AWS 1: Identity and Access Management

Learning AWS IAM: users, groups, policies, roles and the CLI.

AWS Management Console

The AWS Management Console is the web-based user interface provided by Amazon Web Services (AWS) for managing and interacting with AWS cloud resources.

How to log in

  1. Open https://aws.amazon.com/console/
  2. On the top right, click "Sign In to the Console"
  3. Create a new AWS account if you do not have one yet
  4. Log in as root using the root email, or log in as an IAM user.

What is IAM? Why do we need it?

  • IAM = Identity and Access Management; it is a global service (not tied to a region)
  • The root account is created by default; it shouldn't be used for daily work or shared
  • Users are people within your organization, and they can be grouped
  • Groups only contain users, not other groups
  • Users don't have to belong to a group, and a user can belong to multiple groups
  • Users or groups can be assigned JSON documents called policies
  • These policies define the permissions of the users
  • In AWS you apply the least-privilege principle: don't give more permissions than a user needs
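To make the bullets above concrete, here is an added example (not code from the original post) that models how identity-based policies attached to users and groups combine. It implements the core IAM evaluation rule: everything is denied by default, an Allow statement grants access, and an explicit Deny overrides any Allow. The user names, group name, account id and statements are constructed for this example; the policy statements follow the real IAM JSON shape (Effect / Action / Resource) with `*` and `?` wildcards.

```python
import fnmatch

# Constructed sample data for this example (not real account data).
# A group carries statements; users inherit them on top of their own.
GROUP_POLICIES = {
    "developers": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    ],
}

USER_POLICIES = {
    # alice: read-only IAM plus an explicit deny on one bucket
    "alice": [
        {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:List*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secret-bucket/*"},
    ],
    # adi: no policies of his own; only what the group gives him
    "adi": [],
}

USER_GROUPS = {"alice": ["developers"], "adi": ["developers"]}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _match_action(pattern, action):
    # Action names are case-insensitive in IAM; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    # Resource ARNs are compared case-sensitively.
    return fnmatch.fnmatchcase(resource, pattern)


def effective_statements(user):
    """All statements that apply to a user: their own plus every group's."""
    statements = list(USER_POLICIES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        statements.extend(GROUP_POLICIES.get(group, []))
    return statements


def is_allowed(user, action, resource):
    """Simplified IAM evaluation for identity-based policies only:
    default deny; any matching Allow grants; a matching Deny always wins."""
    allowed = False
    for stmt in effective_statements(user):
        if not any(_match_action(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match_resource(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny overrides every allow
        allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        ("alice", "iam:GetUser", "arn:aws:iam::123456789012:user/alice"),
        ("alice", "iam:CreateUser", "arn:aws:iam::123456789012:user/bob"),
        ("alice", "s3:GetObject", "arn:aws:s3:::secret-bucket/plan.txt"),
        ("adi", "s3:GetObject", "arn:aws:s3:::public-bucket/readme.txt"),
        ("adi", "iam:ListUsers", "*"),
    ]
    for user, action, resource in checks:
        verdict = "ALLOW" if is_allowed(user, action, resource) else "DENY"
        print(f"{verdict:5} {user:6} {action:15} {resource}")
```

The model ignores resource-based policies, permission boundaries, SCPs and conditions, which also take part in real IAM evaluation; it is only meant to show why a Deny on one bucket still blocks alice even though her group allows `s3:GetObject` on `*`, and why adi sees nothing in the IAM dashboard until a policy is attached.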

How to create an IAM user

  1. Log in as root
  2. In the search bar, type "IAM" and press Enter
  3. In the left bar, click Users
  4. Click "Create user"
  5. Fill in the user name, e.g. alice
  6. Check "Provide user access to the AWS Management Console"

IAM Roles

  • Some AWS services need to perform actions on your behalf
  • To allow this, we assign permissions to AWS services with IAM roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation

Hands-on

Create a new user

  1. Create another user, e.g. adi. To keep things simple, uncheck the option "User must create a new …"

[image: aws-iam-create-user]

  2. Set permissions for the user. You may play around with these two options later; for now just skip this step by clicking "Next"

[image: aws-iam-set-permission]

  3. You will then get the review step with "no resources" in the permissions summary; click "Create user".
  4. The success page will then show up like this

[image: aws-iam-success-create-user]

Test the new user

  1. You can test the new user by logging in with the new credentials. There are two options to do this:
     a. open another browser
     b. turn on multi-session support in the top-right menu; the "add session" menu item will then appear.

[image: aws-iam-multisession]

  2. Log in with the new account

[image: aws-iam-user-login]

  3. Open the IAM dashboard and you'll see some restrictions due to the lack of permissions

[image: aws-iam-user-restriction]

  4. Now let's add permissions to the new user. From the root or admin account window, go to the IAM dashboard menu > Users > adi, then click the "Add permissions" option

[image: aws-iam-add-permission]

  5. Choose "Attach policies directly", then search for "IAMReadOnlyAccess" and check the box. Click "Next"
  6. On the review page, click "Add permissions"
  7. Go back to the user's tab/window and open the IAM dashboard (see step 3) or refresh the browser. Now you can see the information.

AWS CLI

Configure access

  1. Create an access key for the user that you want to log in with via the CLI

[image: aws-iam-config-access-cli]

  2. Check the use case option "Command Line Interface (CLI)" and "I understand …", then click the "Next" button
  3. Click the "Create access key" button
  4. You will then get the access key ID and secret access key. Copy them and save them in a secure place; the secret is shown only once.

Use the access key

  1. Install the AWS CLI on your local machine (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
  2. You may play around with the AWS CLI by running aws --version or aws help
  3. To use the CLI with the access key, run aws configure and input the access key ID and secret access key.
  4. Now try to run aws iam list-users and you should see the list of users. If it does not work, check the permissions of the user (it needs at least the iam:ListUsers action, which IAMReadOnlyAccess grants).
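Once `aws iam list-users` works, its JSON output is useful for more than confirming access. The following added example (not part of the original post) parses output in the shape the CLI returns and flags users whose console password has not been used for a configurable number of days, a common least-privilege hygiene check. The sample JSON is constructed for this example; the field names (`UserName`, `UserId`, `Arn`, `CreateDate`, `PasswordLastUsed`) are the ones the real command emits, and `PasswordLastUsed` is absent for a user who has never signed in.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws iam list-users` output (not real data).
SAMPLE_LIST_USERS = """{
  "Users": [
    {
      "Path": "/",
      "UserName": "alice",
      "UserId": "AIDAEXAMPLE000000001",
      "Arn": "arn:aws:iam::123456789012:user/alice",
      "CreateDate": "2024-01-10T08:00:00+00:00",
      "PasswordLastUsed": "2024-08-15T09:30:00+00:00"
    },
    {
      "Path": "/",
      "UserName": "adi",
      "UserId": "AIDAEXAMPLE000000002",
      "Arn": "arn:aws:iam::123456789012:user/adi",
      "CreateDate": "2024-02-01T08:00:00+00:00"
    }
  ]
}"""


def parse_users(list_users_json):
    """Return the list of user records from `aws iam list-users` JSON output."""
    return json.loads(list_users_json)["Users"]


def _timestamp(value):
    # The CLI prints ISO 8601 with an explicit offset, e.g. 2024-01-10T08:00:00+00:00.
    return datetime.fromisoformat(value)


def last_activity(user):
    """Last console sign-in; if the password was never used, fall back to creation date."""
    return _timestamp(user.get("PasswordLastUsed") or user["CreateDate"])


def find_stale_users(list_users_json, now_iso, max_idle_days=90):
    """Names of users with no console sign-in within max_idle_days of now_iso."""
    now = _timestamp(now_iso)
    cutoff = now - timedelta(days=max_idle_days)
    return [u["UserName"] for u in parse_users(list_users_json)
            if last_activity(u) < cutoff]


if __name__ == "__main__":
    # In practice: aws iam list-users > users.json, then feed that file here.
    now_iso = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    for name in find_stale_users(SAMPLE_LIST_USERS, now_iso):
        print(f"review or disable idle user: {name}")
```

Disabling or removing idle users is the same least-privilege idea from the first section applied over time: a credential nobody uses is pure attack surface. Note that `PasswordLastUsed` only tracks console logins; access-key usage is reported separately by `aws iam get-access-key-last-used`.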
Licensed under CC BY-NC-SA 4.0