admin_arn = {
dev = "arn:aws:iam::<your aws account number>:user/<admin user name>"
}
admin_user_name = "<admin user name>"
bucket_name = "cloudsummit-bucket-<your aws account number>"
Save the file and exit
- Initialize terraform
- Plan terraform
- Create the resources
Type yes when you are asked whether the resources should be created. The output will look like the following:
Outputs:
bucket_arn = arn:aws:s3:::cloudsummit-bucket-123456789012
bucket_kms_key_alias = arn:aws:kms:us-east-1:123456789012:alias/cloudsummit-bucket-123456789012-key
bucket_kms_key_arn = arn:aws:kms:us-east-1:123456789012:key/51c1df8d-0d7f-4845-b06a-c3a695ab628f
bucket_name = cloudsummit-bucket-123456789012
external_role_arn = arn:aws:iam::123456789012:role/cloud-summit-ext-role
You’ll need to write down the KMS key ID and the external role ARN.
3.3.3 Vendor (Cloud Summit) AWS account
- Add a new AWS profile named tutorial
The access keys will be provided during the tutorial.
- Configure the assume-role profile
Add the following to the end of ~/.aws/config
[profile tutorial-assume]
region = us-east-1
output = json
role_arn = arn:aws:iam::<>:role/<>
external_id = <>
source_profile = tutorial
- Create a dummy file to be uploaded to the S3 bucket
- Upload the file using aws command line
aws s3 cp test.txt s3://<bucket name>/<new file name> \
--profile tutorial-assume --sse aws:kms \
--sse-kms-key-id arn:aws:kms:us-east-1:<aws account number>:key/<kms key id>
- Try uploading the file without the KMS key ID
aws s3 cp test.txt s3://<bucket name>/text.txt --profile tutorial-assume
upload failed: ./test.txt to s3://<bucket name>/text.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
The command fails because the bucket policy denies any upload that does not specify server-side encryption with the KMS key.
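As an added example (not the tutorial’s own Terraform code), the following Python builds the three policy documents that the design in 3.2 relies on: the external role’s trust policy with the external ID condition, the role’s permissions (write to the bucket, use the key), and a bucket policy that denies any PutObject that is not SSE-KMS with the expected key. It then evaluates a few PutObject request contexts against that bucket policy offline, which reproduces the AccessDenied result above. The company account number and the KMS key id are constructed placeholders; the vendor account number and external ID are the values listed in 3.3. The evaluator is a toy that models only the Deny statements it generates, treating a missing condition key as “not equal” the way IAM does for negated operators.

```python
"""Policy documents for the cross-account S3 upload design, plus an offline
check of why a PutObject without SSE-KMS is denied.

Added example; not the tutorial's own Terraform code. COMPANY_ACCOUNT and the
key id in KMS_KEY_ARN are placeholders (constructed for illustration)."""
import json
from typing import Optional

COMPANY_ACCOUNT = "123456789012"        # placeholder for your company account
VENDOR_ACCOUNT = "743355281737"         # vendor account number listed in 3.3
EXTERNAL_ID = "be740d03293890c9"        # external ID listed in 3.3
BUCKET = f"cloudsummit-bucket-{COMPANY_ACCOUNT}"
KMS_KEY_ARN = (f"arn:aws:kms:us-east-1:{COMPANY_ACCOUNT}:key/"
               "00000000-0000-0000-0000-000000000000")   # placeholder key id

SSE_HEADER = "s3:x-amz-server-side-encryption"
SSE_KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def trust_policy(vendor_account: str, external_id: str) -> dict:
    """Trust policy for the external role: only principals in the vendor's
    account that present the agreed external ID may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def role_permissions(bucket: str, kms_key_arn: str) -> dict:
    """What the assumed role may do: write objects into the bucket and use the
    KMS key to encrypt them, nothing else (least privilege)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Encrypt"],
         "Resource": kms_key_arn},
    ]}


def bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Explicit Deny for uploads that are not SSE-KMS with the expected key.
    A Deny in the bucket policy wins over the role's Allow."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
        {"Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {SSE_KEY_HEADER: kms_key_arn}}},
    ]}


def assume_role_permitted(trust: dict, caller_account: str,
                          external_id: Optional[str]) -> bool:
    """Check an sts:AssumeRole call against the trust policy: the caller must
    be the trusted account and present the matching external ID."""
    for stmt in trust["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        trusted = stmt["Principal"]["AWS"] == f"arn:aws:iam::{caller_account}:root"
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if trusted and (wanted is None or wanted == external_id):
            return True
    return False


def put_object_allowed(policy: dict, request_context: dict) -> bool:
    """Toy evaluator for the Deny statements above. A statement applies when
    every StringNotEquals key differs from the request (a missing key counts
    as different, as IAM treats negated operators); an applying Deny refuses."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if all(request_context.get(k) != v for k, v in cond.items()):
            return False
    return True


def demo() -> dict:
    """Evaluate the three uploads the tutorial discusses: with the key,
    with no SSE header at all, and with SSE-S3 instead of SSE-KMS."""
    pol = bucket_policy(BUCKET, KMS_KEY_ARN)
    cases = {
        "kms_with_key": {SSE_HEADER: "aws:kms", SSE_KEY_HEADER: KMS_KEY_ARN},
        "no_sse_header": {},
        "sse_s3_instead": {SSE_HEADER: "AES256"},
    }
    return {name: put_object_allowed(pol, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    print(json.dumps(trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID), indent=2))
    print(json.dumps(role_permissions(BUCKET, KMS_KEY_ARN), indent=2))
    print(json.dumps(bucket_policy(BUCKET, KMS_KEY_ARN), indent=2))
    print(demo())
```

Running the script prints the three documents as JSON, which can be written to files and passed to the CLI or to Terraform as policy input. The `--sse-kms-key-id` value in the upload command above is the full key ARN, which is what the second Deny statement compares against; passing a different key, or omitting the `--sse aws:kms` option, trips one of the two Deny statements and produces the same AccessDenied.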