Working with AWS Identity & Access Management (IAM)

Overview

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.

During this lab experience, you will learn how to create IAM users and groups with specific policies.

What Will You Learn?

  • Navigate the different options in the IAM Management Console

  • Create a new IAM user group

  • Assign a restricted permission policy to the user group

  • Create a new IAM user and add it to a user group

  • Log in to the AWS console with the new IAM user's credentials

Prerequisites

You should have a basic understanding of the following:

  • Basic understanding of Users & Groups

Lab Details

  • Duration: 45 minutes

  • AWS Region: US East (N. Virginia) us-east-1

  • Domain : Networking

Introduction

IAM provides the infrastructure necessary to control authentication and authorization for your account.

This lab experience involves Amazon Web Services (AWS), and you will use the AWS Management Console to complete all the lab steps.

The AWS Management Console is a web control panel for managing all your AWS resources, from EC2 instances to SNS topics. The console enables cloud management for all aspects of the AWS account, including managing security credentials, and even setting up new IAM Users.

An IAM user doesn't have to represent an actual person; you can create an IAM user in order to generate an access key for an application that runs in your corporate network and needs AWS access.

Warning: Because of our strict policy, you have to use the same names provided in the lab for each resource that needs to be created (group, users, etc.).

Lab Steps

Task 1: Create an IAM User Group

  • Click Start Lab to generate AWS credentials and start the lab.

  • Once the lab has started, you will be given an IAM Username, Password and Login URL.

  • Click Open Console; the AWS Management Console opens in a new tab.

  • On the AWS sign-in page, the Account ID is filled in by default.

  • Leave the Account ID as it is. Do not remove or change it, otherwise you cannot proceed with the lab.

  • Enter the IAM Username and Password generated on your QwikSkills dashboard into the AWS console and click Sign in.

  • Search for IAM in the AWS Management Console search bar.


  • Choose User groups from the side menu.


  • To create a new group, choose Create Group.


  • For the user group name, enter qwikskills-usergroup, then attach permission policies to the group. This step is optional, but it is how we give the user group restricted permissions.


  • In the search bar, enter AmazonS3ReadOnlyAccess and select that policy.


  • Choose Create Group. The new user group now appears in the console and can be assigned to any user.


Task 2: Create an IAM User and assign it to a User Group

  • In the IAM console choose Users from side menu


  • Now choose Add user in order to create a new IAM user:


  • There are 5 stages to creating an IAM user. Use the values below for the required fields and leave the remaining settings at their defaults:
  • User name: qwikskills-labuser

  • For AWS access type, select both Access key - Programmatic access and Password - AWS Management Console access

  • Under Console password, choose Autogenerated password

  • Choose Next: Permissions to proceed to stage 2


  • Select Add user to group to attach this user to an existing user group, then choose the user group qwikskills-usergroup.
  • Click Next: Tags to proceed to stage 3

*Leave the remaining fields at their defaults.


  • Skip stage 3. Tags can be attached to the user here, but none are needed for this lab.


  • Review the details and choose the Create user button at the bottom.


  • At this stage you can download or copy the new IAM user's credentials. Click Download .csv to save the file containing the security credentials, then choose Close.

*Download the credentials from this window; they will not be available later.


  • The new user qwikskills-labuser is now visible in the IAM console.

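The credentials window in Task 2 is the only place the new user's secret access key and password are shown, so the sensible next step is to load the downloaded .csv straight into an AWS CLI profile instead of leaving the file lying around. The script below is an added example written for this page, not lab or AWS code. It uses only the Python standard library. The column headers in the sample are my assumption about the layout of the combined download from the five-stage wizard; compare them with the header row of your own file. The key pair is the placeholder pair from the AWS documentation, the password and profile name `qwikskills-lab` are made up, and the account ID is the usual documentation placeholder.

```python
"""Move the credentials .csv from Task 2 into an AWS CLI profile.

Added example, not part of the lab. The console reveals the secret access key
only once, so the downloaded file is parsed and merged into
~/.aws/credentials, which is then restricted to the owner. The secret is
never echoed to the screen; only its masked tail is printed.
"""
import configparser
import csv
import io
import os
from pathlib import Path

# Constructed sample in the assumed layout of the downloaded file. The key
# pair is the placeholder pair from the AWS documentation, not a real key.
SAMPLE_CSV = (
    "User name,Password,Access key ID,Secret access key,Console login link\n"
    "qwikskills-labuser,Example-Temp-Passw0rd,AKIAIOSFODNN7EXAMPLE,"
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,"
    "https://123456789012.signin.aws.amazon.com/console\n"
)

REQUIRED = ("User name", "Access key ID", "Secret access key")


def parse_credentials_csv(text):
    """Return the single user's fields, failing loudly if the layout is off."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) != 1:
        raise ValueError(f"expected one user row, found {len(rows)}")
    row = rows[0]
    missing = [name for name in REQUIRED if not row.get(name)]
    if missing:
        raise ValueError(f"credentials file is missing columns {missing}")
    return {
        "user": row["User name"],
        "access_key_id": row["Access key ID"],
        "secret_access_key": row["Secret access key"],
        "console_url": row.get("Console login link", ""),
    }


def mask(secret, keep=4):
    """Show only the tail of a secret, for logs and screen output."""
    return "*" * max(len(secret) - keep, 0) + secret[-keep:]


def _section(creds):
    """The two keys the AWS CLI reads from a [profile] section."""
    return {
        "aws_access_key_id": creds["access_key_id"],
        "aws_secret_access_key": creds["secret_access_key"],
    }


def render_profile(creds, profile):
    """Render one [profile] section in ~/.aws/credentials INI syntax."""
    cfg = configparser.ConfigParser()
    cfg[profile] = _section(creds)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def write_profile(creds, profile, path=None):
    """Merge the profile into the credentials file and lock the file down."""
    path = Path(path) if path else Path.home() / ".aws" / "credentials"
    path.parent.mkdir(parents=True, exist_ok=True)
    cfg = configparser.ConfigParser()
    cfg.read(path)                      # keep any profiles already present
    cfg[profile] = _section(creds)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)               # owner read/write only
    return path


if __name__ == "__main__":
    creds = parse_credentials_csv(SAMPLE_CSV)
    print(f"user {creds['user']}: key id {creds['access_key_id']}, "
          f"secret {mask(creds['secret_access_key'])}")
    print(render_profile(creds, "qwikskills-lab"))
    # write_profile(creds, "qwikskills-lab")   # uncomment to install the profile
```

Once the profile is installed, `aws s3 ls --profile qwikskills-lab` exercises the programmatic access granted in Task 2 with the same read-only permissions the console login has, and the .csv can be deleted.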

Task 3: Using the new IAM user to log in to the AWS console

  • In the IAM console choose Users from side menu


  • Search for qwikskills-labuser and click the username.


  • Switch to the Security credentials tab and open the link shown under Console sign-in link.


  • Here, enter the credentials you downloaded in the user creation step and click Sign in. Now explore the Amazon S3 service in the console.

*You will get an Access Denied message if you try to access any other resource, because of the restricted permissions applied to your user group.

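The Access Denied messages in Task 3 and the AmazonS3ReadOnlyAccess policy chosen in Task 1 are two sides of the same evaluation rule: a request is denied unless some policy allows it, and an explicit Deny beats any Allow. The script below is an added example written for this page, not lab or AWS code, and it deliberately models only those rules. The `S3_READ_ONLY` document is a constructed stand-in shaped like AmazonS3ReadOnlyAccess rather than a copy of the live managed policy, the `DENY_SENSITIVE_BUCKET` policy and the bucket names are made up, and conditions, NotAction, resource-based policies, permissions boundaries and SCPs are left out.

```python
"""Simplified model of IAM identity-based policy evaluation.

Added example; not code from the lab or from AWS. It models the three rules
needed to explain what the lab user sees: requests are denied by default, an
Allow statement grants exactly the actions it names (wildcards permitted), and
an explicit Deny overrides every Allow. Conditions, NotAction, resource-based
policies, permissions boundaries and SCPs are out of scope.
"""
import fnmatch

# Constructed stand-in for the managed policy attached to qwikskills-usergroup
# in Task 1. Its shape follows AmazonS3ReadOnlyAccess but it is not copied
# from AWS; check the live policy document in the IAM console.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*", "s3:Describe*"],
         "Resource": "*"}
    ],
}

# Constructed second policy used below to show that Deny beats Allow.
DENY_SENSITIVE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::sensitive-bucket",
                      "arn:aws:s3:::sensitive-bucket/*"]}
    ],
}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive and may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """Resource ARNs are matched case-sensitively with the same wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def _statement_applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_action_matches(p, action) for p in actions)
            and any(_resource_matches(p, resource) for p in resources))


def evaluate(policies, action, resource="*"):
    """Return "Allow" or "Deny" for one request against the given policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny: stop immediately
            allowed = True             # remember the allow, keep scanning for denies
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed it


# Requests the lab user might make while exploring the console (constructed).
LAB_REQUESTS = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
    ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
    ("ec2:DescribeInstances", "*"),
    ("iam:CreateUser", "*"),
]


def lab_outcomes(policies=(S3_READ_ONLY,)):
    """Map each sample request to the decision the group's policies produce."""
    return {action: evaluate(list(policies), action, resource)
            for action, resource in LAB_REQUESTS}


if __name__ == "__main__":
    for action, decision in lab_outcomes().items():
        print(f"{action:<24} {decision}")
    # Adding an explicit Deny narrows even the read-only grant:
    combined = [S3_READ_ONLY, DENY_SENSITIVE_BUCKET]
    print("sensitive bucket read:",
          evaluate(combined, "s3:GetObject", "arn:aws:s3:::sensitive-bucket/x"))
```

Running it shows the lab's behaviour in miniature: listing buckets and reading objects is allowed, while writing to S3 or touching EC2 or IAM falls through to the implicit deny that produces the Access Denied page. The second policy shows why a group can be narrowed further without editing the managed policy: a Deny statement on one bucket wins even though the read-only Allow still matches.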

Conclusion

In this lab you learnt how to navigate the IAM console, create a new user and group, and attach permissions to them. The restricted permission policy you attached to the IAM user group ensures that its users have only limited access to resources, which is a best practice to follow.

Lab Completion

  • You have successfully created an IAM User Group & assigned restricted permissions

  • You have successfully created a new IAM User

  • You have assigned a user group to the IAM user and successfully logged in to the AWS console with the new user

Lab Ending

  • Delete the IAM group you created
  • Delete the IAM user and its credentials
  • Sign out of the AWS account
  • Once you have completed the lab, click End Lab on your learning dashboard.