# AWS temporary credential best practice for developer access - console setup

# Background

I've seen [numerous posts on Reddit](https://www.reddit.com/r/aws/search/?q=account%20hacked&restrict_sr=1) about people getting hacked or their access keys leaked. So I started this blog to address the gap in the issue. While AWS launched AWS SSO in 2017, not a lot of people are aware of it and most of the time people still resort to using IAM Users or worse the root account for day to day operations.

Do note that this just improves security, making it harder for attackers to get access and is **not** a foolproof method to make your account unhackable. You can still get hacked in numerous ways like exposing your access key(it will still be valid up to 1 hour after you first generated it, if you use the default value) or setting a weak root/sso user password with no MFA and many more like granting a random person IAM role access etc. The attack surface is limitless so please still be careful.

Let's start, I am unsure of the level of this blog. But personally, I would put it at level 200.

If you want a semi-automated setup with terraform script, please refer to [this blog post](https://vincenttjia.com/aws-temporary-credential-best-practice-for-developer-access)

# Prerequisite

* an AWS Account
    

# Steps

### Initial setup

Go to [https://console.aws.amazon.com/singlesignon/home](https://console.aws.amazon.com/singlesignon/home) on your AWS console then make sure that you have chosen the AWS region that is closest to you, for this example, I will be using the ap-southeast-1 region.

Go ahead and click `Enable`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697297537622/d8f1af98-79f4-428c-9340-eacdfe994a8b.png align="center")

Depending on whether you have enabled AWS Organization or not. You may or may not get this message. But if you do, click on `Create AWS organization`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697297667477/d2227579-e203-4513-bbc9-be32d07ea77d.png align="center")

Before continuing to create users, groups and permission sets. You will need to define some setup through the console. Unfortunately at the time of writing this blog AWS did not provide any API to enable these settings, so these steps must be done manually, I will probably be updating this guide when it's available.

On your IAM Identity Center dashboard, click on `settings` on the left navigation bar

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697301150561/24501502-958e-4123-a826-6f7caa2c7d4f.png align="center")

Click on Authentication

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697301229345/bed6c381-f166-47df-a4fa-6241b058bd16.png align="center")

Click `Configure` on **Standard authentication** and then check the box on `Send email OTP`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697301295944/3548564d-adb5-44fb-9e46-851b13e06c98.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697301367342/4b133229-d68d-4acf-8889-5d0b9186ced4.png align="center")

Next click `Configure` on **Multi-factor Authentication**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697301433766/c94c2f4e-ca4e-4fd5-a63d-3642f22e706f.png align="center")

You can choose to be creative on this screen, but I would strongly advise that you copy the settings on the screen for maximum security. But you can be flexible between context-aware and always-on, as with anything on security, there's always a tradeoff between more secure and more comfortable, the more comfortable you are the less secure it is like not enforcing MFA.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697301503530/59370495-ffcd-4f59-b7d4-a3cd7786caac.png align="center")

Note: to improve security even further, you can even choose to disable Authenticator apps and only enable Security keys if you have hardware devices such as Yubikey. But I will take the most common use-case and allow virtual authenticator

### Creating permission sets and groups

Now comes the fun part setting up your users and permissions

Go to [https://ap-southeast-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#!/accounts/permissionSets](https://ap-southeast-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#!/accounts/permissionSets)

Click on `Create permission set`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697357522732/e66ce3d3-2889-4015-9647-1110d587ae97.png align="center")

You can choose on one of the predefined permission set or create your own custom. But for this example I will be using the AdministratorAccess predefined permission set

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697357553812/115c083e-a5d5-443f-81f6-6f384204ab8c.png align="center")

Click on next

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697357605096/558ce7a1-ade1-40a2-83f6-391b47728aa8.png align="center")

Feel free to fill it in or just leave it as the default value, both work. Then hit `next` and then hit `create` after you review that the information is correct.

Next go to [https://us-east-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#/groups](https://us-east-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#/groups)

Create a group with the name of your permission sets with the accountId/accountAlias

Example AdministratorAccess-123456789012

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697357971310/61666a9c-6550-4823-bff9-282e89ab52a1.png align="center")

Go to [https://us-east-1.console.aws.amazon.com/iamv2/home?region=ap-southeast-1#/organization/accounts](https://us-east-1.console.aws.amazon.com/iamv2/home?region=ap-southeast-1#/organization/accounts)

Check the box for your AWS account and then click on `Assign users or groups`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697358097574/be8bd73c-02f9-440d-bc40-6dbb759f4955.png align="center")

Check the box the group that we created earlier, then hit `Next`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697358147872/0f897cbc-c1c1-447d-b69d-e34c69280cdd.png align="center")

Same goes for the permission sets and hit `Next` and `Submit` once you reviewed that the information is correct.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697358195585/6c9059a4-a9c6-4d3f-9bce-a6c521ca3fba.png align="center")

