Mastering AWS with amazon.aws 7.0: A Dive into New Modules for Enhanced Security and Seamless Migrations

December 13, 2023 by Alina Buzachis

As the technology landscape continues to evolve, the latest release of the Red Hat Ansible Certified Content Collection for amazon.aws introduces a suite of powerful modules that redefine the boundaries of automation within Amazon Web Services (AWS) while redefining how organizations approach security deployments and seamless migrations within the AWS ecosystem.

In our previous blog post, "What's New: Cloud Automation with amazon.aws 7.0.0," we presented the latest release, outlining the changes, new features and newly supported modules. In this blog post, we embark on an exploration of two interesting use cases that highlight the capabilities of these new Ansible-supported modules included in the amazon.aws 7.0 release. Let’s dive into it!

Looking to get started with Ansible for Amazon Web Services?  

 

Use Case #1: Implementing Security Best Practices and Access Control for AWS Resources

Security in AWS is more critical than ever before, and the collection for AWS, amazon.aws 7.0, is up to the challenge with a host of new Identity and Access Management (IAM) modules. Discover the blueprint for a resilient security posture as we delve into amazon.aws 7.0's IAM modules, showcasing how organizations can implement robust security practices and  control access to safeguard their AWS resources.

This use case focuses on leveraging the following new modules:

Module

Description

s3_bucket_info

Lists S3 buckets and details about those buckets.

iam_access_key

Manages AWS IAM User access keys.

iam_access_key_info

Gathers information about AWS IAM User access keys.

iam_group

Manages AWS IAM groups.

iam_managed_policy

Manages User Managed IAM policies.

iam_password_policy

Updates an IAM Password Policy.

iam_role

Manages AWS IAM roles.

iam_role_info

Gathers information on IAM roles.

sts_assume_role

Assumes a role using AWS Security Token Service and obtain temporary credentials.

rds_global_cluster_info

Obtains information about Aurora global database clusters

By combining these modules, organizations can implement security best practices and fine tune access control, enabling a robust defense against evolving threats. Let’s learn about each module's role in crafting a comprehensive security strategy for your AWS resources.

Let’s assume your organization has an AWS environment where a development team needs secure access to AWS resources to build and test applications. You may want to set up an access control and security configuration for the members of the development team, so that they have controlled access to AWS resources and follow best security practices. 

In this scenario, the main stakeholders are the:

  • AWS Account Administrator: Responsible for configuring and managing AWS resources and security.
  • Development Team: Consisting of developers, engineers, and related personnel who need access to AWS resources.

Let's break down an Ansible Playbook into several steps and see how each one can assist in automating and streamlining the use case scenario described above. 

Use case implementation steps:

  1. User and Group Setup:
    1. Create two IAM users, “DevUser1” and “DevUser2”, representing individual developers in the team who need access to AWS.
    2. Create an IAM group named "Developers". This group allows for streamlined permission management for all developers. Add both “DevUser1” and “DevUser2” to the “Developers" group, ensuring that they inherit the group permissions. This allows for easier permission management for the team.
      - name: Implementing Security Best Practices and Access Control for AWS Resources
        hosts: localhost
        vars:
         user_1: "DevUser1"
         user_2: "DevUser2"
         group_name: "Developers"
         managed_policy_name: "DeveloperPolicy"
         role_name: "CustomRole"
         cluster_name: "example-rds-cluster"
         bucket_name: "example-bucket"
      
        tasks:
         - name: Get ARN of calling user
           amazon.aws.aws_caller_info:
           register: aws_caller_info
      
         - name: Set AWS account id
           ansible.builtin.set_fact:
             aws_account: "{{ aws_caller_info.account }}"
      
         - name: Create IAM Users
           amazon.aws.iam_user:
             name: "{{ item }}"
             state: present
           loop:
             - "{{ user_1 }}"
             - "{{ user_2 }}"
      
