Skip to content

Getting Started with IAM

Using IAM, you can specify who can access VECTR resources (databases) and perform privileged actions such as managing users and policies.

How It Works

With IAM, you define how users can access what by specifying the permission for specific resources and other actions/operations. IAM will enforce these permissions for every request and will either allow or deny the request. By default, access to resources are denied and are only granted when a policy contains a specific permission allowing the action.

Walk Through

We'll walk you through getting setup in IAM and how to create policies and set the correct permissions to ensure your users are given the appropriate access.

During the walk through, you will perform the following tasks:

  • Create a user and add that user to the Admins group
  • Using this administrator user:
    • Create the sample SAMPLE_PURPLE database
    • Create policies
    • Create groups and assign policies to the group
    • Create users and assign them to groups

View the Policy Management walk through.

Best Practices

Review the topics below to help secure your VECTR resources while ensuring that users can log in and have the correct permissions.

Topics:


Use a strong password for the default root VECTR account

The default root user has full access to VECTR and their privileges cannot be revoked. With this in mind, we recommend that you use a strong password and do not share this with anyone.

We recommend that you setup user accounts with administrative permissions and use these accounts for your day-to-day work. When you setup additional "admin" user accounts, it's easier to revoke their privileges and audit their actions should the need arise.


Enable MFA on the default root account

For extra security, we recommend that you enable multi-factor authentication for the default root account. With MFA, the root account will require this extra step of validating an authentication challenge. Since the root account cannot be disabled and should the password be compromised, your VECTR resources will still be secured because of the additional authentication requirement.

To learn how to setup MFA, see MFA Setup.


Enable MFA for all local accounts

For extra security, we recommend that you enable multi-factor authentication for all users. With MFA, users have a device that generates a response to an authentication challenge. With MFA enabled, users will be required to validate the authentication challenge in all login scenarios except when using an API key.

As an administrator, you can set a "soft" requirement that strongly encourages users to enable MFA. At this time, MFA cannot be mandated.

To learn how to configure MFA settings, see Security Settings.

To learn how to setup MFA, see MFA Setup.


Grant least privilege

When you create IAM policies, grant only the permissions required to perform a task. Determine what users need to do and then create policies that allow them to perform only those actions.

Additionally, when creating groups, attach only the policies that are specific to that group's function.


Use the default BasicAccess group where possible

The BasicAccess group contains all the minimum required policies that grant permissions to log into VECTR. This group does not contain permissions on individual VECTR databases so you can safely use this as a base for all of your VECTR users.

Attention

If you do not plan to use the BasicAccess group to manage minimum permissions, be sure to give all users the minimum required permissions as noted in the Default SRA Managed Policies section.


Use groups to manage the permissions for a collection of users

We recommend creating groups to assign permissions. When you assign permissions to a group, any user that belongs to the group will inherit those permissions. With groups, it's easier to add or revoke permissions for a collection of users and it can simplify the administrative burden of managing user permissions.

To more information about groups, see Groups.