Normally, if MFA is enabled, setting up your credentials as environment variables is a multi-step process. First, you
make the call to fetch the temporary STS credentials:
WARNING! Before running the following commands, authenticate to the AWS account that contains your IAM User using your
static API Access Key ID and Secret Key.
We strongly recommend using a password manager like 1Password or pass to store any static credentials so they don't sit unencrypted on your local disk.
Internally, the Grunts at Gruntwork use pass with a unique GPG Key for each set of secrets.
You must have the iam:AssumeRole permission on the "primary" AWS account in order to assume an IAM Role in a "secondary"
AWS account. Furthermore, you must have the iam:AssumeRole permission on the specific IAM Role you wish to assume or
on all resources (*).
Wrap the output in eval()
When finished running, the aws-auth script will write a series of export XXX=YYY statements to stdout:
NOTE: The AWS_SESSION_EXPIRATION environment variable is not used by any official libraries (e.g. aws cli, boto, etc.). It is exported only for your convenience, for example for a wrapper that renews the credentials once they expire.
To set up your AWS environment variables in one command, all you have to do is eval the result!
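Because eval runs whatever text the command prints, a wrapper can first check that the output is nothing but the expected export statements, and can use AWS_SESSION_EXPIRATION to decide when to renew. The following is an added example, not part of the aws-auth module: the function names `safe_exports` and `session_expired`, the allow-list of variable names, the sample values and the ISO 8601 UTC timestamp format are assumptions.

```sh
#!/bin/sh
# Added example (not part of aws-auth): check text before handing it to eval.

# Assumption: the only variables the credential script is expected to set.
ALLOWED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION"

# Constructed sample of "export XXX=YYY" output; all values are fake.
SAMPLE_OUTPUT='export AWS_ACCESS_KEY_ID="ASIAEXAMPLEEXAMPLE00"
export AWS_SECRET_ACCESS_KEY="fake/Secret+Key0000000000000000000000000"
export AWS_SESSION_TOKEN="RmFrZVNlc3Npb25Ub2tlbg=="
export AWS_SESSION_EXPIRATION="2030-01-01T00:00:00Z"'

# Read candidate output on stdin and print re-quoted export statements.
# All-or-nothing: if any line is not `export NAME=VALUE` with an allowed NAME
# and a VALUE made only of base64/timestamp characters, print nothing and fail.
safe_exports() {
  _buf=""
  while IFS= read -r _line || [ -n "$_line" ]; do
    if [ -z "$_line" ]; then continue; fi
    case "$_line" in
      "export "*=*) ;;
      *) echo "rejected: not an export statement" >&2; return 1 ;;
    esac
    _rest=${_line#export }
    _name=${_rest%%=*}     # text before the first '='
    _value=${_rest#*=}     # text after the first '='
    # Accept an optional single pair of surrounding double quotes.
    case "$_value" in
      \"*\") _value=${_value#\"}; _value=${_value%\"} ;;
    esac
    # The name must be a plain identifier and on the allow-list.
    case "$_name" in
      ""|*[!A-Z0-9_]*) echo "rejected: malformed variable name" >&2; return 1 ;;
    esac
    case " $ALLOWED_VARS " in
      *" $_name "*) ;;
      *) echo "rejected: unexpected variable $_name" >&2; return 1 ;;
    esac
    # No quotes, spaces, $, backticks, semicolons or parentheses in values.
    case "$_value" in
      ""|*[!A-Za-z0-9+/=:_.-]*) echo "rejected: unsafe value for $_name" >&2; return 1 ;;
    esac
    # Single quotes are safe here because the value cannot contain one.
    _buf="${_buf}export ${_name}='${_value}'
"
  done
  printf '%s' "$_buf"
}

# session_expired EXPIRATION [NOW]
# Returns 0 (true) when EXPIRATION is missing or not later than NOW.
# Assumption: both are ISO 8601 UTC timestamps (YYYY-MM-DDTHH:MM:SS...), so
# the first 19 characters can be compared as plain strings.
session_expired() {
  _exp=$(printf '%.19s' "${1:-}")
  _now=$(printf '%.19s' "${2:-$(date -u +%Y-%m-%dT%H:%M:%S)}")
  [ "${#_exp}" -eq 19 ] || return 0
  awk -v e="$_exp" -v n="$_now" 'BEGIN { exit !((e "") <= (n "")) }'
}

# Typical use in an interactive shell (command name as on this page):
#   if session_expired "$AWS_SESSION_EXPIRATION"; then
#     eval "$(aws-auth <your usual arguments> | safe_exports)"
#   fi

# Show what would be passed to eval for the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | safe_exports
```

If any line is rejected, the function prints nothing on stdout, so the surrounding eval becomes a no-op instead of running a partial or unexpected command.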
If you store your secrets in a CLI-friendly password manager, such as pass, lpass or 1Password CLI, then you can reduce this even further! Instructions on how to set this up for LastPass / lpass can be found here and for 1Password / op here.
First, store your permanent AWS credentials in pass:
pass insert aws-access-key-id
Enter password for aws-access-key-id: <PERMANENT_ACCESS_KEY>
pass insert aws-secret-access-key
Enter password for aws-secret-access-key: <PERMANENT_SECRET_KEY>
Next, store your MFA ARN in pass as well:
pass insert aws-mfa-arn
Enter password for aws-mfa-arn: arn:aws:iam::123456789011:mfa/jondoe
If you will be assuming an IAM Role ARN, put that in pass too:
pass insert aws-iam-role-arn
Enter password for aws-iam-role-arn: arn:aws:iam::123456789011:role/my-role
Now, you can store a script in pass that ties all of this together. Run the insert command with the -m parameter
so you can enter multiple lines:
pass insert -m aws-sts-env-vars
Enter contents of aws-sts-env-vars and press Ctrl+D when finished:
","path":"modules/iam-groups/README.md","sha":"07820342d38caf90b08a1ff0df904298ed132c8f"},{"name":"_docs","children":[{"name":"iam-user-access-to-billing.png","path":"modules/iam-groups/_docs/iam-user-access-to-billing.png","sha":"063f6cf8dc766b4d44942de89660e8ab9e1f3d63"},{"name":"my-account.png","path":"modules/iam-groups/_docs/my-account.png","sha":"387320200ed756ce4191afef87f0ab76e2c3d89a"}]},{"name":"main.tf","path":"modules/iam-groups/main.tf","sha":"fb3ba3e8ef9ecbe751a80dce4ce75f5bfed775b1"},{"name":"outputs.tf","path":"modules/iam-groups/outputs.tf","sha":"0fc97269b51e6c51647aa5420198d1d11c5afa37"},{"name":"variables.tf","path":"modules/iam-groups/variables.tf","sha":"d54e229b070925f1c927090781333c20ae6d765f"}]},{"name":"iam-policies","children":[{"name":"README.md","path":"modules/iam-policies/README.md","sha":"0297e14a7dfdf5727d9be5ab4f47dcf67357b247"},{"name":"main.tf","path":"modules/iam-policies/main.tf","sha":"10d5be22c3fc7116922fbc0f4beae6e05fb0dc84"},{"name":"outputs.tf","path":"modules/iam-policies/outputs.tf","sha":"bd92f1b5ac1c01c9ff727621a60c098780e2ace2"},{"name":"variables.tf","path":"modules/iam-policies/variables.tf","sha":"02a3add807a7878bc736a0a1aaa193ac42ee5b47"}]},{"name":"iam-user-password-policy","children":[{"name":"README.md","path":"modules/iam-user-password-policy/README.md","sha":"5bea6ba56fc796be5b860549156a3a251735fc2a"},{"name":"main.tf","path":"modules/iam-user-password-policy/main.tf","sha":"9670fa0991057e03a72b72987c02a71e14611724"},{"name":"variables.tf","path":"modules/iam-user-password-policy/variables.tf","sha":"7c08eef88a7b13226cc4e18aa8338db64fdf83f0"}]},{"name":"iam-users","children":[{"name":"README.md","path":"modules/iam-users/README.md","sha":"eacb8c8dd745d047f3844e0b63573af66b8c1083"},{"name":"main.tf","path":"modules/iam-users/main.tf","sha":"76321096c30e09156c7247d4f2770f5f5f7e9f4b"},{"name":"outputs.tf","path":"modules/iam-users/outputs.tf","sha":"4d053caccca2412befcf956c94e908b2d5c89054"},{"name":"variables.tf
","path":"modules/iam-users/variables.tf","sha":"25e55a291fa64e63996f5baab05a2082b548cd41"}]},{"name":"ip-lockdown","children":[{"name":"README.md","path":"modules/ip-lockdown/README.md","sha":"af806e396600aed64922eac8a3c7ab29a90f858d"},{"name":"install.sh","path":"modules/ip-lockdown/install.sh","sha":"ce61af763bee9ad29754220ae24521f22c3a956f"},{"name":"ip-lockdown","path":"modules/ip-lockdown/ip-lockdown","sha":"93a0e1f5876e7de5778c595e8801d64986cb118b"}]},{"name":"kms-master-key-multi-region","children":[{"name":"README.adoc","path":"modules/kms-master-key-multi-region/README.adoc","sha":"0e7764d5d98f2cc2f5decd6429ca3de22d4bed87"},{"name":"main.tf","path":"modules/kms-master-key-multi-region/main.tf","sha":"762497cf4fd073a47e5aa144dca0d7fe3575ba11"},{"name":"outputs.tf","path":"modules/kms-master-key-multi-region/outputs.tf","sha":"932a3ac2a94e4950267c55c115f1118328345bf3"},{"name":"variables.tf","path":"modules/kms-master-key-multi-region/variables.tf","sha":"248549834cb3d7aa9669e5414d00a3826f5f25d4"}]},{"name":"kms-master-key","children":[{"name":"README.md","path":"modules/kms-master-key/README.md","sha":"1b43a005494f12b05551adb020a31726f28e10d3"},{"name":"main.tf","path":"modules/kms-master-key/main.tf","sha":"9fca835497a97c0e3247c041c68b42ec9834e125"},{"name":"outputs.tf","path":"modules/kms-master-key/outputs.tf","sha":"4d0dbba81e8186243d96a8325a5f643d87543451"},{"name":"variables.tf","path":"modules/kms-master-key/variables.tf","sha":"429efaf5e29bbc885812cfd19ce9030507e7175d"}]},{"name":"ntp","children":[{"name":"README.md","path":"modules/ntp/README.md","sha":"c81ae3adf4d5af364729c5537414de1ada470af5"},{"name":"install.sh","path":"modules/ntp/install.sh","sha":"66f01538550459e770dde3d03b8c1ee705301b49"}]},{"name":"os-hardening","children":[{"name":"README.md","path":"modules/os-hardening/README.md","sha":"3e864b0e9208eb6809adf41968c51e02fc233ee1"},{"name":"_docs","children":[{"name":"Helpful Email.md","path":"modules/os-hardening/_docs/Helpful 
Email.md","sha":"246a0b80b29f5ff3d2b2f4c5c170fc927e2d9dd7"}]},{"name":"ami-builder","children":[{"name":"files","children":[{"name":"user-data.sh.template","path":"modules/os-hardening/ami-builder/files/user-data.sh.template","sha":"4a3c87a19e1a4caa20b9b425b2a02101566d1166"}]},{"name":"main.tf","path":"modules/os-hardening/ami-builder/main.tf","sha":"3b23018276920ce33dab358eab79ef39e269fd98"},{"name":"outputs.tf","path":"modules/os-hardening/ami-builder/outputs.tf","sha":"8ce2ee598124ca50dd530a33aa60f5d1452a4a2b"},{"name":"variables.tf","path":"modules/os-hardening/ami-builder/variables.tf","sha":"c5927cfcebf6781b8b920d8fd7872f2992bb1501"}]},{"name":"partition-scripts","children":[{"name":"README.md","path":"modules/os-hardening/partition-scripts/README.md","sha":"a2986f1ab8f7470d2ba71d5270e5217d64cb10a3"},{"name":"bin","children":[{"name":"cleanup-volume","path":"modules/os-hardening/partition-scripts/bin/cleanup-volume","sha":"c7cbf3ecebd915235238557d27a1ce25e6fc10fa"},{"name":"partition-volume","path":"modules/os-hardening/partition-scripts/bin/partition-volume","sha":"f4f8566a1ef6aa4ff0c0268bd28721488aa6dfc4"}]},{"name":"install.sh","path":"modules/os-hardening/partition-scripts/install.sh","sha":"606776c068260836e8612a681ff4e3edc8abdb41"}]}]},{"name":"saml-iam-roles","children":[{"name":"README.md","path":"modules/saml-iam-roles/README.md","sha":"33bf24eda3da343247cbb85baee2dc6a2c75429f"},{"name":"main.tf","path":"modules/saml-iam-roles/main.tf","sha":"c8401f470496a38f03662de3c91ceb682e3cbd74"},{"name":"outputs.tf","path":"modules/saml-iam-roles/outputs.tf","sha":"87812b92aed60aa27710a384391f713eeb33553f"},{"name":"variables.tf","path":"modules/saml-iam-roles/variables.tf","sha":"773fd484a7e73897b177be6bf571d5d793bdca1b"}]},{"name":"ssh-grunt-selinux-policy","children":[{"name":"README.md","path":"modules/ssh-grunt-selinux-policy/README.md","sha":"8a934c81da696e32c365183b6a707594da99ba79"},{"name":"install.sh","path":"modules/ssh-grunt-selinux-policy/install.sh
","sha":"3de871d61a9990e7f2c130f23afaf00daeb6bbef"},{"name":"ssh-grunt.pp","path":"modules/ssh-grunt-selinux-policy/ssh-grunt.pp","sha":"7c7050f812cd0e3cb34e37b88c35fb09f369be7d"},{"name":"ssh-grunt.te","path":"modules/ssh-grunt-selinux-policy/ssh-grunt.te","sha":"3317a71feaa633662a00b1dc05b1176cb85c9793"}]},{"name":"ssh-grunt","children":[{"name":".dockerignore","path":"modules/ssh-grunt/.dockerignore","sha":"a725465aee245635a2bd129af54858ed32c84cb8"},{"name":"Dockerfile","path":"modules/ssh-grunt/Dockerfile","sha":"3d1a6eb67de35573d8ec48bb6ac06b515f9a63d8"},{"name":"README.adoc","path":"modules/ssh-grunt/README.adoc","sha":"89e1ff7db5620809af182703c45f87601e59a766"},{"name":"_ci","children":[{"name":"build-and-test.sh","path":"modules/ssh-grunt/_ci/build-and-test.sh","sha":"903993de2d7bcde19d472fa5e510ee862d4b10c3"},{"name":"test.sh","path":"modules/ssh-grunt/_ci/test.sh","sha":"235603944316e81f1da1cc0248b80beecf99cb27"}]},{"name":"_docs","children":[{"name":"houston-upload-ssh-key.png","path":"modules/ssh-grunt/_docs/houston-upload-ssh-key.png","sha":"e32519497262f9796a4ea46c53953923975cbd7d"},{"name":"iam-upload-ssh-key.png","path":"modules/ssh-grunt/_docs/iam-upload-ssh-key.png","sha":"8bb1e793185eb0b4822023552899874394342f21"}]},{"name":"core-concepts.md","path":"modules/ssh-grunt/core-concepts.md","sha":"be3b64a930906b8b16412ccdc0fe9384079a2191"},{"name":"docker-compose.yml","path":"modules/ssh-grunt/docker-compose.yml","sha":"0609cfaadf18bb9eb8ff13459cf9f0f10928765e"},{"name":"go.mod","path":"modules/ssh-grunt/go.mod","sha":"33e7bfc12450f68fe0fc800d06248129ed229b9f"},{"name":"go.sum","path":"modules/ssh-grunt/go.sum","sha":"9c21e75d8e59393633a732fe8b646daedf4ac139"},{"name":"scripts","children":[{"name":"build-linux-binary.sh","path":"modules/ssh-grunt/scripts/build-linux-binary.sh","sha":"fc74dd9990e9f4526ae2e7cd13e338d4fd0f11c4"},{"name":"run.sh","path":"modules/ssh-grunt/scripts/run.sh","sha":"050027e034cd03e53625986eb0f331c043492cf6"}]},{"name":"src","ch
ildren":[{"name":"cli.go","path":"modules/ssh-grunt/src/cli.go","sha":"f72f670dcf0ae2e0bcb8ed02e91c706a5e8c3be0"},{"name":"cli_test.go","path":"modules/ssh-grunt/src/cli_test.go","sha":"89c94ffdefb2e607fa005f028bdbd13b2f6c13f0"},{"name":"collections.go","path":"modules/ssh-grunt/src/collections.go","sha":"aa9b67f00f57088f9bf4e129dcc53003524dd0a7"},{"name":"cron.go","path":"modules/ssh-grunt/src/cron.go","sha":"4ceb8efd0cdf51b5170bb152b6824fc54f8d429c"},{"name":"cron_test.go","path":"modules/ssh-grunt/src/cron_test.go","sha":"4b87577a1cc2b8dbff08457d60bbc96546149174"},{"name":"errors.go","path":"modules/ssh-grunt/src/errors.go","sha":"03c89804638ecc45fdcd0a0aeaed9ea5f605940b"},{"name":"file.go","path":"modules/ssh-grunt/src/file.go","sha":"eb991fd15ac2c3660313e6d4c5669b36ccc9cc21"},{"name":"groups.go","path":"modules/ssh-grunt/src/groups.go","sha":"49e569a80abb6306ab0f7fd79c810d2e2ad8ab3a"},{"name":"groups_test.go","path":"modules/ssh-grunt/src/groups_test.go","sha":"7e54ba9b640b07605ae959de086fc6998861e311"},{"name":"houston.go","path":"modules/ssh-grunt/src/houston.go","sha":"e9db062f2cb815b49e4df754427ae286e4d163d4"},{"name":"houston_test.go","path":"modules/ssh-grunt/src/houston_test.go","sha":"82a9b2d2d41e09b6949897ed989a483fc7e0a650"},{"name":"iam.go","path":"modules/ssh-grunt/src/iam.go","sha":"dafbc8fbb732d2d6212cade786eb13d7215b9862"},{"name":"iam_test.go","path":"modules/ssh-grunt/src/iam_test.go","sha":"79a55543a72baf93bbac7140d89226e3fd7ab133"},{"name":"logger.go","path":"modules/ssh-grunt/src/logger.go","sha":"93095ba8216709b3178fcc44a76421a765f4e302"},{"name":"main.go","path":"modules/ssh-grunt/src/main.go","sha":"a89d9402d32d371dc9b945ab9c72996808d17b85"},{"name":"shell.go","path":"modules/ssh-grunt/src/shell.go","sha":"7f49eeee4119efde0bd58d7c78fd4ef785dc5f6c"},{"name":"ssh.go","path":"modules/ssh-grunt/src/ssh.go","sha":"8e6b62d6c33279aaf5af6cabacd0afc4d186ca97"},{"name":"ssh_test.go","path":"modules/ssh-grunt/src/ssh_test.go","sha":"7500d8fd85ef7475
8501f6952be45cb523e29cd1"},{"name":"string.go","path":"modules/ssh-grunt/src/string.go","sha":"fc61ca9625f9d654c2b3576ff932db1b90ae9dfe"},{"name":"string_test.go","path":"modules/ssh-grunt/src/string_test.go","sha":"78bf08d239079c9c985d40da1cc9bcdcb4c0bc5d"},{"name":"sync.go","path":"modules/ssh-grunt/src/sync.go","sha":"7c2f9ff292b484a7ca1ab14e1bbd558cd24553f2"},{"name":"sync_test.go","path":"modules/ssh-grunt/src/sync_test.go","sha":"2ddb07aedec67d1698af022e4e1391ea60636f9e"},{"name":"url.go","path":"modules/ssh-grunt/src/url.go","sha":"0af5ddc5f3e27af95d6f6ddd41acf0c229962f7f"},{"name":"url_test.go","path":"modules/ssh-grunt/src/url_test.go","sha":"606974cac1eee3f309a951c1d9e11ed389088836"},{"name":"users.go","path":"modules/ssh-grunt/src/users.go","sha":"6c3a8a22006a91656fcc5fd31d684271cdf129e3"},{"name":"users_test.go","path":"modules/ssh-grunt/src/users_test.go","sha":"fdd9f7f99466c223b9abdd4951147c8febc0b3fb"}]}]},{"name":"ssh-iam","children":[{"name":"README.md","path":"modules/ssh-iam/README.md","sha":"4aa06d6a729e53384b6d2a43c06ee38807092f32"}]},{"name":"ssm-healthchecks-iam-permissions","children":[{"name":"README.md","path":"modules/ssm-healthchecks-iam-permissions/README.md","sha":"005260025ae51ed9e13f1b6c6f9d737a02d5db68"},{"name":"main.tf","path":"modules/ssm-healthchecks-iam-permissions/main.tf","sha":"6b6b91fa59bc86de7521264ff34217cc88ae3842"},{"name":"variables.tf","path":"modules/ssm-healthchecks-iam-permissions/variables.tf","sha":"731aa1c2f275f723272114ef0357a8c3a246b47e"}]},{"name":"tls-cert-private","children":[{"name":"Dockerfile","path":"modules/tls-cert-private/Dockerfile","sha":"2d8683d51957cb17ffef180dd57b43651b1e9d23"},{"name":"README.md","path":"modules/tls-cert-private/README.md","sha":"c6996ec25d7d9b1ab4f79d8164a14e86e1ac844f"},{"name":"docker-compose.yml","path":"modules/tls-cert-private/docker-compose.yml","sha":"f872026e8d51ceaab2e1c11cc9cf9c35ba81f29c"},{"name":"files","children":[{"name":"openssl.cnf","path":"modules/tls-cert-pri
vate/files/openssl.cnf","sha":"2542542c80ab180c47d3e0a27dbded65bed572de"}]},{"name":"scripts","children":[{"name":"generate-ca-keypair.sh","path":"modules/tls-cert-private/scripts/generate-ca-keypair.sh","sha":"395ee97c0e499c660efac5c5cf1f79dfcdbb69f8"},{"name":"generate-tls-keypair.sh","path":"modules/tls-cert-private/scripts/generate-tls-keypair.sh","sha":"f1c3577437fd589087704a9c003de416cb87d232"},{"name":"main.sh","path":"modules/tls-cert-private/scripts/main.sh","sha":"dc7af965ffb783bbef449010818e69294fa2ef75"}]}]}],"toggled":true},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"b44e2152ea21d65a8c51bb58321e18ec7527c22e"},{"name":"common","children":[{"name":"test_helpers.go","path":"test/common/test_helpers.go","sha":"d42b5149d99dd3fce84a7cef158a8cea44be3c99"}]},{"name":"go.mod","path":"test/go.mod","sha":"f89000aa7b89d75f19bb6cbe600bdc6643b5d4da"},{"name":"go.sum","path":"test/go.sum","sha":"a9bb6350331b345bf2c2e485ce60a79647c7f9e5"},{"name":"landingzone","children":[{"name":"account_baseline_test.go","path":"test/landingzone/account_baseline_test.go","sha":"8dddcb1e89bf902aad10b09fb7417f11fb3e4b6e"},{"name":"aws_config_test.go","path":"test/landingzone/aws_config_test.go","sha":"7043cc2aad1142f93fa388eae0bdb8611bd4300f"},{"name":"aws_organizations_config_rules_test.go","path":"test/landingzone/aws_organizations_config_rules_test.go","sha":"741f7204dff6e030f99decfc0fc1ab48257afa4f"},{"name":"aws_organizations_test.go","path":"test/landingzone/aws_organizations_test.go","sha":"b8b2a9d87d27b48adf3190d9254fe565e27e2834"},{"name":"guardduty_test.go","path":"test/landingzone/guardduty_test.go","sha":"417a1243767ad1098b1f497f9f4c47ca9f097b9c"},{"name":"kms_master_key_multiregion_test.go","path":"test/landingzone/kms_master_key_multiregion_test.go","sha":"4f718b41f6f1f0d4c1a0daded1a42f1bdf99993b"},{"name":"test_helpers.go","path":"test/landingzone/test_helpers.go","sha":"7cae38c41b797e010bb9da6af616c534d919cab6"}]},{"name":"security","ch
ildren":[{"name":"auto_update_test.go","path":"test/security/auto_update_test.go","sha":"c55fc7bde4cdd3ff7301d6b066133a3b00393677"},{"name":"cloudtrail_test.go","path":"test/security/cloudtrail_test.go","sha":"edc8c48c4679c11ebf7f46dd8d763d3fbae65179"},{"name":"cross_account_iam_roles_test.go","path":"test/security/cross_account_iam_roles_test.go","sha":"6369a2973c7abc7a7fd466538ac33b8a1edba4ff"},{"name":"custom_iam_entity_test.go","path":"test/security/custom_iam_entity_test.go","sha":"514a06c2e5bab3c0537b67e9c75e33629248cfcd"},{"name":"fail2ban_test.go","path":"test/security/fail2ban_test.go","sha":"261978b73bec743d6bb3a74e1062366cff61ab5f"},{"name":"iam_groups_test.go","path":"test/security/iam_groups_test.go","sha":"e0a7ae52a0b0edcb1aee42db4eff686c994f263b"},{"name":"iam_ssm_test.go","path":"test/security/iam_ssm_test.go","sha":"20268ac744df04c901a1cbf81d042c1f535e5371"},{"name":"iam_user_password_policy_test.go","path":"test/security/iam_user_password_policy_test.go","sha":"e6eea3e767a427352fe9f0226e7fa3c39ed338d6"},{"name":"iam_users_test.go","path":"test/security/iam_users_test.go","sha":"d71b6d7f8f215a05afbd84e5043fe5b0baf9f012"},{"name":"ip-lockdown-test-scripts","children":[{"name":"allow-several-users.sh","path":"test/security/ip-lockdown-test-scripts/allow-several-users.sh","sha":"2f75dbe0880ed0907b43db58b6ac030a0d0e9bd4"},{"name":"common.sh","path":"test/security/ip-lockdown-test-scripts/common.sh","sha":"cdfe11aca76607a4feaf254a394f32273b738c5c"},{"name":"index.html","path":"test/security/ip-lockdown-test-scripts/index.html","sha":"557db03de997c86a4a028e1ebd3a1ceb225be238"},{"name":"restrict-all-users.sh","path":"test/security/ip-lockdown-test-scripts/restrict-all-users.sh","sha":"a37c1ffc90f2532e7cc3f9f5a859b75c98661dc6"},{"name":"restrict-one-user.sh","path":"test/security/ip-lockdown-test-scripts/restrict-one-user.sh","sha":"4214e1c15102f4568d1e995aa82add46ee430237"},{"name":"sanity-check.sh","path":"test/security/ip-lockdown-test-scripts/sanity-che
ck.sh","sha":"542ed72f4f0952ace67c9cbf2e5ac07e81e6870c"}]},{"name":"ip_lockdown_test.go","path":"test/security/ip_lockdown_test.go","sha":"14d5236b574215f568131ba7f915ba2812d92c55"},{"name":"kms_master_key_test.go","path":"test/security/kms_master_key_test.go","sha":"b9addac57172419069956f4fb2db8424d32fa2ff"},{"name":"ntp_test.go","path":"test/security/ntp_test.go","sha":"38c92a6ecc39a49629d6ff2f072e849da17ff2ec"},{"name":"os_hardening_test.go","path":"test/security/os_hardening_test.go","sha":"c50ac78e1b70a8b1cea2ac4b56de433795ef3a1e"},{"name":"saml_iam_roles_test.go","path":"test/security/saml_iam_roles_test.go","sha":"cb46695a61e6c093860004b7b19fc5c25d9326cd"},{"name":"ssh_grunt_houston_test.go","path":"test/security/ssh_grunt_houston_test.go","sha":"d5f07e8ffc33add2341d2a6a4f39fbff1ad3d8c6"},{"name":"ssh_grunt_iam_test.go","path":"test/security/ssh_grunt_iam_test.go","sha":"a4d5c3b5a3d302b7213cf2a1b103c7effa70c75b"},{"name":"test_helpers.go","path":"test/security/test_helpers.go","sha":"fcd91c0059f4ab6701db6368fc2acda8b9d1dd60"},{"name":"test_helpers_aws_auth.go","path":"test/security/test_helpers_aws_auth.go","sha":"de42c70f5e1b875f994b433cf94f1ff6bacc7de7"},{"name":"tls_cert_private_test.go","path":"test/security/tls_cert_private_test.go","sha":"455501c058664b1066381be8c1423e68ba436fdf"}]}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"aws-auth-helper\">AWS Auth Helper</h1><div class=\"preview__body--border\"></div><p>This module is a small wrapper script for the <a href=\"https://aws.amazon.com/cli/\" class=\"preview__body--description--blue\" target=\"_blank\">AWS CLI</a> that makes it much easier to\nauthenticate to AWS when:</p>\n<ol>\n<li><a href=\"https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/\" class=\"preview__body--description--blue\" target=\"_blank\">Multi-factor authentication (MFA)</a> is\nenabled, and/or</li>\n<li><a href=\"http://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html\" 
class=\"preview__body--description--blue\" target=\"_blank\">You want to assume an IAM Role</a>, such as an\nIAM role that gives you access to another AWS account.</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"motivation\">Motivation</h2>\n<p>Normally, if MFA is enabled, setting up your credentials as environment variables is a multi-step process. First, you\nmake the call to fetch the temporary STS credentials:</p>\n<pre><span class=\"hljs-string\">aws </span><span class=\"hljs-string\">sts </span><span class=\"hljs-built_in\">get-session-token</span> <span class=\"hljs-built_in\">--serial-number</span> <span class=\"hljs-string\">arn:aws:</span><span class=\"hljs-string\">iam:</span>:<span class=\"hljs-string\">123456789011:mfa/</span><span class=\"hljs-string\">jondoe </span><span class=\"hljs-built_in\">--token-code</span> <span class=\"hljs-string\">123456\n</span></pre>\n<p>Which returns a blob of JSON:</p>\n<pre>{\n <span class=\"hljs-attr\">\"Credentials\"</span>: {\n <span class=\"hljs-attr\">\"AccessKeyId\"</span>: <span class=\"hljs-string\">\"AAA\"</span>,\n <span class=\"hljs-attr\">\"SecretAccessKey\"</span>: <span class=\"hljs-string\">\"BBB\"</span>,\n <span class=\"hljs-attr\">\"SessionToken\"</span>: <span class=\"hljs-string\">\"CCC\"</span>,\n <span class=\"hljs-attr\">\"Expiration\"</span>: <span class=\"hljs-string\">\"DDD\"</span>\n }\n}\n</pre>\n<p>Next, you have to copy and paste each part of that JSON output into the proper environment variable:</p>\n<pre><span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_ACCESS_KEY_ID</span>=<span class=\"hljs-string\">'AAA'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SECRET_ACCESS_KEY</span>=<span class=\"hljs-string\">'BBB'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SESSION_TOKEN</span>=<span class=\"hljs-string\">'CCC'</span>\n<span 
class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SESSION_EXPIRATION</span>=<span class=\"hljs-string\">'DDD'</span>\n</pre>\n<p>If you want to assume an IAM role, you have to make another API call:</p>\n<pre>aws sts assume-<span class=\"hljs-keyword\">role</span> <span class=\"hljs-title\">--role-arn</span> arn:aws:iam::<span class=\"hljs-number\">123456789011</span>:role/my-<span class=\"hljs-keyword\">role</span> <span class=\"hljs-title\">--role-session-name</span> my-name \n</pre>\n<p>Which returns another blob of JSON:</p>\n<pre>{\n <span class=\"hljs-attr\">\"Credentials\"</span>: {\n <span class=\"hljs-attr\">\"AccessKeyId\"</span>: <span class=\"hljs-string\">\"EEE\"</span>,\n <span class=\"hljs-attr\">\"SecretAccessKey\"</span>: <span class=\"hljs-string\">\"FFF\"</span>,\n <span class=\"hljs-attr\">\"SessionToken\"</span>: <span class=\"hljs-string\">\"GGG\"</span>,\n <span class=\"hljs-attr\">\"Expiration\"</span>: <span class=\"hljs-string\">\"HHH\"</span>\n }\n}\n</pre>\n<p>Which you again have to copy into the proper environment variable:</p>\n<pre><span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_ACCESS_KEY_ID</span>=<span class=\"hljs-string\">'EEE'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SECRET_ACCESS_KEY</span>=<span class=\"hljs-string\">'FFF'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SESSION_TOKEN</span>=<span class=\"hljs-string\">'GGG'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SESSION_EXPIRATION</span>=<span class=\"hljs-string\">'HHH'</span>\n</pre>\n<p>With this script, all of this can be done in a single command!</p>\n<h2 class=\"preview__body--subtitle\" id=\"quick-start\">Quick start</h2>\n<h3 class=\"preview__body--subtitle\" id=\"install-aws-auth\">Install aws-auth</h3>\n<p>To install the script, you can either copy it manually to 
a location on your <code>PATH</code> or use the\n<a href=\"/repos/gruntwork-installer\" class=\"preview__body--description--blue\">gruntwork-install</a> command:</p>\n<pre><span class=\"hljs-string\">gruntwork-install </span><span class=\"hljs-built_in\">--module-name</span> <span class=\"hljs-string\">'aws-auth'</span> <span class=\"hljs-built_in\">--repo</span> <span class=\"hljs-string\">'https://github.com/gruntwork-io/module-security'</span> <span class=\"hljs-built_in\">--tag</span> <span class=\"hljs-string\">'v0.6.5'</span>\n</pre>\n<h3 class=\"preview__body--subtitle\" id=\"usage\">Usage</h3>\n<p><em>WARNING! Before running the following commands, authenticate to the AWS account that contains your IAM User using your\nstatic API Access Key ID and Secret Key.</em></p>\n<p><em>We strongly recommend using a password manager like <a href=\"https://1password.com/\" class=\"preview__body--description--blue\" target=\"_blank\">1Password</a> or <a href=\"https://www.passwordstore.org/\" class=\"preview__body--description--blue\" target=\"_blank\">pass</a> to store any static credentials so they don't sit unencrypted on your local disk.\nInternally, the Grunts at Gruntwork use pass with a unique GPG Key for each set of secrets.</em></p>\n<h4 id=\"authenticate-to-an-aws-account-using-mfa\">Authenticate to an AWS Account using MFA</h4>\n<pre>aws-auth --serial-number <span class=\"hljs-symbol\">arn:</span><span class=\"hljs-symbol\">aws:</span>iam::<span class=\"hljs-number\">123456789011</span><span class=\"hljs-symbol\">:mfa/jondoe</span> --token-code <span class=\"hljs-number\">123456</span>\n</pre>\n<p>Find the Serial Number ARN by viewing your IAM User profile in the AWS web console.</p>\n<h4 id=\"authenticate-to-an-aws-account-using-mfa-and-assume-an-iam-role-in-another-account\">Authenticate to an AWS Account using MFA and Assume an IAM Role in another Account</h4>\n<pre>aws-auth --serial-number <span class=\"hljs-symbol\">arn:</span><span 
class=\"hljs-symbol\">aws:</span>iam::<span class=\"hljs-number\">123456789011</span><span class=\"hljs-symbol\">:mfa/jondoe</span> --token-code <span class=\"hljs-number\">123456</span> --role-arn <span class=\"hljs-symbol\">arn:</span><span class=\"hljs-symbol\">aws:</span>iam::<span class=\"hljs-number\">123456789011</span><span class=\"hljs-symbol\">:role/my-role</span>\n</pre>\n<h4 id=\"assume-an-iam-role-in-another-account-and-configure-the-credentials-to-not-expire-for-12-hours\">Assume an IAM Role in another Account and configure the credentials to not expire for 12 hours</h4>\n<pre>aws-auth --serial-number <span class=\"hljs-symbol\">arn:</span><span class=\"hljs-symbol\">aws:</span>iam::<span class=\"hljs-number\">123456789011</span><span class=\"hljs-symbol\">:mfa/jondoe</span> --token-code <span class=\"hljs-number\">123456</span> --role-arn <span class=\"hljs-symbol\">arn:</span><span class=\"hljs-symbol\">aws:</span>iam::<span class=\"hljs-number\">123456789011</span><span class=\"hljs-symbol\">:role/my-role</span> --role-duration-seconds <span class=\"hljs-number\">43200</span>\n</pre>\n<h4 id=\"required-iam-policy\">Required IAM Policy</h4>\n<p>You must have the <code>iam:AssumeRole</code> permission on the "primary" AWS account in order to assume an IAM Role in a "secondary"\nAWS account. 
Furthermore, you must have the <code>iam:AssumeRole</code> permission on the specific IAM Role you wish to assume or\non all resources (<code>*</code>).</p>\n<h4 id=\"wrap-the-output-in-eval\">Wrap the output in <code>eval()</code></h4>\n<p>When finished running, the <code>aws-auth</code> script will write a series of <code>export XXX=YYY</code> statements to <code>stdout</code>:</p>\n<pre>aws-auth --serial-number arn:aws:iam::123456789011:mfa/jondoe --token-code 123456\n\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_ACCESS_KEY_ID</span>=<span class=\"hljs-string\">'AAA'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SECRET_ACCESS_KEY</span>=<span class=\"hljs-string\">'BBB'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SESSION_TOKEN</span>=<span class=\"hljs-string\">'CCC'</span>\n<span class=\"hljs-builtin-name\">export</span> <span class=\"hljs-attribute\">AWS_SESSION_EXPIRATION</span>=<span class=\"hljs-string\">'DDD'</span>\n</pre>\n<p><strong>NOTE</strong>: <code>AWS_SESSION_EXPIRATION</code> environment variable is not used by any official libraries (i.e. aws cli, boto, etc.). 
It's only exported for your convenience, for example a wrapper that renews once expired.</p>\n<p>To setup your AWS environment variables in one command, all you have to do is eval the result!</p>\n<pre><span class=\"hljs-built_in\">eval</span> <span class=\"hljs-string\">\"<span class=\"hljs-variable\">$(aws-auth --serial-number arn:aws:iam::123456789011:mfa/jondoe --token-code 123456)</span>\"</span>\n</pre>\n<h4 id=\"switching-between-multiple-accounts\">Switching Between multiple accounts</h4>\n<p>A typical account switching workflow might be:</p>\n<ol>\n<li>Authenticate to "primary" AWS account using static credentials</li>\n<li>Use <code>aws-auth</code> to authenticate to "dev" account.</li>\n<li>Authenticate to "primary" AWS account using static credentials</li>\n<li>Use <code>aws-auth</code> to authenticate to "prod" account.</li>\n</ol>\n<p>Notice that you must re-authenticate to the "primary" AWS account before you can use <code>aws-auth</code> again.</p>\n<h2 class=\"preview__body--subtitle\" id=\"combining-it-with-password-managers\">Combining it with password managers</h2>\n<p>To be fair, using <code>aws-auth</code> isn't <em>really</em> a one-liner, since you have to set your permanent AWS credentials first:</p>\n<pre>export AWS_ACCESS_KEY_ID='<PERMANENT_ACCESS_KEY>'\nexport AWS_SECRET_ACCESS_KEY='<PERMANENT_SECRET_KEY>'\neval <span class=\"hljs-constructor\">$(<span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">auth</span> --<span class=\"hljs-params\">serial</span>-<span class=\"hljs-params\">number</span> <span class=\"hljs-params\">arn</span>:<span class=\"hljs-params\">aws</span>:<span class=\"hljs-params\">iam</span>::123456789011:<span class=\"hljs-params\">mfa</span><span class=\"hljs-operator\">/</span><span class=\"hljs-params\">jondoe</span> --<span class=\"hljs-params\">token</span>-<span class=\"hljs-params\">code</span> 123456)</span>\n</pre>\n<p>If you store your secrets in a CLI-friendly password manager, such as <a 
href=\"https://www.passwordstore.org/\" class=\"preview__body--description--blue\" target=\"_blank\">pass</a>,\n<a href=\"https://github.com/lastpass/lastpass-cli\" class=\"preview__body--description--blue\" target=\"_blank\">lpass</a> or\n<a href=\"https://support.1password.com/command-line-getting-started/\" class=\"preview__body--description--blue\" target=\"_blank\">1Password CLI</a>, then you can reduce this even further! Instructions on how to set this up for Lastpass / <code>lpass</code> can be found <a href=\"/repos/v0.36.3/module-security/modules/aws-auth/AWS-AUTH-LASTPASS.md\" class=\"preview__body--description--blue\">here</a> and 1Password / <code>op</code> <a href=\"/repos/v0.36.3/module-security/modules/aws-auth/AWS-AUTH-1PASSWORD.md\" class=\"preview__body--description--blue\">here</a>.</p>\n<p>First, store your permanent AWS credentials in <code>pass</code>:</p>\n<pre>pass <span class=\"hljs-keyword\">insert</span> aws-<span class=\"hljs-keyword\">access</span>-<span class=\"hljs-keyword\">key</span>-<span class=\"hljs-keyword\">id</span>\nEnter <span class=\"hljs-keyword\">password</span> <span class=\"hljs-keyword\">for</span> aws-<span class=\"hljs-keyword\">access</span>-<span class=\"hljs-keyword\">key</span>-<span class=\"hljs-keyword\">id</span>: <PERMANENT_ACCESS_KEY>\n\npass <span class=\"hljs-keyword\">insert</span> aws-secret-<span class=\"hljs-keyword\">access</span>-<span class=\"hljs-keyword\">key</span>\nEnter <span class=\"hljs-keyword\">password</span> <span class=\"hljs-keyword\">for</span> aws-secret-<span class=\"hljs-keyword\">access</span>-<span class=\"hljs-keyword\">key</span>: <PERMANENT_SECRET_KEY>\n</pre>\n<p>Next, store your MFA ARN in <code>pass</code> as well:</p>\n<pre>pass insert aws-mfa-arn\nEnter password <span class=\"hljs-keyword\">for</span> aws-mfa-<span class=\"hljs-symbol\">arn:</span> <span class=\"hljs-symbol\">arn:</span><span class=\"hljs-symbol\">aws:</span>iam::<span 
class=\"hljs-number\">123456789011</span><span class=\"hljs-symbol\">:mfa/jondoe</span>\n</pre>\n<p>If you will be assuming an IAM Role ARN, put that in <code>pass</code> too:</p>\n<pre>pass insert aws-iam-role-arn\nEnter password <span class=\"hljs-keyword\">for</span> aws-iam-role-<span class=\"hljs-symbol\">arn:</span> <span class=\"hljs-symbol\">arn:</span><span class=\"hljs-symbol\">aws:</span>iam::<span class=\"hljs-number\">123456789011</span><span class=\"hljs-symbol\">:role/my-role</span>\n</pre>\n<p>Now, you can store a script in <code>pass</code> that ties all of this together. Run the <code>insert</code> command with the <code>-m</code> parameter\nso you can enter multiple lines:</p>\n<pre>pass <span class=\"hljs-keyword\">insert</span> -m aws-sts-env-vars\nEnter <span class=\"hljs-keyword\">contents</span> <span class=\"hljs-keyword\">of</span> aws-sts-env-vars <span class=\"hljs-keyword\">and</span> press Ctrl+D <span class=\"hljs-keyword\">when</span> finished:\n</pre>\n<p>And now enter the following script:</p>\n<pre>read -p <span class=\"hljs-string\">\"Enter your MFA token: \"</span> token\neval <span class=\"hljs-constructor\">$(AWS_ACCESS_KEY_ID=$(<span class=\"hljs-params\">pass</span> <span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">access</span>-<span class=\"hljs-params\">key</span>-<span class=\"hljs-params\">id</span>)</span> AWS_SECRET_ACCESS_KEY=<span class=\"hljs-constructor\">$(<span class=\"hljs-params\">pass</span> <span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">secret</span>-<span class=\"hljs-params\">access</span>-<span class=\"hljs-params\">key</span>)</span> aws-auth --serial-number <span class=\"hljs-constructor\">$(<span class=\"hljs-params\">pass</span> <span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">mfa</span>-<span class=\"hljs-params\">arn</span>)</span> --token-code <span class=\"hljs-string\">\"$token\"</span>)\n</pre>\n<p><em>Using <a 
href=\"https://fishshell.com/\" class=\"preview__body--description--blue\" target=\"_blank\">Fish Shell</a>? Use the following modified script instead:</em></p>\n<pre><span class=\"hljs-comment\"># For Fish Shell users only</span>\necho <span class=\"hljs-string\">\"Enter your token:\"</span>;\nread -p <span class=\"hljs-string\">\"\"</span> token;\neval (export AWS_ACCESS_KEY_ID=(pass aws-access-key-id); export AWS_SECRET_ACCESS_KEY=(pass aws-secret-access-key); aws-auth --serial-number (pass aws-mfa-arn) --token-code <span class=\"hljs-string\">\"$token\"</span>)\n</pre>\n<p>If you want the script to assume an IAM role, just add the <code>--role-arn</code> parameter at the end:</p>\n<pre>read -p <span class=\"hljs-string\">\"Enter your MFA token: \"</span> token\neval <span class=\"hljs-constructor\">$(AWS_ACCESS_KEY_ID=$(<span class=\"hljs-params\">pass</span> <span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">access</span>-<span class=\"hljs-params\">key</span>-<span class=\"hljs-params\">id</span>)</span> AWS_SECRET_ACCESS_KEY=<span class=\"hljs-constructor\">$(<span class=\"hljs-params\">pass</span> <span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">secret</span>-<span class=\"hljs-params\">access</span>-<span class=\"hljs-params\">key</span>)</span> aws-auth --serial-number <span class=\"hljs-constructor\">$(<span class=\"hljs-params\">pass</span> <span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">mfa</span>-<span class=\"hljs-params\">arn</span>)</span> --token-code <span class=\"hljs-string\">\"$token\"</span> --role-arn <span class=\"hljs-constructor\">$(<span class=\"hljs-params\">pass</span> <span class=\"hljs-params\">aws</span>-<span class=\"hljs-params\">iam</span>-<span class=\"hljs-params\">role</span>-<span class=\"hljs-params\">arn</span>)</span>)\n</pre>\n<p>Now, setting up your temporary STS credentials is <em>truly</em> a one-liner!</p>\n<pre><span class=\"hljs-built_in\">eval</span> <span 
class=\"hljs-string\">\"<span class=\"hljs-variable\">$(pass aws-sts-env-vars)</span>\"</span>\n</pre>\n<p><em>Note: the double quotes around the <code>$()</code> are required.</em></p>\n","repoName":"module-security","repoRef":"v0.34.0","serviceDescriptor":{"serviceName":"ssh-grunt","serviceRepoName":"module-security","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/ssh-grunt","cloudProviders":["aws"],"description":"Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc).","imageUrl":"grunt.png","licenseType":"subscriber","technologies":["Terraform","Go"],"compliance":[],"tags":[""]},"serviceCategoryName":"SSH access","fileName":"README.md","filePath":"/modules/aws-auth","title":"Repo Browser: ssh-grunt","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}