AWS IAM Role and Policy for pfSense
Netgate recommends using an IAM user to set up and manage pfSense on AWS. An IAM (AWS Identity and Access Management) role provides specific privileges and restrictions to IAM users. It is also recommended to assign privileges based only on necessity; this is known as the principle of least privilege.
To create an IAM role for pfSense management, three components must be configured in the AWS Management Console:
- Create a policy (the set of privileges and restrictions)
- Create a user group (to which this policy is attached)
- Create a user (which is added to the newly created group)
Create IAM Policy
To start, go to aws.com and select “Sign in to the Console” from the top right corner of the page. After entering your root/owner username and password you will be taken to the “AWS Management Console”.
On this page select IAM; if it is not listed, type IAM into the search bar of the AWS console and it will appear. On the IAM page, select “Users” from the top left pane, then select “Policies” from the left pane, and then choose “Create Policy” from the right pane.
Then select “Service”.
After this, choose EC2 from the service list.
Once EC2 is selected, another drop-down list opens; select the checkbox next to All EC2 Actions (ec2:*) as shown in the image.
After this, scroll down a little further to the “Resources” section. When the list is populated, select the checkbox next to “All resources”, then select “Next: Tags” and then “Review”.
After this, add a name for the policy, fill in the optional description, and select “Create Policy”. This creates the new IAM policy.
Create the IAM User Group
Let us now create a new user group so that the policy can be associated with it. Once the user group exists, we will create an IAM user and assign it to the new user group.
From the left pane, under “Access Management”, select “User groups” and then select “Create user group” from the right pane.
Once the user group page is displayed, enter an appropriate group name such as “Aws_Ec2_Admin”, then scroll down and select the checkbox next to the recently created policy; this attaches the policy to the new IAM user group. Once done, scroll down a little and select “Create group”. This creates the new user group.
Set Up the AWS IAM User for the pfSense AMI
If you have multiple instances and different groups of users manage different instances, you can create a separate IAM user for each group for administration purposes.
Also, what is the pfSense AMI? AMI stands for Amazon Machine Image. In short, you can run any EC2 instance (with any processor and memory specification) based on a pfSense image. If you need to spin up multiple pfSense instances for different use cases, you can create a base AMI, save it as a template, and then use it to boot multiple instances (see the AWS documentation for more information).
IAM User Configuration
IAM user configuration involves the following steps:
- Create a new IAM user in the AWS Management Console.
- Create credentials for the new user.
- Add the user to the newly created user group (this grants permissions to the new user and completes the IAM role for pfSense).
Note: The IAM user is created at the global (account) level, not at the region or availability-zone level.
Creating IAM User Through AWS Management Console
For this tutorial we need just one IAM user. To create it, follow the steps in the following screenshots. On the IAM page select “Users” from the left pane and then select “Add users” from the right pane.
Once the new page opens, fill in the following details as required; here is a sample screenshot.
User name*: type in your desired admin username; I have used admin.
Select AWS access type:
Select AWS credential type*:
- Access key – Programmatic access
Select this checkbox for remote SSH access to pfSense.
- Password – AWS Management Console access
Select this checkbox to have access to the network and storage services for pfSense in the Management Console. Access depends on the rights configured for this user, and this user will have the very least rights in the Management Console, so worry not.
Console password*: you can use an auto-generated or a custom password; I have chosen a custom password here.
Require password reset: check this box if you want the user to change the password on first use.
Once done, hit the “Next: Permissions” button. Next, select “Add user to group” and then select the checkbox against the newly created group (Aws_Ec2_Admin). The group already has the policy (Pfsense_Admin_Policy) attached, so this assigns those rights to the newly created user (admin).
After this, click the “Next: Tags” button, bypass that screen by hitting the “Next: Review” button, and finally hit the “Create user” button.
Once the user is created, you will see the following page containing the details of the new IAM user. It is recommended that you download them in .csv format or email them to yourself using the “Send email” link.
Important: The above-mentioned link contains your IAM ID (in digits). Click the link and it will take you to the IAM login page; enter the user name (admin) and the password you already created, and you will be logged in as the new user with the IAM role assigned.
This concludes creating the new user with the IAM role (policy rights) assigned to it.
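The three console steps above (policy, user group, user) map directly onto IAM API calls, and scripting them makes the result reviewable. The block below is an added example and not Netgate's or AWS's own code: it writes out the policy document that the visual editor produces when “All EC2 Actions (ec2:*)” and “All resources” are ticked, checks it for wildcard scope against the least-privilege principle the page cites, and then performs the page's steps in order through an IAM client. It assumes the names the page uses (Pfsense_Admin_Policy, Aws_Ec2_Admin, admin) and the boto3 IAM client methods create_policy, create_group, attach_group_policy, create_user, add_user_to_group, create_login_profile and create_access_key; RecordingIAM is a constructed offline stand-in for boto3.client("iam"), and the account ID and key ID it returns are constructed placeholders.

```python
"""Scripted version of the page's three console steps, plus a wildcard
check for the policy.  Added example, not Netgate's or AWS's own code.
Names (Pfsense_Admin_Policy, Aws_Ec2_Admin, admin) follow the page;
RecordingIAM is a constructed stand-in for boto3.client("iam") so the
script runs without AWS credentials."""
import json

POLICY_NAME = "Pfsense_Admin_Policy"
GROUP_NAME = "Aws_Ec2_Admin"
USER_NAME = "admin"

# The document the visual editor writes for "All EC2 Actions (ec2:*)"
# on "All resources", as described on the page.
PFSENSE_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}


def wildcard_findings(policy):
    """Return (statement index, field) pairs where an Allow statement uses
    a bare "*" or a service-wide "service:*" wildcard.  A non-empty list
    means the policy is wider than the least-privilege principle."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            if isinstance(values, str):
                values = [values]
            if any(v == "*" or v.endswith(":*") for v in values):
                findings.append((i, field))
    return findings


def provision(iam, console_password, require_reset=True):
    """Perform the page's console steps in order through an IAM client and
    return the identifiers the console shows on its final page."""
    created = iam.create_policy(
        PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(PFSENSE_ADMIN_POLICY),
        Description="Management rights for pfSense EC2 instances",
    )
    policy_arn = created["Policy"]["Arn"]
    iam.create_group(GroupName=GROUP_NAME)
    iam.attach_group_policy(GroupName=GROUP_NAME, PolicyArn=policy_arn)
    iam.create_user(UserName=USER_NAME)
    iam.add_user_to_group(GroupName=GROUP_NAME, UserName=USER_NAME)
    # "Password - AWS Management Console access" + "Require password reset"
    iam.create_login_profile(
        UserName=USER_NAME,
        Password=console_password,
        PasswordResetRequired=require_reset,
    )
    # "Access key - Programmatic access"
    key = iam.create_access_key(UserName=USER_NAME)["AccessKey"]
    return {
        "policy_arn": policy_arn,
        "group": GROUP_NAME,
        "user": USER_NAME,
        "access_key_id": key["AccessKeyId"],
    }


class RecordingIAM:
    """Constructed offline stand-in for boto3.client('iam'): records every
    call and returns the minimal response shape the real client would.
    Account ID and key values below are placeholders, not real ones."""

    RESPONSES = {
        "create_policy": {
            "Policy": {"Arn": "arn:aws:iam::123456789012:policy/" + POLICY_NAME}
        },
        "create_access_key": {
            "AccessKey": {
                "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "SecretAccessKey": "<constructed-secret>",
            }
        },
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return dict(self.RESPONSES.get(name, {}))
        return call


if __name__ == "__main__":
    for idx, field in wildcard_findings(PFSENSE_ADMIN_POLICY):
        print(f"statement {idx}: {field} is a wildcard")
    iam = RecordingIAM()  # replace with boto3.client("iam") to run for real
    print(provision(iam, console_password="<set-a-custom-password>"))
    print([name for name, _ in iam.calls])
```

Run as-is, the wildcard check reports both the Action and the Resource of statement 0, which is exactly the breadth the console choices “All EC2 Actions” and “All resources” produce; narrowing either field to the specific actions and instance ARNs the pfSense administrator needs is what brings the policy in line with the least-privilege recommendation at the top of the page. Swapping RecordingIAM for a real boto3 client keeps the call order identical.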