Managing and Securing Access to AWS Resources Using IAM

BVS KARTHIK — Sun, 22 Dec 2024 18:59:45 +0000

Objective:

In this blog, we’ll explore the basics of AWS Identity and Access Management (IAM), a powerful web service that helps you securely manage access to your AWS resources. The purpose of this post is to guide you through the process of creating IAM users, adding them to IAM groups, and applying permission policies to control access to various services in your AWS account. By the end of this blog, you'll have a solid understanding of how to manage user access efficiently and ensure your AWS environment stays secure.

Let's dive in and learn together! 🚀

Pre-Requisites:

Before you begin, make sure you have the following:

AWS Account: You need an AWS account to access the AWS Management Console and use IAM services. If you don’t have one, you can create it by visiting the AWS website. How to Create AWS Account.
Basic Understanding of AWS: Familiarity with basic AWS services such as EC2, S3, and IAM is helpful, but not required. This guide will walk you through all the necessary steps.
Administrator Access to the AWS Account: To manage IAM, you'll need to have administrator access or the necessary IAM permissions to create and manage users, groups, and policies.
Access to the AWS Management Console: You’ll need to sign in to the AWS Management Console to perform the steps outlined in this guide.

With these prerequisites in place, you're ready to start managing and securing access to your AWS resources using IAM.

Steps to Complete the Project:

1. Sign in to the AWS Management Console

First, you need to sign in to your AWS account. Navigate to the AWS Management Console and enter your login credentials. Once signed in, you will have access to the broad range of AWS services, including IAM.

2. Set Up IAM Users

IAM users are the entities that allow individuals to access AWS resources. Each user in IAM can have a set of permissions that define their level of access.

To create an IAM user:

Go to the IAM dashboard.
Click on Users in the left-hand menu.

Click on the Create user button.

Specify user details as follows:

User name: Enter your preferred name for the user (Virat)
Check the Provide user access to the AWS Management Console - optional checkbox
Select I want to create an IAM user checkbox
Select Custom password under Console Password and Enter desired password for the user
Uncheck the Users must create a new password at the next sign-in (recommended) checkbox.
Click Next: Permissions to move to the next step.

In the Set permissions section, keep things as default. Click on the Next button.
Scroll down and Under Tags, Click on the Add new tag button:

Click on the Create User button.
Save the user credentials to use them later in this lab.
Click on the Return to users list button and then on the Continue button.

Repeat the same steps and tags (Dev-Team) for the IAM user by another name (Rohit).
Repeat the steps to create IAM users by the name Dravid and Sachin with the following tags, [Key: Ops-Team Value: Ops]

Now we have created 4 IAM users

3. Set Up IAM User Groups and add IAM Users

IAM groups allow you to organize users and assign them specific permissions collectively. Rather than managing individual permissions for each user, groups simplify the process by applying common permissions to all users within a group.

To create an IAM group:

In the IAM dashboard, click on Groups in the left-hand menu.
Click the Create Group button.

User group name: Enter 'Dev-Team'
Scroll down and select 'Virat' and 'Rohit' under Add Users to the group.

Scroll down to the Attach permissions Policies section and search for AmazonEC2ReadOnlyAccess and AmazonS3ReadOnlyAccess policies. These policies provide read access for EC2 and S3 to the added users in the group.

Review all details and click on the Create group button.
Repeat the same steps to create an Ops-Team group.
Click on the Create group
User group name: Ops-Team
Scroll down and select remaining 2 Users to add them to the
group.
Under Attach permissions Policies, select the
AmazonEC2FullAccess and AmazonS3FullAccess policy.
These policies Provides full access to Amazon EC2 and S3 to the
added users in the group.
Now we have created 2 User groups (Dev-Team & Ops-Team)

Validation:

Let's log in using one of the Dev-Team users (Virat) and try to delete an S3 bucket and terminate an EC2 instance that already exists in the account. Since the Dev-Team group only has read-only permissions, these actions should not be allowed.

Here’s what to do:

Log in to the AWS Account using the Dev-Team User credentials.
Open the S3 Service in the AWS Management Console.
Try to delete the S3 bucket. You should see a "Permission Denied" error because the Dev-Team user doesn’t have the required permissions to delete the bucket.

Navigate to EC2 Console and try terminating the Instance

This will confirm that the read-only permissions are working as expected and prevent any modifications to resources in the account.

Now, let’s log in using an Ops-Team user (Sachin) and try the same actions. This time, the operations should succeed because the Ops-Team group has full permissions for EC2 and S3.

Here’s what to do:

Log in to the AWS Account using the Ops-Team User credentials (Sachin).
Navigate to the S3 Service in the AWS Management Console.
Try to delete the S3 bucket.

The bucket deleted successfully as the Ops-Team group has the necessary permissions.

Navigate to the EC2 Service in the AWS Management Console.
Select an EC2 instance and terminate it.

The instance terminated successfully, confirming that the full permissions are applied correctly for this group.

This demonstrates how IAM policies can be used to enforce different levels of access for various user groups based on their roles.

Conclusion

AWS IAM is a powerful tool for securely managing access to your AWS resources. By following the steps outlined in this blog, you’ve learned how to create IAM users, organize them into groups, and apply permission policies to control access to various AWS services. Proper use of IAM ensures that you have fine-grained control over who can access your AWS resources and what actions they can perform.

Thank you for reading, and I hope this blog has helped you gain a deeper understanding of how to manage and secure access to your AWS resources using IAM. Feel free to explore more AWS services and stay tuned for more tips on managing your cloud infrastructure securely!

DEV Community: BVS KARTHIK