Creating AWS IAM user access key specifically for SES

1
votes

I'm tracking how to send an Email Using the AWS SDK for Python (Boto).

At the AWS Developer Guide using-credentials page I read that:

For security best practice, use AWS Identity and Access Management (IAM) user access keys instead of AWS account access keys [emphasis added].

Then at the Managing Access Keys for IAM Users I am eventually led to this section and I duly confirm using 

aws iam list-access-keys

that I have just created (in JSON form):

{
    "AccessKeyMetadata": [
        {
            "UserName": "My_User_Name", 
            "Status": "Active", 
            "CreateDate": "2018-09-03T00:43:37Z", 
            "AccessKeyId": "JRUFKDHUWHE8DD495CHD"
        }
    ]
}

but I lack clarity about whether this identity is the "AWS account access keys" that I was earlier warned does not fall in the "security best practice".

How do I create an IAM identity (user access + password) for sending email through SES and boto (while eliminating the chance I am exposing the entire AWS account)?

Ranting (and a constructive suggestion to AWS staff writers, if here): Specific branding would help. At Ikea I might order a chair or a table with the meaningless name Fjorstuvstok, but I know with certainty that I am ordering the chair I want.

2
amazon-web-servicesamazon-ses

2 Answers

0
votes

The AWS account access keys are the ones owned by the root account user. To check what these are, you need to know your root account user name. This can be checked using the aws cli using the AWS root credentials, or loging in with your root account credentials to the AWS Console and clicking "My Security Credentials" under your username in the top right corner.

Assuming you use the cli, make sure you've configured the root credentials in ~/.aws/credentials. Then run:

aws iam get-user
{
    "User": {
        "UserName": "my_root_user_name", 
        "PasswordLastUsed": "2018-09-03T06:40:38Z", 
        "CreateDate": "2017-03-01T08:53:36Z", 
        "UserId": "9XXXXXXXXXXX", 
        "Arn": "arn:aws:iam::9XXXXXXXXXXX:root"
    }
}

This will provide you with details of your root user. This username can then be used to query for access keys:

aws iam list-access-keys --user-name my_root_user_name

If any of the keys listed from this result are being used for SES, then that's bad news. AWS reccomends that you use Access Keys assigned to IAM Users (non-root).

0
votes

The AWS account access keys mean the Root account access /secret keys of your AWS account. When you register yourself with aws using your email, the account created is Root account. There is key associated with that, which needs to be removed. (As this is Root account, it provides unrestricted access to all AWS services. Check AWS Account Root User Credentials vs. IAM User Credentials

The warning suggested to use IAM user access keys. So you can create IAM user in your aws account and create associated access key id and secret access key and configure that on your machine from where you are running your code. ( This is not good practice in higher deployment environment. If the machine gets compromised then access key will be exposed)

As its unclear how you are running your application code (from ECS or EC2 or AWS Lambda), You should create IAM role to grant access to SES from where you are going to run your code. This will avoid exposing IAM access key Id and Secret access key from your application code / machine.