This tutorial will take you through creating a simple todo API using AWS serverless, NodeJS and DynamoDB. You need some familiarity with the command line. No prior experience with AWS is needed. In Part I we will go through the process of creating an IAM user, granting them some permissions and securing the root account.
Sign up for AWS access
Amazon offers a free tier of its services, which includes several services you can try for a year. Some are always free. Details here
Login to AWS console
After signing up, log on to the AWS console at https://console.aws.amazon.com/
The AWS console is one of the interfaces through which you can manage cloud resources. I will refer to it as the console for the rest of the tutorial.
Secure your account
The first thing we want to do is secure our new AWS account. This involves creating an IAM (Identity and Access Management) user and deleting the root access keys, which provide unrestricted access to your AWS account. You can read more about security best practices here
Create an IAM user
Navigate to the IAM screen: click Services at the top left of the console and find IAM under the Security, Identity & Compliance section. Typing IAM in the autocomplete box should filter the list of services.
On the IAM dashboard, click Users in the menu on the left of your screen to get to the user management section. Click Add user to add an IAM user.
Enter a username and check the access type boxes for “programmatic access” and “AWS management console access”.
Click through the next steps, keeping the defaults. On step five, reveal your password and secret access key and store them somewhere safe.
We are now ready to set up permissions for the new IAM user.
To make managing these permissions easier, we’ll create an IAM policy, attach it to an IAM group and add our IAM user to the IAM group. This approach makes granting new users the same set of permissions easier since all you would need to do is add them to the same IAM group.
Create an IAM policy
Select Policies from the menu on the right and click Create to start the process. You should see an autocomplete box where you can start entering a service name. Type lambda here and select Lambda; these steps will be repeated for every service we need to grant permissions for in our IAM policy.
Clicking “add additional permissions” allows us to repeat the process above for other AWS services. Repeat the steps above to add permissions for the services below.
- API Gateway
When finished, click Review policy at the bottom right. On the next screen, name your IAM policy API-Devs and create it.
Best practice would be to tweak the permissions for each service so that the policy contains just what API-Devs needs and nothing more, following the principle of least privilege. We add all permissions for simplicity in this tutorial.
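As an added illustration that is not part of the tutorial, here is the kind of policy document the visual editor produces when you select all Lambda and API Gateway actions, beside a scoped version for the todo API, with a small Node.js check that lists the wildcard grants in each. The region, the account id 123456789012 and the todo-* function name prefix are constructed placeholders.

```javascript
// Policy the IAM visual editor generates for "all actions, all resources".
const broadPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AllLambdaAndApiGateway",
      Effect: "Allow",
      Action: ["lambda:*", "apigateway:*"],
      Resource: "*",
    },
  ],
};

// Least-privilege version: named actions on the todo functions only.
// Region, account id and function prefix are constructed placeholders.
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "TodoFunctionsOnly",
      Effect: "Allow",
      Action: ["lambda:CreateFunction", "lambda:UpdateFunctionCode",
               "lambda:GetFunction", "lambda:InvokeFunction"],
      Resource: "arn:aws:lambda:us-east-1:123456789012:function:todo-*",
    },
    {
      Sid: "ManageRestApis",
      Effect: "Allow",
      Action: ["apigateway:GET", "apigateway:POST", "apigateway:PUT"],
      Resource: "arn:aws:apigateway:us-east-1::/restapis*",
    },
  ],
};

// Return one finding per wildcard in an Allow statement ("<Sid>: action lambda:*"
// or "<Sid>: resource *"). An empty list means no service- or resource-wide grant.
function findWildcards(policy) {
  const findings = [];
  for (const stmt of policy.Statement) {
    if (stmt.Effect !== "Allow") continue;
    for (const a of [].concat(stmt.Action)) {
      if (a === "*" || a.endsWith(":*")) findings.push(`${stmt.Sid}: action ${a}`);
    }
    for (const r of [].concat(stmt.Resource)) {
      if (r === "*") findings.push(`${stmt.Sid}: resource ${r}`);
    }
  }
  return findings;
}

console.log(findWildcards(broadPolicy));  // three findings
console.log(findWildcards(scopedPolicy)); // []
```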
Create an IAM group
Click Groups in the left navigation menu, then click “create new group” to start the wizard. Name the group API-Developers and, when asked for a policy to attach, select the one we just created.
Delete root access keys
Go back to the IAM dashboard; you should see the security recommendation. Delete your root access keys by visiting Manage security credentials.
Take note of your account name, shown at the top right of the console menu bar. You will need this account name, in addition to the IAM user credentials, to log in as an IAM user. If you need to change it, do so under “My Account”; the change can only be made by the root user.
Login with IAM user
Log out the root user and log in with your new IAM user. On the console, enter your account ID or account name to avoid logging in as the root user (with the email you used to create the AWS account).