DEV Community


IAM Best Practices - AWS

Hey everyone! Hope you're doing well and ready for another tech blog, this time on IAM best practices in AWS. In this walkthrough we lock down the root user, create an IAM admin user for day-to-day work, and set up an IAM role for an EC2 instance.

Step 1 - Login to the Console

  1. Visit the AWS Management Console sign-in page.

  2. Choose Sign in to the console.

  3. Choose Root user. Enter the root user email address.

  4. Choose Next.

  5. Enter the password for the root user. Choose Sign in.

Note: The root user is used here only to enable MFA and to create the first IAM user. Once the Admin user from Step 3 exists, sign in as that user for everyday work and keep the root credentials for the few tasks that actually require them.

Step 2 - Enable MFA on the root user (strongly recommended)

  1. At the top right, choose your account name. Then choose My Security Credentials from the drop-down menu.
  2. Expand Multi-factor authentication (MFA). Choose Activate MFA.
  3. On the Manage MFA device pop-up window, choose Virtual MFA device and choose Continue.

Note: You will need a virtual MFA application installed on your mobile device or computer. Step 1 of the Set up virtual MFA device pop-up window has a hyperlink to the list of compatible applications. Install one of them before continuing to the next step.

  4. Choose Show QR code and scan the code with your device.

Note: If you are using a computer, you can choose Show secret key and type the secret key into your MFA application. Treat the QR code and the secret key like a password: anyone who captures either one can generate your codes.

  5. Type the first MFA code into the MFA code 1 field. Then type the next generated code into the MFA code 2 field. Choose Assign MFA.
  6. You should see a pop-up indicating that you have successfully assigned a virtual MFA device. Choose Close.
  7. Expand Access keys (access key ID and secret access key).

Note: There should be no access keys listed; the root user never needs them. If one exists (for your new account), choose Delete under Actions, choose Deactivate, enter the access key ID in the confirmation field, and choose Delete.
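A check for the state Step 2 should leave behind, added here as an example (not code from the original post): it reads the responses of the IAM GetAccountSummary and ListVirtualMFADevices API calls and reports whether the root user has MFA, whether it still has an access key, and whether any IAM user exists yet. The sample responses below are constructed, the account id in them is a placeholder, and live_root_findings() assumes you pass it a boto3 IAM client with real credentials.

```python
"""Post-Step-2 check: is the root user actually locked down?

Added example, not code from the original post. The sample responses are
constructed, trimmed versions of what iam.get_account_summary() and
iam.list_virtual_mfa_devices() return; the account id is a placeholder.
"""

# Constructed sample responses, not captured from a real account.
SUMMARY_BEFORE = {"SummaryMap": {"AccountMFAEnabled": 0,
                                 "AccountAccessKeysPresent": 1,
                                 "Users": 0}}
SUMMARY_AFTER = {"SummaryMap": {"AccountMFAEnabled": 1,
                                "AccountAccessKeysPresent": 0,
                                "Users": 1}}
MFA_DEVICES_BEFORE = {"VirtualMFADevices": []}
MFA_DEVICES_AFTER = {"VirtualMFADevices": [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::123456789012:root"}}]}


def root_findings(summary: dict, mfa_devices: dict) -> list:
    """Return a list of problems with the root user; an empty list means clean."""
    m = summary["SummaryMap"]
    findings = []
    # AccountMFAEnabled is the root user's own MFA flag, not a per-user count.
    if m.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device")
    # Root access keys are never needed; Step 2 deletes them.
    if m.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user still has an access key; deactivate and delete it")
    # No IAM users means day-to-day work is still being done as root.
    if m.get("Users", 0) == 0:
        findings.append("no IAM users exist; create one (Step 3) and stop using root")
    # Cross-check: is an assigned virtual device bound to the root principal?
    root_devices = [d for d in mfa_devices.get("VirtualMFADevices", [])
                    if d.get("User", {}).get("Arn", "").endswith(":root")]
    if m.get("AccountMFAEnabled", 0) == 1 and not root_devices:
        # Not necessarily wrong: a hardware or FIDO key is not a virtual device.
        findings.append("root MFA is enabled but no virtual device is assigned to root; "
                        "confirm a hardware key is in use")
    return findings


def live_root_findings(iam_client) -> list:
    """Same check against a real account. iam_client = boto3.client('iam'); the
    caller needs iam:GetAccountSummary and iam:ListVirtualMFADevices."""
    summary = iam_client.get_account_summary()
    devices = iam_client.list_virtual_mfa_devices(AssignmentStatus="Assigned")
    return root_findings(summary, devices)


if __name__ == "__main__":
    for label, s, d in (("before", SUMMARY_BEFORE, MFA_DEVICES_BEFORE),
                        ("after", SUMMARY_AFTER, MFA_DEVICES_AFTER)):
        print(label, root_findings(s, d) or ["clean"])
```

Run it with real credentials by passing boto3.client("iam") to live_root_findings(); the Admin user created in Step 3 has the permissions this needs. The "after" sample is what you should see once Step 2 and Step 3 are done.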

Step 3 - Create an IAM user

  1. In the service search bar, type IAM and open the Identity and Access Management (IAM) dashboard. On the left side panel, choose Users.
  2. Choose Add user. Enter Admin for the User name. Next to Access type, choose AWS Management Console access. Also choose Programmatic access only if you will use this user from the CLI or SDKs; it creates an access key pair that you then have to protect.
  3. Uncheck Require password reset.
  4. Choose Next: Permissions.
  5. Choose Attach existing policies directly. Next to Filter policies, search for administrator. Under Policy name, choose AdministratorAccess. Choose Next: Tags.
  6. Choose Next: Review. Choose Create user.
  7. You can sign in with the new IAM user by clicking the hyperlink at the bottom of the Success window.

Note: The sign-in link includes your account number, so yours will look a little different :)

  8. Log in using the Admin user and password that you created.

Step 4 - Set up an IAM role for EC2 instance

  1. Now that you are logged in as the Admin user, search for IAM again in the service search bar. On the left side panel, choose Roles. Then, choose Create role.
  2. Choose AWS service. Choose EC2. Choose Next: Permissions.
  3. Next to Filter policies, search for amazons3full and choose AmazonS3FullAccess.
  4. Next to Filter policies search for amazondynamodb and choose AmazonDynamoDBFullAccess.
  5. Choose Next: Tags. Choose Next: Review.
  6. For Role name, enter S3DynamoDBFullAccessRole. Choose Create role. Note: Full-access policies are not recommended in a production environment. They are used here as a proof of concept to get your demo up and running quickly; the role name is a reminder of how broad they are. Once your Amazon S3 bucket and Amazon DynamoDB table are created, come back and replace these policies with ones that allow only the specific actions on those specific resources. More on this later.
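The restrictive replacement the note above asks for, as an added example that is not part of the original post: a trust policy matching the console's AWS service / EC2 choice, a role policy scoped to one bucket and one DynamoDB table, a check that flags wildcard actions or resources (the pattern the FullAccess managed policies use), and a function that creates the role through boto3. The bucket name, table ARN, account id, region, and the abbreviated stand-in for the managed policies are assumptions, not values from the post.

```python
"""Step 4 follow-up: replace AmazonS3FullAccess + AmazonDynamoDBFullAccess
with a policy scoped to one bucket and one table, and check any policy
document for wildcards before attaching it.

Added example, not code from the original post. Names below are
placeholders; create_scoped_role() needs real credentials.
"""
import json

# Placeholders: replace with your own names (assumed, not from the post).
ROLE_NAME = "S3DynamoDBFullAccessRole"   # the name the post uses
BUCKET = "my-demo-bucket"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/my-demo-table"

# Trust policy equivalent to choosing "AWS service -> EC2" in the console:
# only EC2 instances may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed, abbreviated stand-in for the two managed FullAccess policies:
# service-wide actions on every resource.
FULL_ACCESS_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Full", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "DynamoFull", "Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
    ],
}


def scoped_policy(bucket: str, table_arn: str) -> dict:
    """Least-privilege replacement: named actions, one bucket, one table.
    Bucket-level (ListBucket) and object-level actions need different ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOneBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Sid": "ObjectsInOneBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
            {"Sid": "OneTable", "Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                        "dynamodb:DeleteItem", "dynamodb:Query"],
             "Resource": [table_arn]},
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_statements(policy: dict) -> list:
    """Sids of Allow statements that grant '*' or 'service:*' actions, or that
    apply to Resource '*'. Run this before attaching any policy to the role."""
    flagged = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        broad_action = any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action")))
        broad_resource = any(r == "*" for r in _as_list(st.get("Resource")))
        if broad_action or broad_resource:
            flagged.append(st.get("Sid", f"Statement[{i}]"))
    return flagged


def create_scoped_role(iam_client, bucket: str = BUCKET, table_arn: str = TABLE_ARN) -> str:
    """Create the role with an inline scoped policy plus an instance profile
    (the console creates the profile for you; the API does not). Refuses to
    proceed if the policy still contains wildcards. iam_client = boto3.client('iam')."""
    policy = scoped_policy(bucket, table_arn)
    bad = wildcard_statements(policy)
    if bad:
        raise ValueError(f"policy still has wildcards in {bad}")
    iam_client.create_role(RoleName=ROLE_NAME,
                           AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam_client.put_role_policy(RoleName=ROLE_NAME, PolicyName="S3DynamoDBScoped",
                               PolicyDocument=json.dumps(policy))
    iam_client.create_instance_profile(InstanceProfileName=ROLE_NAME)
    iam_client.add_role_to_instance_profile(InstanceProfileName=ROLE_NAME,
                                            RoleName=ROLE_NAME)
    return ROLE_NAME


if __name__ == "__main__":
    print("full access flags:", wildcard_statements(FULL_ACCESS_STAND_IN))
    print("scoped flags:", wildcard_statements(scoped_policy(BUCKET, TABLE_ARN)))
    print(json.dumps(scoped_policy(BUCKET, TABLE_ARN), indent=2))
```

If you already created the role in the console, detach the two managed policies and put_role_policy() the scoped document onto the existing role instead of calling create_role(). Tighten the action list further once you know what the application actually calls; s3:DeleteObject is usually the first to go.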

Congratulations you successfully completed the exercise...🎉🎉🎉

🚀 If you read something interesting from this article, please like and follow me for more posts.
