Step-by-Step Guide to Creating IAM Users and Groups on AWS

Step-by-Step Guide to Creating IAM Users and Groups on AWS

A Beginner's Guide to Setting Up Secure IAM Users and Groups on AWS

# Introduction

In this guide, I’ll walk you through setting up and managing IAM users and groups in AWS, a crucial part of securing your AWS environment. By using IAM (Identity and Access Management), you can grant specific permissions to users, reducing security risks while maintaining efficient access control. This setup is essential for AWS administrators looking to enforce best practices and manage permissions effectively.

# What Will You Do?

  • Create a new IAM user and assign appropriate permissions.

  • Set up an IAM group with pre-defined policies and add users to the group.

  • Configure a custom login URL using an AWS account alias for user convenience.

  • Verify user permissions and test IAM access with the newly created login URL.

# What Will You Learn?

  • How to create and manage IAM users and groups in AWS.

  • Best practices for securing your AWS environment by limiting root account usage.

  • Setting up custom sign-in URLs to simplify IAM user access.

  • How to assign permissions through IAM groups to streamline user management.

# Pre-requisites

  • Basic knowledge of AWS and its services.

  • Access to the AWS Management Console with root account credentials.

  • Familiarity with general cloud computing and security practices is beneficial, but not required.

# Getting Started

IAM allows you to securely control access to AWS services and resources by creating specific users, assigning permissions, and organizing these users into groups with shared policies. This initial setup will streamline your AWS account management and enforce security best practices. Once logged in, you’ll be ready to create and configure IAM users and groups for secure access control. To get started with this activity on the AWS Management Console, log in to your account and navigate to the IAM (Identity and Access Management) service.

AWS management console dashboard

Log in to the AWS root user account to access the management console.

AWS IAM service search on management console global search

After logging in, search the IAM (Identity and Access Management) service to create and manage users and groups.

AWS Users List CTA Section

Within IAM, click on Users from the left sidebar to view, add, or manage users.

AWS IAM Create User button

In the Users section, click on Create user to create a new IAM user.

AWS IAM User Details

You’ll then specify the user details like username and permissions. Then click Next.

AWS Users Groups With Setting Permissions

In AWS, adding a user to a user group helps manage permissions efficiently by applying permissions to the group rather than each individual user.

In this guide, we'll create a new user group, "admin_group," with Administrator Access permissions. If the existing user group name (e.g., "admin") already had the required permissions, we could add the user (e.g., "jefelix") to that group directly. However, since we’re defining new permissions, we’ll create a new group for this purpose.

To proceed:

\> Select Create group to define the new "admin_group" with the Administrator Access policy.

AWS User Group Permission Policies

Enter a user group name, select a policy or the necessary policies, review permissions, and click Create user group.

AWS Users Group with newly created user group name

User group list displaying the newly added user group.

AWS Users Group Permissions Options

To add the user "jefelix" to the "admin_group," select admin_group. A user can belong to multiple groups, but for this guide, we will only add "jefelix" to the "admin_group" with the Administrator Access policy. Then click Next to proceed.

AWS Users Group Creation Review

Now review the user details and permissions for the account. You can optionally add a tag to help organize and manage your AWS resources. For example, using "Department" as the key and "Arts and Sport" as the value helps categorize the user by department. After reviewing the details, click Create user to finish the process.

AWS Access Key Id and Secret Access Key

You’ll receive an option to download the user’s Access Key ID and Secret Access Key. It’s crucial to download these credentials as you won’t be able to view them again. After downloading, click on ‘return to users list’.

AWS IAM Users Group List

Verify in the IAM Users list that your new IAM user, "jefelix" is listed with only one group in the Group column.

AWS User Groups

Verify in the User Group list that your new Group Name, "admin_group" is listed with only one user in the Users column.

Then Click on admin_group to confirm that the user "jefelix" is listed in the Users tab within the group.

AWS User Groups With Users

This confirms that the user “jefelix” exists in the “admin_group” User group tab.

AWS User Groups

In the group's Permissions tab, confirm the policies attached to the user group that the user will inherit.

AWS Users List

To see all permissions for the specific user “jefelix”, go to the Users section. Then click on the user.

AWS IAM Users Permissions Policies

Next, review the attached permission policies. In this case, the user "jefelix" has the AdministratorAccess policy, which he inherited from the admin_group user group assigned to him.

AWS IAM Dashboard

Click Dashboard to navigate to the IAM dashboard, select Create to set up a custom URL for user login.

Enter your preferred alias and click Create alias to confirm.

An alias helps simplify your login process by providing a user-friendly name for your AWS root account, making it easier to remember and access, rather than using the default account ID or email address.

Once the alias is created, it will be displayed on the dashboard. Copy this link for your IAM users to access.

Open an Incognito (or private) browser tab to ensure the AWS root account session remains separate, then paste the copied alias link in the Incognito window.

Enter the IAM username and password to log in through the alias URL.

Once logged in, verify the IAM user is signed in by checking the username at the top right corner. Then click on the IAM user name at the top right to toggle a view of Account ID and IAM user details.

# Challenge

Now that you've learned how to create and manage IAM users and groups, try implementing them in your own AWS account! Set up a new users, assign them to a group, and configure permissions for various AWS services.

Ashis Patel's AWS IAM Challenge

Image Credit:

The challenge image is credited to Ashis Patel.

Great job setting up IAM users and groups! By using IAM users instead of the root account for daily tasks, you’re following a key security best practice. The root account has unlimited access and should only be used when absolutely necessary. Losing access to it would mean contacting AWS Support for recovery—a process best avoided. With IAM users, you can manage access securely and keep your AWS environment safer. Got questions about AWS IAM users? Drop a comment below—I’m here to help!