SonicOS 7 System

IAM Group and User

IAM Identities, including Users and Groups, can be created and managed from the IAM page in the AWS Management Console.

Assuming that the AWS Account is already created and that an Administrator with either Root access or widespread privileges is logged into that account, it is then necessary to create an IAM User, if one does not already exist, that is used by the firewall to access the various AWS APIs for the services supported by the firewall.

You need certain permissions to access the different services. These permissions can either be granted directly to the user or included in a security access policy assigned to an IAM Group and then the user added to that group.

The security policy used, either for a group to which the user belongs or attached to the user directly, must include the following permissions:

AmazonEC2FullAccess For AWS Objects and AWS VPN
CloudWatchLogsFullAccess For AWS Logs

Creating a group is described in the IAM Documentation. It is not strictly necessary to create a group; the permissions can be assigned directly to a user, however, it is common practice to define such a group so that it can be used for multiple users.

A user must be created. That user can be created specifically for use by the firewall alone. However, if the same user is going to access the AWS Management Console, the relevant checkbox must be ticked. In either case, the user must have "programmatic access."

The second step of the Add User wizard determines which permissions the user has assigned, either through adding the user to a group or attaching the permission policies directly.

After reviewing the details of the user to be created and pressing Create User, there is a final and critical stage.

DO NOT LEAVE THE ADD USER WIZARD

You must retrieve the Secret Access Key that has been created for the user. The Secret Access Key together with the Access Key is used in the configuration of the firewall. It is needed for all API access to AWS. You should either copy it to a safe location or download the CSV file and keep that in a safe, secure location.

Finally, the newly created user with their required permissions can be seen in the IAM Users section of the AWS Console.

If you miss getting the Secret Access Key, it is possible to create another access Key from the User section of the IAM Console. Indeed, it is considered good practice to rotate Access Keys.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden