As the technology landscape continues to evolve, the latest release of the Red Hat Ansible Certified Content Collection for amazon.aws introduces a suite of powerful modules that redefine the boundaries of automation within Amazon Web Services (AWS) while redefining how organizations approach security deployments and seamless migrations within the AWS ecosystem.
In our previous blog post, "What's New: Cloud Automation with amazon.aws 7.0.0," we presented the latest release, outlining the changes, new features and newly supported modules. In this blog post, we embark on an exploration of two interesting use cases that highlight the capabilities of these new Ansible-supported modules included in the amazon.aws 7.0 release. Let’s dive into it!
Looking to get started with Ansible for Amazon Web Services?
|
Use Case #1: Implementing Security Best Practices and Access Control for AWS Resources
Security in AWS is more critical than ever before, and the collection for AWS, amazon.aws 7.0, is up to the challenge with a host of new Identity and Access Management (IAM) modules. Discover the blueprint for a resilient security posture as we delve into amazon.aws 7.0's IAM modules, showcasing how organizations can implement robust security practices and control access to safeguard their AWS resources.
This use case focuses on leveraging the following new modules:
Module |
Description |
s3_bucket_info |
Lists S3 buckets and details about those buckets. |
iam_access_key |
Manages AWS IAM User access keys. |
iam_access_key_info |
Gathers information about AWS IAM User access keys. |
iam_group |
Manages AWS IAM groups. |
iam_managed_policy |
Manages User Managed IAM policies. |
iam_password_policy |
Updates an IAM Password Policy. |
iam_role |
Manages AWS IAM roles. |
iam_role_info |
Gathers information on IAM roles. |
sts_assume_role |
Assumes a role using AWS Security Token Service and obtain temporary credentials. |
rds_global_cluster_info |
Obtains information about Aurora global database clusters |
By combining these modules, organizations can implement security best practices and fine tune access control, enabling a robust defense against evolving threats. Let’s learn about each module's role in crafting a comprehensive security strategy for your AWS resources.
Let’s assume your organization has an AWS environment where a development team needs secure access to AWS resources to build and test applications. You may want to set up an access control and security configuration for the members of the development team, so that they have controlled access to AWS resources and follow best security practices.
In this scenario, the main stakeholders are the:
- AWS Account Administrator: Responsible for configuring and managing AWS resources and security.
- Development Team: Consisting of developers, engineers, and related personnel who need access to AWS resources.
Let's break down an Ansible Playbook into several steps and see how each one can assist in automating and streamlining the use case scenario described above.
Use case implementation steps:
- User and Group Setup:
- Create two IAM users, “DevUser1” and “DevUser2”, representing individual developers in the team who need access to AWS.
- Create an IAM group named "Developers". This group allows for streamlined permission management for all developers. Add both “DevUser1” and “DevUser2” to the “Developers" group, ensuring that they inherit the group permissions. This allows for easier permission management for the team.
- name: Implementing Security Best Practices and Access Control for AWS Resources hosts: localhost vars: user_1: "DevUser1" user_2: "DevUser2" group_name: "Developers" managed_policy_name: "DeveloperPolicy" role_name: "CustomRole" cluster_name: "example-rds-cluster" bucket_name: "example-bucket" tasks: - name: Get ARN of calling user amazon.aws.aws_caller_info: register: aws_caller_info - name: Set AWS account id ansible.builtin.set_fact: aws_account: "{{ aws_caller_info.account }}" - name: Create IAM Users amazon.aws.iam_user: name: "{{ item }}" state: present loop: - "{{ user_1 }}" - "{{ user_2 }}" - name: Create IAM Group and add users to it amazon.aws.iam_group: name: "{{ item.name }}" users: "{{ item.members }}" state: present loop: - { name: "{{ group_name }}", members: ["{{ user_1 }}","{{ user_2 }}"] }
- Managed Policy Creation:
- Create a custom IAM managed policy, "DeveloperPolicy", which contains the necessary permissions for the developers. This policy may include permissions for read-only access to various AWS resources, such as S3 buckets for storing application data, RDS and EC2 instances for hosting applications.
- name: Create IAM Managed Policy amazon.aws.iam_managed_policy: name: "{{ managed_policy_name }}" policy: "{{ lookup('file', 'managed_policy_update.json') }}" state: present
- Create a custom IAM managed policy, "DeveloperPolicy", which contains the necessary permissions for the developers. This policy may include permissions for read-only access to various AWS resources, such as S3 buckets for storing application data, RDS and EC2 instances for hosting applications.
- IAM Password Policy:
- Establish a strict IAM password policy that enforces password requirements, including length, complexity, and expiration. This helps all IAM user passwords adhere to security best practices.
- name: Configure IAM Password Policy amazon.aws.iam_password_policy: min_pw_length: 12 require_symbols: true require_numbers: true require_uppercase: true require_lowercase_characters: true require_lowercase: true pw_max_age: 90 pw_reuse_prevent: 3 allow_pw_change: true
- Establish a strict IAM password policy that enforces password requirements, including length, complexity, and expiration. This helps all IAM user passwords adhere to security best practices.
- Access Key Management:
- Create access keys for “DevUser1” and “DevUser2”. These access keys can be used for programmatic access to AWS services like the AWS CLI or SDKs.
- name: Create IAM Access Keys amazon.aws.iam_access_key: user_name: "{{ item }}" state: present no_log: true loop: - "{{ user_1 }}" - "{{ user_2 }}" - name: Fetch access keys for {{ user_1 }} amazon.aws.iam_access_key_info: user_name: "{{ user_1 }}"
- Create access keys for “DevUser1” and “DevUser2”. These access keys can be used for programmatic access to AWS services like the AWS CLI or SDKs.
