How to Use AWS’s IAM

Manage users and their level of access to your resources

Raymundo Martinez
The Startup
5 min read · Jun 15, 2020



Requirements

  • Amazon Account

Amazon’s Identity and Access Management (IAM) allows you to manage users and their level of access to your resources. It gives you control over a number of things, including:

  • Multifactor authentication
  • Control over password rotation
  • Ability to control user permissions

Break Down Of IAM Key Words

Users

These are the people that will be interacting with your resources. In other words, anyone that you want to have the ability to log into the AWS console.

Groups

Groups are a collection of users. For example, you can organize the users who are on the business development team into a group named BisDev. By placing users in a group you can assign permissions to the group as a whole, and therefore grant access only to the resources that group needs.

Roles

An IAM role defines a set of permissions that can be attributed to users, groups, or services such as EC2.

Policies

A policy is a document that defines one or more permissions.
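To make the “policy is a document of permissions” idea concrete, here is an added example (not code from the article or from AWS) that evaluates requests against a small identity-based policy. The policy text is constructed for this example in the spirit of the read-only S3 group the article later creates; it is not the managed AmazonS3ReadOnlyAccess document. It implements the documented evaluation order for a single identity: a matching explicit Deny wins over any Allow, and a request that matches no Allow is implicitly denied. Only Action and Resource matching is covered (no Condition keys, no resource-based policies or SCPs).

```python
"""Minimal evaluator for an IAM identity-based policy document (added example)."""
import fnmatch
import json

# Constructed policy: the BisDev group may list buckets and read objects, and
# nothing else; a second statement refuses even read access on one sensitive
# bucket (bucket names here are made up for the example).
BISDEV_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyS3",
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": "*",
        },
        {
            "Sid": "NoFinanceBucket",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::finance-reports",
                         "arn:aws:s3:::finance-reports/*"],
        },
    ],
})


def _as_list(value):
    # IAM lets Action and Resource be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy_json, action, resource):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one request."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are not.
        action_patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(action_patterns, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"   # a matching Deny ends evaluation
        allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::marketing/deck.pdf"),
        ("s3:PutObject", "arn:aws:s3:::marketing/deck.pdf"),
        ("s3:ListBucket", "arn:aws:s3:::marketing"),
        ("s3:GetObject", "arn:aws:s3:::finance-reports/q2.xlsx"),
        ("ec2:DescribeInstances", "*"),
    ]
    for action, resource in requests:
        print(f"{action:24} {resource:42} -> {evaluate(BISDEV_POLICY, action, resource)}")
```

The useful takeaways are the two that trip people up in practice: a read-only policy does not need to list every write action to block it (anything not allowed is implicitly denied), and a Deny statement cannot be overridden by attaching a broader Allow elsewhere.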

Step 1: Navigate To IAM

Go to the Services dropdown menu and search for IAM.

Click on IAM. You should be navigated to the IAM Dashboard.

Now we’ll go through the actions in the Security Status section.

Notice that ‘Delete your root access key’ is done for you. If it is not done, then it is recommended that you delete your root access key(s). It is bad practice to use root access keys to access your resources.

Step 2: Activate Multifactor Authentication

Expand “Activate MFA on your root account.”

We will use a “Virtual MFA device.” I will be using Google Authenticator, but you have multiple options. You can click on the “list of compatible applications” to choose the one you like.

Scan the QR code with the application of your choosing. Then enter two consecutive MFA codes from the app.

Navigate back to the IAM Dashboard. You should now see the green checkmark next to the MFA tab.

Step 3: Create an IAM User

Expand “Create individual IAM users.”

Click “Add user.”

Enter a user name. In this case, the user name is “tom.”

We will give this user programmatic access, meaning they will be able to reach resources through an AWS SDK or the CLI using an access key ID and secret access key (these are created and shown when user creation is finalized in a later step).

We will also give the user AWS Management Console access to allow them to log into the AWS Console using their username and password.

Check “Require password reset” so the user must set a new password at their first sign-in.

We will also create a group to add the user to. Tom is a part of the Business Development team so we will create a group called BisDev with limited permissions. Let’s give the group the ability to only read S3 files. Search for the policies related to S3 then choose the one called “AmazonS3ReadOnly.”

Now, download the user credentials and save them. You will need the Access Key and Secret access key to connect programmatically to your AWS resources. If you lose the secret access key you will have to create another.

Now navigate back to the IAM Dashboard. You should have a green checkmark next to create a user. Since we created a group in the process, another checkmark should appear next to “Use groups to assign permissions.”

Step 4: Apply IAM password policy

Expand “Apply an IAM password policy.”

Here you can choose a set of requirements for the user’s passwords.

Navigate back to the IAM Dashboard. All checkmarks should now be present.

Step 5: Get a password for your new user

Navigate to the Users tab, and click on your new user.

Go to the “Security credentials” tab and click “Manage” next to the “Console password.”

Check Autogenerated password and Require password reset. This will allow the user to change their password when they first log in.

Copy/download the autogenerated password and send it over to the new user.

Direct the user to the AWS console sign-in link located in the IAM Dashboard.

They will now be able to sign in using their username and password.
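Steps 3 to 5 can also be done through the IAM API rather than the console. The following is an added example (not code from the article) using boto3: it creates the BisDev group with the AmazonS3ReadOnlyAccess managed policy, creates the user “tom” in it, issues an access key, sets a one-time console password with a forced reset, and applies a password policy whose values are this example’s own choice. boto3 is imported only in `main()` so the helpers can be exercised against any object exposing the same method names; the account the script runs against must have permission to administer IAM.

```python
"""Provision the article's IAM user, group and password policy via boto3 (added example)."""
import secrets
import string

# Step 4 equivalent. Parameter names are those of IAM UpdateAccountPasswordPolicy;
# the values are this example's choice, not the article's.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
            string.digits, "!@#$%^&*()-_=+")


def generate_temporary_password(length=None):
    """One-time console password that satisfies PASSWORD_POLICY."""
    length = length or PASSWORD_POLICY["MinimumPasswordLength"] + 6
    chars = [secrets.choice(cls) for cls in _CLASSES]          # one from each class
    alphabet = "".join(_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                      # CSPRNG-backed shuffle
    return "".join(chars)


def meets_policy(password):
    """Check a password against the length and character-class rules above."""
    return (len(password) >= PASSWORD_POLICY["MinimumPasswordLength"]
            and all(any(c in cls for c in password) for cls in _CLASSES))


def provision_user(iam, user_name, group_name, policy_arn):
    """Steps 3 and 5: group with read-only S3, user in it, access key and console login."""
    iam.create_group(GroupName=group_name)
    iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
    iam.create_user(UserName=user_name)
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    # Programmatic access: the secret is returned exactly once, as the article warns.
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # Console access with a forced password change at first sign-in.
    temp_password = generate_temporary_password()
    iam.create_login_profile(UserName=user_name, Password=temp_password,
                             PasswordResetRequired=True)
    return {"AccessKeyId": key["AccessKeyId"],
            "SecretAccessKey": key["SecretAccessKey"],
            "TemporaryPassword": temp_password}


def apply_password_policy(iam):
    iam.update_account_password_policy(**PASSWORD_POLICY)


def main():
    import boto3  # imported here so the helpers above are usable without boto3 installed
    iam = boto3.client("iam")
    apply_password_policy(iam)
    creds = provision_user(iam, "tom", "BisDev",
                           "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess")
    # Hand these to the user out of band; do not commit or log them.
    print(creds)


if __name__ == "__main__":
    main()
```

Generating the temporary password from the same rules you enforce in the account policy avoids the common failure where the first login is rejected because the initial password does not meet the policy that was set a step later.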

Congrats! Now you can go on and explore the potential of AWS IAM.

Good luck on your journey!
