AWS IAM (Identity and Access Management)
1. What Is IAM?
IAM stands for Identity and Access Management.
It's a global AWS service (no region selector) that lets you securely control access to your AWS resources.
You use IAM to:
- Create and manage users, groups, and permissions.
- Control who can access AWS resources and what actions they can perform.
2. The Root User
When you first create your AWS account, AWS automatically creates a root user: the account owner, with unrestricted access that no IAM policy can limit.
Use it only for the few tasks that require root:
- Set up billing and account settings
- Enable MFA (Multi-Factor Authentication) on the root user itself
- Create your first administrator user
After setup:
- Do not use the root user for daily work, do not share its password, and do not create access keys for it.
3. Users and Groups
Each user represents a real person or application.
You can group users logically, for example:
Group Name | Members | Purpose |
---|---|---|
Developers | Alice, Bob, Charles | Build & deploy |
Operations | David, Edward | Manage infra |
Audit Team | Charles, David | Review access |
Notes:
- Groups contain only users (no nested groups).
- Users can belong to multiple groups.
- A user can exist without belonging to any group, though that is not best practice: permissions attached to individuals are harder to review and revoke.
4. IAM Policies (Permissions)
To control what users can do, IAM uses policies: JSON documents that define permissions.
Example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
This policy allows read-only Describe calls (for example ec2:DescribeInstances) on all resources in:
- EC2
- Elastic Load Balancing
- CloudWatch
It grants no create, modify, or delete permission: the wildcard "Describe*" matches only API names that begin with Describe. "Resource": "*" is the norm for these list-style calls, most of which do not support resource-level restrictions.
5. Principle of Least Privilege
Always follow the principle of least privilege:
give each user only the permissions they need to perform their job, nothing more.
This reduces:
- The blast radius if a credential is stolen or misused
- Accidental changes, and the unplanned resource costs that come with them
6. Summary
Concept | Description |
---|---|
IAM | Global service to manage identities and access |
Root User | Full access; use only for initial setup |
Users | Represent people or apps |
Groups | Logical collections of users |
Policies | JSON permissions attached to users/groups |
Least Privilege | Give minimal access required |
AWS IAM Hands-On: Creating Users and Groups
Goal
You'll create a new IAM user and an admin group in AWS, instead of using the root account, which is unsafe for daily operations.
Step 1: Open the IAM Console
- Sign in to your AWS Management Console using your root account (only for this initial setup).
- In the search bar, type IAM, then open IAM.
You'll land on the IAM Dashboard.
Notice:
- There's no region selector in the top-right corner. IAM is a global service; users, groups, and policies apply to every region.
Step 2: Go to Users
- In the left-hand menu, click Users.
- Click "Create user".
Step 3: Add a User
- User name: stephane (you can use your own name).
- Select "Provide user access to the AWS Management Console".
- Choose IAM user (not Identity Center; it is simpler for this lab, although AWS recommends IAM Identity Center for human users in the long run).
- Set a password:
  - Choose Custom password.
  - Uncheck "User must create a new password at next sign-in" only if this is your own test user; for anyone else, leave it checked so the initial password is replaced on first login.
- Click Next.
Step 4: Add Permissions (Create a Group)
- Choose "Add user to group".
- Click Create group.
- Group name: admin
- Search for and attach the AdministratorAccess policy.
- Create the group.
Your user stephane now belongs to the admin group and inherits AdministratorAccess from it.
Click Next.
Step 5: Add Tags (Optional)
Tags help you organize and track resources. Example:
Key | Value |
---|---|
Department | Engineering |
Click Next, review the configuration, then Create user.
Step 6: Save the Credentials
After creation, you'll see:
- A link to download a .csv file with the sign-in details (console URL, user name, password).
- An option to email sign-in instructions to the user.
Save these securely (a password manager, not a shared drive or chat); the password is only shown on this page.
Step 7: Verify the User and Group
- Go to Users, open stephane, and check the Permissions tab. You'll see AdministratorAccess, inherited from the admin group.
- Go to User groups, open admin, and check the Permissions tab. You'll see the AdministratorAccess policy attached.
This confirms that stephane inherits permissions from the admin group.
Step 8: Create an Account Alias
To make login easier:
- Go to the IAM Dashboard, find Account alias, and click Create alias.
- Example alias: aws-stephane-v5 (aliases are unique across all of AWS, so pick your own).
- The new sign-in URL will be:
https://aws-stephane-v5.signin.aws.amazon.com/console
Step 9: Sign in as IAM User
- Open a private/incognito window in your browser (so the root session in your main window stays separate).
- Paste the sign-in URL.
- Choose IAM user.
- Enter:
  - Account alias or Account ID
  - User name: stephane
  - Password: the one you set
You are now logged in as IAM user stephane.
In the top-right corner, you'll see:
- IAM user: stephane
- Your Account ID
Step 10: Keep Both Accounts Safe
Account | Usage |
---|---|
Root User | Only for initial setup, billing, and the few tasks that require root |
IAM User (Admin) | For all daily AWS operations |
Warning: if you lose the admin user's password, the root user can reset it; if you lose the root password, it can be reset through the root email address. Losing access to the root email and the root MFA device means going through AWS Support's account recovery process, so store all of these safely.
Summary
Concept | Description |
---|---|
IAM | Global service for managing users & permissions |
Root User | Full access โ use only for setup |
IAM User | Individual identity for people or apps |
Groups | Logical containers for users (simplify management) |
Policies | JSON documents defining permissions |
Alias | Custom URL for easier login |
AWS IAM Practice Lab: Creating a User and Group
Goal
In this lab, you'll learn how to:
- Create an IAM user
- Create an admin group
- Assign permissions through a policy
- Log in as the new user using a custom sign-in URL
Step 1: Open the IAM Console
- Sign in to AWS with your root account.
- In the AWS search bar, type IAM and click IAM.
- You'll see the IAM Dashboard.
- Some security recommendations appear (for example, adding MFA for the root user). Leave them for now; the MFA lab covers them.
- Notice in the top-right corner: there's no Region selector. IAM is a global service, not tied to any region.
Step 2: Check Current User
- Look at the top-right corner of the console.
- If it shows only the account ID or account name, with no "IAM user:" prefix, you're signed in as the root user.
Warning: the root account has unlimited power and should be used only for setup.
We'll now create an admin IAM user to use instead.
Step 3: Create a New IAM User
- In the left menu, click Users, then Create user.
- User name: stephane (or your own name).
- Under Console access, select "Provide user access to the AWS Management Console".
- Choose IAM user (not Identity Center; it is simpler for this lab).
- Set a password:
  - Option A: Auto-generate (for other people)
  - Option B: Custom password (enter your own)
- Uncheck "User must create a new password at next sign-in" only if it's your own test account.
- Click Next.
Step 4: Create an Admin Group
- Choose Add user to group, then Create group.
- Group name: admin
- Search for and attach the AdministratorAccess policy.
- Click Create group.
- Ensure your user (stephane) is checked as a member of that group.
- Click Next.
Step 5: Add Optional Tags
Tags add metadata for organization (optional).
Example:
Key | Value |
---|---|
Department | Engineering |
Click Next, then Create user.
Step 6: Save the Credentials
- Download the .csv file (it contains the console sign-in URL, user name, and password).
- Or email the sign-in instructions. Keep these safe; you'll need them to log in, and the password is not shown again.
Step 7: Verify User and Group
- Go to Users, open stephane, then Permissions. You'll see AdministratorAccess (inherited from the admin group).
- Go to User groups, open admin, then Permissions. This confirms AdministratorAccess is attached to the group.
The user inherits the group's permissions.
Step 8: Create an Account Alias
A custom alias makes sign-in easier.
- On the IAM Dashboard, under Account alias, click Create alias.
- Example: aws-stephane-v5 (aliases are unique across all of AWS, so choose your own).
- Your console sign-in URL becomes:
https://aws-stephane-v5.signin.aws.amazon.com/console
Step 9: Sign In as IAM User
- Open a private/incognito window.
- Visit your sign-in URL.
- Choose IAM user.
- Enter:
  - Account alias or Account ID
  - User name: stephane
  - Password: the one you set.
- Click Sign In.
Now, at the top-right corner you'll see:
Account ID | IAM user: stephane
You can keep:
- the root account in one browser window (normal mode), and
- the IAM user in another (private mode), to work with both simultaneously. Sign out of the root session as soon as you no longer need it.
Step 10: Best Practices
Account | When to Use | Notes |
---|---|---|
Root User | Only for billing, initial setup, and tasks that require root | Enable MFA, never create access keys for it, keep credentials safe |
IAM Admin User | Everyday management | Add more users and policies here; enable MFA on it too |
Warning: a lost root password can be reset through the root email address, but losing access to that email and the root MFA device means going through AWS Support's account recovery process.
Summary
Concept | Description |
---|---|
IAM | Global service to manage identities and permissions |
Root User | Highest-privilege account, use sparingly |
IAM User | Individual identity for people or apps |
Groups | Simplify permission management |
Policies | JSON rules that define allowed actions |
Account Alias | Friendly URL for sign-in |
AWS Multi-Session Support (Multiple Accounts in One Browser)
Goal
Learn how to use multi-session support in the AWS Console, a feature that lets you stay signed in to multiple AWS accounts or roles simultaneously in the same browser.
Step 1: Enable Multi-Session Support
- In the AWS Management Console, look at the top-right corner of your screen.
- Click on your account name or ID.
- Select Multi-Session Support, then Turn on.
This lets one browser hold several independent console sessions, each in its own tab.
Step 2: Add a New Session
- Click Add session.
- You'll be asked to sign in again, using:
  - another account ID, alias, or role, and
  - the corresponding IAM user credentials (and MFA code, if enabled).
- Once logged in, AWS opens a second session within the same browser.
At the top of your screen, each session is clearly labeled with its account ID or role name.
Step 3: Verify the Sessions
To confirm you're truly using separate accounts:
- In Session 1, open EC2, then Volumes.
- Create a small EBS volume (1 GiB) just for testing, and delete it when you are done so it does not keep billing.
You don't need to know EBS yet; this is just a proof of concept.
- In Session 2, open EC2, then Volumes again.
- You'll see no volumes listed, because this is a different account.
Result: both sessions are independent. Same browser, different accounts.
Step 4: Why It's Useful
Before multi-session support, engineers had to:
- Use different browsers (Chrome + Firefox + Safari), or
- Use private/incognito windows for each AWS account.
Now you can:
- Quickly switch between accounts or roles,
- Manage dev / staging / prod environments from one browser,
- Avoid repeated log-ins and MFA prompts.
Tip: this is especially helpful for DevOps engineers or admins who manage multiple AWS environments or customer accounts. Keep in mind that several privileged sessions now live in one browser profile, so lock the machine when you step away and sign out of every session when you finish.
Summary
Feature | Description |
---|---|
Multi-Session Support | Lets you open multiple AWS accounts/roles in one browser |
Enabled From | Account Menu โ Multi-Session Support |
Use Case | Manage several AWS environments side-by-side |
Old Method | Separate browsers / incognito windows |
Now | Tabs or sessions in one browser with clear labels |
AWS IAM Policies: In Depth
Goal
Understand how IAM policies work: how they are structured, attached, and evaluated across users, groups, and roles.
Step 1: How Policies Are Applied
Let's start with an example organization:
Group | Members | Description |
---|---|---|
Developers | Alice, Bob, Charles | Have developer-level access |
Operations | David, Edward | Manage infrastructure |
Audit Team | Charles, David | Read-only audit access |
Now:
- If you attach a policy to the Developers group, Alice, Bob, and Charles all inherit that policy.
- The Operations group has its own separate policy.
- A user like Fred may exist without a group, but can still receive permissions through an inline policy or a managed policy attached directly to him.
Inline policy: embedded in a single user, group, or role; it lives and dies with that entity and cannot be reused.
Managed policy: a standalone policy with its own ARN that you can attach to many users, groups, or roles. AWS managed policies (like AdministratorAccess) are maintained by AWS; customer managed policies are written by you.
Example of Policy Inheritance
User | Gets Policy From |
---|---|
Charles | Developers + Audit |
David | Operations + Audit |
Fred | Inline or directly attached policy only (optional) |
A user's effective permissions are the union of every Allow statement from all attached sources, minus anything an explicit Deny in any of them forbids.
Step 2: IAM Policy Structure (JSON)
Every IAM policy is a JSON document that follows a standard format.
Here's an example:
```json
{
  "Version": "2012-10-17",
  "Id": "PolicyExample1",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-example-bucket"
    }
  ]
}
```
Because it contains a Principal element, this particular example is a resource-based policy (an S3 bucket policy), not an identity-based policy that you would attach to a user or group. The principal "arn:aws:iam::123456789012:root" means "any principal in account 123456789012", not only that account's root user; each of those principals still needs a matching Allow in its own identity-based policy.
Let's break it down:
Key | Meaning | Example |
---|---|---|
Version | Policy language version; use "2012-10-17" (the older "2008-10-17" is legacy and does not support policy variables) | "Version": "2012-10-17" |
Id | Optional identifier for the policy | "Id": "PolicyExample1" |
Statement | Main policy rules, one or more blocks | [ {...} ] |
Sid | Optional statement ID (for reference and auditing) | "Sid": "1" |
Effect | "Allow" or "Deny" for the actions listed | "Effect": "Allow" |
Principal | Who the statement applies to (account, user, role, or service). Appears only in resource-based policies and role trust policies; identity-based policies omit it because the principal is the entity the policy is attached to | "Principal": {"AWS": "arn:aws:iam::123456789012:root"} |
Action | The API actions being allowed or denied | "Action": "s3:ListBucket" |
Resource | The ARNs these actions apply to | "Resource": "arn:aws:s3:::my-example-bucket" |
Condition | (Optional) extra conditions for when the statement applies; values are strings, even for booleans | "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}} |
Step 3: The Most Important Four
For the AWS Certified Solutions Architect or DevOps Engineer exams,
you must clearly understand these 4 key fields:
Element | Description |
---|---|
Effect | Whether access is allowed or denied |
Principal | The identity the statement applies to (resource-based and trust policies only) |
Action | The specific AWS API calls allowed or denied |
Resource | The specific AWS resources those actions apply to |
How AWS evaluates a request against the applicable policies:
- Everything starts as denied (implicit deny).
- An explicit Allow in any applicable policy grants the action, but only if no Deny matches.
- An explicit Deny always wins, no matter how many Allows exist.
Other policy types in the evaluation chain (organization SCPs, permissions boundaries, session policies, and resource-based policies) can also remove or require permissions, so a matching Allow in an identity-based policy is necessary but not always sufficient.
Step 4: Optional Elements
- Condition: controls when a statement applies. Example: allow access only if MFA is present (aws:MultiFactorAuthPresent) or only from a specific source IP range (aws:SourceIp). A condition key that is absent from the request (aws:MultiFactorAuthPresent is absent, not false, for calls made with long-term access keys) makes a plain Bool test fail; use BoolIfExists when a Deny must also catch those requests.
- Sid (Statement ID): label for identifying specific rules in a policy.
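To make the evaluation rules above concrete, here is an added example (not code from the original notes or from AWS) that simulates how identity-based policies from groups and direct attachments are merged and evaluated for the users of the Step 1 example; it also illustrates the group-inheritance lab later on this page. The policies, the user-to-group mapping and the MFA guardrail on Charles are constructed for the example, and only the Bool and BoolIfExists condition operators are modelled.

```python
import fnmatch

# Constructed sample policies (not from the page): group policies for the
# Developers and Audit groups, plus an inline Deny guardrail placed on Charles.
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevReadEc2", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "DevBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::dev-bucket/*"},
    ],
}
AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuditRead", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    ],
}
MFA_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        # BoolIfExists, not Bool: the MFA key is absent for long-term access-key
        # calls, and a plain Bool would silently let those calls through.
        {"Sid": "DenyS3WritesWithoutMfa", "Effect": "Deny",
         "Action": ["s3:PutObject"], "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

GROUP_POLICIES = {"Developers": [DEVELOPERS_POLICY], "Audit": [AUDIT_POLICY]}
USER_GROUPS = {"Alice": ["Developers"], "Charles": ["Developers", "Audit"], "Fred": []}
USER_INLINE_POLICIES = {"Charles": [MFA_GUARDRAIL]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: "*" (any run) and "?" (one char); matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, wanted in pairs.items():
            if key not in context:
                # Missing key: Bool fails, BoolIfExists passes.
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Identity-based policies only: implicit deny, then any matching Allow
    grants, then any matching Deny overrides. SCPs, permissions boundaries
    and resource-based policies are outside this model."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt.get("Resource", "*"), resource)
                    and _condition_holds(stmt.get("Condition"), context)):
                continue
            if stmt["Effect"] == "Deny":
                return False            # explicit deny always wins
            allowed = True
    return allowed


def effective_policies(user):
    """Union of the user's group policies and directly attached/inline policies."""
    policies = []
    for group in USER_GROUPS.get(user, []):
        policies.extend(GROUP_POLICIES[group])
    policies.extend(USER_INLINE_POLICIES.get(user, []))
    return policies


def can(user, action, resource="*", mfa=None):
    """mfa=None models a call made with long-term access keys (key absent)."""
    context = {} if mfa is None else {"aws:MultiFactorAuthPresent": mfa}
    return is_allowed(effective_policies(user), action, resource, context)


if __name__ == "__main__":
    for user, action, res, mfa in [
        ("Alice", "ec2:DescribeInstances", "*", None),
        ("Alice", "iam:ListUsers", "*", None),
        ("Charles", "iam:ListUsers", "*", None),
        ("Charles", "s3:PutObject", "arn:aws:s3:::dev-bucket/report.csv", True),
        ("Charles", "s3:PutObject", "arn:aws:s3:::dev-bucket/report.csv", None),
        ("Fred", "ec2:DescribeInstances", "*", None),
    ]:
        print(f"{user:8} {action:22} mfa={mfa!s:5} -> {can(user, action, res, mfa)}")
```

Alice gets EC2 read access from Developers and nothing from IAM; Charles gets the union of Developers and Audit, and his in-line Deny wins over the group Allow for unauthenticated-by-MFA writes, including the access-key case where the condition key is missing. Fred, with no attachments at all, is implicitly denied everything.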
Summary
Concept | Description |
---|---|
IAM Policy | JSON document defining permissions |
Group Policy | Shared by all users in a group |
Inline Policy | Embedded in one user, group, or role; not reusable |
Managed Policy | Standalone, reusable policy maintained by AWS or by you |
Main Elements | Effect, Principal (resource-based policies only), Action, Resource |
Optional Elements | Condition, Sid |
Evaluation | Implicit deny by default; an explicit Deny overrides any Allow |
Best Practice | Apply the principle of least privilege |
AWS IAM Policies: Hands-On Lab
Goal
In this lab, you will:
- Explore how policies affect user permissions
- Understand policy inheritance (from groups vs direct attachment)
- Create and test a custom IAM policy
- Verify AdministratorAccess and ReadOnlyAccess behaviors
Step 1: Check Current User Permissions
- Go to IAM, then Users.
- You'll see the user Stephane, currently in the admin group.
- The admin group has the AdministratorAccess policy.
- So Stephane can do anything in AWS.
As the Stephane IAM user, open the IAM console and go to Users: you'll see your own user listed.
Step 2: Remove the User from the Admin Group
- Signed in as the root user or another admin, go to IAM, User groups, admin, then the Users tab.
- Remove Stephane from this group.
Now refresh the IAM Users page in the window where you are logged in as Stephane.
You'll see an error like:
"User ... is not authorized to perform: iam:ListUsers"
This is because Stephane no longer has permission to view users.
It demonstrates that removing a user from a group revokes that group's policies for the user. IAM is eventually consistent, so allow a few seconds for the change to propagate; note that it does not terminate an already-open console session, it only removes what that session is allowed to do.
Step 3: Attach a Read-Only Policy
- As an admin, open IAM, Users, Stephane, then Add permissions.
- Choose Attach policies directly.
- Search for IAMReadOnlyAccess and click Add permission.
Now refresh the IAM console in the Stephane window.
Stephane can view users, groups, and policies again, but cannot create or modify anything.
Try it:
- Create group "developers": you'll get Access denied. This is exactly what read-only means.
Step 4: Add the User to a New Group
Let's test multiple policy sources.
- Go to IAM, User groups, Create group.
- Name: developers
- Add user: Stephane
- Attach any sample managed policy (e.g., AlexaForBusinessFullAccess; the exact policy does not matter for this test).
- Create group.
- Go back to the admin group and add Stephane again.
Now Stephane belongs to:
- admin (AdministratorAccess)
- developers (AlexaForBusinessFullAccess)
- plus a directly attached policy (IAMReadOnlyAccess)
Step 5: View Policy Inheritance
Go to IAM, Users, Stephane, Permissions tab.
You'll see:
- AdministratorAccess (inherited from the admin group)
- AlexaForBusinessFullAccess (from the developers group)
- IAMReadOnlyAccess (attached directly)
This shows how IAM merges permissions from all attached sources: the user gets the union of every Allow. Here the two extra policies add nothing in practice, since AdministratorAccess already allows everything.
Step 6: Inspect Built-in Policies
a) AdministratorAccess
- Click Policies, AdministratorAccess, then the JSON tab:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
"*" for both Action and Resource means all actions on all resources: full admin rights within this account (organization SCPs and permissions boundaries can still restrict it).
b) IAMReadOnlyAccess
- Go to Policies, IAMReadOnlyAccess, JSON tab.
- The core of the policy looks like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*"
      ],
      "Resource": "*"
    }
  ]
}
```
- iam:Get* = any IAM API whose name starts with Get
- iam:List* = any IAM API whose name starts with List
The real AWS managed policy also includes a few more read-only actions, such as iam:GenerateCredentialReport and iam:SimulatePrincipalPolicy, so expect a slightly longer list in the console.
Result: read-only access to IAM resources. Note that Get* includes iam:GetAccountAuthorizationDetails, which returns every policy document in the account; "read-only" still reveals a lot.
Step 7: Create a Custom Policy
Let's build one manually.
- IAM, Policies, Create policy.
- Choose Visual editor.
- Service: IAM
- Actions: ListUsers, GetUser
- Resources: All resources (*)
- Review, then Name: MyIAMPermissions, then Create policy.
Now open the JSON tab of your new policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:GetUser"
      ],
      "Resource": "*"
    }
  ]
}
```
You just created a custom (customer managed) policy that allows only two specific actions. iam:GetUser supports resource-level permissions, so you could tighten "Resource" to a specific user ARN; iam:ListUsers does not, and needs "*".
Step 8: Clean Up
- Delete the developers group.
- Remove the directly attached IAMReadOnlyAccess policy from Stephane.
- Keep Stephane only in the admin group (AdministratorAccess).
Refresh: all permissions restored.
Summary
Concept | Description |
---|---|
Group Policies | Shared permissions for all users in a group |
Inline Policies | Embedded directly in one user, group, or role |
Managed Policies | Standalone policies, created by AWS or by you, reusable across entities |
AdministratorAccess | Action: "*", Resource: "*": full control |
IAMReadOnlyAccess | iam:Get* and iam:List* (plus a few report/simulation actions); no writes |
Custom Policy | Define your own actions and resources |
Least Privilege Principle | Always give the minimal required permissions |
AWS IAM Password Policy & Multi-Factor Authentication (MFA)
Goal
Learn how to:
- Enforce strong password policies for IAM users
- Understand and configure Multi-Factor Authentication (MFA)
- Recognize different types of MFA devices supported by AWS
Step 1: IAM Password Policy
AWS lets you define a password policy that applies to all IAM users in the account (it does not apply to the root user).
This ensures passwords are long, varied, and hard to guess.
You can enforce:
- Minimum password length (6 to 128 characters; 12 or more is a sensible floor)
- Character types:
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Non-alphanumeric characters (e.g., !@#$%)
- Password expiration:
  - Example: users must change their password every 90 days. Current guidance (NIST SP 800-63B) recommends against forced periodic rotation unless a compromise is suspected, so treat this setting as a compliance choice rather than a security gain.
- Password reuse prevention:
  - Users cannot reuse any of their last N passwords (1 to 24)
- Allow or disallow password changes:
  - Admins can restrict users from changing their own passwords
Why it matters
A strong password policy protects your AWS environment from brute-force, credential-stuffing, and password-spraying attacks. It is a baseline, not a substitute for MFA.
Step 2: Multi-Factor Authentication (MFA)
Even strong passwords are not enough;
that's where Multi-Factor Authentication (MFA) comes in.
What is MFA?
MFA adds a second layer of security:
- Something you know: your password
- Something you have: your MFA device
Users must provide both to log in.
Example:
Alice knows her password and has an MFA token on her phone.
Even if her password is stolen, the attacker cannot log in without the device.
Step 3: MFA Benefits
Risk | Without MFA | With MFA |
---|---|---|
Password stolen (phishing, leak, reuse) | Account compromised | Attacker still needs the device |
Shared workstation | Others can log in | Protected |
Remote access | High risk | Second factor required |
Compliance | Weak security | Meets common baseline requirements |
Step 4: Types of MFA Devices in AWS
AWS supports several MFA device types. You must know these for the exam.
Type | Description | Example |
---|---|---|
Virtual MFA Device | App-based TOTP codes on your smartphone | Google Authenticator, Authy |
FIDO Security Key (formerly called U2F) | Physical USB/NFC key using WebAuthn; phishing-resistant | YubiKey by Yubico |
Hardware Key Fob (Gemalto, now Thales) | Physical device that generates TOTP codes | Provided by Gemalto |
GovCloud Key Fob (SurePassID) | Hardware token offered for AWS GovCloud (US) users | SurePassID hardware token |
Step 5: Virtual MFA (Most Common)
Virtual MFA Device Examples
- Google Authenticator (historically tied to a single phone)
- Authy (syncs accounts across multiple devices)
Both can hold tokens for many AWS users and accounts at once.
Why Virtual MFA is the usual choice
- Free and easy to set up
- One app can hold tokens for many users or accounts
- Works for both root and IAM users
Caveat: a TOTP code can be phished (an attacker who captures a fresh code can replay it within its 30-second window), so prefer a FIDO security key for highly privileged users.
Step 6: Physical Security Key (FIDO)
If you prefer hardware:
- Use a FIDO security key (e.g., YubiKey)
- Plug it into your computer's USB port (or tap it via NFC) when logging in
- A single key can be registered for multiple AWS users or accounts
This is ideal for admins managing multiple environments, and it is the only type here that resists phishing, because the browser binds the signature to the real AWS sign-in origin.
Step 7: Government-Grade MFA
If your AWS account is in AWS GovCloud (US),
the GovCloud-specific hardware option is the SurePassID key fob.
Summary
Concept | Description |
---|---|
Password Policy | Enforces password rules for IAM users (length, characters, expiration, reuse prevention) |
MFA (Multi-Factor Authentication) | Adds a second verification factor beyond the password |
Virtual MFA | App-based TOTP (Google Authenticator, Authy) |
Physical MFA | FIDO security key (YubiKey) or hardware TOTP key fob (Gemalto/Thales, SurePassID) |
Best Practice | Enable MFA for the root user and all IAM users, starting with admins |
Exam Tip | Memorize the 4 MFA device types (Virtual, FIDO/U2F, Gemalto, SurePassID) |
AWS IAM Hands-On: Password Policy & MFA Setup
Goal
In this lab, you'll:
- Define a strong password policy for all IAM users
- Enable Multi-Factor Authentication (MFA) for the root user
- Understand how to use an authenticator app to secure your AWS account
Step 1: Set a Password Policy
- In the AWS Console, open IAM.
- On the left menu, click Account settings.
- Under Password policy, click Edit.
You can:
- Use the default IAM policy, or
- Customize it yourself.
Recommended settings
Setting | Example / Description |
---|---|
Minimum length | 12 or more characters (IAM allows 6 to 128) |
Require uppercase | A to Z |
Require lowercase | a to z |
Require numbers | 0 to 9 |
Require non-alphanumeric | !@#$% |
Expire passwords | Every 90 days, if your compliance framework requires it |
Prevent password reuse | Yes (remember the last 5 to 24) |
Allow users to change own password | Yes |
Tip: this helps protect against brute-force and dictionary attacks. The policy only covers IAM users; the root user's password is not governed by it, which is one more reason to protect root with MFA.
Click Save changes when done.
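As an added example (not code from the original notes, and not how AWS implements the policy internally), the following Python mirrors the rules from the table above as a local validator: composition checks against IAM's own symbol set, plus reuse prevention done the way a sensible service does it, by comparing against salted hashes of the last N passwords rather than keeping the passwords. The policy values and the sample passwords are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# The non-alphanumeric characters IAM accepts for the "require symbols" rule.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


@dataclass
class PasswordPolicy:
    """Mirrors the knobs of an IAM account password policy (values are assumptions)."""
    minimum_length: int = 12            # IAM accepts 6 to 128
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_symbols: bool = True
    password_reuse_prevention: int = 5  # remember the last N; IAM allows 1 to 24


def policy_violations(policy, password):
    """Return the rules the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if len(password) > 128:
        problems.append("longer than the IAM maximum of 128 characters")
    checks = [
        (policy.require_uppercase, string.ascii_uppercase, "no uppercase letter"),
        (policy.require_lowercase, string.ascii_lowercase, "no lowercase letter"),
        (policy.require_numbers, string.digits, "no digit"),
        (policy.require_symbols, IAM_SYMBOLS, "no non-alphanumeric character"),
    ]
    for required, alphabet, message in checks:
        if required and not any(ch in alphabet for ch in password):
            problems.append(message)
    return problems


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of the last N passwords so reuse can be
    rejected without ever storing the passwords themselves."""

    def __init__(self, remember):
        self.remember = remember
        self._entries = []              # (salt, digest), oldest first

    @staticmethod
    def _digest(password, salt):
        # 100k iterations is a modest work factor; tune for your verifier's budget.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def seen(self, password):
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        self._entries = self._entries[-self.remember:]   # forget the oldest


def change_password(policy, history, new_password):
    """Apply the composition rules and the reuse rule; record the password on success."""
    problems = policy_violations(policy, new_password)
    if history.seen(new_password):
        problems.append(f"reuses one of the last {history.remember} passwords")
    if problems:
        return False, problems
    history.record(new_password)
    return True, []


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = PasswordHistory(policy.password_reuse_prevention)
    for candidate in ["hunter2", "Correct-Horse-1!", "Correct-Horse-1!", "Battery-Staple-2!"]:
        print(candidate, "->", change_password(policy, history, candidate))
```

The history check is the part people get wrong: storing old passwords in the clear to compare against defeats the purpose, so each entry is a fresh random salt plus a PBKDF2 digest, and comparisons are constant-time.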
Step 2: Enable MFA for the Root Account
- In the top-right corner, click your account name, then choose Security credentials.
- You'll see: "My security credentials (root user)".
- Scroll to Multi-factor authentication (MFA) and click Assign MFA device (labelled Activate MFA in older versions of the console).
Step 3: Select MFA Device Type
AWS offers several device types:
Type | Example | Use Case |
---|---|---|
Authenticator app (Virtual MFA) | Google Authenticator, Authy, Twilio Authenticator | Most common, free |
Security key (FIDO/U2F) | YubiKey USB key | Hardware-based, phishing-resistant |
Hardware TOTP token | Gemalto key fob | Physical token for enterprises |
For this demo, select Authenticator App (virtual MFA).
Step 4: Set Up the Authenticator App
- Open your authenticator app (e.g., Authy or Google Authenticator).
- Click Show QR code in AWS. The QR code encodes the shared secret; anyone who photographs it can generate your codes, so do not screenshot it or share your screen at this step.
- In your app, tap Add account and scan the QR code.
- The app now displays a 6-digit code that changes every 30 seconds (a TOTP code computed from the shared secret and the current time).
Step 5: Verify the MFA Setup
- AWS asks for two consecutive codes from your app, to prove that the app's secret and clock match:
  - First code, e.g. 301935
  - Second code, e.g. 792843
  (Your codes will differ. Wait for the app to roll over to the next code; do not type the same code twice.)
- Enter both codes and click Add MFA.
You'll see the device listed, for example:
MFA device: my iPhone
You can register up to 8 MFA devices per user (root user or IAM user), which lets you keep a backup device.
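What the authenticator app is doing in Steps 4 and 5 is RFC 6238 TOTP, and this added example (not code from the original notes or from AWS) implements it so you can see why two consecutive codes prove that the shared secret and the clock agree, and how a verifier should check a submitted code. The only secret it uses is the RFC 6238 reference secret; the secret in your real QR code is different and must never be pasted into scripts like this.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the way
# authenticator apps and the AWS QR code carry it. Test data only.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32):
    # Apps show the secret in groups of 4 and often without "=" padding.
    normalized = secret_b32.replace(" ", "").upper()
    return base64.b32decode(normalized + "=" * (-len(normalized) % 8))


def totp(secret_b32, at_time, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, mod 10^digits."""
    counter = struct.pack(">Q", int(at_time) // step)          # 8-byte big-endian
    mac = hmac.new(_decode_secret(secret_b32), counter, algorithm).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def two_consecutive_codes(secret_b32, now=None, step=30):
    """The pair AWS asks for at enrollment: this window's code and the next one."""
    now = int(time.time()) if now is None else int(now)
    window_start = (now // step) * step
    return totp(secret_b32, window_start, step), totp(secret_b32, window_start + step, step)


def verify(secret_b32, submitted, now=None, step=30, skew=1):
    """Server-side check: accept the current window plus/minus `skew` windows to
    tolerate clock drift, comparing in constant time. A real verifier must also
    refuse to accept the same code twice (replay within the window)."""
    now = int(time.time()) if now is None else int(now)
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret_b32, now + k * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    first, second = two_consecutive_codes(RFC6238_SECRET)
    print("current code:", first, " next code:", second)
```

Because the code depends only on the secret and the 30-second window counter, the second code AWS asks for is simply the next counter value; if your phone's clock is badly off, the codes will be valid for a different window than the one AWS computes, which is the usual cause of "invalid MFA code" during enrollment.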
Step 6: Test the MFA Login
- Sign out of AWS.
- Sign back in with your root email + password.
- You'll now be prompted for your MFA code.
- Open your authenticator app, enter the current 6-digit code, and submit.
Login succeeds: MFA is working.
Important Notes
- Never lose access to your MFA device. For an IAM user, an administrator can deactivate the device; for the root user, you'll need the alternate recovery process (verification through the root email address and phone number) or AWS Support.
- If you replace your phone, register the new device first (up to 8 per user are allowed), then remove the old one, so you are never without a working factor.
- You can remove or replace MFA devices at any time from the same Security credentials page.
Summary
Concept | Description |
---|---|
Password Policy | Enforces password rules and expiration for IAM users |
MFA (Multi-Factor Auth) | Adds a second layer of security |
Virtual MFA | App-based TOTP (Authy / Google Authenticator) |
Physical MFA | FIDO security key (YubiKey) or hardware TOTP token (Gemalto) |
Best Practice | Enable MFA for root and all admin users |
Exam Tip | Know the different MFA types and their use cases |
Accessing AWS: Console, CLI, and SDK
Goal
Understand the three main ways to access and manage AWS resources:
- AWS Management Console (Web UI)
- AWS CLI (Command Line Interface)
- AWS SDK (Software Development Kit)
Step 1: AWS Management Console (Web Interface)
The AWS Management Console is the web interface you've been using so far.
How it works:
- Accessed through your browser at https://aws.amazon.com/console
- Protected by your username, password, and optionally Multi-Factor Authentication (MFA)
- Easiest option for beginners โ graphical and intuitive
Best for:
- Visual learners
- Beginners exploring AWS
- Manual configurations and demonstrations
Step 2: AWS CLI (Command Line Interface)
The CLI (Command Line Interface) allows you to interact with AWS directly from your terminal or command prompt.
What It Is
A tool that lets you run commands to manage AWS resources.
Every command starts with the word aws.
Example:
```shell
aws s3 ls
aws ec2 describe-instances
aws iam list-users
```
Authentication
The CLI uses access keys:
- Access Key ID: like a username (not secret; long-term keys start with AKIA)
- Secret Access Key: like a password
You generate these from the Management Console, on the Security credentials tab of your IAM user.
Important:
- Never share your access keys or commit them to source control.
- Store them securely; they carry every permission the IAM user has, with no MFA check unless a policy condition demands one.
- Each IAM user should have their own access keys; never create access keys for the root user.
The secret access key is shown only once, at creation time, and you can download both values in a .csv file at that moment.
You configure them on your system using:
```shell
aws configure
```
and provide:
```
AWS Access Key ID: ***************
AWS Secret Access Key: ***************
Default region name: us-east-1
Default output format: json
```
This writes the keys in plaintext to ~/.aws/credentials (%USERPROFILE%\.aws\credentials on Windows), so protect that file as you would a password. After setup, you can use the CLI to automate deployments, run scripts, and manage services faster.
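As an added example (not code from the original notes or from AWS), here is a small Python audit that a practitioner would run against the files aws configure writes and against source trees: it finds access key IDs by their AKIA/ASIA prefix, reports secret keys in masked form only, and labels each CLI profile by whether it rests on a long-term key, a temporary STS key, an assumed role (with or without MFA), or IAM Identity Center. The sample credentials file, config file, and source snippet are constructed; the key values are the placeholder keys used in the AWS documentation.

```python
import configparser
import re

# AWS access key IDs: AKIA = long-term key of a user, ASIA = temporary STS key.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-char secret next to a secret-ish name; the bare token alone is too generic.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_access_key_ids(text):
    """(line number, key id, kind) for each access key ID found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            kind = "long-term" if match.group(1) == "AKIA" else "temporary"
            hits.append((lineno, match.group(0), kind))
    return hits


def find_secret_keys(text):
    """(line number, masked secret): the report never reproduces the secret itself."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, match.group(2)[:4] + "..."))
    return hits


def classify_profiles(credentials_text, config_text):
    """Label each CLI profile by the kind of credential it relies on."""
    creds = configparser.ConfigParser(interpolation=None)
    creds.read_string(credentials_text)
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(config_text)
    labels = {}
    for name in creds.sections():
        section = creds[name]
        key_id = section.get("aws_access_key_id", "")
        if key_id.startswith("ASIA") or "aws_session_token" in section:
            labels[name] = "temporary-key"
        elif key_id.startswith("AKIA"):
            labels[name] = "long-term-key"
    for section_name in conf.sections():
        # ~/.aws/config names profiles "profile xyz"; the default one is just "default".
        name = section_name[len("profile "):] if section_name.startswith("profile ") else section_name
        section = conf[section_name]
        if "role_arn" in section:
            labels[name] = "assumed-role" + ("+mfa" if "mfa_serial" in section else "")
        elif "sso_start_url" in section or "sso_session" in section:
            labels[name] = "identity-center"
        else:
            labels.setdefault(name, "no-credentials")
    return labels


# Constructed sample files (key values are the placeholders from the AWS docs).
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2VjEJr...
"""
SAMPLE_CONFIG = """
[default]
region = us-east-1
output = json

[profile prod-admin]
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/stephane

[profile dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = Developer
"""
SAMPLE_SOURCE = '''
# constructed application snippet that hardcodes credentials (do not do this)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
'''

if __name__ == "__main__":
    print(find_access_key_ids(SAMPLE_SOURCE))
    print(find_secret_keys(SAMPLE_SOURCE))
    print(classify_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG))
```

The prefix check is what makes the first scan useful in incident response: an AKIA key in a leaked file is a standing credential that must be deactivated and rotated, whereas an ASIA key expires on its own and the question becomes which role or user issued it.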
Why Use the CLI?
- Automate repetitive tasks
- Manage infrastructure without using the web UI
- Integrate AWS commands into scripts (e.g., Bash, PowerShell)
Step 3: AWS SDK (Software Development Kit)
The SDK is used by developers to call AWS services directly from within application code.
What It Does
It provides programming libraries to integrate AWS services into your applications, using the same APIs as the console and CLI.
Supported languages:
- Python (boto3)
- JavaScript / Node.js
- Java
- Go
- C++
- .NET
- PHP
- Ruby
There are also Mobile SDKs (for Android/iOS) and IoT SDKs (for connected devices).
Example
The AWS CLI itself is written in Python on top of botocore, the low-level library that boto3 (the AWS SDK for Python) is also built on.
So when you run a command like:
```shell
aws s3 cp file.txt s3://mybucket/
```
you're indirectly using the same Python client code that an SDK application would use. The SDK reads credentials from the same places as the CLI (environment variables, ~/.aws/credentials, or an attached IAM role), so an application running on EC2, Lambda, or ECS should get its credentials from a role rather than from keys baked into the code.
Summary
Access Method | Interface | Authentication | Use Case |
---|---|---|---|
Management Console | Web UI | Username + Password + MFA | Visual management, beginners |
CLI (Command Line Interface) | Terminal | Access Key ID + Secret Key | Automation, scripting, DevOps |
SDK (Software Development Kit) | Application Code | Access Keys | Programmatic AWS integration |
Security Reminder
Rule | Reason |
---|---|
Never share access keys | They carry the full permissions of the user that owns them |
Rotate keys regularly | Limits how long a leaked key stays useful |
Use IAM roles for apps | Temporary, auto-rotated credentials; nothing to hardcode or leak |
Protect the root account with MFA | Prevents takeover of the account itself |
Key Takeaways
- AWS can be accessed via Console, CLI, or SDK.
- CLI is ideal for automation.
- SDK is for integrating AWS into your applications.
- Always follow least privilege and MFA best practices.
Installing AWS CLI (Version 2) on Windows
Goal
Learn how to download, install, and verify the AWS Command Line Interface (CLI) on a Windows machine.
Step 1: Find the Official Installer
- Open your browser and search for: aws cli install windows
- Click the official AWS link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- Find the section "Install the AWS CLI version 2 on Windows".
Step 2: Download the MSI Installer
- Scroll to "Install or update the AWS CLI version 2 on Windows".
- Click the MSI installer download link:
https://awscli.amazonaws.com/AWSCLIV2.msi
- Only download from awscli.amazonaws.com; do not use a mirror found through a search result.
- Once downloaded, open the file to begin installation.
Step 3: Run the Installer
Follow the setup wizard:
- Next
- Accept the License Agreement, then Next
- Install
- When the Windows security prompt appears, check that the publisher shown is Amazon before clicking Yes
- Wait for installation to complete
- Click Finish
The AWS CLI is now installed.
Step 4: Verify the Installation
- Open Command Prompt: press Start, type cmd, then Enter.
- Run the command:
```shell
aws --version
```
Expected output, similar to (the exact fields vary by version):
```
aws-cli/2.x.x Python/3.x.x Windows/10 botocore/2.x.x
```
If you see a version starting with 2, the AWS CLI is correctly installed.
Step 5: Upgrade (Optional)
If you want to upgrade to a newer version later:
- Re-download the latest MSI installer.
- Run it again; it will update your CLI version in place.
Step 6: Verify the PATH (if command not found)
If aws isn't recognized:
- Restart your Command Prompt (it reads PATH only at startup) or your PC.
- If it is still not detected, add the following to your Windows PATH:
C:\Program Files\Amazon\AWSCLIV2\
Then reopen Command Prompt and test again.
Summary
Step | Action |
---|---|
1 | Search for "aws cli install windows" |
2 | Download the MSI installer (Version 2) |
3 | Run the installer |
4 | Verify with aws --version |
5 | Optional: upgrade anytime by re-running the latest installer |
Installing AWS CLI (Version 2) on macOS
Goal
Install and verify the AWS Command Line Interface (CLI) on a Mac, so you can access AWS services from your terminal.
Step 1: Find the Official Installer
- Open your browser and search: install aws cli version 2 mac
- Click the official AWS documentation link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- Scroll to the macOS section titled "Install or update the AWS CLI version 2 on macOS".
Step 2: Download the Installer
Click the .pkg installer link:
https://awscli.amazonaws.com/AWSCLIV2.pkg
This downloads a graphical installer for macOS.
Step 3: Run the Installer
- Open the downloaded .pkg file.
- Follow the steps in the installation wizard:
  - Continue
  - Continue
  - Agree to the license
  - Install for all users on this computer
  - Click Install
- Enter your Mac password if prompted.
- Wait for installation to complete.
- When finished, click Close, then Move to Trash to clean up.
The AWS CLI is now installed.
Step 4: Verify Installation
- Open Terminal (or iTerm2, a free alternative).
- Run this command:
```shell
aws --version
```
- You should see output similar to:
```
aws-cli/2.x.x Python/3.x.x Darwin/23.x.x botocore/2.x.x
```
If you see a version number starting with 2, the AWS CLI installed successfully.
Step 5: Troubleshooting
If you get a "command not found" error:
- Restart your terminal and try again.
- If it still doesn't work, check where the CLI is and whether that directory is on your PATH:
```shell
which aws
echo "$PATH"
```
The first command should return something like:
/usr/local/bin/aws
(the package installs to /usr/local/aws-cli and symlinks aws into /usr/local/bin).
- If not, re-run the .pkg installer; it will recreate the symlinks.
Step 6: Upgrade Later (Optional)
To upgrade the CLI in the future:
- Re-download the latest .pkg installer.
- Run it again; it will replace the existing version.
Summary
Step | Action |
---|---|
1 | Search "Install AWS CLI v2 macOS" |
2 | Download the .pkg installer |
3 | Run the graphical installer |
4 | Verify with aws --version |
5 | Troubleshoot PATH if needed |
6 | Reinstall to upgrade |
๐งฉ Installing AWS CLI (Version 2) on Linux
๐ฏ Goal
Learn how to download, install, and verify the AWS Command Line Interface (CLI) on a Linux system (Ubuntu, Debian, Fedora, CentOS, or Amazon Linux).
๐น Step 1 โ Find the Official Installer
- Open Google and search:
install aws cli version 2 linux
- Click the official AWS documentation link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- Scroll to the section โInstall or update the AWS CLI version 2 on Linux.โ
๐น Step 2 โ Download the Installer
Run the following command in your terminal to download the AWS CLI zip file:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
๐ก For 64-bit ARM systems (aarch64, for example AWS Graviton instances or a Raspberry Pi running a 64-bit OS), use:
curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
โ This downloads the AWS CLI installer package.
๐น Step 3 โ Unzip the Installer
Next, unzip the downloaded file:
unzip awscliv2.zip
If unzip is not installed, install it first. On Debian/Ubuntu:
sudo apt install unzip -y
On RHEL/CentOS/Amazon Linux:
sudo yum install unzip -y
๐น Step 4 โ Run the Installer
Now run the installer with root privileges:
sudo ./aws/install
Enter your password when prompted.
The installer places the CLI under /usr/local/aws-cli and creates a symlink for the aws command at /usr/local/bin/aws.
๐น Step 5 โ Verify the Installation
To make sure AWS CLI is correctly installed, run:
aws --version
โ
Expected output:
aws-cli/2.x.x Python/3.x.x Linux/5.x.x botocore/2.x.x
If you see version 2.x, everything is working correctly.
๐น Step 6 โ (Optional) Upgrade AWS CLI
If you already have an older version and want to update:
sudo ./aws/install --update
๐น Step 7 โ Uninstall AWS CLI (Optional)
If you ever need to remove it, delete the symlinks and the install directory:
sudo rm /usr/local/bin/aws /usr/local/bin/aws_completer
sudo rm -rf /usr/local/aws-cli
โ Summary
Step | Command | Description |
---|---|---|
1 | curl "..." -o "awscliv2.zip" | Download installer |
2 | unzip awscliv2.zip | Extract files |
3 | sudo ./aws/install | Install AWS CLI |
4 | aws --version | Verify installation |
5 | sudo ./aws/install --update | Update CLI (optional) |
6 | sudo rm -rf /usr/local/aws-cli | Remove CLI (optional) |
๐ง Tip
If you get command not found:
- Restart your terminal, or
- Check that /usr/local/bin is in your PATH:
echo $PATH
It should include /usr/local/bin.
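The download, unzip, install and verify steps above as one re-runnable script. This is an added example, not part of the original tutorial. Beyond the steps on the page it also fetches and checks the detached GPG signature AWS publishes next to the zip (the .zip.sig file), picks the right archive for the machine's architecture, and refuses to report success if the aws on the PATH is still a 1.x build (a leftover pip install can shadow v2). Assumptions: curl, unzip, gpg and sudo are available, and the AWS CLI signing key has already been imported into your keyring (the key block is in the AWS CLI User Guide and is not reproduced here); the AWSCLI_INSTALL variable, the file name and the function names are this example's own.

```shell
#!/bin/sh
# install_awscli.sh: added example, not from the original tutorial.
# Installs or updates AWS CLI v2 on Linux from the official zip, verifying the
# detached GPG signature first, then checks the installed binary is a 2.x release.
# Assumes curl, unzip, gpg, sudo, and that the AWS CLI public key is already in
# your keyring (import it from the AWS CLI User Guide; not embedded here).
set -eu

# Map the machine architecture to the official installer URL.
# Prints the URL; fails for architectures AWS does not ship a build for.
awscli_zip_url() {
    case "$1" in
        x86_64)        echo "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" ;;
        aarch64|arm64) echo "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" ;;
        *)             echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Takes the first line of `aws --version` and succeeds only for a 2.x CLI.
is_awscli_v2() {
    case "$1" in
        aws-cli/2.[0-9]*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Download, verify, install, and confirm. Safe to re-run: --update replaces
# an existing install in place.
install_awscli() {
    url=$(awscli_zip_url "$(uname -m)")
    tmp=$(mktemp -d)
    cd "$tmp"
    curl -fsSL "$url" -o awscliv2.zip
    curl -fsSL "$url.sig" -o awscliv2.sig      # detached signature published next to the zip
    gpg --verify awscliv2.sig awscliv2.zip     # set -e aborts here if the signature does not check out
    unzip -q awscliv2.zip
    sudo ./aws/install --update                # installs to /usr/local/aws-cli, symlinks /usr/local/bin/aws
    cd / && rm -rf "$tmp"
    ver=$(aws --version 2>&1 | head -n 1)     # v1 printed its version on stderr, so merge the streams
    is_awscli_v2 "$ver" || { echo "expected AWS CLI v2 on PATH, got: $ver" >&2; return 1; }
    echo "installed: $ver"
}

# Only touch the network and the system when explicitly asked, so the helpers
# above can be sourced and checked on their own.
if [ "${AWSCLI_INSTALL:-0}" = "1" ]; then
    install_awscli
fi
```

Run the full install with `AWSCLI_INSTALL=1 sh install_awscli.sh`. Without that variable the script only defines the helpers, so after a macOS .pkg install you can source it and run `is_awscli_v2 "$(aws --version 2>&1)"` to get the same check there.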
๐งฉ AWS Access Keys and CLI Configuration
๐ฏ Goal
Learn how to:
- Create Access Keys for an IAM user
- Configure them using the AWS CLI
- Verify permissions and test CLI commands
๐น Step 1 โ Create Access Keys
- Sign in to the AWS Management Console as your IAM user (Stephane).
- Click on your username (top right corner) โ select Security credentials.
- Scroll down to Access keys and click Create access key.
๐น Step 2 โ Choose Key Purpose
When prompted:
- Select Command Line Interface (CLI) as your use case.
- AWS may suggest alternatives (like AWS CloudShell or IAM Identity Center) โ you can ignore those for now.
- Check the box: โ โI understand the above recommendationโฆโ
- Then click Create access key.
๐น Step 3 โ Save the Credentials
Youโll see two values:
- Access Key ID (like your username)
- Secret Access Key (like your password)
โ ๏ธ This is the only time you can view or download them.
Click Download .csv or copy them securely to your password manager.
Never share these keys โ they grant direct access to your AWS account.
๐น Step 4 โ Configure the AWS CLI
Now open your terminal (on Windows, macOS, or Linux).
Run:
aws configure
Youโll be prompted to enter:
AWS Access Key ID [None]: <your-access-key-id>
AWS Secret Access Key [None]: <your-secret-access-key>
Default region name [None]: <your-region>
Default output format [None]: json
Example (these are the placeholder credentials AWS uses in its documentation, not real keys):
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCiYEXAMPLE
Default region name [None]: eu-west-1
Default output format [None]: json
โ
The CLI stores these settings in plain text under:
~/.aws/credentials (access key ID and secret)
~/.aws/config (default region and output format)
Keep the credentials file readable only by your own user account.
๐น Step 5 โ Test Your Connection
Run:
aws iam list-users
If your IAM user has permissions, youโll see output similar to:
{
"Users": [
{
"UserName": "Stephane",
"UserId": "AIDAEXAMPLE123",
"Arn": "arn:aws:iam::123456789012:user/Stephane",
"CreateDate": "2024-10-01T14:32:00Z"
}
]
}
โ This confirms your CLI setup works and your credentials are valid.
๐น Step 6 โ Permissions Check (Demo)
Now letโs test how permissions affect CLI access.
From a separate administrator identity (not the root user), remove Stephane from the admin group. Then try running:
aws iam list-users
You'll get an AccessDenied error:
An error occurred (AccessDenied) when calling the ListUsers operation
โ This proves that CLI permissions = IAM user permissions.
- Add Stephane back into the admin group to restore access:
  - Go to IAM โ Groups โ admins โ Add user
  - Select Stephane
  - Click Add to group
โ Permissions restored.
๐น Step 7 โ Key Takeaways
Concept | Description |
---|---|
Access Key ID | Identifies your IAM user |
Secret Access Key | Private credential (like a password) |
aws configure | Stores credentials and default region locally |
Permissions | Same in CLI and Console |
Best Practice | Never share access keys โ rotate them regularly |
๐ง Quick Tip
If you ever lose or expose your access keys:
- Deactivate and then delete them immediately from the Security credentials page.
- Create a new key pair.
- Update your CLI configuration using aws configure.
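As an added example (not from the original tutorial), a small shell audit of the files that aws configure writes. It lists the profiles, warns when the credentials file is readable by other local users, and classifies every access key ID it finds by prefix: AKIA keys are long-term IAM user keys that must be protected and rotated, ASIA keys are temporary STS credentials (the kind an assumed role or a CloudShell session uses) that expire on their own. The demo file it writes is constructed: AKIAIOSFODNN7EXAMPLE and the secret are the placeholder credentials from AWS documentation, the ASIA key and session token are made up for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# audit_aws_credentials.sh: added example, not from the original tutorial.
# Hygiene checks for ~/.aws/credentials and ~/.aws/config: list profiles,
# verify the file is private, and classify the access key IDs found.
set -eu

# Print the profile names ([default], [profile x] or [x]) in an AWS config or
# credentials file, one per line.
aws_profiles() {
    sed -n 's/^\[\(profile \)\{0,1\}\([^]]*\)\]$/\2/p' "$1"
}

# Print every access key ID in a file (AKIA or ASIA followed by 16 chars).
# Also handy against a repository checkout to find keys committed by mistake.
aws_access_key_ids() {
    grep -Eo '(AKIA|ASIA)[0-9A-Z]{16}' "$1" | sort -u
}

# Classify a key ID by prefix: long-term keys must be rotated by hand,
# temporary STS keys expire on their own.
aws_key_kind() {
    case "$1" in
        AKIA*) echo "long-term" ;;
        ASIA*) echo "temporary" ;;
        *)     echo "unknown" ;;
    esac
}

# Succeed only if the file is readable and writable by its owner alone (0600).
# Tries GNU stat (Linux) first, then BSD stat (macOS).
aws_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Run all checks against one credentials file and report.
aws_audit_credentials() {
    f="$1"
    echo "profiles in $f:"
    aws_profiles "$f" | sed 's/^/  /'
    if aws_file_is_private "$f"; then
        echo "permissions: ok (0600)"
    else
        echo "permissions: WARNING, $f is readable by other users; run: chmod 600 $f"
    fi
    aws_access_key_ids "$f" | while read -r id; do
        echo "key $id: $(aws_key_kind "$id")"
    done
}

# Constructed demo file; AWS doc placeholders plus a made-up temporary key.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCiYEXAMPLE

[cloudshell-demo]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCiYEXAMPLE
aws_session_token = FwoGZXIvYXdzEXAMPLE
EOF
chmod 644 "$demo"          # deliberately too open, to show the warning
aws_audit_credentials "$demo"
chmod 600 "$demo"          # the mode the real file should have
aws_audit_credentials "$demo"
rm -f "$demo"
```

Point aws_audit_credentials at $HOME/.aws/credentials to check your real file. One more check worth knowing: aws iam list-users only succeeds when the user holds iam:ListUsers, whereas aws sts get-caller-identity works with any valid credentials regardless of IAM permissions, so it is the better first test of whether the keys themselves are accepted.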
๐งฉ Using AWS CloudShell
๐ฏ Goal
Learn how to use AWS CloudShell โ a built-in, browser-based terminal that lets you run AWS CLI commands directly in the AWS Management Console without installing anything locally.
๐น Step 1 โ What Is CloudShell?
AWS CloudShell is a browser-based command line environment preconfigured with:
- The AWS CLI (v2)
- Python, bash, zsh, and PowerShell
- Persistent storage for your files and scripts
โ Itโs free to use and runs securely in your AWS account.
๐น Step 2 โ Launching CloudShell
- In the AWS Management Console, look at the top-right corner for the CloudShell icon (a small terminal symbol).
- Click it to open a new CloudShell session.
โ ๏ธ If you donโt see the icon, CloudShell may not be available in your region.
Visit: AWS CloudShell Regional Availability
Choose a region where it's supported (for example, us-east-1, us-west-2, eu-west-1).
๐น Step 3 โ How CloudShell Works
When CloudShell starts:
- It automatically provisions a Linux shell inside your AWS account.
- It uses temporary credentials tied to your logged-in IAM user or role.
- The AWS CLI is already installed and ready to use.
To verify:
aws --version
Example output:
aws-cli/2.1.0 Python/3.8.8 Linux/5.10.0 botocore/2.0.0
โ You can now run any AWS CLI command โ no setup required!
๐น Step 4 โ Running AWS CLI Commands
Example:
aws iam list-users
This command works the same way as on your local CLI โ using your IAM credentials for authentication.
๐ก The default region in CloudShell matches the AWS region youโre currently logged into in the console.
You can change it anytime by adding:
--region <region-code>
Example:
aws s3 ls --region us-west-2
๐น Step 5 โ Persistent File Storage
CloudShell provides 1 GB of persistent storage per region.
Try this:
echo "test file from CloudShell" > demo.txt
Now run:
ls
โ
You'll see demo.txt.
Even if you close or restart CloudShell, this file remains saved.
๐น Step 6 โ Uploading and Downloading Files
CloudShell lets you easily transfer files between your computer and AWS.
๐ค Upload a file:
Click the Actions menu (โฎ) โ Upload file โ select a local file.
๐ฅ Download a file:
- Get the full path:
pwd
- Right-click the file in the CloudShell file list โ Download file.
Example:
- File:
demo.txt
- Path:
/home/cloudshell-user/demo.txt
- Action: Download โ file will be saved to your computer.
๐น Step 7 โ Customizing CloudShell
You can personalize CloudShell appearance and layout:
- Themes: Light or Dark mode
- Font size: Small, Medium, Large
- Split panes:
  - New tab
  - Split horizontally or vertically for multitasking
๐ก Example: Split CloudShell into two panes; run aws s3 ls in one, and aws ec2 describe-instances in the other.
๐น Step 8 โ When to Use CloudShell
Use Case | Recommendation |
---|---|
You need quick access to AWS CLI | โ Use CloudShell |
You donโt want to install the CLI locally | โ Use CloudShell |
You need automation or scripting on your local environment | โ Use AWS CLI on your machine |
Your region doesnโt support CloudShell | โ Use local CLI instead |
โ Summary
Feature | Description |
---|---|
CloudShell | Browser-based AWS CLI environment |
Availability | Only in supported regions |
Credentials | Automatically uses your IAM session |
Persistence | 1 GB of file storage per region |
File Actions | Upload, download, and manage files |
Customization | Adjustable font, theme, and tabs |
Alternative to CLI | No installation required |
Bottom Line:
You can use CloudShell or your local CLI โ both work the same way.
Choose whichever is more convenient for your workflow or available in your region.