This article will discuss the Identity and Access Management (IAM) in Amazon AWS.
IAM is the AWS service that lets an account control which of its resources and services its users can access. Using IAM, you can create users and groups and assign permissions that determine which resources each user can reach in Amazon AWS.
This article shows how to create users and groups and how to assign users to groups. You will also see how to sign in to the AWS console as such a user and access only the resources that user has permission to use. The scope of this article is deliberately narrow, so there is not much theory to cover.
Let’s start by accessing the IAM service. Click IAM from the Deployment and Management section of the AWS console:
On the IAM page, go to the Users section from the left menu to create a user:
Click on Create New Users, input the username that you want to create, and check the box to generate the access keys. We won’t be using the access keys here, since we’re logging in to the console rather than using the CLI; this is just so you know what other login options exist. You can create up to five users at once:
Click on Create to create the user and to receive the access key. You can either copy the access key or download it.
Now that the user has been created, it’s time to assign it to a group. There is no group by default, so we have to create one. From the IAM dashboard, click Groups in the left menu, then Create New Group, and specify a name for your group:
Continue to the Permissions section and choose Amazon EC2 Full Access:
You will be shown the permissions from the policy that you selected:
You can continue and create the group:
Once the group is created, select the group and from the Users tab, select Add Users to Group to add the user that we created previously to this new group:
Next, confirm that the user inherited the permissions that were set when we created the group. From the IAM dashboard, select Users from the left menu and then open the Permissions tab. You should see that the user has inherited the policy of the group. If we add another policy specific to this user and set a permission that has a different value than the one specified by the group, then the permission assigned to the user will take precedence.
It’s time to create a password so that we can log in to the Amazon AWS console. In the same Users menu, go to the Security Credentials tab and click Manage Password on the right, under Sign-in Credentials:
You will then be asked whether you want to set a custom password or have AWS generate one. Choose whichever you prefer and click Apply. I chose an auto-generated password:
The password is generated and shown on the screen:
Now that you have the password, it’s time to log in to the AWS console. The page where you should use the sign-in credentials is something like this:
where 06XXXXXXXXXX is your account number.
I logged in using the username user_ec2 and the password previously generated:
As you can see, the name has changed. You can compare it to the first screenshot in this article.
As you may recall, the policy that we attached to the group allows full access to EC2 resources. Let’s see if we can reach the EC2 dashboard and check whether any EC2 instances are running:
Yes, it works as expected.
But let’s see if we have access to a resource we shouldn’t have. Let’s try CloudFormation from the AWS console:
As expected, we don’t have access there and the message is clear enough to understand why.
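The following script is an added example, not part of the original article: it models how IAM combines the group policy with a user-level policy for the checks above. All attached identity policies are evaluated together; an explicit Deny in any of them wins over an Allow (so a user-level Deny does override the group's Allow, but a user-level Allow cannot undo a Deny), and anything not explicitly allowed is denied. The policy documents are constructed stand-ins for the console's AmazonEC2FullAccess policy, and `evaluate` and `user_ec2_checks` are my own names.

```python
import fnmatch

# Constructed stand-in for the managed policy attached to the group in the
# article (the real AmazonEC2FullAccess grants a few more services as well).
GROUP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
]}

# Constructed user-level policy: an explicit Deny for a single EC2 action.
USER_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are not.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource="*"):
    """Decide one request against every attached identity policy.
    Explicit Deny anywhere wins, then any Allow, otherwise implicit Deny.
    NotAction and Condition elements are not modelled."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def user_ec2_checks():
    """Replay the article's two console checks plus the user-level Deny."""
    attached = [GROUP_POLICY, USER_POLICY]
    return {a: evaluate(attached, a) for a in (
        "ec2:DescribeInstances",          # EC2 dashboard: allowed by group
        "cloudformation:DescribeStacks",  # CloudFormation: no matching Allow
        "ec2:TerminateInstances",         # group Allow overridden by user Deny
    )}


if __name__ == "__main__":
    for action, decision in user_ec2_checks().items():
        print(f"{action:32} -> {decision}")
```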
And that’s it.
It seems simple, but this is because we didn’t try to use many of the features that IAM provides.
Creating users and groups is separate from how a user actually signs in to AWS: when you create a user, you can choose which sign-in methods that user will have.
Also, what we did in this article applies only to the AWS console. If you intend to use the AWS CLI and authenticate that way, make sure that when you create the user you also request the access key. Another login method is through the use of certificates.