Forcing Powershell scripts to use AWS MFA

Finally, I get to do some “real” AWS work.

So after getting my credentials for this new account, it turns out that they don't let people get access keys. Yep, it's a security risk. So to minimize it, I created a simple policy to deny 99% of the actions, except for the ability to read your own MFA token ID (iam:ListMFADevices).

So the policy I created is below:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWhenMFAIsNotPresent",
      "Effect": "Deny",
      "NotAction": "iam:ListMFADevices",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": false
        }
      }
    }
  ]
}

Also remember you need to grant yourself the proper rights in another policy, so that you can do what you need to do.

If you have PowerShell set up with multiple credential profiles, it's easy to switch between them, but with this policy in place you still have to get a temporary, MFA-backed token by calling Get-STSSessionToken before anything else will be allowed:

# List the credential profiles already stored on this machine
Get-AWSCredential -ListProfileDetail
# Change context to run as that id, same as -Credential on all AWS commands
Set-AWSCredential -ProfileName <whatever>

# Save the credential for future use under a new profile name
Set-AWSCredential -ProfileName <whatever> -StoreAs <something>

# Set up a new session that carries the MFA assertion; Get-IAMMFADevice only
# needs iam:ListMFADevices, which the deny policy above leaves open
$MFASession = Get-STSSessionToken -SerialNumber (Get-IAMMFADevice).SerialNumber -TokenCode <CurrentMFAToken>
# Now use it: make it the current credential, or pass -Credential $MFASession on any AWS call that needs it
Set-AWSCredential -Credential $MFASession
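To save retyping those steps, here is an added example (my own code, not from the original post) that wraps them in one function, stores the temporary credentials as a separate profile, and confirms the new profile actually works. The function name, the "-mfa" profile suffix and the one-device assumption are mine; it assumes the source profile is allowed iam:ListMFADevices as the policy above grants.

```powershell
function New-MfaSessionProfile {
    [CmdletBinding()]
    param(
        # Long-lived profile (plain access key) that is only allowed iam:ListMFADevices
        [Parameter(Mandatory)] [string] $SourceProfile,
        # Hypothetical name for the profile that holds the MFA-backed temporary credentials
        [string] $TargetProfile = "$SourceProfile-mfa",
        # Current code from the authenticator; prompted for if not supplied
        [string] $TokenCode,
        # Session lifetime; keep it short so a leaked token is short-lived (assumed default: 1 hour)
        [ValidateRange(900, 129600)] [int] $DurationInSeconds = 3600
    )

    # Look up the MFA device bound to this IAM user. This call is the one thing
    # the deny policy leaves open without MFA. Assumes exactly one device.
    $devices = @(Get-IAMMFADevice -ProfileName $SourceProfile)
    if ($devices.Count -ne 1) {
        throw "Expected exactly one MFA device on the source user, found $($devices.Count)."
    }
    $serial = $devices[0].SerialNumber

    # Sanity-check the code before spending a call; a stale or mistyped code
    # just comes back as an AccessDenied from STS.
    if (-not $TokenCode) { $TokenCode = Read-Host -Prompt "MFA code for $serial" }
    if ($TokenCode -notmatch '^\d{6}$') { throw "MFA code must be six digits." }

    # Exchange the long-lived key plus the code for temporary credentials that
    # carry aws:MultiFactorAuthPresent=true, which is what the policy tests.
    $session = Get-STSSessionToken -ProfileName $SourceProfile -SerialNumber $serial `
                                   -TokenCode $TokenCode -DurationInSeconds $DurationInSeconds

    # Persist them as their own profile so later scripts use -ProfileName $TargetProfile
    # and never touch the raw access key again.
    Set-AWSCredential -AccessKey $session.AccessKeyId -SecretKey $session.SecretAccessKey `
                      -SessionToken $session.SessionToken -StoreAs $TargetProfile

    # Verify the new profile works where the bare key would be denied.
    $who = Get-STSCallerIdentity -ProfileName $TargetProfile
    Write-Verbose "Stored $TargetProfile for $($who.Arn); expires $($session.Expiration)"
    return [pscustomobject]@{
        Profile    = $TargetProfile
        Arn        = $who.Arn
        Expiration = $session.Expiration
    }
}

# Usage: New-MfaSessionProfile -SourceProfile <whatever> -Verbose
```

Once the profile expires, rerun the function; the stored "-mfa" profile is simply overwritten with a fresh token.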


AWS Associate Developer is now done

Did that test today and passed on the first try with an 80%. For this one I spent more time focusing on DynamoDB instead of the other items that I haven't been using for a while, like SNS, SQS, etc., so the "basics" were not as good as they could have been. A pass is still a pass.


Developer-Associate


The more interesting one is going to be the Sysops exam, or do I do the professional Solutions Architect one first?


Using AWS as lab space for Active Directory

My current adventure is providing guidance and coaching to 20+ Junior sys admins that have no experience with Active Directory.


I've had to do testing of some scripts for DNS settings from the command line, so I made up this little PowerShell script to use in the AWS user data section. The other advantage of this script is that it's a simple cut and paste if you want to do it on an existing machine: just get rid of the <powershell> tags at the start and end of the file once you get a system up and running.

As you can see, the longest part of the script is writing the unattend.txt file for dcpromo.

<powershell>
# This should be able to be pasted into an AWS system startup script, or used
# without the <powershell> tags on an existing system to make it a DC

Import-Module ServerManager
Add-WindowsFeature DNS, GPMC
Add-WindowsFeature AD-Domain-Services, ADDS-Domain-Controller

# Create newforest-dcpromo.txt, the unattend file that dcpromo reads below
$Unattendfile = "newforest-dcpromo.txt"

Add-Content $Unattendfile "[DCINSTALL]"
Add-Content $Unattendfile "InstallDNS=yes"
Add-Content $Unattendfile "NewDomain=forest"
Add-Content $Unattendfile "NewDomainDNSName=YOURDOMAIN.local"
Add-Content $Unattendfile "DomainNetBiosName=YOURDOMAIN"
Add-Content $Unattendfile "SiteName=Default-First-Site-Name"
Add-Content $Unattendfile "ReplicaOrNewDomain=domain"
Add-Content $Unattendfile "ForestLevel=3"
Add-Content $Unattendfile "DomainLevel=3"
Add-Content $Unattendfile "DatabasePath=""%systemroot%\NTDS"""
Add-Content $Unattendfile "LogPath=""%systemroot%\NTDS"""
Add-Content $Unattendfile "RebootOnCompletion=yes"
Add-Content $Unattendfile "SYSVOLPath=""%systemroot%\SYSVOL"""
# Directory Services Restore Mode password; replace the placeholder. Anything
# placed in user data stays readable from the instance metadata afterwards,
# so treat it as a lab value and change it once the DC is up.
Add-Content $Unattendfile "SafeModeAdminPassword=TheOopsPasswordGoesHere"
Add-Content $Unattendfile "`n"

# The domain admin password will be whatever the local Administrator password is

dcpromo /unattend:newforest-dcpromo.txt
</powershell>

So what's next? Making this into a PowerShell script that I can run locally to do the entire server creation process.

Got One AWS test done.. what’s next?

Passed my AWS Technical Architect test today.

Solutions Architect-Associate


So they give you this nice pretty logo, woo hoo. Who knows? Maybe I'll add the other two AWS certs to the bottom of this list and become a follower of Amazon Web Services.

But I have to spend time and play with Azure now to see how it compares to AWS. It's different: they only give you a free month, then you start paying, and Azure also seems more expensive.