Immersion Day

IAM Hands-On Lab

Getting Started with Identity & Access Management

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity & Access Management (IAM) Overview
AWS Identity and Access Management (IAM) is a free service that enables you to manage access to AWS services
and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to
allow and deny their access to AWS resources.

In the following lab, you will create one of each of the three types of AWS IAM entities: groups, users, and roles.
You will also learn about IAM policy documents, which you can attach to entities in order to give them
permissions to access AWS resources and services.

Create an IAM Group

1. To get started, go to the IAM dashboard in the AWS console.

An IAM group is a collection of users. Groups are often based on job function or role. They allow you to manage
permissions by applying policies to each group rather than individual users.

2. Go to Groups in the sidebar and click on Create New Group.

3. Type in Power_Users as the Group Name. Go to the Next Step.

Now we will attach a policy to the group. Policies are what give IAM entities permissions. AWS provides managed
policies for many common access needs, but you can also write your own custom policies if needed.

For this lab, we are attaching an AWS managed policy called PowerUserAccess. This policy allows all AWS actions
except for most IAM actions. This will prevent Power_Users from giving themselves more permissions.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
4. Attach this policy to your group by typing power into the search bar, and then selecting the correct policy.
Go to the Next Step and then Create Group.

The group Power_Users is now created and you are back on the Groups page. Click on the Power_Users group
and go to the Permissions tab.

We’re not going in depth on IAM policy documents in this lab, but if you’re curious, you should view the JSON
content of the PowerUserAccess policy by clicking on Show Policy.

Awesome! You just created an IAM group with a policy attached which will give any user in this group permissions
to do anything except for most IAM actions, such as giving themselves or others additional permissions. Next, we
will create a user to put into this group.

Create an IAM User

It is best practice to create a different user for each person who needs AWS access. A user is associated with
permanent credentials and has permissions based off of policies attached directly to the user or policies attached
to a group to which the user belongs.

1. Go to Users in the sidebar and click on Add user.

Enter a unique name as the User name. In this walkthrough, I chose Emily as the username.
For this lab, we will choose to give this user both Programmatic access and AWS Management Console access. In
practice, follow the principle of least privilege and only give users the type(s) of access necessary for their work.
This prevents unnecessary extra credentials from being created.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
For console access, you can choose to have AWS autogenerate a password or you can type in a custom password
here. Either way, you have the option of emailing this password to the user at the end of this process. Click Next.

Now we will Add user to the group we made in the previous step, Power_Users. There are other options which
would attach policies directly to this user, but as mentioned before, using IAM groups is a best practice in order to
simplify policy management.

If the top of your page doesn’t look like the screenshot below, you need to scroll up.

Go to Next: Review and then Create user.

After clicking create user, you will be presented with all of the information you will need to get that user started
working in AWS.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
For programmatic access, the user will need their Access key ID and Secret access key. Take note of the Secret
access key now or Download .csv. You will never be able to retrieve the secret key once you leave this page.

For console access, the user will need the IAM users sign-in link: https://[account ID or
alias].signin.aws.amazon.com/console. Or, they can go to https://console.aws.amazon.com and login as long as
they know the account ID or alias.

They will also need to know their username and password. Take note of the password, Download .csv, or Send an
email to the user with their login information. If you decide to go down the email route, remember to fill in the
username in the pre-written email and send the password in a separate email. You will not be able to see the
password once you leave this page.

For this lab, you will need to have the account ID/alias, username, and password.
Once you’re done, Close out of this page.

Back on the Users page, click on the User name of the user that you just created.

Go to the Security credentials tab. If you forgot to take note of the access keys or password before, or if
credentials have been compromised, here is where you can reset the password (click on Manage password),
change access keys to inactive, and create new access keys.
Great! You have just created an IAM user with both programmatic and console access. You didn’t have to attach

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
policy permissions directly to the user since you had a group created already with the correct permissions.

Test IAM User Access

In this section, we will put your IAM User to the test. You will want to stay logged in as you currently are while at
the same time testing the user’s access. To do this, you will need to either open a different browser or open
private browsing in your current browser. You will use this new window to sign in as the user you just created. If
you didn’t take note of the password or login link previously, now is the time to do so.

Go to your account’s IAM user sign-in page. You could also just go to console.aws.amazon.com and enter your
account ID or alias. Sign in using the IAM User username and password.

You can tell which user you are signed in as by looking at the top right corner of the console. The dropdown menu
will now be titled User @ Account ID/Alias.

We know from the IAM Group section that this user has access to everything except most IAM permissions. Go to
the IAM dashboard to see this in action.

Now instead of seeing a summary of IAM users, groups, and roles, you will see multiple errors.

Now we will give the user extra permissions in order to allow access to IAM.

Go to your other browser. You should still be in the Users dashboard on this user’s page. Go to the Permissions
tab and click on Add permissions. Adding permissions this way will attach policies directly to the user rather than
to the entire group.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
This time, we will Attach existing policies directly. Type IAM into the search bar to find a managed policy which
will give this user access to IAM. Select the IAMFullAccess policy and click on Next: Review and then Add
permissions.

Go back to the browser where you are signed in as the user. IAM policies are evaluated every time an action is
attempted, so we just need to refresh the page to see the changes we made take effect. The IAM dashboard
should now show content rather than errors.

Congrats! You just tested an IAM user’s access to the console and modified their
privileges as needed.

Create an IAM Role

IAM Roles can be assumed by AWS services, IAM users, or applications. They are assigned temporary rather than
permanent credentials whenever assumed. Using roles for privileged permissions sets (such as the
PowerUserAccess policy) can help improve your security posture since credential exposure is minimized.

1. Go to Roles in the sidebar and click on Create Role.

2. On the Select type of trusted identity page, you decide who or what will be able to assume this role. For

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
this lab, we will create a role that allows an EC2 instance to read files in S3. Therefore, we will stay on the
AWS service tab and select EC2. Go to Next: Permissions.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
3. Attach a managed policy with S3 Read Only access to the role by typing s3 into the search bar, and then
selecting the AmazonS3ReadOnlyAccess policy. Go to the Next: Review.

4. Give your role a descriptive name, such as EC2_S3ReadOnly and edit the role description to be a helpful
summary of what this role is. When you’re done, Create Role.

5. You are now back on the Roles page. Enter the name of the role you just created into the search bar and
click on the role name.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
6. You are now on the Summary page of the role you just created. Here you can view and edit attributes of
the role, such as how long the role’s temporary credentials last. The default value as you can see below is
1 hour but can be as long as 12 hours.

Awesome! You’ve just created an IAM role which will allow EC2 instances to read
objects in S3.

Clean Up Lab Resources

If you want to clean up your account to get rid of everything we created during this lab, follow the instructions in
this section. You can also leave your lab environment running if you want to test other AWS IAM concepts.

Go to Groups in the sidebar. Select the Power_Users group and go to the Group Actions dropdown. Select Delete
Group and then Yes, Delete.

Go to Users in the sidebar. Select the user you created and select Delete user. Select the checkbox and then Yes,
delete.

Go to Roles in the sidebar. Type in EC2_S3ReadOnly in the search bar. Select the role and then click on Delete
role. Since we didn’t actually use this role and there was no recent activity, the pop-up window will not ask for a
confirmation. Click Yes, delete.

Additional Resources

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
IAM Introduction: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
IAM Best Practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IAM Policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
IAM Tutorials: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorials.html

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.