AWS IAM User Guide for Cohesive Networks Support
Creating an Amazon Identity and Access Management User with a "read only" policy (2016)
Table of Contents
- Access the AWS IAM Service via AWS Portal (page 3)
- Create User (page 5)
- Attach Read-only Policy (page 10)
- Provide Information to Cohesive (page 17)
- After the support interaction is complete (page 19)
Access the AWS "IAM" Service

Log into the AWS Portal and choose "IAM"
Log into the AWS account that you need support for. Select the "Services" menu at the top of the AWS Portal page, then select "IAM" from the alphabetized list of services.
Create User

Go to the Users section of IAM from the Dashboard
After selecting "IAM" you will be taken to the IAM Dashboard page. Select the "Users" menu item on the left of the Dashboard page.

Select the "Create New Users" option
After selecting "Users" you will be taken to the IAM Users page. Select the "Create New Users" menu item at the top of the Users page.

Create a new user for Cohesive Support
After selecting "Create New Users" you will be taken to the Create Users page. Enter a descriptive username for the account to be used by Cohesive Networks support staff. In this case we have called it "vns3ms_automation" (for VNS3 Management System automation). Make sure you select "Generate an access key for each user". This user will only have an API access key; it will not have certificates or a password. Choose the "Create" button at the bottom of the page.

Copy the credentials to provide to Cohesive Networks
After selecting "Create" on the Create User page you will be taken to a page showing the status of the operation. If successful, an API Access Key ID and Secret Access Key will have been generated and displayed on the screen. Copy the credentials to provide to Cohesive Networks Support. The page also offers to download the credentials as a file; this is your decision, and Cohesive's recommendation is that you do not. Be aware, however, that the Secret Access Key will never be displayed again.
Attach the read-only policy to the IAM user

Select the newly created user to attach the policy
On the Users page you will see the newly created user. There is no menu action for the next step: selecting the user (in this case vns3ms_automation) with your cursor and clicking will take you to a detail page for the user.

On the User detail page select "Attach Policy"
On the user detail page, select the "Attach Policy" button. Also note that the value for "Has Password" should be "No". The user should also NOT be in any groups, because group membership could inadvertently grant it additional permissions.

On the Attach Policy page filter for the desired policy
On the Attach Policy page you will initially be presented with a large list of possible policies to attach to the support user. To prevent errors, use the Filter / Search box in the top section of the page and filter for "EC2Read".

Select the AmazonEC2ReadOnlyAccess policy
After typing "EC2Read" into the filter you should see the AmazonEC2ReadOnlyAccess policy. Even if you see other policies (Amazon may add similarly named ones that match this filter in future), do not select any other policy. Tick the checkbox next to the policy name, then click the "Attach Policy" button at the bottom of the page. You will be taken back to the detail page for the user. The new IAM user should now be available for use by the Cohesive diagnostics system via the access credentials.

User detail page now shows the attached policy
After selecting "Attach Policy" on the previous page, you will be returned to the user detail page. It will show the attached policy and the ability to remove it in future. NOTE: The page should still show that this user has no password and is part of no groups (a notation of "0").

Further down the User detail page are the Security Credentials
Scrolling towards the bottom of the User detail page you will see the Security Credentials section. You will see the Access Key ID; however, the Secret Access Key is no longer available unless you copied it or downloaded it when it was provided. You will see that the access credentials are "Active" in green text. You will also see a blue link with the text "Make Inactive" - do not use this (yet).
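The checks this section asks you to make by eye (no password, no groups, only the AmazonEC2ReadOnlyAccess policy, one active key) can be verified programmatically. The following is an added example, not Cohesive's or AWS's own code; it audits a plain dict shaped like the relevant boto3 IAM responses, with the samples constructed inline, and the optional snapshot_from_boto3 helper (assumed to be run with a real boto3 IAM client) shows how to build that dict from a live account.

```python
# Added example (not from the guide): audit an IAM support user against the
# constraints this guide sets out. The snapshot is a plain dict shaped like the
# boto3 IAM responses listed in snapshot_from_boto3; samples are constructed.

EXPECTED_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"


def audit_support_user(snapshot):
    """Return a list of findings; an empty list means the user matches the guide."""
    findings = []
    if snapshot.get("HasPassword"):
        findings.append("user has a console password; the support user must be API-only")
    groups = [g["GroupName"] for g in snapshot.get("Groups", [])]
    if groups:
        findings.append("user is in groups %s; group policies could widen access" % ", ".join(groups))
    arns = sorted(p["PolicyArn"] for p in snapshot.get("AttachedPolicies", []))
    if arns != [EXPECTED_POLICY_ARN]:
        findings.append("attached policies %s; expected exactly %s" % (arns, EXPECTED_POLICY_ARN))
    active = [k["AccessKeyId"] for k in snapshot.get("AccessKeys", []) if k["Status"] == "Active"]
    if len(active) != 1:
        findings.append("expected exactly one Active access key, found %d" % len(active))
    return findings


def snapshot_from_boto3(iam, user_name):
    """Build the same snapshot from a live boto3 IAM client (needs credentials; not run here)."""
    try:
        iam.get_login_profile(UserName=user_name)  # exists only if a console password is set
        has_password = True
    except iam.exceptions.NoSuchEntityException:
        has_password = False
    return {
        "UserName": user_name,
        "HasPassword": has_password,
        "Groups": iam.list_groups_for_user(UserName=user_name)["Groups"],
        "AttachedPolicies": iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"],
        "AccessKeys": iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"],
    }


# Constructed sample: the state the guide aims for (the key id is a placeholder).
GOOD_USER = {"UserName": "vns3ms_automation", "HasPassword": False, "Groups": [],
             "AttachedPolicies": [{"PolicyName": "AmazonEC2ReadOnlyAccess", "PolicyArn": EXPECTED_POLICY_ARN}],
             "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active"}]}

# Constructed sample: the same user after being dropped into an admin group by mistake.
BAD_USER = dict(GOOD_USER, Groups=[{"GroupName": "Admins"}],
                AttachedPolicies=GOOD_USER["AttachedPolicies"] + [
                    {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}])
```

Running audit_support_user on GOOD_USER returns no findings, while BAD_USER reports both the group membership and the extra policy.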
Provide the needed information to Cohesive Networks

Information for Cohesive Networks
To recap, provide the following information and access to Cohesive Networks:
- Provide the IAM user Access Key ID and Secret Access Key; you do not need to provide the username of the IAM account you created.
- Provide the AWS 12-digit account ID for the VPC and VNS3 Controller(s) involved in your support issue.
- Provide the VPC ID for the VPC(s) involved in your support issue.
- Ensure that port 8000 is open to the Public IP designated by Cohesive Support as the source address of the diagnostic system being used. This may be different from the standard Cohesive Support IP of 54.236.197.84/32.
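The last item above is easy to get wrong by opening port 8000 to the whole Internet instead of the single support source address. As an added example (not the guide's or Cohesive's own code), this check walks a security group's ingress rules, shaped like the IpPermissions list that boto3's describe_security_groups returns, and reports whether port 8000 is reachable from the designated /32 and from nothing wider; the sample rules are constructed inline.

```python
# Added example (not from the guide): verify that TCP port 8000 is exposed only to
# the single support source address. Input mirrors boto3's IpPermissions list.
import ipaddress

SUPPORT_PORT = 8000


def rule_covers_port(perm, port):
    """True if a security group ingress rule reaches the given TCP port."""
    if perm["IpProtocol"] == "-1":  # "all traffic" rules carry no port range
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def port_sources(ip_permissions, port=SUPPORT_PORT):
    """Return every CIDR (IPv4 or IPv6) from which the port is reachable."""
    sources = []
    for perm in ip_permissions:
        if not rule_covers_port(perm, port):
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sources


def check_support_exposure(ip_permissions, allowed_cidr, port=SUPPORT_PORT):
    """Findings: the support source is missing, or some source is wider than one host."""
    findings = []
    sources = port_sources(ip_permissions, port)
    if allowed_cidr not in sources:
        findings.append("port %d not open to support source %s" % (port, allowed_cidr))
    for cidr in sources:
        if ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
            findings.append("port %d reachable from %s (wider than a single host)" % (port, cidr))
    return findings


# Constructed sample: the correct /32 rule plus an over-broad range someone added
# "to be safe" that also covers 8000, and an unrelated SSH rule that does not.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
     "IpRanges": [{"CidrIp": "54.236.197.84/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 9000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
```

On SAMPLE_RULES the check reports only the 7000-9000 rule open to 0.0.0.0/0; with that rule removed it returns no findings.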
After the support interaction is complete

Make the access credentials inactive (or delete the user account)
After the support incident is complete you can delete the user account. However, this will require a complete repeat of this IAM setup in the future. Alternatively, you can make the access credentials "Inactive" by clicking on the associated blue link. You can also delete the credential, then create a new one for this IAM user for future support incidents. Whether you delete the IAM account, deactivate the credential or delete the credential should be decided according to your organization's policies.

What if I don't want to provide Cohesive access?
The most effective way for Cohesive Networks to help debug the complexity of VPCs, security groups, network ACLs, subnets, route tables, Internet gateways, etc. is to have read-only access to the VPC information. If you do not want to provide this access, Cohesive staff can work remotely in a live session with you via WebEx or other screen-sharing technology. There will, however, be an hourly charge at double the then-published hourly rate (or part thereof) for support services. If you do not have Enhanced Support with the Quick Support (24x7 production outage) option, and the session is outside standard support hours, this can be quite expensive. We are quite willing to work either way. After supporting almost 1 billion device hours of cloud networking to date, we have a great understanding of how best to debug and discover complex cloud interaction issues.