         - name: Create IAM Group and add users to it
           amazon.aws.iam_group:
             name: "{{ item.name }}"
             users: "{{ item.members }}"
             state: present
           loop:
             - { name: "{{ group_name }}", members: ["{{ user_1 }}","{{ user_2 }}"] }
      
  2. Managed Policy Creation:
    1. Create a custom IAM managed policy, "DeveloperPolicy", which contains the necessary permissions for the developers. This policy may include permissions for read-only access to various AWS resources, such as S3 buckets for storing application data, RDS and EC2 instances for hosting applications.
       - name: Create IAM Managed Policy
         amazon.aws.iam_managed_policy:
           name: "{{ managed_policy_name }}"
           policy: "{{ lookup('file', 'managed_policy_update.json') }}"
           state: present
      
  3. IAM Password Policy:
    1. Establish a strict IAM password policy that enforces password requirements, including length, complexity, and expiration. This helps all IAM user passwords adhere to security best practices.
       - name: Configure IAM Password Policy
         amazon.aws.iam_password_policy:
           min_pw_length: 12
           require_symbols: true
           require_numbers: true
           require_uppercase: true
           require_lowercase_characters: true
           require_lowercase: true
           pw_max_age: 90
           pw_reuse_prevent: 3
           allow_pw_change: true
      
  4. Access Key Management:
    1. Create access keys for “DevUser1” and “DevUser2”. These access keys can be used for programmatic access to AWS services like the AWS CLI or SDKs.
       - name: Create IAM Access Keys
         amazon.aws.iam_access_key:
           user_name: "{{ item }}"
           state: present
           no_log: true
         loop:
           - "{{ user_1 }}"
           - "{{ user_2 }}"
      
       - name: Fetch access keys for {{ user_1 }}
         amazon.aws.iam_access_key_info:
           user_name: "{{ user_1 }}"
      
  5. IAM Role for Cross-Account Access:
    1. Create an IAM role named "CustomRole" that allows both “DevUser1” and “DevUser2” to assume the role. This role can be used when there's a need to grant temporary access to other AWS accounts or resources.
    2. Attach the "DeveloperPolicy" to the "CustomRole" so that developers have the necessary permissions when they assume the role.
       - name: Create IAM Role
         amazon.aws.iam_role:
           name: "{{ role_name }}"
           assume_role_policy_document: |
             {
         "Version": "2012-10-17",
                "Statement": [
                  {
                     "Effect": "Allow",
                     "Principal": {
                     "AWS": [
                       "arn:aws:iam::{{ aws_account }}:user/{{ user_1 }}",
                       "arn:aws:iam::{{ aws_account }}:user/{{ user_2 }}"
                     ]
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            }
           state: present
      
       - name: Attach Managed Policy to {{ role_name }}
         amazon.aws.iam_role:
           name: "{{ role_name }}"
           managed_policy:
             - "{{ managed_policy_name }}"
           state: present
      
       - name: Gather information about the IAM role
         amazon.aws.iam_role_info:
           name: "{{ role_name }}"
         register: _result_iam_role_info
      
  6. Validation and Testing:
    1. Use the playbook to assume the "CustomRole",  resulting in the issuance of temporary security credentials. These temporary credentials allow developers to access AWS resources with the specified permissions for the duration of their session.
       - name: Assume role
         amazon.aws.sts_assume_role:
           role_arn: "{{ _result_iam_role_info.iam_role.arn }}"
           role_session_name: DevUser1Session
         register: _result_assumed_role
      
       - name: Set AWS temporary credentials 
         ansible.builtin.set_fact:
           access_key: "{{ _result_assumed_role.sts_creds.access_key }}"
           secret_key: "{{ _result_assumed_role.sts_creds.secret_key }}"
           session_token: "{{ _result_assumed_role.sts_creds.session_token }}"
      
