There are a few ways to set up your AWS integrations on the Adoptech Portal. This article discusses those methods and the pros and cons of each.
Here are some suggested ways to set up the API keys (IAM access keys) for your integrations. In each case, first log in to the AWS Management Console and navigate to IAM.
Method 1: Same API key for all integrations, ReadOnlyAccess
Add a new user called "adoptech", and under the Permissions tab, attach the AWS managed "ReadOnlyAccess" policy to that user. This gives the user the right to make any read-only API call across the whole of AWS.
Pros
- Single API key is easier to manage and store.
- No need to update the permissions when adding a new integration to the Adoptech Portal.
Cons
- The user has far more permissions than it needs, which strictly speaking violates the principle of least privilege. Note that "read-only" includes reading data, not just configuration: ReadOnlyAccess includes actions such as s3:Get*, so a leaked key could read object contents.
Method 2: Same API key for all integrations, restricted access (recommended)
Add a new user called "adoptech", and under the Permissions tab, attach only the read-only policies for the specific services that you would like to integrate with the Adoptech Portal.
Pros
- Single API key is easier to manage and store.
- Principle of least privilege is preserved.
Cons
- IAM user permissions will need to be modified each time a new service is integrated with the Adoptech Portal.
Method 3: Different API key for each integration, segregated access
For each service, add a separate user named after that service, e.g. "adoptech-guardduty". Give this user only the read-only permissions it needs for that one service, then create an API key for each user.
Pros
- Permissions are maximally segregated, which limits the damage if any one key is compromised.
Cons
- Setup is more complex and takes longer.
- Managing and storing multiple API keys is more work.
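As an added example (not Adoptech's or AWS's own code), the following Python builds the single restricted policy document of Method 2 and the per-user policy documents of Method 3 for a constructed list of services, and lints any policy document for actions that are not read-only before you attach it. The service list, the helper names and the Get/List/Describe verb convention are assumptions made here; the policy document format and the action syntax (e.g. "guardduty:Get*") are AWS's.

```python
"""Build and lint read-only IAM policy documents for Adoptech Portal
integration users (Methods 2 and 3).

Added example, not Adoptech's or AWS's code. The service list, helper
names and the Get/List/Describe verb convention are assumptions; the
IAM policy format and action syntax are real.
"""
import json
import re

# Verb prefixes AWS uses for read-only actions in most services.
# Assumption: anything else (Put, Delete, Create, "*", ...) is treated as a write.
READ_ONLY_VERBS = ("Get", "List", "Describe")

# Constructed sample: the services being integrated with the portal.
INTEGRATED_SERVICES = ["guardduty", "cloudtrail", "config"]

# Method 1 attaches this AWS managed policy instead of a custom document.
READ_ONLY_ACCESS_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"


def build_readonly_policy(services, sid="AdoptechReadOnly"):
    """Return an IAM policy document allowing only Get*/List*/Describe*
    actions for the given service namespaces.

    Called with every integrated service this is the single restricted
    policy of Method 2; called with one service it is a Method 3 policy."""
    actions = sorted(f"{svc}:{verb}*" for svc in services for verb in READ_ONLY_VERBS)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": "*"}
        ],
    }


def per_service_policies(services):
    """Method 3: one IAM user per integration, each with its own policy.
    Keys follow the article's naming, e.g. "adoptech-guardduty"."""
    return {f"adoptech-{svc}": build_readonly_policy([svc]) for svc in services}


# Matches "<service>:<ReadVerb>..." with an optional trailing wildcard.
_READ_ONLY_ACTION = re.compile(
    r"^[a-z0-9-]+:(?:" + "|".join(READ_ONLY_VERBS) + r")[A-Za-z0-9]*\*?$"
)


def non_read_only_actions(policy):
    """Return every Allow action in `policy` that is not a read-only action.

    Catches the usual ways write access creeps in: a bare "*", "svc:*",
    explicit write actions, and Allow statements written with NotAction
    (which allow everything except the listed actions)."""
    offending = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        if "NotAction" in stmt:
            offending.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offending.extend(a for a in actions if not _READ_ONLY_ACTION.match(a))
    return offending


if __name__ == "__main__":
    method2 = build_readonly_policy(INTEGRATED_SERVICES)
    print(json.dumps(method2, indent=2))
    assert non_read_only_actions(method2) == []

    # Constructed over-broad policy to show what the linter rejects.
    too_broad = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["guardduty:List*", "guardduty:*", "s3:PutObject"],
                       "Resource": "*"}],
    }
    print("rejected:", non_read_only_actions(too_broad))
```

Paste the printed document into the IAM console as a customer managed policy (or one per user for Method 3) and attach it to the "adoptech" user before creating its access key. Two caveats: the verb heuristic is a lint, not ground truth, since a few services name read actions differently (check the action list for each service in the AWS Service Authorization Reference), and a "Get*" wildcard on a data service such as S3 still permits reading object contents, so keep the service list to what the portal actually needs.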