Getting Started with IAM
Using IAM, you can specify who can access VECTR resources (environments) and perform privileged actions such as managing users and policies.
How It Works
With IAM, you define which users can access which resources by specifying permissions for specific resources and for other actions/operations. IAM enforces these permissions on every request and either allows or denies it. By default, access to resources is denied; access is granted only when a policy contains a specific permission allowing the action.
Walk Through
We'll walk you through getting set up in IAM and how to create policies and set the correct permissions to ensure your users are given the appropriate access.
During the walk through, you will perform the following tasks:
- Create a user and add that user to the Admins group
- Using this administrator user:
  - Create the sample SAMPLE_PURPLE environment
  - Create policies
  - Create groups and assign policies to the group
  - Create users and assign them to groups
View the Policy Management walk through.
Best Practices
Review the topics below to help secure your VECTR resources while ensuring that users can log in and have the correct permissions.
Topics:
- Use a strong password for the default root VECTR account
- Enable MFA on the default root account
- Enable MFA for all local accounts
- Grant least privilege
- Use the default BasicAccess group where possible
- Use groups to manage the permissions for a collection of users
Use a strong password for the default root VECTR account
The default root user has full access to VECTR and its privileges cannot be revoked. With this in mind, we recommend that you use a strong password and do not share it with anyone.
We recommend that you set up user accounts with administrative permissions and use these accounts for your day-to-day work. When you set up additional "admin" user accounts, it's easier to revoke their privileges and audit their actions should the need arise.
Enable MFA on the default root account
For extra security, we recommend that you enable multi-factor authentication for the default root account. With MFA, the root account requires the extra step of validating an authentication challenge. Because the root account cannot be disabled, if its password is compromised your VECTR resources are still protected by the additional authentication requirement.
To learn how to set up MFA, see MFA Setup.
Enable MFA for all local accounts
For extra security, we recommend that you enable multi-factor authentication for all users. With MFA, users have a device that generates a response to an authentication challenge. With MFA enabled, users will be required to validate the authentication challenge in all login scenarios except when using an API key.
As an administrator, you can set a "soft" requirement that strongly encourages users to enable MFA. At this time, MFA cannot be mandated.
To learn how to configure MFA settings, see Security Settings.
To learn how to set up MFA, see MFA Setup.
Grant least privilege
When you create IAM policies, grant only the permissions required to perform a task. Determine what users need to do and then create policies that allow them to perform only those actions.
Additionally, when creating groups, attach only the policies that are specific to that group's function.
Use the default BasicAccess group where possible
The BasicAccess group contains all the minimum required policies that grant permissions to log into VECTR. This group does not contain permissions on individual VECTR environments, so you can safely use it as a base for all of your VECTR users.
Attention: If you do not plan to use the BasicAccess group to manage minimum permissions, be sure to give all users the minimum required permissions as noted in the Default SRA Managed Policies section.
Use groups to manage the permissions for a collection of users
We recommend creating groups to assign permissions. When you assign permissions to a group, any user that belongs to the group will inherit those permissions. With groups, it's easier to add or revoke permissions for a collection of users and it can simplify the administrative burden of managing user permissions.
For more information about groups, see Groups.
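The following is an added, illustrative model of the default-deny evaluation described under "How It Works" and the group inheritance described above. It is not VECTR's own policy format, API or code: the policy structure, action and resource names, and the BasicAccess/Admins sample data are assumptions constructed for the example. It shows that a request is denied unless some policy attached to one of the user's groups grants the exact action on the resource (or on any resource via a wildcard), and includes a small least-privilege audit helper that reports permissions a user holds beyond those a task requires.

```python
"""Constructed model of default-deny, group-based permission evaluation.

Not VECTR's policy format: every name and structure here is an assumption
chosen to illustrate how group-inherited permissions are evaluated.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str    # hypothetical action names, e.g. "environment:read"
    resource: str  # hypothetical resource id, or "*" for any resource


@dataclass
class Policy:
    name: str
    permissions: frozenset[Permission]


@dataclass
class Group:
    name: str
    policies: list[Policy] = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: list[Group] = field(default_factory=list)


def effective_permissions(user: User) -> set[Permission]:
    """A user inherits every permission of every policy on every group."""
    perms: set[Permission] = set()
    for group in user.groups:
        for policy in group.policies:
            perms |= policy.permissions
    return perms


def is_allowed(user: User, action: str, resource: str) -> bool:
    """Default deny: allowed only if an inherited permission matches the
    action and either names the resource exactly or uses the "*" wildcard."""
    return any(
        p.action == action and p.resource in ("*", resource)
        for p in effective_permissions(user)
    )


def excess_permissions(user: User, required: set[Permission]) -> set[Permission]:
    """Least-privilege audit: permissions held beyond those a task requires.
    An empty result means the user's groups grant nothing unnecessary."""
    return effective_permissions(user) - required


# Constructed sample data; group names borrow from the walk-through above.
LOGIN = Policy("login", frozenset({Permission("session:login", "*")}))
PURPLE_READ = Policy(
    "purple-read", frozenset({Permission("environment:read", "env/SAMPLE_PURPLE")})
)
ADMIN = Policy(
    "admin",
    frozenset({
        Permission("user:manage", "*"),
        Permission("policy:manage", "*"),
        Permission("environment:read", "*"),
    }),
)

basic_access = Group("BasicAccess", [LOGIN])       # login only, no environments
purple_viewers = Group("PurpleViewers", [PURPLE_READ])
admins = Group("Admins", [LOGIN, ADMIN])

alice = User("alice", [admins])
bob = User("bob", [basic_access, purple_viewers])
carol = User("carol", [])  # no groups, so every request is denied


if __name__ == "__main__":
    for user, action, resource in [
        (alice, "user:manage", "users"),
        (bob, "environment:read", "env/SAMPLE_PURPLE"),
        (bob, "environment:read", "env/OTHER"),
        (carol, "session:login", "vectr"),
    ]:
        verdict = "ALLOW" if is_allowed(user, action, resource) else "DENY"
        print(f"{user.name:6} {action:18} {resource:20} {verdict}")
```

Because `effective_permissions` is a union over groups, adding a user to a second group can only widen access, which is why the page recommends attaching only the policies specific to each group's function: `excess_permissions` makes that widening visible when reviewing a group assignment.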