I'm working on a script for a Windows tool that uses PowerShell to discover accounts and rotate passwords for various providers; I'm working on AWS IAM users now.
Once a PowerShell script is complete, you load it into the tool and the tool provides a web interface and executes the PowerShell script as NetworkService in PowerShell Core 7+.
In the script, I need to securely authenticate to a user's AWS infrastructure and then using a role (I assume?), list all IAM users and change passwords.
I need to do this in the most secure way possible, as this script may potentially be controlling IAM user passwords for many different companies.
After a lot of research, I've come up with a really rough plan, but I'm no AWS expert here and I'm looking for advice.
When setting this up for the first time, the tool docs would:
- Instruct the user to set up an IAM user with permission to update all other IAM user passwords? Is there a least-privilege way to do this?
- Create an IAM role using this trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListIAMUsers",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:GetUser"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ChangeIAMUserPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:UpdateLoginProfile"
      ],
      "Resource": "arn:aws:iam::*:user/*"
    }
  ]
}
```
Once the prereqs have been set up, what's the most secure way to leverage the role? Should the tool:
- create a credential profile on the fly with `Set-AWSCredential -RoleArn`, possibly using the `SessionToken` parameter to create temp credentials, then run `Update-IAMLoginProfile` to change the IAM user requested?
- make the user save a credential profile on disk once while logged into the server as an interactive user, and then have the tool (running as NetworkService) use `Get-AWSCredential` to reference that credential, assume the role, and then change the password?
- I saw that AWS recommends using AWS IAM Identity Center for this?
I never realized how many options you have to authenticate to AWS until now!
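As an added example (not code from the question or from the tool being described), here is one way the rotation step could look in PowerShell 7 with the AWS.Tools modules: the script exchanges a long-lived base identity for short-lived STS role credentials that exist only in process memory, enumerates users with those credentials, and rotates each console password using exactly the permissions in the policy above (`iam:ListUsers` and `iam:UpdateLoginProfile`). The role ARN, the external ID and the `rotation-tool` profile name are placeholders the caller supplies; the external ID is assumed to be configured in the role's trust policy so that only this tool can assume it.

```powershell
#Requires -Modules AWS.Tools.SecurityToken, AWS.Tools.IdentityManagement
# Added example, not part of the original post. Placeholders: $RoleArn,
# $ExternalId and the 'rotation-tool' profile name are assumptions.

function New-RandomIamPassword {
    # Build a password from the OS CSPRNG. Each class appears at least once so
    # the result satisfies a typical IAM password policy; the rest is drawn
    # from the union of all classes, then the order is shuffled.
    param([int]$Length = 24)
    $sets = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*()-_=+'
    )
    $all = [char[]]($sets | ForEach-Object { $_ })
    $rng = [System.Security.Cryptography.RandomNumberGenerator]
    $chars = foreach ($set in $sets) { $set[$rng::GetInt32(0, $set.Length)] }
    $chars += 1..($Length - $sets.Count) | ForEach-Object { $all[$rng::GetInt32(0, $all.Length)] }
    -join ($chars | Sort-Object { $rng::GetInt32(0, [int]::MaxValue) })
}

function Invoke-IamPasswordRotation {
    [CmdletBinding()]
    param(
        # Placeholder: arn:aws:iam::<account-id>:role/<role-name>
        [Parameter(Mandatory)] [string]$RoleArn,
        # Placeholder: the ExternalId condition set in the role's trust policy
        [Parameter(Mandatory)] [string]$ExternalId,
        # Assumed name of the profile holding the tool's base identity
        [string]$SourceProfile = 'rotation-tool',
        # 900 s is the STS minimum and is enough for one rotation run
        [int]$SessionSeconds = 900
    )

    # 1. Swap the base identity for short-lived role credentials. They are held
    #    only in this process; nothing is written to disk or to a profile.
    $base = Get-AWSCredential -ProfileName $SourceProfile
    $session = "pw-rotation-$([DateTimeOffset]::UtcNow.ToUnixTimeSeconds())"
    $assumed = Use-STSRole -RoleArn $RoleArn -RoleSessionName $session `
                           -ExternalId $ExternalId -DurationInSeconds $SessionSeconds `
                           -Credential $base
    $temp = $assumed.Credentials

    # 2. Enumerate users with the role (iam:ListUsers). Get-IAMUserList pages
    #    through the full list on its own.
    foreach ($user in (Get-IAMUserList -Credential $temp)) {
        $newPassword = New-RandomIamPassword
        try {
            # 3. Replace the console password and force a change at next
            #    sign-in (iam:UpdateLoginProfile on user/*).
            Update-IAMLoginProfile -UserName $user.UserName -Password $newPassword `
                                   -PasswordResetRequired $true -Credential $temp -ErrorAction Stop
            # The Password field is for the calling tool's vault, never for logs.
            [pscustomobject]@{ UserName = $user.UserName; Status = 'Rotated'; Password = $newPassword }
        }
        catch {
            # Edge case: a user with access keys only has no login profile, so
            # IAM reports NoSuchEntity. Skip it rather than abort the run.
            if ($_.Exception -is [Amazon.IdentityManagement.Model.NoSuchEntityException]) {
                [pscustomobject]@{ UserName = $user.UserName; Status = 'NoConsolePassword'; Password = $null }
            }
            else { throw }
        }
    }
}

# Usage (placeholders): the tool would call this and store each returned Password.
# Invoke-IamPasswordRotation -RoleArn 'arn:aws:iam::<account-id>:role/<role-name>' -ExternalId '<external-id>'
```

Two design points worth noting: the role session is the only thing that ever touches IAM, so the base identity needs nothing beyond `sts:AssumeRole` on that one role, and the temporary credentials expire on their own after `$SessionSeconds` even if the process is dumped. The `catch` also shows why the policy above deliberately omits `iam:GetLoginProfile`: the script does not need to query whether a user has a console password, it simply handles the NoSuchEntity response when it does not.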