
The AWS documentation "recommend[s] that you delete your root user access keys", and to "not use the AWS account root user for your everyday tasks", because "[a]nyone who has the access key for your AWS account root user has unrestricted access to all the resources in your account."

But then an authoritative answer suggests to "create IAM User credentials with the appropriate permissions and put them in the ~/.aws/credentials file."

IIUC this means that my ~/.aws/credentials will have my AWS IAM "named profiles", which will look like this:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ses_user]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[s3_user]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=2Zp9UtkClwBF/je7MtGb/o8nvbh3yCEXAMPLEKEY

To leave these IAM identities in my ~/.aws/credentials file (in a Docker container) in an EC2 instance means merely that someone who captures them would not be able to run amok with the entire AWS account, but would only be able to run amok one piece at a time with parts of the AWS SDK.

This is small consolation, especially for a sufficiently large application that accesses many AWS services.

Why then are the perpetual IAM identities (the ones in ~/.aws/credentials) suggested as an alternative to root access keys? Is it not indeed the case that only temporary credentials offer significant additional safety?

Calaf
    IAM user credentials are ideally for people, not machines. You should use instance profiles (and IAM roles) rather than IAM user credentials on EC2. That way the credentials available on the machine will be short-lived and auto-rotated. – jarmod Sep 18 '18 at 13:49

1 Answer


You cannot use policies to explicitly deny access to the root account, so non-root users are the suggested alternative because you can limit their access appropriately.

Jarmod also made a good point in the comments about using instance profiles instead of users to perform tasks as the system.

Will Evers
  • So the advantage is not that it stops a hacker from using the services under my account, but to stop a hacker from hijacking all of the account (and blocking me in the process); is that right? – Calaf Sep 18 '18 at 13:44
  • Yes, hijacking the account and using the root user to execute operations that it was not originally intended to by the developer. You can apply IAM policies to other users to deny this. – Will Evers Sep 18 '18 at 13:46
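A small audit script, added here as an example rather than code from the question or answer, that reads a credentials file in the format shown in the question and separates long-term IAM user keys (the kind jarmod suggests replacing with instance profiles on EC2) from STS-issued temporary credentials. It relies on the documented AWS convention that long-term access keys start with AKIA while temporary ones start with ASIA and come with a session token; the sample file content and the `assumed_role` profile are constructed for the example.

```python
import configparser

# Constructed sample modelled on the ~/.aws/credentials file in the question,
# plus one profile holding temporary (STS-issued) credentials for contrast.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ses_user]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[assumed_role]
aws_access_key_id=ASIAEXAMPLETEMPKEY00
aws_secret_access_key=EXAMPLESECRET
aws_session_token=EXAMPLESESSIONTOKEN
"""


def classify_key(access_key_id, has_session_token):
    """Classify an access key as 'temporary', 'long-term' or 'unknown'.

    AWS issues long-term IAM user keys with the AKIA prefix; temporary
    credentials from STS (roles, instance profiles) use ASIA and always
    carry a session token.
    """
    if has_session_token or access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def audit_credentials(text):
    """Map each named profile in a credentials file to its key classification."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = {}
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        findings[profile] = classify_key(key_id, "aws_session_token" in section)
    return findings


def long_term_profiles(text):
    """Profiles whose static keys would keep working if the file were copied."""
    return sorted(p for p, k in audit_credentials(text).items() if k == "long-term")


if __name__ == "__main__":
    for profile, kind in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"{profile}: {kind}")
```

Profiles reported as long-term are the ones a leaked file or container image would expose indefinitely; on EC2 they are candidates for replacement by an instance profile, whose credentials the script would report as temporary.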