Forcing Powershell scripts to use AWS MFA

Finally, I get to do some “real” AWS work.

So after getting my credentials for this new account, it turns out that they don't let people get access keys. Yep, it's a security risk. So to minimize it, I created a simple policy that denies 99% of actions except for the ability to read your MFA token ID (iam:ListMFADevices).

So the policy I created is below:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWhenMFAIsNotPresent",
      "Effect": "Deny",
      "NotAction": "iam:ListMFADevices",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": false
        }
      }
    }
  ]
}

Also remember you need to grant yourself the proper rights in another policy, so that you can do what you need to do.
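To see exactly what this Deny statement does for the three kinds of callers you will meet (long-term access keys, an MFA-backed STS session, and a session without MFA), here is a small, added evaluator that is not part of the post and not an AWS library. It models only the parts the policy uses: Effect, Action/NotAction, and the BoolIfExists operator on aws:MultiFactorAuthPresent, following the documented rule that a missing key makes an IfExists condition match. The policy dict is the one from the post (with the boolean written as the string "false", the form the AWS documentation uses); `evaluate`, `with_not_actions` and the request contexts are constructed for this example. The evaluator also shows why AWS's published version of this pattern lists sts:GetSessionToken in NotAction: the MFA key is absent on a call made with access keys, so the token request itself is caught by the Deny unless it is excluded.

```python
"""Toy IAM evaluator for the MFA Deny policy (constructed example)."""
import copy

# The policy from the post, held inline so the example runs offline.
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWhenMFAIsNotPresent",
            "Effect": "Deny",
            "NotAction": "iam:ListMFADevices",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}

# Request contexts (assumed, constructed): what the condition key looks like
# for each kind of caller.
ACCESS_KEYS = {}                                        # key absent for long-term credentials
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}     # STS session obtained with an MFA code
PLAIN_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # STS session obtained without MFA


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: exact match or a trailing '*' wildcard (e.g. 's3:*')."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _bool_if_exists(expected, context, key):
    """BoolIfExists: a missing key counts as a match; otherwise compare as booleans."""
    if key not in context:
        return True
    return str(context[key]).lower() == str(expected).lower()


def statement_applies(stmt, action, context):
    """True when the statement's action set and every condition cover the request."""
    if "Action" in stmt:
        in_scope = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    else:  # NotAction: everything except the listed actions
        in_scope = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    if not in_scope:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"operator {operator} not modelled here")
        if not all(_bool_if_exists(exp, context, key) for key, exp in pairs.items()):
            return False
    return True


def evaluate(policy, action, context):
    """Return 'deny' if an explicit Deny matches, else 'pass'.

    'pass' only means this policy does not block the call; the real permissions
    still have to come from the separate allow policy the post mentions.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_applies(stmt, action, context):
            return "deny"
    return "pass"


def with_not_actions(policy, extra_actions):
    """Copy of the policy with more actions excluded from the Deny (e.g. sts:GetSessionToken)."""
    patched = copy.deepcopy(policy)
    stmt = patched["Statement"][0]
    stmt["NotAction"] = _as_list(stmt["NotAction"]) + list(extra_actions)
    return patched


if __name__ == "__main__":
    for ctx_name, ctx in [("access keys", ACCESS_KEYS), ("MFA session", MFA_SESSION),
                          ("session w/o MFA", PLAIN_SESSION)]:
        for action in ["iam:ListMFADevices", "sts:GetSessionToken", "s3:ListBuckets"]:
            print(f"{ctx_name:16} {action:22} -> {evaluate(MFA_DENY_POLICY, action, ctx)}")
```

Running it prints the matrix: with plain access keys only iam:ListMFADevices passes, with an MFA session everything passes this Deny, and with a non-MFA session everything but ListMFADevices is denied again. Adding "sts:GetSessionToken" via `with_not_actions` is what lets the Get-STSSessionToken call below succeed from access keys.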

If you have PowerShell set up with multiple credential profiles, it's easy to switch between them, but to satisfy this policy you first have to get a temporary token by calling Get-STSSessionToken:

Get-AWSCredential -ListProfileDetail
# changes context to run as that profile, same as -Credential on all AWS commands
Set-AWSCredential -ProfileName <whatever>

# saves the credential for future use
Set-AWSCredential -ProfileName <whatever> -StoreAs <something>

# sets up a new session that carries the MFA
$MFASession = Get-STSSessionToken -SerialNumber (Get-IAMMFADevice).SerialNumber -TokenCode <CurrentMFAToken>
# now use it, or pass -Credential $MFASession on any AWS call that needs it
Set-AWSCredential -Credential $MFASession


AWS Associate Developer is now done

Did that test today and passed on the first time with an 80%. This one I spent more time focusing on DynamoDB instead of the other items that I haven't been using for a while, like SNS, SQS, etc., so the "basics" were not as good as they could have been. A pass is still a pass.


Developer-Associate


The more interesting one is going to be the Sysops exam, or do I do the professional Solutions Architect one first?


Using AWS as lab space for Active Directory

My current adventure is providing guidance and coaching to 20+ Junior sys admins that have no experience with Active Directory.


I've had to do testing of some scripts for DNS settings from the command line, so I made up this little PowerShell script to use in the AWS user data section. The other advantage of this script is that it's a simple cut and paste if you want to do it on an existing machine: just get rid of the <powershell> tags at the start and end of the file once you get a system up and running.


As you can see, the longest part of the script is writing the unattend.txt file for dcpromo.

<powershell>
# This should be able to be pasted into an AWS system startup script, or use it
# without the <powershell> tags on an existing system to make it a DC

Import-Module ServerManager
Add-WindowsFeature DNS, GPMC
Add-WindowsFeature AD-Domain-Services, ADDS-Domain-Controller

# create newforest-dcpromo.txt (the dcpromo unattend answer file)
$Unattendfile = "newforest-dcpromo.txt"

Add-Content $Unattendfile "[DCINSTALL]"
Add-Content $Unattendfile "InstallDNS=yes"
Add-Content $Unattendfile "NewDomain=forest"
Add-Content $Unattendfile "NewDomainDNSName=YOURDOMAIN.local"
Add-Content $Unattendfile "DomainNetBiosName=YOURDOMAIN"
Add-Content $Unattendfile "SiteName=Default-First-Site-Name"
Add-Content $Unattendfile "ReplicaOrNewDomain=domain"
Add-Content $Unattendfile "ForestLevel=3"
Add-Content $Unattendfile "DomainLevel=3"
# doubled quotes inside the string produce literal quotes in the file
Add-Content $Unattendfile "DatabasePath=""%systemroot%\NTDS"""
Add-Content $Unattendfile "LogPath=""%systemroot%\NTDS"""
Add-Content $Unattendfile "RebootOnCompletion=yes"
Add-Content $Unattendfile "SYSVOLPath=""%systemroot%\SYSVOL"""
# Directory Services Restore Mode password; replace the placeholder before use
Add-Content $Unattendfile "SafeModeAdminPassword=TheOopsPasswordGoesHere"
Add-Content $Unattendfile "`n"

# password of the domain admin will be whatever the local Administrator password is

dcpromo /unattend:newforest-dcpromo.txt
</powershell>

So what's next? Making this into a PowerShell script that I can run locally to do the entire server creation process.