{"id":19345405,"url":"https://github.com/kavehmz/aws-setup","last_synced_at":"2026-04-27T00:32:04.849Z","repository":{"id":79426176,"uuid":"89677201","full_name":"kavehmz/aws-setup","owner":"kavehmz","description":"Secure AWS Usage by Assume Role and 2FA","archived":false,"fork":false,"pushed_at":"2017-04-28T06:56:36.000Z","size":18,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-06-27T15:02:17.691Z","etag":null,"topics":["2fa","2factor","assume-role","aws","aws-security"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kavehmz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-28T06:55:59.000Z","updated_at":"2018-03-03T06:32:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"545c42d7-3a53-49a6-9589-dabca4425231","html_url":"https://github.com/kavehmz/aws-setup","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kavehmz/aws-setup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kavehmz%2Faws-setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kavehmz%2Faws-setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kavehmz%2Faws-setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kavehmz%2Faws-setup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kavehmz","download_url":"ht
tps://codeload.github.com/kavehmz/aws-setup/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kavehmz%2Faws-setup/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32318417,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"ssl_error","status_checked_at":"2026-04-26T23:26:25.802Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","2factor","assume-role","aws","aws-security"],"created_at":"2024-11-10T04:06:33.850Z","updated_at":"2026-04-27T00:32:04.833Z","avatar_url":"https://github.com/kavehmz.png","language":"Shell","readme":"# aws-setup\n\nWe need just a few roles:\n - read : This will be our main daily role. Getting info from AWS services, reading S3 files, ...\n - write : Creating instances and adding files to S3. No remove or terminate.\n - delete : Terminating instances and removing files. Not if they are marked as eternal.\n - ampute: Deleting and removing eternals (no one is in this trust list)\n - supervise: Modify trust policy (who has access to what)\n\n| Role          | members   | userman | read | write | delete | ampute |\n| ------------- |:---------:|:-------:|:----:|:-----:| :-----:| ------:|\n| supervise     | head      | YES     |      |       |        |        |\n| read          | all       |         | YES  |       |        |        |\n| write         | all       |         | YES  | YES   |        |        |\n| delete        | empty     |         | YES  | YES   | YES    |        |\n| amputate      | empty     |         | YES  | YES   | YES    | YES    |\n\nOn the command line we use these roles like this:\n\n```bash\n$ source \u003c(curl -s https://raw.githubusercontent.com/kavehmz/dev/master/home/share/aws_assumerole.sh)\n\n$ assume -p qa list\narn:aws:iam::999999999999:role/supervise\narn:aws:iam::999999999999:role/amputate\narn:aws:iam::999999999999:role/delete\narn:aws:iam::999999999999:role/write\narn:aws:iam::999999999999:role/read\n\n\n# Notice that using 2FA further reduces the risk of mixing up environments.\n# Also, our access will expire in one hour.\n$ assume -p qa read kaveh 647895\nAssuming role of arn:aws:iam::999999999999:role/read until [2016-12-29T18:44:20Z]\n\n# Wrong 2FA, so my token is useless\n$ assume -p qa read kaveh 111111\nAn error occurred (AccessDenied) when calling the AssumeRole operation: MultiFactorAuthentication failed with invalid MFA one time pass code.\nFail to assume the role\n\n# Not in the trust list, so I can't assume the role\n$ assume -p qa amputate kaveh 022405\nAn error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::999999999999:user/kaveh is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::999999999999:role/amputate\nFail to assume the role\n\n```\n\nPlease notice that:\n- The first draft is about deciding on roles.\n- We should not need any groups.\n- We should not end up with many roles; otherwise we are doing it wrong.\n- This way of using Role/2FA/Assuming Role is a best practice in AWS.\n- This way of using aws-cli to define resources is not a best practice. We eventually need to decide between Terraform and CloudFormation.\n\nLinks\n- http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkavehmz%2Faws-setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkavehmz%2Faws-setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkavehmz%2Faws-setup/lists"}