Cl⛅d Security Lab: Securing Your AWS Free Tier Account With — IAM USER|| AWS for Beginners-Series II

~ goody
6 min read · May 14, 2023

INTRODUCTION

As an AWS beginner, create an IAM (Identity and Access Management) user for your day-to-day work rather than signing in with the root user. The root user should be used only for the handful of tasks that require it (for example, changing account settings or closing the account); an IAM user gives you a more controlled way to access and manage AWS resources and services.

When you create an IAM user, you decide which permissions it gets and limit it to only the AWS resources and services it needs. This way you control who has access to your account and ensure that each identity can perform only the actions it is authorized for.

Security Issues with Root Account

The root user has unrestricted access to every resource and service in the account, and that access cannot be narrowed with IAM policies, so if its credentials fall into the wrong hands the whole account is compromised. By working from an IAM user with scoped permissions, you reduce the blast radius of a leaked credential and the risk of unauthorized access.

As demonstrated in Series I of Cloud Security Lab (Enabling MFA on AWS Root Account), you should also enable multi-factor authentication (MFA) on every IAM user and enforce a strong account password policy; together these significantly harden your AWS environment.

WHO IS AN IAM USER?

An AWS IAM user is an identity created in your AWS account that can authenticate and interact with AWS resources. It usually represents a person who needs access to your account, but it can also represent an application or workload that needs to call AWS services.

Disclaimer

The AWS Management Console is subject to updates and changes over time. The information provided in this lab write-up is based on the console's state at the time of writing and may not reflect the current user interface or functionality. Refer to the official AWS documentation for the most up-to-date instructions when using the AWS Management Console.

In a few steps, I’ll demonstrate how to create an IAM user on the AWS Management Console. Let's dive in 🚀

📍 Navigate to your IAM dashboard.

📍 On your IAM dashboard, the security recommendation "Root user has MFA" should already be marked green, as shown below, since we completed it in Lab Series I (Setting up MFA).

📍 In the left-hand menu, under "Access management", click "Users".

📍 On the "Users" page, go to the top right and click "Add users" to create an IAM user.

STEP I: Specify user details

📍 Specify a user name of your choice and tick the box “Provide user access to the AWS Management Console.”

Under "Are you providing console access to a person?" the first option, "Specify a user in Identity Center — Recommended", does not create an IAM user at all. It creates a workforce identity in AWS IAM Identity Center (the successor to AWS SSO), which signs in through a central access portal and receives permissions via permission sets rather than IAM policies. Identity Center requires AWS Organizations to be enabled, so this path is best suited to managing several accounts from one place, not to a single beginner account.

The second option, "I want to create an IAM user", creates an identity that lives in this account only. AWS now recommends IAM users mainly for programmatic access through access keys, for service-specific credentials for AWS CodeCommit or Amazon Keyspaces, or as a backup credential for emergency account access.

In this lab, we just want to create an IAM user account. Thus, we select the second option: “I want to create an IAM user”

📍 Password configuration is very important. As the administrator, you can choose any of the options shown in the image below, but "Autogenerated password" is the recommended choice, together with the checkbox "Users must create a new password at next sign-in". With these settings the initial password is a throwaway: the IAM user is forced to pick their own password at first sign-in, and that new password must satisfy the IAM account password policy you set.

Once DONE, Click NEXT.

STEP II: Set permissions

There are three options for setting permissions on the new IAM user: add the user to a group, copy permissions from an existing user, or attach policies directly. The recommended approach is to organize IAM users into IAM groups and attach policies to the group. Individual users still have their own credentials, but every member of the group inherits the permissions attached to the group, which is far easier to review and revoke than per-user policies.

For this lab, we select "Add user to group", which lets us attach the policy to a group rather than to the user.

Next, Click CREATE GROUP.

📍 Next, we give the new IAM user full administrator access. As shown below, enter a user group name [1] of your choice, e.g. Admin or Developer. Then filter the permissions policies by typing "Admin" in the search box [2] and tick the policy named "AdministratorAccess" [3].

Once done, click "Create user group" at the bottom. Note that AdministratorAccess grants full access to all AWS services and resources, which is acceptable for a single learning account but is not least privilege: for any user who does not need to administer the account, pick a narrower managed policy (or write your own) instead.

NB: Back on the "Set permissions" page, make sure the checkbox next to your newly created group (e.g. "Admin") is ticked so the user is actually added to it.

Once DONE, Click NEXT.

STEP III: Review and create

Carefully review your choices. After you create the user, you can view and download the autogenerated password.

STEP IV: Retrieve the password

You can view and download the autogenerated password, or email sign-in instructions for the AWS Management Console to the user.

NOTE: This is the only time the console will show this password or let you download it as a CSV file; afterwards you can only reset it.

📍 You can now sign in with your IAM user credentials.

NB: You will be prompted to change your password at first sign-in, because we chose "Users must create a new password at next sign-in".

It is recommended that you repeat the steps used to set up MFA on your newly created IAM user. Check Lab Series I.
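The same user set-up done from the command line, as an added example rather than part of the original lab. It assumes the AWS CLI v2 is installed and configured with credentials that can administer IAM (for example, an existing admin user), and it also sets the account password policy that the user's first self-chosen password must satisfy. Set DRY_RUN=1 to print the commands instead of running them; the user, group and policy names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): console-user creation with the AWS CLI.
# Assumes: AWS CLI v2, IAM-admin credentials configured, /dev/urandom and tr available.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

run() {
  # Execute the given command, or just print it when DRY_RUN is set.
  if [ "${DRY_RUN:-}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

gen_password() {
  # Build a 20-character throwaway initial password that satisfies the policy
  # below (upper, lower, digit, symbol). The user replaces it at first sign-in.
  u=$(LC_ALL=C tr -dc 'A-Z' </dev/urandom | head -c 4)
  l=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 8)
  d=$(LC_ALL=C tr -dc '0-9' </dev/urandom | head -c 4)
  s=$(LC_ALL=C tr -dc '!@#%^&*' </dev/urandom | head -c 4)
  printf '%s%s%s%s\n' "$u" "$l" "$d" "$s"
}

set_password_policy() {
  # Account-wide policy applied to every IAM user's console password.
  run aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-uppercase-characters --require-lowercase-characters \
    --require-numbers --require-symbols \
    --max-password-age 90 --password-reuse-prevention 24 \
    --allow-users-to-change-password
}

create_console_user() {
  # $1 = IAM user name, $2 = group name, $3 = managed policy ARN for the group.
  user=$1; group=$2; policy=$3
  pw=$(gen_password)

  # STEP II: the group, with the managed policy attached to the group, not the user.
  run aws iam create-group --group-name "$group"
  run aws iam attach-group-policy --group-name "$group" --policy-arn "$policy"

  # STEP I: the user, made a group member, with console access and a forced
  # password change at first sign-in (the CLI equivalent of the console checkbox).
  run aws iam create-user --user-name "$user"
  run aws iam add-user-to-group --user-name "$user" --group-name "$group"
  run aws iam create-login-profile --user-name "$user" \
    --password "$pw" --password-reset-required

  # STEP IV: this is the only time the initial password is available; hand it
  # over out of band and do not store it in a ticket or repository.
  printf 'Initial password for %s: %s\n' "$user" "$pw"
}

# Usage: DRY_RUN=1 sh create-iam-user.sh alice Admin
# (names and the AdministratorAccess choice mirror the lab; narrow the policy for
# anyone who does not need to administer the whole account).
if [ "$#" -eq 2 ]; then
  set_password_policy
  create_console_user "$1" "$2" arn:aws:iam::aws:policy/AdministratorAccess
fi
```

The create-group and create-user calls fail if the names already exist, which is deliberate: rerunning the script should not silently re-issue a password for an existing user. Enabling a virtual MFA device still has to be done by the user at sign-in, as in Lab Series I.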

Security Tips

Your AWS account ID is not a secret in itself, but share it carefully, since it is one of the things an attacker needs to target your account. What must be protected are the root credentials, IAM passwords and access keys. Beyond that, review your security controls regularly: confirm every console user has MFA, remove users and access keys that are no longer needed, and check the IAM credential report, which lists the state of every user's password, MFA device and access keys in one place.
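One concrete form of that regular review, added here as an example rather than taken from the original post: filter the IAM credential report for console users who still have no MFA device. The report below is constructed sample data with only the first columns of the real report; the filter looks columns up by header name, so it works unchanged on a full report pulled with the AWS CLI (assumed installed and configured).

```shell
#!/bin/sh
# Added example (not from the original post): find console users without MFA in an
# IAM credential report. Assumes POSIX sh and awk; for live use, the AWS CLI.
set -eu

report_users_without_mfa() {
  # Read a credential report (CSV) on stdin and print the name of every user whose
  # console password is enabled but who has no MFA device. Columns are resolved
  # from the header row, so extra or reordered columns in a real report are fine.
  awk -F, '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["password_enabled"]) == "true" && $(col["mfa_active"]) == "false" { print $1 }
  '
}

# Constructed sample report (not from a real account). The root row reports
# password_enabled as not_supported, so it is never matched by the filter above;
# check the root user's MFA separately on the IAM dashboard.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2023-05-01T10:00:00+00:00,not_supported,2023-05-14T09:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::111122223333:user/alice,2023-05-14T12:00:00+00:00,true,no_information,2023-05-14T12:00:00+00:00,2023-08-12T12:00:00+00:00,false,false
bob,arn:aws:iam::111122223333:user/bob,2023-05-14T12:05:00+00:00,true,2023-05-15T08:00:00+00:00,2023-05-14T12:05:00+00:00,2023-08-12T12:05:00+00:00,true,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-05-14T12:10:00+00:00,false,no_information,not_supported,not_supported,false,true'

# Run against the sample: prints "alice" (bob has MFA, ci-deploy has no console password).
printf '%s\n' "$SAMPLE_REPORT" | report_users_without_mfa

# Live usage: the report is generated asynchronously and returned base64-encoded.
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d | report_users_without_mfa
```

A user that shows up here should be asked to enrol an MFA device before their next sign-in; if they cannot, disabling the login profile is a safer default than leaving a password-only console identity in place.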

Thanks for reading 😃 || Happy learning !!✌️

Let’s connect on Linkedin || Twitter
