Getting Started with AWS (Part 6)


Introduction

We’ve been examining AWS Identity and Access Management (IAM), a web service that enables you to create and manage users and assign user permissions using policies for controlling access to your AWS cloud environment. In the last article we familiarized ourselves with the features of the IAM Console. We also created a friendly alias for our AWS account ID and we made sure that we haven’t generated any access keys for our AWS root account. We’re now ready to continue with setting up a typical IAM infrastructure for your AWS environment, and the step we’re going to cover today is how you can create a new user that has administrator privileges so you can use this user instead of your root account for managing your AWS environment.

IAM tasks to perform

Figure 1 below, which we saw in the previous article of this series, lists five tasks you should perform using the IAM Console to secure your AWS environment before you begin using it for your business.

Figure 1: Tasks you should perform with the IAM Console when first setting up your AWS environment.

The five tasks you should perform are as follows:

  1. Delete your root account access keys – This is important because these keys provide unrestricted access to your AWS resources.
  2. Activate multi-factor authentication (MFA) on your AWS root account – It’s a good idea to do this so you can add another layer of protection to help keep your root account secure.
  3. Create individual IAM users – It’s important not to use your AWS root account for day-to-day operations since this account provides unrestricted access to all of your AWS resources. You should therefore create at least one new user and assign this user administrator privileges to your AWS environment.
  4. Use groups to assign permissions – As in the familiar Active Directory model, you should assign permissions to groups, not to users. You can then grant permissions to users by making them members of the appropriate groups.
  5. Apply an IAM password policy – You should configure a password policy that requires your users to have strong passwords. You may also want users to change their passwords regularly.

Of these five tasks, the first one is already done, since no access keys were generated for your root account when you first signed up for the AWS Free Tier. The second task requires a supported MFA device before you can complete it. MFA devices can be of two types:

  • Hardware MFA devices – An example would be a smart card or key fob such as those offered by Gemalto.
  • Virtual MFA devices – An example would be a smartphone app like Google Authenticator that can be used to generate a time-based one-time password (TOTP).

For the rest of this article we’ll focus on the last three tasks in Figure 1. Here’s what we’re going to do:

  1. Create a new group that has administrator privileges
  2. Create a new user and add it to the group we created
  3. Configure a password policy for IAM users
  4. Log on to the AWS Management Console using our new user and verify the user has full administrator privileges for our AWS environment.
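The same steps can be scripted with boto3 instead of clicked through in the Console; the example below is added here and is not from the article. It attaches the AWS managed AdministratorAccess policy (the current equivalent of the Administrator Access template the wizard applies), and the RecordingClient stub is an assumption used so the call sequence can be checked without an AWS account.

```python
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def bootstrap_admin(iam, group="Admins", user="Bob_Smith", password=None):
    """Create the group, attach AdministratorAccess, create the user and add
    it to the group. 'iam' is a boto3 IAM client or any object with the same
    method names. create_user never generates an access key, which matches
    clearing the 'Generate an access key for each user' checkbox."""
    iam.create_group(GroupName=group)
    iam.attach_group_policy(GroupName=group, PolicyArn=ADMIN_POLICY_ARN)
    iam.create_user(UserName=user)
    iam.add_user_to_group(GroupName=group, UserName=user)
    if password is not None:
        # Console password only; IAM validates it against the account
        # password policy, and the user must change it at first sign-in.
        iam.create_login_profile(
            UserName=user, Password=password, PasswordResetRequired=True
        )
    return {"group": group, "user": user, "policy_arn": ADMIN_POLICY_ARN}


class RecordingClient:
    """Stub standing in for boto3.client('iam'): records each call so the
    sequence can be inspected offline without touching an AWS account."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


if __name__ == "__main__":
    # Against a real account: bootstrap_admin(boto3.client("iam"), password=...)
    client = RecordingClient()
    bootstrap_admin(client, password="<choose-a-long-passphrase>")
    for name, kwargs in client.calls:
        print(name, kwargs)
```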

Creating a group

We’ll start by creating a new IAM group called Admins that grants administrative privileges to users who are members of the group. Begin by selecting the Groups page in the IAM Console:

Figure 2: Step 1 of creating a new group in IAM.

You can see from the above that unlike Active Directory there are no default or built-in groups in IAM. Click the Create New Group button to launch the Create New Group Wizard. Then type “Admins” in the Group Name field as shown here:

Figure 3: Step 2 of creating a new group in IAM.

Clicking the Next Step button takes us to the Set Permissions page where we can select or create a policy template that assigns permissions to members of the new group. We’ll select the Administrator Access template which will provide members of the group with full access to all services and resources in your AWS environment:

Figure 4: Step 3 of creating a new group in IAM.

The wizard page changes to display the JSON (JavaScript Object Notation) policy document that defines the permissions of the policy you selected:

Figure 5: Step 4 of creating a new group in IAM.
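To make concrete what that template grants, here is an added example (not from the article) that places the document behind Administrator Access beside a constructed IAM read-only policy and evaluates both with a minimal matcher, showing how the bare `*` wildcards cover every action on every resource. It handles Allow statements only and ignores Deny, conditions and resource policies.

```python
import fnmatch
import json

# The document behind the Administrator Access template.
ADMINISTRATOR_ACCESS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
""")

# A scoped policy for contrast (constructed): read-only on IAM, nothing else.
IAM_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """True if some Allow statement matches both the action and the resource.
    Action names are case-insensitive and patterns use '*' and '?', so
    fnmatchcase on lower-cased strings approximates IAM's matching rule."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                        for p in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, p)
                          for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def grants_full_access(policy):
    """Flag the Administrator Access shape: an Allow statement whose Action
    and Resource are both the bare wildcard."""
    return any(stmt.get("Effect") == "Allow"
               and "*" in _as_list(stmt["Action"])
               and "*" in _as_list(stmt["Resource"])
               for stmt in policy["Statement"])
```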

The final wizard step is to review the results before creating the group. Note that a timestamp has been appended to the permissions policy to indicate the date and time when the policy was applied to the new group:

Figure 6: Step 5 of creating a new group in IAM.

Once the new group has been created, you can view its properties on the Groups page of the IAM Console:

Figure 7: The Admins group has been created.

Now that we’ve created the Admins group, our next step is to create a new user and add it to the group.

Creating a user

Begin by selecting the Users page in the IAM Console. Once again you can see that unlike Active Directory there are no default or built-in users in IAM. Click the Create New User button to launch the Create User Wizard:

Figure 8: Step 1 of creating a new user in IAM.

We’ll name our new user Bob_Smith. Note that user names in IAM cannot include spaces and they must contain only alphanumeric characters and/or the following: +=,.@-_

We’ll also clear the “Generate an access key for each user” checkbox because our new user will only need access to the AWS Management Console and will not be used to programmatically access AWS services. If we left this checkbox selected (which it is by default) then this would constitute a security risk because if an attacker could somehow obtain the access key for Bob_Smith then the attacker would have full programmatic access to all of our AWS resources.

Figure 9: Step 2 of creating a new user in IAM.

Once the Create User wizard finishes, we’re returned to the IAM Console. Here we can see that the new user Bob_Smith has been successfully created. We can also see that Bob_Smith belongs to no groups yet (unlike in Active Directory where new user accounts automatically belong to the Domain Users security group); has no password yet (again unlike in Active Directory where a password must be assigned to the user when the user account is created); and has no access keys. The Console also shows when the new user was created which is useful for auditing purposes:

Figure 10: The user Bob_Smith has been created.

Let’s now add user Bob_Smith to the Admins group to grant him administrative privileges over our AWS environment. Click the User Actions button and select Add User To Groups from the drop-down menu that appears:

Figure 11: Step 1 of adding user Bob_Smith to the Admins group.

In the Add User To Groups wizard, select the checkbox beside the Admins group as shown here:

Figure 12: Step 2 of adding user Bob_Smith to the Admins group.

After clicking Add To Groups, we’re returned to the Users page and can see that Bob_Smith now belongs to one group:

Figure 13: User Bob_Smith is now a member of the Admins group.

Similarly, if we select the Groups page we can see that the Admins group now has one member:

Figure 14: The Admins group has one member.

Configuring a password policy

Before we assign a password to our new user, we should first configure a suitable password policy for our AWS environment. The password policy controls which passwords can be set for each user in the environment. Selecting the Password Policy page in the IAM Console shows that the default password policy is pretty weak:

Figure 15: Step 1 of configuring a password policy.

Let’s make our password policy a strong one as shown by the next screenshot:

Figure 16: Step 2 of configuring a password policy.

Clicking the Apply Password Policy button generates a confirmation message that the changes have been applied:

Figure 17: The password policy has been configured.
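To put numbers on "weak" and "strong", here is an added example, not from the article, that audits a password policy dict against the two requirements set out earlier (strong passwords, regular change) and tests a candidate password against a policy. The weak policy is constructed, and the strong policy's values (14 characters, 90-day maximum age, 24-password reuse history) are assumptions, not the settings in the article's screenshot.

```python
import string

# Constructed for illustration: a minimal policy that only sets a length.
WEAK_POLICY = {"MinimumPasswordLength": 6}

# Assumed values for a strong policy; the keys are those used by
# GetAccountPasswordPolicy / UpdateAccountPasswordPolicy.
STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# The symbol set IAM accepts for the RequireSymbols check.
CHARACTER_CLASSES = {
    "RequireSymbols": set("!@#$%^&*()_+-=[]{}|'"),
    "RequireNumbers": set(string.digits),
    "RequireUppercaseCharacters": set(string.ascii_uppercase),
    "RequireLowercaseCharacters": set(string.ascii_lowercase),
}


def policy_gaps(policy, min_length=14, max_age_days=90):
    """Return what a policy lacks: length, the four character classes,
    an enforced maximum age and a reuse history."""
    gaps = []
    if policy.get("MinimumPasswordLength", 0) < min_length:
        gaps.append("MinimumPasswordLength below %d" % min_length)
    gaps += [key + " not set" for key in CHARACTER_CLASSES
             if not policy.get(key, False)]
    if policy.get("MaxPasswordAge", 0) not in range(1, max_age_days + 1):
        gaps.append("MaxPasswordAge missing or above %d days" % max_age_days)
    if not policy.get("PasswordReusePrevention"):
        gaps.append("PasswordReusePrevention not set")
    return gaps


def password_meets_policy(password, policy):
    """Mirror the checks IAM applies when a console password is set."""
    if len(password) < policy.get("MinimumPasswordLength", 0):
        return False
    chars = set(password)
    return all(chars & CHARACTER_CLASSES[key]
               for key in CHARACTER_CLASSES if policy.get(key, False))
```

A policy shaped like STRONG_POLICY is applied with `boto3.client("iam").update_account_password_policy(**STRONG_POLICY)`, which is what the Apply Password Policy button does behind the scenes.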

Now let’s set Bob’s password. Open the Users page in the IAM Console and select the checkbox beside Bob_Smith, then click User Actions and select Manage Password from the drop-down menu that appears:

Figure 18: Step 1 of setting a password for user Bob_Smith.

The Manage Password wizard gives you two options to choose from:

  • Allow IAM to automatically generate a random password for the user
  • Manually specify a custom password for the user

You also have an option for requiring the user to reset their password the first time they sign into AWS:

Figure 19: Step 2 of setting a password for user Bob_Smith.

Since we’re going to be using Bob_Smith (instead of our AWS root account) as our identity for all future administration of our AWS environment, we’ll opt to assign a lengthy but easily remembered custom password to this user:

Figure 20: Step 3 of setting a password for user Bob_Smith.

As you can see from the next figure, the Users page now shows that a password has been configured for user Bob_Smith but the password has not yet been used because Bob_Smith has not yet signed into AWS:

Figure 21: User Bob_Smith now has a password.

All that remains is for us to verify that we can use the Bob_Smith user to perform our administration tasks. We’ll do this next.

Verifying permissions

Select the Dashboard page of the IAM Console and click Copy Link to the right of the IAM users sign-in link, then press CTRL+C to copy the link to the clipboard:

Figure 22: Step 1 of verifying that Bob_Smith has administrative permissions.

Open a new browser window or tab on your computer and press CTRL+V to paste your IAM users sign-in link into the address bar. Press ENTER to open the IAM users sign-in page. The Account field will be populated with your AWS account ID, or with the alias for your account if you created one. Type Bob_Smith in the User Name field, and type Bob’s password in the Password field:

Figure 23: Step 2 of verifying that Bob_Smith has administrative permissions.

Note:
If you ever need to sign in to your AWS environment again using your AWS root account, you can click the link that says “Sign-in using root account credentials” to do this.

Clicking Sign In will open the AWS Management Console, and you will see “Bob_Smith @ <account ID>” in the menu bar where <account ID> is either your AWS account ID or your alias if you have one:

Figure 24: Bob_Smith has administrative permissions.

At this point you can easily demonstrate that Bob_Smith has full access to all of your AWS services and resources. For example, you can click the Identity & Access Management icon shown above to demonstrate that Bob_Smith can create additional users and add them to the Admins group to configure more administrators for your environment.

You might have noticed that when you signed in as Bob_Smith you were automatically signed out from your root account:

Figure 25: You were automatically signed out of your root account.

If desired you can click Reload to sign back in with your root account.

One final note: selecting the Users page in the IAM Console now shows the date and time when Bob_Smith last signed into the AWS Management Console. This is a useful piece of information for auditing purposes:

Figure 26: Auditing a user’s access to the AWS console.