Repeat the steps above for all the permission set you want to create

### Creating the users and assigning them permissions

Next go to [https://us-east-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#/users](https://us-east-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#/users)

Click on `Add users`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697357725071/2bfd53be-fb3d-415b-8b83-47f191e806e6.png align="center")

Fill in the details of user that you want to create, then hit `Next`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697357826598/0b949de8-5753-49ca-9fec-0d5c81b7241c.png align="center")

Assign the users to the groups that you have created, then hit `Next`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697358254107/b85d83d3-a9e9-46e8-bef8-707f79befcb3.png align="center")

Review the info then click on `Add user`

### Account Setup

Check the email that you have provided on the users, you should see an email similar to this

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697358469206/74ab55a8-0127-488e-a3ea-4522e825e8ee.png align="center")

If for any reasons you did not receive the email, you can go to [https://us-east-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#/users](https://us-east-1.console.aws.amazon.com/singlesignon/home?region=ap-southeast-1#/users), click on the user and on the top of the page click on `Send email verification link`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697358602434/e46c25c0-e007-4315-8965-a7d0f012a352.png align="center")

Continue through the setup, by setting up your password and MFA.

Now, you should now be arriving at this page

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697305332371/2420d98d-7fb6-43a6-bb12-74acb5468a46.png align="center")

Now that you have confirmed that you have access, we can start on setting up your temporary credential on the cli.

```bash
aws configure sso
```

```bash
SSO session name (Recommended): <You can choose any>
SSO start URL [None]: <Use the url from earlier>
SSO region [None]: <The region that was used earlier>
SSO registration scopes [sso:account:access]: <Just leave blank and hit enter>
```

Example

```bash
SSO session name (Recommended): personal
SSO start URL [None]: https://d-1234acd5.awsapps.com/start/
SSO region [None]: ap-southeast-1
SSO registration scopes [sso:account:access]:
```

Confirm and continue, then allow it

```plaintext
CLI default client Region [ap-southeast-1]: <Use which ever region best for you>
CLI default output format [None]: <Use which ever format best for you>
CLI profile name [SuperAdmin-198266650228]: default
```

Example

```bash
CLI default client Region [ap-southeast-1]: ap-southeast-1
CLI default output format [None]: json
CLI profile name [SuperAdmin-198266650228]: default
```

Note: only use the profile default if you only have 1 credential, if you have multiple like SuperAdmin, PowerUser etc. You can separate their naming and pass the `--profile` parameter every time you want to use them

Now you should be able to use temporary credentials on your terminal and periodically run `aws sso login` when your session runs out

```plaintext
aws sso login
```

## Cleanup(important)

### Cleanup on the root account

Now that everything is done, there are a few cleanup that we need to do

Go to [https://us-east-1.console.aws.amazon.com/iam/home#/security\_credential](https://us-east-1.console.aws.amazon.com/iam/home#/security_credential)

Delete any root access keys that you might have found here. But, before deleting other access keys be sure that you are not using them for anything else or stuff will break.

Secondly, generate a strong password using your password manager for your root account and don't forget to set up MFA to make sure that the root account is never compromised. I would suggest at least a 128-character password with a letter, number and symbol.

There are 2 approaches that you can use, you can store the password in your password manager if you ever need to use the root account in the future or you can choose not to store it and just request a password reset anytime you need to access the root account. This needs to be taken with a grain of salt as you will need to secure and maintain access to the email that is associated with the root account as well.

Ideally, it should look like this

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697306143392/83055416-3ccd-4fc2-93d6-c98a3dedc0d0.png align="center")

Lastly, as root, you would want to give access to Billing for yourself

Go to [https://us-east-1.console.aws.amazon.com/billing/home#/account](https://us-east-1.console.aws.amazon.com/billing/home#/account)

then scroll down until you find **IAM user and role access to Billing information** edit it and activate IAM access

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697306541994/14aa593c-e1a8-4539-b4d7-25011827d87d.png align="center")

### Cleanup on IAM Users

Delete all existing IAM users on your account, but before deleting please be sure that you have re-created the user in IAM Identity Center, assigned the correct permission and you have communicated it clearly to the affected user the new method to login and assume cli access.

## Nice to have

### Custom domain

You can set a custom domain for your AWS SSO login portal

Go to the settings page we visited earlier from [https://ap-southeast-1.console.aws.amazon.com/singlesignon/home](https://ap-southeast-1.console.aws.amazon.com/singlesignon/home) -&gt; Scroll down to Identity Source -&gt; Actions -&gt; Customize AWS access portal URL

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697306748795/e4fba541-0836-4688-905b-647f50cd5f38.png align="center")

# Troubleshooting

### Running issue into assuming different profiles

If you only used the `default` profile you will not be running into this issue. But if you set up multiple profiles you might have issues such as running the terraform version before 0.12

I would suggest you install [Granted-cli](https://docs.commonfate.io/granted/getting-started/) and then you can just do

```bash
assume profileName
```