       - name: Gather information about an S3 bucket
         amazon.aws.s3_bucket_info:
           access_key: "{{ access_key }}"
           secret_key: "{{ secret_key }}"
           session_token: "{{ session_token }}"
           name: "{{ bucket_name }}"
      
       - name: Get info on a specific DB cluster
         amazon.aws.rds_global_cluster_info:
           global_cluster_identifier: "{{ cluster_name }}"
      

Benefits:

  • Secure and Controlled Access: The setup gives developers access to AWS resources while adhering to security best practices, reducing the risk of unauthorized actions.
  • Password Policy Compliance: The IAM password policy enforces strong password requirements, enhancing account security.
  • Role-Based Access: The "CustomRole" enables developers to assume a role when temporary elevated permissions are needed, facilitating secure cross-account access.
  • Permission Management: Grouping developers in the "Developers" IAM group simplifies permission management, allowing for consistent access controls.
  • Auditability: All access and actions can be audited and monitored to maintain security and compliance.

 

Use Case #2: Migrating On-Premises Virtual Machines to AWS

The second leg of our journey delves into the world of seamless migrations, spotlighting Ansible's two new modules. 

Module

Description

ec2_import_image

Manages AWS EC2 import image tasks.

ec2_import_image_info

Gathers information about importing virtual machine tasks.

The intricate process of migrating on-premises virtual machines to AWS demands precision and efficiency. The amazon.aws 7.0 collection empowers organizations with two new modules to orchestrate this migration seamlessly. Learn how these modules simplify the migration journey, providing organizations with the flexibility and scalability inherent in the AWS cloud. We uncover the nuances of utilizing these modules to import images, enabling a smooth transition that preserves both data integrity and operational continuity. 

Suppose you have a number of virtual machines (VMs) running on your on-premises infrastructure or  another cloud platform, and you want to migrate them to AWS. The amazon.aws.ec2_import_image module is used to automate the process of importing an existing VM image into AWS as an Amazon Machine Image (AMI). This can be useful in various scenarios, such as migration, disaster recovery, or simply for creating custom AMIs from VMs running on other platforms. Here's a playbook showing how the amazon.aws.ec2_import_image and amazon.aws.ec2_import_image_info modules can be used to import an existing VM image as an AMI:

- name: Import VM image to AWS
  hosts: localhost
  tasks:
   - name: Import VM image
     amazon.aws.ec2_import_image:
       task_name: "clone-vm-import-image"
       disk_containers:
         - format: raw
           user_bucket:
              s3_bucket: "clone-vm-s3-bucket"
              s3_key: "clone-vm-s3-bucket/ubuntu-vm-clone.raw"
       state: present

   - name: Check status of the EC2 import image task
     amazon.aws.ec2_import_image_info:
       filters:
         - Name: "tag:Name"
           Values: ["clone-vm-import-image"]
         - Name: "task-state"
           Values: ["completed", "active"]

Once the image import is complete, you can use the imported AMI to launch new EC2 instances, effectively replicating VMs that were running on the on-premise infrastructure or  another cloud platform.

 

Where to go next

  • Red Hat Summit and AnsibleFest 2023 - if you missed out on this event, check out sessions available online and make sure to register for AnsibleFest 2024!
  • Self-paced exercises - We have interactive, in-browser exercises to learn and dive into Ansible Automation Platform.
  • Trial subscription - Are you ready to install Ansible Automation Platform? Get your own trial subscription for unlimited access to all the components of Ansible Automation Platform.

 

Share:

Topics:
AWS, Cloud Automation, Ansible content collections


 

Alina Buzachis

Alina Buzachis, PhD, is a Senior Software Engineer at Red Hat Ansible, where she works primarily on cloud technologies. Alina received her PhD in Distributed Systems in 2021, focusing on advanced microservice orchestration techniques in the Cloud-to-Thing continuum. In her spare time, Alina enjoys traveling, hiking, and cooking.


rss-icon  RSS Feed