AWS IAM: Ditch your Lab Sandbox

James Roberts
6 min read · Feb 1, 2024


So, you have your AWS Certification!

Let’s start with an AWS Serverless Side Project!

For many cloud developers this is the first thought after passing their first AWS exam. And, like many developers, you may find that the initial hurdle is setting up the right user for both console and programmatic access.

Fortunately, AWS Identity and Access Management (IAM), and specifically IAM Identity Center, is here to help.

I’ll walk you through the steps to create an admin user in IAM Identity Center, so you can move beyond the sandbox and start building your own projects on AWS with confidence.

Backstory

Up until a year ago, the go-to move was to create an IAM user in your account, giving you a safer path for day-to-day development that kept the all-powerful root user on the sidelines.

Then at AWS re:Invent 2022 the Identity team gave one of the most awkward and poorly conveyed presentations about IAM Identity Center (link if you want to give it a watch). This service, formerly known as AWS Single Sign-On (SSO), gives you a single login across every account in your AWS Organization and across your SSO-integrated cloud applications. The presentation made us squirm a bit, but it delivered some key takeaways.

No longer do you have to maintain a separate IAM user in each account and sign in to each one to work there: one identity, one login, and you pick the account and role you need.

AWS IAM Identity Center Diagram

This makes it a breeze to scale up and grant console access to more team members, and it paves the way for tools like AWS CodeWhisperer, whose professional tier signs users in through Identity Center.

Let’s Begin!

1. Enable Identity Center in the region you use most. Identity Center can only be enabled in one region per organization, and that becomes its home region, so choose deliberately.

IAM Identity Center

2. Then click Create AWS Organization -> from here it should take you to the IAM Identity Center dashboard

a. Identity Center requires an AWS Organization; creating one turns your existing account into the organization’s management account. If you open the AWS Organizations dashboard (as in the first diagram) you will see the structure Root -> management account. Root here is the top-level container of the organization, not the root user; the management account is the account you signed in to with the root user. This is correct!

3. Navigate to Users

a. Here is where you create a user that can work across multiple accounts through the AWS access portal *We will touch on this later*
b. Important to note: this user is different from an IAM user. It lives in the Identity Center directory at the organization level rather than inside any one account, has no long-term access keys, and only gets temporary credentials for an account once a permission set is assigned to it there.

4. Click on “Add user”

Users Page

5. Specify User details and Then Click Next

a. Provide a username, email address, first and last name (if this is for yourself use your own name)
b. Skip all other Optional drop downs

6. Skip groups for now and click next

7. Then Click “Add user”

Add User

FROM HERE COPY THE PORTAL URL TO A NOTEPAD FOR LATER. If you chose to generate a one-time password rather than send an email invitation, copy that too; it has to be changed at first sign-in, so do not keep it around afterwards. Before you give this user any real access, also turn on MFA for Identity Center users under Settings -> Authentication, so a leaked password alone is not enough to reach your account.

Creating Permission Sets

Now that we have our User, navigate back to the IAM Identity Center Dashboard

  1. Click on Permission Sets
a. A permission set is a template of IAM policies that Identity Center turns into a role in each account it is assigned to; it specifies the level of access our user will be given there

2. Click Predefined permission set (Thank you AWS for managing these policies)

3. Click on AdministratorAccess and then Click Next

a. Since this is our first user, we give it AdministratorAccess so it can create anything a first project needs. It maps to the AWS managed AdministratorAccess policy, which allows every action on every service, so plan on a narrower permission set once you know what your project actually uses

4. Fill in description “Admin setup for my Admin users” and then Click Next

5. Then Click Create

With our user created and a permission set defined, the next step is to put that user into a group, so access is managed at the group level rather than per person.

Creating a Group

  1. Click on Groups

2. Navigate and Click in the top right corner to Create Group

Create Group

3. Add Group Name as Admin and fill in Description “Group containing all my Admin users!”

4. Then select the user we just created.

5. Click Create Group

Create Group

By now, you’re likely getting the hang of setting up users. We’ve created a user, defined a permission set, established a group, and added our user to it. The final piece of the puzzle is to bring everything together, granting our group access to the management account in our AWS Organization.

I want to highlight something that’s often overlooked. Right now, our organization has just one account, the management account, and until now the only way into it has been its root user. Assigning our Admin group the AdministratorAccess permission set on that account makes Identity Center provision an IAM role inside the account (named AWSReservedSSO_AdministratorAccess_ followed by a unique suffix). Signing in through the access portal assumes that role and hands the user temporary credentials, so the root user can go back on the sidelines. If you need a visual cue, glance back at the first diagram, or bookmark this topic for a deeper dive later on.

Setting Up Account Access

  1. On the left-hand panel click on AWS accounts
a. You should see a structure of Root -> management account

2. Select your management account

3. Click Assign users or groups

a. Think about what this button means for a moment. We are assigning the Admin group (and thus the users within the group) access to this management account

4. Select our Admin Group and Click Next

Select your Group

5. Then select our AdministratorAccess permission set and click Next

6. Then click Submit

Voilà! Now you have your very own admin user to develop with. To confirm that this worked, sign out of the root user, navigate to the AWS access portal URL that you copied into your notepad and sign in!

The access portal lists the management account; expand it, choose AdministratorAccess and click Management console. The same entry also offers short-lived command line credentials for programmatic access, and the aws configure sso command will set up a CLI profile that signs in through this portal instead of storing an access key.
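As an added example (not code from the original post), here is a small Python script that checks a workstation the way I would after this setup: it confirms the CLI profile that aws configure sso writes is complete, flags any leftover static IAM-user access keys in ~/.aws/credentials, and classifies the Arn that aws sts get-caller-identity returns so you can tell an Identity Center permission-set session from the root user or an IAM user. The portal URL, account ID, usernames and key below are constructed sample values embedded so the script runs offline.

```python
"""Audit a workstation's AWS CLI setup for IAM Identity Center use.

Added example, not code from the original post. Two checks:
  1. ~/.aws/config holds an sso-session plus a profile referencing it (the
     layout `aws configure sso` writes) and ~/.aws/credentials has no static
     IAM-user keys left behind;
  2. the Arn from `aws sts get-caller-identity` is an Identity Center
     permission-set session rather than the root user or an IAM user.
All URLs, account IDs, names and keys below are constructed samples.
"""
import configparser
import re
from typing import Dict

# Constructed sample of the sso-session layout `aws configure sso` writes.
SAMPLE_CONFIG = """
[sso-session my-sso]
sso_start_url = https://d-0123456789.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile admin]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = AdministratorAccess
region = us-east-1
output = json

[profile legacy]
region = us-east-1
"""

# Constructed ~/.aws/credentials with a leftover IAM-user key (AWS's documentation example key).
SAMPLE_CREDENTIALS = """
[legacy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SESSION_KEYS = ("sso_start_url", "sso_region")
PROFILE_KEYS = ("sso_session", "sso_account_id", "sso_role_name")

# Role Identity Center provisions for a permission set; the session name is the user.
SSO_SESSION_ARN = re.compile(
    r"^arn:aws[\w-]*:sts::\d{12}:assumed-role/AWSReservedSSO_(.+)_[0-9a-f]+/[^/]+$"
)


def _profile_name(section: str) -> str:
    """`[profile x]` in config, bare `[x]` in credentials; `[default]` has no prefix."""
    return section.split(" ", 1)[1] if section.startswith("profile ") else section


def audit_profiles(config_text: str, credentials_text: str) -> Dict[str, str]:
    """Map each CLI profile to 'sso', 'static-keys', 'sso-incomplete' or 'no-credentials'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    creds = configparser.ConfigParser(interpolation=None)
    creds.read_string(credentials_text)

    sessions = {s.split(" ", 1)[1]: cfg[s] for s in cfg.sections() if s.startswith("sso-session ")}
    report: Dict[str, str] = {}
    for section in cfg.sections():
        if section.startswith("sso-session "):
            continue
        name = _profile_name(section)
        prof = cfg[section]
        session = sessions.get(prof.get("sso_session", ""), {})
        if creds.has_section(name) and creds[name].get("aws_access_key_id"):
            report[name] = "static-keys"      # long-term IAM-user key: the thing to ditch
        elif all(k in prof for k in PROFILE_KEYS) and all(k in session for k in SESSION_KEYS):
            report[name] = "sso"              # complete Identity Center profile
        elif any(k.startswith("sso_") for k in prof):
            report[name] = "sso-incomplete"   # partial setup: `aws sso login` will fail
        else:
            report[name] = "no-credentials"
    return report


def classify_caller(arn: str) -> str:
    """Classify the Arn field of `aws sts get-caller-identity`."""
    m = SSO_SESSION_ARN.match(arn)
    if m:
        return "identity-center:" + m.group(1)   # permission set name
    if re.match(r"^arn:aws[\w-]*:iam::\d{12}:root$", arn):
        return "root-user"                       # never for daily work
    if re.match(r"^arn:aws[\w-]*:iam::\d{12}:user/", arn):
        return "iam-user"                        # long-term credentials
    if re.match(r"^arn:aws[\w-]*:sts::\d{12}:assumed-role/", arn):
        return "other-role"
    return "unknown"


if __name__ == "__main__":
    for name, status in audit_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(f"profile {name}: {status}")
    print(classify_caller(
        "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/james"))
```

On a real machine, feed it the contents of ~/.aws/config and ~/.aws/credentials, then run aws sso login --profile admin followed by aws sts get-caller-identity --profile admin and pass the Arn to classify_caller: anything other than identity-center:AdministratorAccess means you are still working as the root user or from a static key.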

BONUS

If you are still reading fantastic! One question I often get is, “Why am I unable to view Cost and usage from the dashboard with my Admin account”.

AWS Dashboard

Traditionally, viewing and changing Billing settings was reserved for the root user, and for good reason: a slip-up here could lead to a not-so-tiny bill!

Billing permissions in a permission set only take effect if the account itself allows IAM users and roles (which includes the roles Identity Center creates for permission sets) to reach billing data. Here is how to turn that on, so that a permission set scoped to ‘view only’ Billing console access actually works.

1. Sign in as the root user of the management account

2. On the main dashboard navigate to the top right hand corner and click on the account name

3. In the drop down select Account

4. Scroll down to “IAM user and role access to Billing Information”

5. Click “Edit”

6. Select Activate and Update

Now, any billing permissions granted by your permission sets will actually take effect in the Billing console. This switch is per account and applies to every IAM user and role in it, not only your admin, so only flip it once you are comfortable with IAM permission sets and have MFA enabled for your users. For a view-only set, a custom permission set that attaches the AWS managed AWSBillingReadOnlyAccess policy is a sensible starting point; if you write an inline policy instead, keep it to view and read actions only.
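As an added example (not code from the original post), the following Python script lints a permission-set inline policy for billing write actions, so a permission set you intend to be ‘view only’ really is. It shows a weak policy (a wildcard on aws-portal) beside a view-only one and reports which Allow actions could change billing settings. Both policies are constructed samples; the set of billing services and the read-only verb prefixes are my assumptions, and AWS has been replacing the aws-portal actions with fine-grained ones, so check the current Billing IAM action reference for your account.

```python
"""Lint a permission-set inline policy for billing write actions.

Added example, not code from the original post. Once "IAM user and role access
to Billing Information" is activated, whatever a permission set allows on
billing takes effect, so a 'view only' billing permission set needs checking.
The policies below are constructed samples; BILLING_SERVICES and READ_PREFIXES
are assumptions to adjust against the current Billing IAM action reference.
"""
import json
from typing import List

# Services whose actions reach the Billing console (assumed list).
BILLING_SERVICES = {"aws-portal", "billing", "payments", "ce", "cur", "budgets",
                    "tax", "invoicing", "account"}
# Verb prefixes treated as read-only; anything else on a billing service is a write.
READ_PREFIXES = ("View", "Get", "List", "Describe")

# Constructed weak policy: a wildcard that also allows ModifyBilling etc.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["aws-portal:*"], "Resource": "*"}],
})

# Constructed view-only policy.
VIEW_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "aws-portal:ViewBilling",
            "aws-portal:ViewUsage",
            "aws-portal:ViewPaymentMethods",
            "ce:GetCostAndUsage",
            "ce:GetCostForecast",
            "budgets:ViewBudget",
            "cur:DescribeReportDefinitions",
        ],
        "Resource": "*",
    }],
})


def billing_write_actions(policy_json: str) -> List[str]:
    """Return Allow actions that could change billing settings, wildcards included.

    Only the Action element is inspected; NotAction and Deny statements are left
    alone, so a clean result means 'no explicit write allowed', not 'proven safe'.
    """
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):            # a single statement may be unwrapped
        statements = [statements]
    findings: List[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*":                   # everything, billing included
                findings.append(action)
                continue
            service, _, verb = action.partition(":")
            if service != "*" and service not in BILLING_SERVICES:
                continue
            if "*" in verb or "?" in verb:
                # A wildcard verb covers writes unless anchored to a read prefix (e.g. View*).
                if not verb.startswith(READ_PREFIXES):
                    findings.append(action)
            elif not verb.startswith(READ_PREFIXES):
                findings.append(action)         # Modify*, Update*, Put*, Delete*, ...
    return findings


if __name__ == "__main__":
    print("weak policy writes:", billing_write_actions(WEAK_POLICY))
    print("view-only policy writes:", billing_write_actions(VIEW_ONLY_POLICY))
```

Run it against the JSON you paste into a custom permission set's inline policy before assigning it; an empty list for your view-only set, and a non-empty one for anything with a wildcard, is the result you want.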

Happy Coding!
