Identity and Access Management (IAM) console

– Configure MFA authentication
– Configure authorisation for EC2 Linux instances to access S3 Buckets for data backups or manual file transfers

You will see below why it is a learning curve with Amazon AWS services.[/vc_wp_text]

(1) It is a good idea to configure MFA account login credentials for further protecting your Amazon AWS account.

(2) We will take advantage of low cost S3 bucket (storage) to backup our data. We configure IAM credentials (keys) to authorise access. These keys can also be used with other host providers such as VentraIP’s cPanel websites, or Akamai/Linode linux instances. We can write a #!/bin/sh or #!/bin/bash shell script to transfer files very quickly, which can be automated via a crontab entry. We must configure backups as part of our best practice.

Once configured, we can also use a program like CyberDuck or Commander One to transfer files to/from S3 buckets with our PC or laptop.

Our master backups will be via “snapshots”, as per the EC2 console menu. Imagine a site is corrupted – down permanently. This can happen as we are not using RAID disk redundancy. A snapshot can restore to a point in time within a few minutes. File backups do not always work, so a master backup is a good idea. (Imagine a backup is corrupted, what do we do?)


MFA

From your Search menu you can type IAM, and click on the link to get there (you hover your mouse over the word “IAM” to get the link.)

From the Dashboard on the right hand side, use the Quick Links to go to My Security Credentials.

When you add to your smartphone app, you will then confirm the tokens with whatever one you currently see, and the one after that.

IAM User

We create an AIM user that gives authorisation to access S3 buckets.
Go to IAM > Access management > Users
With the orange button at the upper right, click “Create User”.
This takes a little getting used to, but we want to end up with these policies:

AdministratorAccess -> shown in the diagram below
AmazonS3FullAccess -> shown in the diagram below
AWSLambda_FullAccess -> just keep cycling through the entries until all done
CloudWatchFullAccess (and V2 is ok to include)

When created, go to the Users menu again and click on the new user, then find the menu to “Create access key”.

These keys can be changed, but it is a hassle if used in several places. AWS recommends short-term use per key, but I have not needed to.

Creating the User Access Keys

Start typing and press Enter to search

AWS Account – Open an AccountAWS Account
AWS Account – SMTP CredentialsAWS Account