- IAM Role for Cross-Account Access:
- Create an IAM role named "CustomRole" that allows both “DevUser1” and “DevUser2” to assume the role. This role can be used when there's a need to grant temporary access to other AWS accounts or resources.
- Attach the "DeveloperPolicy" to the "CustomRole" so that developers have the necessary permissions when they assume the role.
- name: Create IAM Role amazon.aws.iam_role: name: "{{ role_name }}" assume_role_policy_document: | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::{{ aws_account }}:user/{{ user_1 }}", "arn:aws:iam::{{ aws_account }}:user/{{ user_2 }}" ] }, "Action": "sts:AssumeRole" } ] } state: present - name: Attach Managed Policy to {{ role_name }} amazon.aws.iam_role: name: "{{ role_name }}" managed_policy: - "{{ managed_policy_name }}" state: present - name: Gather information about the IAM role amazon.aws.iam_role_info: name: "{{ role_name }}" register: _result_iam_role_info
- Validation and Testing:
- Use the playbook to assume the "CustomRole", resulting in the issuance of temporary security credentials. These temporary credentials allow developers to access AWS resources with the specified permissions for the duration of their session.
- name: Assume role amazon.aws.sts_assume_role: role_arn: "{{ _result_iam_role_info.iam_role.arn }}" role_session_name: DevUser1Session register: _result_assumed_role - name: Set AWS temporary credentials ansible.builtin.set_fact: access_key: "{{ _result_assumed_role.sts_creds.access_key }}" secret_key: "{{ _result_assumed_role.sts_creds.secret_key }}" session_token: "{{ _result_assumed_role.sts_creds.session_token }}" - name: Gather information about an S3 bucket amazon.aws.s3_bucket_info: access_key: "{{ access_key }}" secret_key: "{{ secret_key }}" session_token: "{{ session_token }}" name: "{{ bucket_name }}" - name: Get info on a specific DB cluster amazon.aws.rds_global_cluster_info: global_cluster_identifier: "{{ cluster_name }}"
- Use the playbook to assume the "CustomRole", resulting in the issuance of temporary security credentials. These temporary credentials allow developers to access AWS resources with the specified permissions for the duration of their session.
Benefits:
- Secure and Controlled Access: The setup gives developers access to AWS resources while adhering to security best practices, reducing the risk of unauthorized actions.
- Password Policy Compliance: The IAM password policy enforces strong password requirements, enhancing account security.
- Role-Based Access: The "CustomRole" enables developers to assume a role when temporary elevated permissions are needed, facilitating secure cross-account access.
- Permission Management: Grouping developers in the "Developers" IAM group simplifies permission management, allowing for consistent access controls.
- Auditability: All access and actions can be audited and monitored to maintain security and compliance.
Use Case #2: Migrating On-Premises Virtual Machines to AWS
The second leg of our journey delves into the world of seamless migrations, spotlighting Ansible's two new modules.
Module |
Description |
---|---|
ec2_import_image |
Manages AWS EC2 import image tasks. |
ec2_import_image_info |
Gathers information about importing virtual machine tasks. |
The intricate process of migrating on-premises virtual machines to AWS demands precision and efficiency. The amazon.aws 7.0 collection empowers organizations with two new modules to orchestrate this migration seamlessly. Learn how these modules simplify the migration journey, providing organizations with the flexibility and scalability inherent in the AWS cloud. We uncover the nuances of utilizing these modules to import images, enabling a smooth transition that preserves both data integrity and operational continuity.
Suppose you have a number of virtual machines (VMs) running on your on-premises infrastructure or another cloud platform, and you want to migrate them to AWS. The amazon.aws.ec2_import_image module is used to automate the process of importing an existing VM image into AWS as an Amazon Machine Image (AMI). This can be useful in various scenarios, such as migration, disaster recovery, or simply for creating custom AMIs from VMs running on other platforms. Here's a playbook showing how the amazon.aws.ec2_import_image and amazon.aws.ec2_import_image_info modules can be used to import an existing VM image as an AMI:
- name: Import VM image to AWS
hosts: localhost
tasks:
- name: Import VM image
amazon.aws.ec2_import_image:
task_name: "clone-vm-import-image"
disk_containers:
- format: raw
user_bucket:
s3_bucket: "clone-vm-s3-bucket"
s3_key: "clone-vm-s3-bucket/ubuntu-vm-clone.raw"
state: present
- name: Check status of the EC2 import image task
amazon.aws.ec2_import_image_info:
filters:
- Name: "tag:Name"
Values: ["clone-vm-import-image"]
- Name: "task-state"
Values: ["completed", "active"]
Once the image import is complete, you can use the imported AMI to launch new EC2 instances, effectively replicating VMs that were running on the on-premise infrastructure or another cloud platform.
Where to go next
- Red Hat Summit and AnsibleFest 2023 - if you missed out on this event, check out sessions available online and make sure to register for AnsibleFest 2024!
- Self-paced exercises - We have interactive, in-browser exercises to learn and dive into Ansible Automation Platform.
- Trial subscription - Are you ready to install Ansible Automation Platform? Get your own trial subscription for unlimited access to all the components of Ansible Automation Platform.
About the author
Browse by channel
Automation
The latest on IT automation that spans tech, teams, and environments
Artificial intelligence
Explore the platforms and partners building a faster path for AI
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
Explore how we reduce risks across environments and technologies
Edge computing
Updates on the solutions that simplify infrastructure at the edge
Infrastructure
Stay up to date on the world’s leading enterprise Linux platform
Applications
The latest on our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Developer resources
- Customer support
- Red Hat value calculator
- Red Hat Ecosystem Catalog
- Find a partner
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit