In this video, Jeff Winesett demonstrates creating a new IAM user, adding this user to a group, and customizing the permission policy associated with the group.
- [Instructor] Now that I am logged in to my account, the first thing to do is follow an AWS recommended security practice and immediately set up a separate user within the account, so that I do not continue to access the account as the account owner. The account owner has access to every single resource, including all billing information. This information should be protected. The recommended practice is to set up users within the account using the Identity and Access Management feature, or IAM.
And I keep the account owner credentials secret. The IAM service is found by just searching for IAM right up here in the services. There it is. The IAM dashboard allows for the management of IAM resources such as users, groups, roles, and permission policies. Since I'm going to create a new user, I click on the Users in the left-hand menu and then Add User from above.
The first thing I do is give the user a name. Why not my name, Jeff? It allows me to add multiple users if I like. I don't need to do that at this time. Since I'll be using this user to log in to the Management Console, I do need AWS Management Console access. However, at this time, I'm not going to be using this user for API access, so I don't need to generate my keys at this time. Since I'm going to be using this user myself throughout the rest of the demos in this course, I'm going to go ahead and create a custom password for myself.
You can have it autogenerated as well. And I'm gonna go ahead and uncheck the option that I must recreate this password upon my next sign in. But that's an option for you as well if you're creating users for other people. Next, I configure permissions. On this screen, we can choose to add the user to a group, we can copy permissions from other existing users, or we can attach existing policies directly to the user.
I'm gonna be using this user to login and do everything else throughout the rest of this course, so I need to make this user an administrative user. And since I may want to create other users with that same set of permissions, I'm gonna create a group. I do that by clicking Create Group. The first thing to do is give the group a name. I'll call it Admin. The next thing to do is give that group permissions. AWS provides many preconfigured permission policies that help with setting up permissions.
Since I want this user to have full access to our resources, I could simply use the preconfigured administrator access policy that's right here up front. However, to show a little more about policies, let's choose Create Policy. When creating a new policy, I can start with one of the Managed Policy templates and customize it, or I can use the Policy Generator to choose from a list of specific actions and resources to either allow or deny. Additionally, if I really know what I'm doing, I could just type in the desired policy from scratch.
Since I want full administrative access, I'm going to start with that AWS managed policy. So, I'm gonna choose Copy an AWS Managed Policy and I'm gonna search for administrative access. There it is, I'll select that one. Now I'm presented with the screen allowing me to make customizations. Here, I can customize the policy name, I can provide a description, and I can also customize the policy permissions. A policy lets us define actions, resources, and effects.
Each AWS service has its own set of actions. For example, you might allow a user to use the Amazon S3 list bucket action, which returns information about the items in a bucket. Any actions that you don't explicitly allow are denied. Resources specify which AWS resources you want to allow the actions on. For example, what specific Amazon S3 buckets on which to allow the user to perform the list bucket action. Users cannot access any resources that you have not explicitly granted permissions to.
And the effect specifies what will be the effect when the user requests the access. This is either allow or deny. Because the default is that resources are denied to users, you typically specify that you will allow users access to a resource. These policies are created using JSON, as we can see here, and a policy consists of one or more statements. So, I can see that this admin policy is allowing us to perform all actions on all resources, but suppose I want to allow these admins to perform all actions on all resources except managing other IAM resources like users, roles, and groups.
I can make this customization to the policy by adding another statement to deny IAM. Here I would do that by just putting a comma right after the first statement, creating a new statement, giving it an Effect, and I want to deny the action. Give it a description.
Upon having created this new policy, it actually kicks me out in a new tab where I'm back to the identity and access management homepage. Don't let this throw you off. You can go back to the tab where you've got the Create Group still going. So, now I've created that policy and I can do a search for that policy. As you can see, because I was already in the other tab, I needed to do a refresh to see the actual results of that previous policy I created.
So, now I can choose administrator access, no IAM, and continue to create the group. Great, I've created the new group and attached the policy and now I'm gonna continue to review this new user. It gives me a moment to review the information I entered and I can click Create User. It tells me that I'm complete and that the creation of the user was successful. I can close out of here and let me go back to the main dashboard.
Now, one other thing I'd like to do before leaving this section and logging out as the root user and logging in as the new user I just created is to take a look at the URL that this new user has to use to log in. When we created the user, we gave the user credentials to log in and they would need to do so using this URL here. This consists of our account identifier and then signin.aws.amazon.com and a bunch of stuff that's gonna be hard to remember.
A nice thing is that you can create an account alias to make things a lot easier for your users to remember. To do so, click on Customize and I can create an account alias. I'll try the account alias, linkedinaws. These have to be unique, so I need to see if it's available. Looks like it was. So, now I can remember linkedinaws.signin.aws.amazon.com rather than having to remember that long identifier to begin with.
So, now let me copy that link just to have it. And now I can log out as the master account. Put that into the browser to sign into the account that I created. Jeff and the password I added. Now it logs me into the console as the new user. So, one thing I wanna show is that when I created this new user, I added them to the administrative group, which you might be thinking gives access to everything, but, in fact, it does not.
One thing it does not give access to is the billing information, which is exactly why we created this new user and why we don't wanna use the master account. To demonstrate that, if I try to go into the billing dashboard, I'm met with an access denied message telling me that I don't have permissions to access the billing information. Additionally, you may recall that we adjusted the policy to indicate that I was supposed to be denied all access to the Identity and Access Management service. So, if I try to go to the IAM service as this user, I'm met with a bunch of information that tells me I don't have authorization to perform any of these actions, because I've denied star to anything that's in the IAM resource.
So, it shows me that my policy is working and is in place. Now, since I'm going to be using this account to do everything else that we want to be doing throughout this course, I don't wanna be restricted by this. I just showed the change in the policy to demonstrate how to make that change. So, let me quickly demonstrate how you go edit it, because, well, I'd like to have access to IAM as we go throughout the course. To do that, of course, I have to log back in as the master account, or at least with the user that has access to the IAM service.
So, we go back to our URL. This time, I wanna choose sign in using the root credentials. This was the first user I created upon the initial account creation. I'll go back into IAM. I can look at customer managed policies, which is the policy that I've changed. There's my policy. No IAM. Look at the JSON, click Edit, and just get rid of this here.
Go ahead and validate that. Nice, it worked. It shows me that I still kept in a comma when I didn't need it. Let's validate again, policy is valid, great. Let me save. It was updated successfully. Let's do a final test just to make sure I can login as my Jeff user and still get access to IAM.
Back into IAM and, alright, I'm no longer met with that information that tells me I don't have access, so I'm back in, perfect, that's exactly where I wanna be.
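The policy customization walked through above (AdministratorAccess plus a second statement denying iam:*) and the evaluation rules the instructor describes (everything not explicitly allowed is denied; an explicit deny wins) can be checked offline with a small evaluator. The following is an added example, not code from the course or from AWS: the policy document mirrors the one built in the video (the Deny statement's Resource "*" is assumed), and the evaluator is a deliberately simplified model of IAM's documented rules with no conditions, NotAction, resource-based policies or SCPs. The account ID, ARNs and sample requests are constructed for the demo.

```python
"""
Minimal simulator of IAM identity-policy evaluation for the customised
"AdministratorAccess, no IAM" policy built in the video.  Added example,
not course or AWS code.  Modelled rules: implicit deny by default, any
matching explicit Deny is final, otherwise a matching Allow grants access.
"""
import fnmatch
import json

# The customer managed policy as described: AdministratorAccess with an
# extra statement that denies every IAM action (Resource "*" assumed).
ADMIN_NO_IAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "*",     "Resource": "*" },
    { "Effect": "Deny",  "Action": "iam:*", "Resource": "*" }
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # explicit deny always wins, stop here
        if stmt["Effect"] == "Allow":
            allowed = True     # remember, but keep scanning for a Deny
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny


# Constructed sample requests the "Jeff" user might make (fake account ID).
SAMPLE_REQUESTS = [
    ("s3:ListBucket", "arn:aws:s3:::example-bucket"),
    ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*"),
    ("iam:ListUsers", "*"),
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/alice"),
]


def decisions(policy=ADMIN_NO_IAM_POLICY, requests=SAMPLE_REQUESTS):
    """Map each sample action to its Allow/Deny decision under the policy."""
    return {action: evaluate(policy, action, resource) for action, resource in requests}


def restore_iam_access(policy):
    """The edit made at the end of the video: drop the Deny statement."""
    return {
        "Version": policy["Version"],
        "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"],
    }


if __name__ == "__main__":
    for action, result in decisions().items():
        print(f"{action:20} -> {result}")
    print("after removing the Deny:", decisions(restore_iam_access(ADMIN_NO_IAM_POLICY)))
```

Running it shows s3 and ec2 requests allowed and both iam requests denied even though the first statement allows "*", which is the explicit-deny-wins rule the console screen in the video illustrates; after restore_iam_access the iam requests are allowed again. The billing denial seen in the video is not modelled here: it is controlled by the account-level setting that the root user must enable before IAM principals can reach the Billing console, independent of this policy.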