Prerequisites
- AWS Account: Ensure you have an active AWS account.
- IAM Permissions: You need sufficient permissions to create IAM users, roles, and groups.
- MFA Device: Set up Multi-Factor Authentication (MFA) for enhanced security.
Security Best Practices
- Use MFA: Enable MFA for all IAM users to add an extra layer of security.
- Least Privilege Principle: Grant only the permissions necessary for users to perform their tasks.
- Regular Audits: Regularly review and remove unused IAM users, roles, and permissions.
- Strong Password Policies: Enforce strong password policies for all IAM users.
- Temporary Credentials: Use temporary credentials for applications and services instead of long-term access keys.
Steps to Create IAM User, Role, and Group
1. Login to AWS Console
- Navigate to the AWS Management Console.
- Enter your credentials and complete MFA if enabled.
2. Create IAM Group
- In the IAM dashboard, click on User Groups > Create New Group.
- Enter a group name.
- Attach policies to the group to define permissions.
- Review and create the group.
Example Use Case: Create a group named Developers and attach the AmazonEC2FullAccess policy. Add all developer IAM users to this group to manage EC2 instances without needing to assign permissions individually.
3. Create IAM User
- In the IAM service, click on Users > Add user.
- Enter a username and select the type of access (Programmatic access, AWS Management Console access).
- Set permissions by attaching policies directly or adding the user to a group (here we add the user to the group created in the previous step).
- Review and create the user. Download the .csv file with access keys if programmatic access is enabled.
Example Use Case: An IAM user named John-Doe is created for a new developer joining your team. This user is granted programmatic access to interact with AWS services via the AWS CLI.
4. Create an IAM Role
- Open the IAM Console:
- Create Role: In the navigation pane, choose Roles and then Create role.
- Select Trusted Entity: Choose AWS service and select EC2.
- Attach Policies: Choose Next: Permissions. Attach a policy like AmazonS3FullAccess.
- Role Name: Enter a role name (e.g., S3AccessRole) and choose Create role. This is what a policy looks like in JSON:
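The post's own policy JSON is not reproduced above, so here is an added example (not from the original post): it builds the EC2 trust policy behind the "AWS service > EC2" choice, a least-privilege permissions policy scoped to one bucket as an alternative to AmazonS3FullAccess, and a small audit helper that flags "everything on every resource" statements. The bucket name, the policy shape modelled on AmazonS3FullAccess, and the helper names are assumptions for illustration.

```python
import json

# Constructed values for the example; substitute your own bucket name.
BUCKET = "your-bucket-name"

def ec2_trust_policy():
    """Trust policy that lets EC2 instances assume the role
    (what the console creates when you pick AWS service > EC2)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

def s3_bucket_read_policy(bucket):
    """Least-privilege permissions policy: list and read ONE bucket only,
    instead of the account-wide AmazonS3FullAccess managed policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

# Constructed statement shaped like a "full access" managed policy (assumption).
FULL_ACCESS_LIKE = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    # IAM allows a string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def broad_statements(policy):
    """Audit helper: return Allow statements that pair a wildcard action
    ('*' or 'service:*') with Resource '*', i.e. full access to a service."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in _as_list(stmt.get("Resource", [])):
            found.append(stmt)
    return found

def render(policy):
    """JSON text ready to paste into the IAM console's JSON policy editor."""
    return json.dumps(policy, indent=2)
```

Run `print(render(s3_bucket_read_policy(BUCKET)))` to get the document to paste into the console, and `broad_statements(...)` over any policy you are about to attach to see whether it grants a whole service on every resource.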
5. Create an S3 bucket
- Create an S3 bucket that we will access through the EC2 instance.
- ACLs: Disabled
- Unblock all public access.
- Upload a few images to the S3 bucket.
6. Accessing the S3 bucket using the EC2 instance
- Launch an EC2 instance that will be used to access the S3 bucket.
- Use an SSH client like PuTTY or MobaXterm to connect to your instance (steps for the above are depicted in my other posts).
- Modify the IAM role of the instance by selecting the instance > Security > Modify IAM role, and attach the role we created earlier.
7. Install AWS CLI (if not already installed)
- Install AWS CLI: if the AWS CLI is not installed, you can install it using the following commands:
    sudo yum update -y
    sudo yum install aws-cli -y
- Configure AWS CLI: you don't need to configure the AWS CLI with access keys because the instance will use the IAM role. However, you can verify the configuration:
    aws configure
  Leave the access key and secret access key fields empty and set the default region and output format.
8. Access the S3 Bucket
- List Buckets: verify that you can list your S3 buckets:
    aws s3 ls
- Access Your Specific Bucket: list the contents of your specific bucket:
    aws s3 ls s3://your-bucket-name
- You can also copy files to and from the bucket. For example, to copy a file from your bucket to your instance:
    aws s3 cp s3://your-bucket-name/your-file.txt /path/to/destination
Conclusion
In this project, we successfully demonstrated how to manage AWS Identity and Access Management (IAM) by creating an IAM user, role, and group. We also explored how to assign an IAM role to an EC2 instance to enable it to access an S3 bucket. These tasks are fundamental for ensuring secure and efficient management of AWS resources, which is crucial for any cloud-based project.