DEV Community

sajjad hussain

AWS DevOps — Establishing IAM for Finance Controller Role with Billing Access

Introduction

IAM (Identity and Access Management) is a web service offered by Amazon Web Services (AWS) that enables users to manage access to their AWS resources. It provides a centralised way to control and manage user identities, permissions, and credentials that are used to access AWS products and services.

The significance of IAM lies in its ability to improve security and compliance within the AWS environment. By implementing IAM, AWS users can control who can access their resources, how they can access them, and what actions they can perform. This level of control helps to prevent unauthorised access and reduce the risk of data breaches, provided each identity is given only the permissions its job requires.

One of the major benefits of using IAM is the ability to implement granular permissions. This means that users can define specific permissions for individual AWS resources, rather than granting broad and unrestricted access. Granular permissions allow for fine-tuned control over resource access, helping to limit potential damage and secure sensitive data.

Furthermore, by using IAM, organisations can ensure compliance with regulatory requirements and industry standards. IAM enables users to create and enforce strong password policies and to require multi-factor authentication, and, together with AWS CloudTrail, it provides an audit trail of who did what and when. These security measures help to demonstrate compliance with different regulations, such as GDPR, HIPAA, and PCI DSS.

In addition to security and compliance, IAM also helps to improve operational efficiency. By using IAM, organizations can easily manage access to their AWS resources, reduce the risk of errors and misconfigurations, and improve auditing and reporting capabilities. This, in turn, can lead to cost savings and improved overall management of AWS resources.


Creating a New IAM User for the Finance Controller Role

To create a new IAM user for the finance controller role, follow these steps:

  1. Sign in to the AWS Management Console as an IAM administrator (an IAM user or role with permission to manage users and policies, not the root user).

  2. Navigate to the IAM dashboard by typing “IAM” in the search bar or selecting it from the list of services.

  3. In the left menu, click on “Users” and then click on the “Add User” button at the top (labelled “Create user” in newer versions of the console).

  4. On the “Set User Details” page, enter “FinanceController” as the username.

  5. Under “Select AWS Access Type”, select only “AWS Management Console access”. A finance controller reads bills and reports in the console; do not enable “Programmatic access” unless they will genuinely call the API, because access keys are long-lived credentials that are easy to leak and rarely rotated. (Newer versions of the console no longer offer access keys at creation time; they are created later from the user’s “Security credentials” tab, and only if needed.) Choose an autogenerated password and require a password reset at first sign-in.

  6. Click on the “Next: Permissions” button at the bottom.

  7. On the “Set Permissions” page, select “Attach existing policies directly”.

  8. Attach only billing-related permissions. Do not attach broad policies such as “AmazonEC2FullAccess” or “AmazonS3FullAccess”: a finance controller has no need to launch instances or read every bucket, and every unnecessary permission widens the damage a compromised or misused account can do.

  9. Use the custom billing policy defined in the next section, or an AWS managed billing policy that permits viewing (not modifying) billing data. Note that neither takes effect until the root user has activated “IAM user and role access to Billing information” in the account settings of the Billing console; without that setting, IAM users are denied access to billing pages regardless of their policies.

  10. Click on the “Next: Tags” button at the bottom or skip this step if you don’t want to add any tags.

  11. On the “Add tags” page, you can add tags to the user if desired; a tag recording the business role makes later access reviews easier.

  12. Click on the “Next: Review” button.

  13. On the “Review” page, review all the details and click on “Create user” at the bottom.

  14. On the “Success” page, you will see the console sign-in URL and the user’s temporary password. If you did enable programmatic access, the Access Key ID and Secret Access Key are also shown here, and this is the only time the secret access key is displayed.

  15. Click on “Download .csv” only if you need a local copy, and treat that file as a secret: keep it in a password manager or secrets store, never in email, chat, or a shared drive.

  16. Click on “Close”.

  17. Hand the sign-in URL and temporary password to the finance controller through a separate, trusted channel, and have them enable multi-factor authentication (MFA) at first sign-in. Access keys, if any were created, are used only for the AWS CLI and API calls; they cannot be used to sign in to the console, and they belong to the user alone and must not be shared.
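The same provisioning can be scripted so it is repeatable and reviewable. The following is an added example in Python, not code from the original post: it performs the steps above with the boto3 IAM client method names (create_user, create_login_profile, create_policy, attach_user_policy) and deliberately never creates an access key. The `iam` argument is any object with those methods; pass `boto3.client("iam")` in real use. `RecordingIAM`, the policy name, the tag and the temporary-password handling are constructed for this illustration so that it runs offline.

```python
"""Provision a console-only FinanceController user with boto3-style calls.

Added example, not code from the original post. `iam` is any object exposing
the boto3 IAM client methods used below (pass boto3.client("iam") in real
use). RecordingIAM is a constructed offline stand-in so the sequence can be
run and inspected without an AWS account. The policy name, tag and password
handling are assumptions chosen for this illustration.
"""
import json
import secrets


def provision_finance_controller(iam, user_name, policy_name, policy_document):
    """Create the user, give it console access only, attach one custom policy.

    Security choices baked in:
      - create_access_key() is never called: a console user gets no
        long-lived API credentials to leak or forget to rotate.
      - PasswordResetRequired=True makes the temporary password single-use.
      - The temporary password is returned exactly once so the caller can
        hand it over out of band; it is not logged or written to disk.
    """
    iam.create_user(
        UserName=user_name,
        Tags=[{"Key": "BusinessRole", "Value": "FinanceController"}],
    )
    # Random temporary password; the suffix satisfies common complexity rules
    # (upper, lower, digit, symbol) that an account password policy may demand.
    temp_password = secrets.token_urlsafe(24) + "Aa1!"
    iam.create_login_profile(
        UserName=user_name,
        Password=temp_password,
        PasswordResetRequired=True,
    )
    policy_arn = iam.create_policy(
        PolicyName=policy_name,
        PolicyDocument=json.dumps(policy_document),
    )["Policy"]["Arn"]
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    return {"user": user_name, "policy_arn": policy_arn,
            "temporary_password": temp_password}


class RecordingIAM:
    """Constructed stand-in for boto3's IAM client.

    Records every call and returns just the response shapes the code above
    reads. It refuses create_access_key so a regression toward handing out
    API keys fails loudly.
    """

    def __init__(self, account_id="123456789012"):
        self.account_id = account_id
        self.calls = []

    def _record(self, name, kwargs):
        self.calls.append((name, kwargs))

    def create_user(self, **kwargs):
        self._record("create_user", kwargs)
        return {"User": {"UserName": kwargs["UserName"]}}

    def create_login_profile(self, **kwargs):
        self._record("create_login_profile", kwargs)
        return {"LoginProfile": {"UserName": kwargs["UserName"],
                                 "PasswordResetRequired": kwargs["PasswordResetRequired"]}}

    def create_policy(self, **kwargs):
        self._record("create_policy", kwargs)
        arn = "arn:aws:iam::%s:policy/%s" % (self.account_id, kwargs["PolicyName"])
        return {"Policy": {"PolicyName": kwargs["PolicyName"], "Arn": arn}}

    def attach_user_policy(self, **kwargs):
        self._record("attach_user_policy", kwargs)
        return {}

    def create_access_key(self, **kwargs):
        raise RuntimeError("console-only user must not receive access keys")


# Constructed minimal view-only billing statement for the demo.
DEMO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"],
                   "Resource": "*"}],
}


def demo():
    """Run the provisioning against the recording client and return both."""
    iam = RecordingIAM()
    result = provision_finance_controller(
        iam, "FinanceController", "CustomBillingAccessPolicy", DEMO_POLICY)
    return iam, result


if __name__ == "__main__":
    client, outcome = demo()
    for name, kwargs in client.calls:
        print(name, sorted(kwargs))
    print("policy:", outcome["policy_arn"])
```

Against a real client the call sequence is identical; the only thing to add is a Condition on `aws:MultiFactorAuthPresent` in the policy if you want to enforce MFA rather than merely ask the user to enrol.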

Defining a Custom Policy for Billing Details Access

As an AWS account owner or administrator, you can create custom policies to control access to specific resources and services within your account. This allows you to fine-tune the permissions of your users and ensure that they have only the necessary access to perform their tasks. In this guide, we will walk you through the steps of creating a custom policy for the Finance Controller role that limits the role to viewing billing details and reports.

Step 1: Understanding IAM Policies and Permissions

Before creating a custom policy, it is important to understand how IAM (Identity and Access Management) policies work. IAM is a service that allows you to manage access to AWS resources within your account. Policies are JSON documents that define the permissions of a user, group, or role. These permissions determine what actions are allowed or denied on AWS resources. IAM policies can be attached to users, groups, or roles, and multiple policies can be attached to a single entity. When a request is evaluated, an explicit “Deny” in any applicable policy wins; otherwise at least one “Allow” is required; and anything not explicitly allowed is denied by default. That default deny is what keeps a billing-only user out of every other service.

Step 2: Crafting a Custom Policy for Finance Controller Role

In this step, we will create a custom policy for the Finance Controller role that limits it to viewing billing details and reports. The policy is a JSON document and can be created using the AWS management console or through the AWS CLI (aws iam create-policy). The following are the key elements that need to be included in the policy:

  1. Specifying permissions to view billing details and reports: the statement lists the actions that the Finance Controller role is allowed to perform. The original version of this post used the patterns “aws-portal:*Billing” and “aws-portal:*CostExplorer”. Those do not express “view only”: the wildcard in “aws-portal:*Billing” matches both aws-portal:ViewBilling and aws-portal:ModifyBilling, so the controller could change billing settings, and “aws-portal:*CostExplorer” does not correspond to any aws-portal action (Cost Explorer is governed by the ce: actions, together with aws-portal:ViewBilling). Name the read-only actions explicitly, and limit any wildcard to a read-only verb:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewBillingAndReports",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage",
        "aws-portal:ViewAccount",
        "ce:Get*",
        "ce:Describe*",
        "ce:List*",
        "cur:DescribeReportDefinitions"
      ],
      "Resource": "*"
    }
  ]
}

  2. Restricting access to only billing-related resources: the “Resource” element names the resources the actions may be applied to. The billing actions are not resource-specific (there is no ARN for “the bill”), so “Resource” must be “*”; the restriction comes from the action list, not from the resource. Because the policy contains only “Allow” statements for billing actions, and IAM denies everything that is not explicitly allowed, the user still has no access to EC2, S3, or any other service.

Two caveats apply. AWS has introduced fine-grained billing actions (for example billing:ViewBilling) as replacements for the aws-portal: actions, which are being retired, so check the current service authorization reference for your account and add the replacement actions alongside the ones above. And none of this takes effect until the root user has activated “IAM user and role access to Billing information” in the account settings.
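To make the difference between the two action lists concrete, here is an added example in Python (not code from the original post). It implements the part of IAM evaluation that matters here, namely case-insensitive “*” and “?” wildcards in Action, explicit Deny beating Allow, and default deny, and runs both the post’s original statement and the view-only policy from this section against a list of real IAM action names. It is a simplified checker, not the IAM engine: it ignores Condition and Resource, which is acceptable only because billing actions are not resource-scoped. The policy documents and probe list are constructed for the example.

```python
"""Why "aws-portal:*Billing" is not a view-only grant: an offline policy check.

Added example, not code from the original post. It implements the subset of
IAM evaluation needed here (case-insensitive '*' and '?' wildcards in Action,
explicit Deny beats Allow, default deny) and runs the post's original
statement and the view-only policy from this section against a list of real
IAM action names. This is a simplified checker, not the IAM engine: it
ignores Condition and Resource, which is acceptable only because billing
actions are not resource-scoped. The policies and probe list are constructed.
"""
import re

# The statement as the post originally wrote it.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aws-portal:*Billing", "aws-portal:*CostExplorer"],
        "Resource": "*",
    }],
}

# View-only replacement: every action is a read verb or a read-only wildcard.
VIEW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ViewBillingAndReports",
        "Effect": "Allow",
        "Action": [
            "aws-portal:ViewBilling",
            "aws-portal:ViewUsage",
            "aws-portal:ViewAccount",
            "ce:Get*",
            "ce:Describe*",
            "ce:List*",
            "cur:DescribeReportDefinitions",
        ],
        "Resource": "*",
    }],
}

# Real action names to probe; the comment says what a finance controller
# should or should not be able to do.
PROBE_ACTIONS = [
    "aws-portal:ViewBilling",          # read the bill: wanted
    "aws-portal:ViewUsage",            # read usage: wanted
    "aws-portal:ModifyBilling",        # change billing settings: must be denied
    "aws-portal:ViewPaymentMethods",   # card details: not needed, deny
    "ce:GetCostAndUsage",              # Cost Explorer data: wanted
    "cur:DescribeReportDefinitions",   # list Cost and Usage Reports: wanted
    "ec2:RunInstances",                # unrelated service: must be denied
]


def action_matches(pattern, action):
    """IAM Action matching: '*' is any run, '?' one character, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_allowed(policy, action):
    """Evaluate one action against one policy document.

    Explicit Deny in any matching statement wins; otherwise at least one
    matching Allow is required; with no match at all the result is the
    implicit default deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(action_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def allowed_actions(policy, probes=PROBE_ACTIONS):
    """Return the probe actions the policy allows, in probe order."""
    return [a for a in probes if is_allowed(policy, a)]


def mutating_actions_allowed(policy, probes=PROBE_ACTIONS):
    """Allowed probe actions whose verb is not a read verb (View/Get/Describe/List)."""
    read_verbs = ("view", "get", "describe", "list")
    return [a for a in allowed_actions(policy, probes)
            if not a.split(":", 1)[1].lower().startswith(read_verbs)]


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("view-only", VIEW_ONLY_POLICY)):
        print(name, "allows:", allowed_actions(policy))
        print(name, "mutating actions allowed:", mutating_actions_allowed(policy))
```

Running it shows the original statement allowing aws-portal:ModifyBilling while allowing nothing in Cost Explorer, and the view-only policy allowing exactly the read actions. Against a real account, aws iam simulate-principal-policy gives the authoritative answer for the same probe list, including conditions this checker ignores.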

Step 3: Attaching the Custom Policy to the FinanceController User

Once the custom policy has been created, it needs to be attached to the FinanceController user. This can be done through the AWS management console or through the AWS CLI. To attach the policy using the console, follow these steps:

  1. Log in to the AWS Management Console as an IAM administrator. Do not use the root account for routine administration such as this; reserve root for the few tasks that require it (such as activating IAM access to billing information) and protect it with MFA.

  2. Go to the IAM service.

  3. Select the “Users” tab and click on the FinanceController user.

  4. Click on the “Permissions” tab and then click on “Attach Policy”.

  5. Search for the custom policy that was created in Step 2 and select it.

  6. Click on “Attach Policy” to confirm.

To attach the policy using the AWS CLI, first create it with aws iam create-policy (the command output includes the policy ARN), then attach it with the following command:

aws iam attach-user-policy --user-name FinanceController --policy-arn arn:aws:iam::123456789012:policy/CustomBillingAccessPolicy

Note: Replace “123456789012” with your AWS account ID and “CustomBillingAccessPolicy” with the name of the custom policy. Customer-managed policies live in your account, so their ARN carries your account ID; AWS-managed policies carry “aws” in that position instead.

Step 4: Testing the Policy

To test the policy, log in to the AWS Management Console using the FinanceController user credentials. You should only be able to view billing details and reports. Any attempt to access other AWS resources, or to change billing settings, should result in an “access denied” error. You can also check without signing in as the user: the IAM policy simulator in the console (or aws iam simulate-principal-policy from the CLI) evaluates a list of action names against the user’s attached policies and reports “allowed” or “implicitDeny” for each, which is a quick way to confirm that actions such as aws-portal:ModifyBilling and ec2:RunInstances are not allowed.

Verifying Billing Access

  1. Go to the AWS Management Console sign-in URL for the account and log in using the credentials for the FinanceController user.

  2. Once logged in, navigate to the “Billing Dashboard” page by clicking on the “Services” dropdown menu in the top left corner and selecting “Billing & Cost Management” (it is also reachable from the account menu in the top right).

  3. On the Billing & Cost Management page, click on the “Billing Dashboard” link on the left side menu.

  4. This will bring you to the Billing Dashboard, where you should see a breakdown of your current month’s charges and projected charges. If you get an access denied message here instead, the usual cause is not the policy but the account-level setting: the root user must first activate “IAM user and role access to Billing information” in the account settings.

  5. To confirm that the FinanceController user has access to view billing details and reports, click on the “Reports” tab on the top menu.

  6. Under the “Cost and Usage Report” section, click on the “View Reports” button.

  7. This will bring you to the “Reports” page, where you can see a list of your available reports. From here, you can view and download reports on your usage and costs.

  8. You can also click on the “Cost Explorer” tab on the top menu to access more detailed reports and analytics on your AWS costs. Cost Explorer has to be enabled once for the account before it shows anything, and the first data can take up to 24 hours to appear, so an empty Cost Explorer shortly after enabling it is not a permissions problem.

  9. If you are able to access and view these reports, it confirms that the FinanceController user has read access to billing details and reports in AWS. Complete the check by confirming what the user cannot do: opening the EC2 or S3 console, or attempting to change payment methods or billing preferences, should fail with an access denied message.

  10. Rather than repeating these steps for every user who needs billing access, put such users in an IAM group with the billing policy attached, so the permission is granted and reviewed in one place.
