
Amazon Web Services (AWS)

Cloud infrastructure and services configuration guide with security-first credential management.

Overview

AWS provides scalable cloud computing services. This section covers secure setup, CLI configuration, and best practices for managing AWS credentials with proper scope isolation.

Quick Start: Create a Bedrock User via CloudShell

If you have access to the AWS Console, the fastest way to create a Bedrock IAM user and generate credentials is to run aws-bedrock-user.sh directly in AWS CloudShell — no local AWS CLI setup required, since CloudShell is already authenticated as your console account.

Steps

  1. Open the AWS Console and sign in
  2. Click the CloudShell icon in the top navigation bar (or search for "CloudShell")
  3. Paste and run this one-liner:

bash -c "$(curl -fsSL https://raw.githubusercontent.com/dirkpetersen/dok/main/scripts/aws-bedrock-user.sh)"

This executes whatever the URL serves, with the full permissions of your console identity. If you would rather inspect it first, download the script to a file, read it, and then run the saved copy with bash.

Or if you have cloned this repo, run it directly:

bash scripts/aws-bedrock-user.sh

  4. Enter your username when prompted; the script prefixes it with bedrock-
  5. Copy the credentials block from the output into ~/.aws/credentials on your local machine

What the script does

  • Creates an IAM user named bedrock-<yourname>
  • Attaches the AmazonBedrockFullAccess managed policy
  • Generates a long-lived access key pair (IAM user keys never expire on their own, so you must rotate or delete them yourself)
  • Prints a ready-to-paste [bedrock] credentials block

Output example

╭──────────────────────────────────────────────────────────────────╮
│ [bedrock]                                                        │
│ aws_access_key_id = AKIAIOSFODNN7EXAMPLE                         │
│ aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY │
╰──────────────────────────────────────────────────────────────────╯

Paste this block into ~/.aws/credentials, then follow the profile configuration steps below to add the matching region entry to ~/.aws/config.

Credential security

The secret access key is shown once and cannot be retrieved afterwards, so save it immediately. If you lose it, delete that key in IAM and create a new one; while you are there, delete any keys you no longer use rather than leaving them active.

AmazonBedrockFullAccess scope

This AWS managed policy grants every Bedrock action (bedrock:*), so the user can invoke any model and also use management features such as model customization and provisioned throughput. For production environments, create a custom policy restricted to the invoke actions and the specific model ARNs your application needs.

Installing AWS CLI v2

AWS CLI v2 is the recommended command-line interface for AWS services.

Linux/WSL Installation

One-liner to download, extract (using Python's built-in zipfile, so unzip is not required), install to a user directory, and verify:

curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && python3 -c "import zipfile,sys; zipfile.ZipFile(sys.argv[1]).extractall()" awscliv2.zip && ./aws/install -i ~/.local/aws-cli -b ~/.local/bin && aws --version && rm -rf aws awscliv2.zip

This installs AWS CLI to ~/.local/aws-cli with the aws command in ~/.local/bin (no sudo required, no unzip dependency). The one-liner relies on TLS alone for download integrity; AWS also publishes a detached PGP signature for each archive (the same URL with .sig appended) if you want to verify the zip before running the installer.

Requirements:

  • Ensure ~/.local/bin is in your PATH (see Shell Setup)

macOS Installation

Using Homebrew (Recommended):

brew install awscli && aws --version

Or manually (user directory installation):

One-liner to download, extract, install to user directory, and verify:

curl -fsSL "https://awscli.amazonaws.com/awscli-exe-macos.zip" -o "awscliv2.zip" && unzip awscliv2.zip && ./aws/install -i ~/.local/aws-cli -b ~/.local/bin && aws --version && rm -rf aws awscliv2.zip

This installs AWS CLI to ~/.local/aws-cli with the aws command in ~/.local/bin (no sudo required).

AWS Credential Setup

Understanding Credential Files

AWS uses two configuration files, split so that the secret part stays in one place:

  • ~/.aws/credentials - Contains access keys (the secrets; never share this file or copy it into a project)
  • ~/.aws/config - Contains region, output format and other non-secret profile settings (for example role_arn, source_profile or SSO settings)

Creating AWS Credentials via CLI

The easiest way to set up credentials is using the AWS CLI interactive configuration:

aws configure

This prompts for:

  1. AWS Access Key ID
  2. AWS Secret Access Key
  3. Default region
  4. Default output format

Whatever keys you enter are written to the [default] profile, which every CLI command and SDK call on the machine picks up implicitly unless told otherwise. If those keys are broadly privileged, every script that runs as you inherits that privilege. For better security, follow the profile-based approach below.

Security-First Credential Management

Critical Security Principle

Never use static credentials with broad AWS permissions as your default profile. Instead:

  1. Use temporary credentials or IAM roles when possible
  2. Keep static credentials in separate, narrowly-scoped profiles
  3. Grant only the minimum permissions needed for each profile

Setting Up Service-Specific Profiles

Create isolated credential profiles for each service. For example, to set up a Bedrock-only profile:

aws configure --profile bedrock

Enter your credentials when prompted. This creates:

In ~/.aws/credentials:

[bedrock]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

In ~/.aws/config:

[profile bedrock]
region = us-west-2
output = json

Complete Profile Configuration Example

For multiple services with proper isolation:

~/.aws/credentials

# Bedrock (Claude API access only)
[bedrock]
aws_access_key_id = AKIA...
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG...

# S3 (Storage only)
[s3-user]
aws_access_key_id = AKIA...
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG...

~/.aws/config

# Bedrock Profile - Bedrock service only
[profile bedrock]
region = us-west-2
output = json

# S3 Profile - S3 access only
[profile s3-user]
region = us-west-2
output = json

IAM Policy Examples

IAM policies attach to the user or role behind a profile, not to the profile itself, so attach a narrow policy to each service-specific IAM user before creating its access keys. Two examples:

Bedrock-Only Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    }
  ]
}

S3-Only Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
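The Bedrock policy above uses Resource "*", which lets the key invoke any model in the account. The following added example (written for this page; it is not code from the project or from AWS) places that policy beside one scoped to a single foundation-model ARN and runs a small least-privilege lint over both. The model id and region in the scoped policy are assumptions for illustration; substitute the models your application actually calls.

```python
"""Lint IAM policies against the least-privilege rules on this page.

Added example, not code from the original page or from AWS. It keeps the
page's wildcard-resource Bedrock policy beside one scoped to a single
foundation-model ARN, and flags the constructs that widen a grant: Action "*",
service-wide "svc:*", Resource "*", NotAction/NotResource, and a missing or
old Version. The model id and region below are assumptions for illustration.
"""
import json

# The page's Bedrock-only policy: invoke actions on every model in the account.
WILDCARD_BEDROCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
            "Resource": "*",
        }
    ],
}

# Same actions, scoped to one foundation model. ARN format:
# arn:aws:bedrock:<region>::foundation-model/<model-id> (model id is an assumption).
SCOPED_BEDROCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InvokeOneModel",
            "Effect": "Allow",
            "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
            "Resource": [
                "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0"
            ],
        }
    ],
}


def _as_list(value):
    # IAM accepts either a bare string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings; an empty list means no widening construct was seen."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append('VERSION: set "Version": "2012-10-17"; older or missing versions disable policy variables')
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        sid = statement.get("Sid", f"statement#{index}")
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow what other statements grant
        for key in ("NotAction", "NotResource"):
            if key in statement:
                findings.append(f"{sid}: {key} allows everything except the listed values")
        for action in _as_list(statement.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: action '{action}' grants every action in that scope")
        for resource in _as_list(statement.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' applies to every resource; list the ARNs needed")
    return findings


def policy_document(policy):
    """Serialize a policy for `aws iam put-user-policy --policy-document file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_BEDROCK_POLICY), ("scoped", SCOPED_BEDROCK_POLICY)):
        findings = lint_policy(policy)
        print(f"{name}: {'clean' if not findings else ''}")
        for line in findings:
            print("  " + line)
    # Apply the scoped policy to the user created by the quick-start script, e.g.:
    #   aws iam put-user-policy --user-name bedrock-<yourname> \
    #       --policy-name bedrock-invoke --policy-document file://policy.json
```

Treat the lint as a prompt to justify each wildcard rather than a hard rule: some read-only actions such as bedrock:ListFoundationModels do not support resource-level ARNs and legitimately need Resource "*" in a statement of their own. If your application invokes models through a cross-region inference profile, the inference profile's ARN has to be allowed in addition to the foundation-model ARNs it routes to.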

Using Profiles with AWS CLI

Override Default Profile

Use any configured profile with the --profile flag:

# Confirm which IAM identity a profile resolves to (this call needs no permissions)
aws sts get-caller-identity --profile bedrock

# Use the s3-user profile for S3 calls
aws s3 ls --profile s3-user

# A cross-service call with the wrong profile should fail with AccessDenied,
# because the bedrock user's policy grants no S3 actions
aws s3 ls --profile bedrock

Set Default Profile for Session

export AWS_PROFILE=bedrock
aws sts get-caller-identity  # runs as the bedrock profile

An explicit --profile flag still wins over AWS_PROFILE for that one command. Unset AWS_PROFILE when you are done so that later commands in the same shell do not silently keep using it.

Using Profiles with AWS SDKs

Most AWS SDKs (Python boto3, Node.js, etc.) respect the AWS_PROFILE environment variable:

export AWS_PROFILE=bedrock
python script.py  # Script uses bedrock credentials

boto3 also accepts the profile explicitly through boto3.Session(profile_name="bedrock"), which is the safer choice for long-running services because it does not depend on whatever environment the process happens to inherit.

Credentials File Security

Ensure proper permissions on credential files:

chmod 700 ~/.aws
chmod 600 ~/.aws/credentials
chmod 600 ~/.aws/config

Never commit credential files to version control. A pattern such as ~/.aws/credentials does nothing in a .gitignore (patterns are matched relative to the repository and ~ is not expanded); what actually leaks is a copy of the keys made inside a project directory, so ignore those locations:

# In .gitignore
.aws/
.env
*.pem

Ignore rules are only a last line of defence. A pre-commit secret scanner (for example git-secrets, which knows the AWS access key formats) catches keys pasted into source or config files that no ignore rule covers.
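Checking the rules above by hand across several profiles is error-prone. The following added example (written for this page; it is neither the project's own code nor part of the AWS CLI) audits a credentials and config pair against the isolation rules on this page using only the standard library. It runs on a constructed sample pair that it writes to a temporary directory; point audit_profiles at ~/.aws/credentials and ~/.aws/config to run it on a real host.

```python
"""Audit the two AWS credential files for the isolation rules on this page.

Added example, not part of the original page or of the AWS CLI. Pure standard
library, never contacts AWS. Checks: a [default] profile holding static keys,
credential profiles without a region in ~/.aws/config, one access key id reused
by several profiles, long-lived IAM user keys (AKIA prefix) versus temporary
STS keys (ASIA prefix), and credential files readable by group or others.
The sample files below are constructed; the key values are AWS's documented
example keys, not real credentials.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path

SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[bedrock]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[s3-user]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[ci]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLE
"""

SAMPLE_CONFIG = """\
[default]
region = us-west-2

[profile bedrock]
region = us-west-2
output = json

[profile s3-user]
region = us-west-2
output = json
"""


def _load(path):
    # Both files are INI-style. interpolation=None keeps any '%' in values literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path)
    return parser


def audit_profiles(credentials_path, config_path):
    """Return a list of 'CODE: detail' findings; an empty list means clean."""
    creds = _load(credentials_path)
    conf = _load(config_path)
    findings = []

    if creds.has_option("default", "aws_access_key_id"):
        findings.append("DEFAULT_STATIC: [default] holds static keys; every tool on this host inherits them")

    seen = {}  # access key id -> first profile that used it
    for name in creds.sections():
        # config names the default profile [default] but every other one [profile NAME]
        section = "default" if name == "default" else f"profile {name}"
        if not conf.has_option(section, "region"):
            findings.append(f"NO_REGION: profile '{name}' has no region in config ([{section}])")

        key_id = creds.get(name, "aws_access_key_id", fallback=None)
        if key_id is None:
            continue
        if key_id.startswith("AKIA"):
            findings.append(f"LONG_LIVED: profile '{name}' uses an IAM user key (AKIA...); prefer STS temporary keys (ASIA...)")
        if key_id in seen:
            findings.append(f"KEY_REUSED: profiles '{seen[key_id]}' and '{name}' share one access key, defeating isolation")
        else:
            seen[key_id] = name

    for path in (credentials_path, config_path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group or other bit set
            findings.append(f"WORLD_READABLE: {os.path.basename(path)} is mode {mode:04o}; run chmod 600")
    return findings


def demo():
    """Write the constructed sample files with a typical bad mode and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        cred = Path(tmp) / "credentials"
        conf = Path(tmp) / "config"
        cred.write_text(SAMPLE_CREDENTIALS)
        conf.write_text(SAMPLE_CONFIG)
        os.chmod(cred, 0o644)  # the common mistake this page's chmod step fixes
        os.chmod(conf, 0o600)
        return audit_profiles(cred, conf)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The AKIA/ASIA test relies on a documented convention: keys issued to IAM users begin with AKIA, temporary keys from STS begin with ASIA. A profile whose key begins with ASIA is either stale (temporary keys expire) or is being refreshed by some tooling, which is the arrangement the Temporary Credentials best practice asks for.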

Best Practices

Profile Isolation

  • DO: Create separate profiles for each service/application
  • DON'T: Use default profile with full AWS permissions

Credential Rotation

  • DO: Rotate access keys regularly (quarterly minimum)
  • DON'T: Reuse the same credentials across multiple systems

Least Privilege

  • DO: Grant only the permissions each service needs
  • DON'T: Attach broad policies like AdministratorAccess

Monitoring

  • DO: Enable CloudTrail to audit credential usage
  • DO: Review the IAM credential report and each access key's last-used date, and delete keys that are no longer used
  • DO: Check CloudWatch for unusual activity
  • DON'T: Ignore access logs

Temporary Credentials

  • PREFER: Temporary credentials via STS AssumeRole (when possible)
  • AVOID: Long-lived static credentials for high-privilege access