Step-by-Step Guide to Creating IAM Users and Groups on AWS
A Beginner's Guide to Setting Up Secure IAM Users and Groups on AWS
# Introduction
In this guide, I’ll walk you through setting up and managing IAM users and groups in AWS, a crucial part of securing your AWS environment. By using IAM (Identity and Access Management), you can grant specific permissions to users, reducing security risks while maintaining efficient access control. This setup is essential for AWS administrators looking to enforce best practices and manage permissions effectively.
# What Will You Do?
Create a new IAM user and assign appropriate permissions.
Set up an IAM group with pre-defined policies and add users to the group.
Configure a custom login URL using an AWS account alias for user convenience.
Verify user permissions and test IAM access with the newly created login URL.
# What Will You Learn?
How to create and manage IAM users and groups in AWS.
Best practices for securing your AWS environment by limiting root account usage.
Setting up custom sign-in URLs to simplify IAM user access.
How to assign permissions through IAM groups to streamline user management.
# Pre-requisites
Basic knowledge of AWS and its services.
Access to the AWS Management Console with root account credentials.
Familiarity with general cloud computing and security practices is beneficial, but not required.
# Getting Started
IAM allows you to securely control access to AWS services and resources by creating specific users, assigning permissions, and organizing these users into groups with shared policies. This initial setup will streamline your AWS account management and enforce security best practices. Once logged in, you’ll be ready to create and configure IAM users and groups for secure access control. To get started with this activity on the AWS Management Console, log in to your account and navigate to the IAM (Identity and Access Management) service.
Log in to the AWS root user account to access the management console.
After logging in, search the IAM (Identity and Access Management) service to create and manage users and groups.
Within IAM, click on Users from the left sidebar to view, add, or manage users.
In the Users section, click on Create user to create a new IAM user.
You’ll then specify the user details like username and permissions. Then click Next.
In AWS, adding a user to a user group helps manage permissions efficiently by applying permissions to the group rather than each individual user.
In this guide, we'll create a new user group, "admin_group," with Administrator Access permissions. If the existing user group name (e.g., "admin") already had the required permissions, we could add the user (e.g., "jefelix") to that group directly. However, since we’re defining new permissions, we’ll create a new group for this purpose.
To proceed:
\> Select Create group to define the new "admin_group" with the Administrator Access policy.
Enter a user group name, select a policy or the necessary policies, review permissions, and click Create user group.
User group list displaying the newly added user group.
To add the user "jefelix" to the "admin_group," select admin_group. A user can belong to multiple groups, but for this guide, we will only add "jefelix" to the "admin_group" with the Administrator Access policy. Then click Next to proceed.
Now review the user details and permissions for the account. You can optionally add a tag to help organize and manage your AWS resources. For example, using "Department" as the key and "Arts and Sport" as the value helps categorize the user by department. After reviewing the details, click Create user to finish the process.
You’ll receive an option to download the user’s Access Key ID and Secret Access Key. It’s crucial to download these credentials as you won’t be able to view them again. After downloading, click on ‘return to users list’.
Verify in the IAM Users list that your new IAM user, "jefelix" is listed with only one group in the Group column.
Verify in the User Group list that your new Group Name, "admin_group" is listed with only one user in the Users column.
Then Click on admin_group to confirm that the user "jefelix" is listed in the Users tab within the group.
This confirms that the user “jefelix” exists in the “admin_group” User group tab.
In the group's Permissions tab, confirm the policies attached to the user group that the user will inherit.
To see all permissions for the specific user “jefelix”, go to the Users section. Then click on the user.
Next, review the attached permission policies. In this case, the user "jefelix" has the AdministratorAccess policy, which he inherited from the admin_group user group assigned to him.
Click Dashboard to navigate to the IAM dashboard, select Create to set up a custom URL for user login.
Enter your preferred alias and click Create alias to confirm.
An alias helps simplify your login process by providing a user-friendly name for your AWS root account, making it easier to remember and access, rather than using the default account ID or email address.
Once the alias is created, it will be displayed on the dashboard. Copy this link for your IAM users to access.
Open an Incognito (or private) browser tab to ensure the AWS root account session remains separate, then paste the copied alias link in the Incognito window.
Enter the IAM username and password to log in through the alias URL.
Once logged in, verify the IAM user is signed in by checking the username at the top right corner. Then click on the IAM user name at the top right to toggle a view of Account ID and IAM user details.
# Challenge
Now that you've learned how to create and manage IAM users and groups, try implementing them in your own AWS account! Set up a new users, assign them to a group, and configure permissions for various AWS services.
Image Credit:
The challenge image is credited to Ashis Patel.
Great job setting up IAM users and groups! By using IAM users instead of the root account for daily tasks, you’re following a key security best practice. The root account has unlimited access and should only be used when absolutely necessary. Losing access to it would mean contacting AWS Support for recovery—a process best avoided. With IAM users, you can manage access securely and keep your AWS environment safer. Got questions about AWS IAM users? Drop a comment below—I’m here to help!