DEV Community

Aisalkyn Aidarova

IAM in AWS

🧩 AWS IAM (Identity and Access Management)

1. What Is IAM?

IAM stands for Identity and Access Management.
It's a global AWS service that helps you securely control access to your AWS resources.

You use IAM to:

  • Create and manage users, groups, and permissions.
  • Control who can access AWS resources and what actions they can perform.

2. The Root User

When you first create your AWS account, AWS automatically creates a root user — the account owner.
Use it only once to:

  • Set up billing
  • Enable MFA (Multi-Factor Authentication)
  • Create your admin user

After setup:

❌ Do not use or share the root account again.


3. Users and Groups

Each user represents a real person or application.
You can group users logically — for example:

| Group Name | Members | Purpose |
|---|---|---|
| Developers | Alice, Bob, Charles | Build & deploy |
| Operations | David, Edward | Manage infra |
| Audit Team | Charles, David | Review access |

Notes:

  • Groups contain only users (no nested groups).
  • Users can belong to multiple groups.
  • A user can exist without belonging to any group, though this is not best practice.

4. IAM Policies (Permissions)

To control what users can do, IAM uses policies — JSON documents that define permissions.

Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

This policy allows only the read-only Describe* calls for:

  • EC2 (describe instances)
  • Elastic Load Balancing
  • CloudWatch

5. Principle of Least Privilege

Always follow the Least Privilege Principle:

Give each user only the permissions they need to perform their job — nothing more.

This reduces:

  • Security risks
  • Unnecessary costs

6. Summary

| Concept | Description |
|---|---|
| IAM | Global service to manage identities and access |
| Root User | Full access; use only for initial setup |
| Users | Represent people or apps |
| Groups | Logical collections of users |
| Policies | JSON permissions attached to users/groups |
| Least Privilege | Give minimal access required |

🧩 AWS IAM Hands-On: Creating Users and Groups

🎯 Goal

You'll create a new IAM user and admin group in AWS — instead of using the root account, which is unsafe for daily operations.


🪪 Step 1: Open the IAM Console

  1. Sign in to your AWS Management Console using your root account (only for setup).
  2. In the search bar, type IAM, then open IAM.

👉 You'll land on the IAM Dashboard.

Notice:

  • There's no region selector (top-right corner). IAM is a global service.

👥 Step 2: Go to Users

  1. On the left-hand menu → click Users.
  2. Then click "Create user."

🧍 Step 3: Add a User

  1. User name: stephane (you can use your own name).
  2. Select "Provide user access to the AWS Management Console."

Then choose:

  • IAM user (not Identity Center – simpler for now).
  • Set a password:

    • Choose Custom password.
    • Uncheck "User must create a new password at next sign-in" if this is your own test user.

Click Next.


🧩 Step 4: Add Permissions (Create a Group)

  1. Choose "Add user to group."
  2. Click Create group.
  3. Group name: admin
  4. Search for and attach the AdministratorAccess policy.
  5. Create the group.

✅ Now your user stephane will belong to the admin group.

Click Next.


🏷️ Step 5: Add Tags (Optional)

Tags help you organize and track resources. Example:

| Key | Value |
|---|---|
| Department | Engineering |

Click Next → Review the configuration → Create user.


📄 Step 6: Save the Credentials

After creation, you'll see:

  • A link to download a .csv file with the credentials.
  • Or email sign-in instructions to your user.

Save these securely.


🧑‍💻 Step 7: Verify the User and Group

  • Go to Users → stephane → check the Permissions tab.
    You'll see AdministratorAccess (inherited from group admin).

  • Go to User groups → admin → check the Permissions tab.
    You'll see the AdministratorAccess policy.

✅ This confirms that stephane inherits permissions from the admin group.


🌐 Step 8: Create an Account Alias

To make login easier:

  1. Go to IAM Dashboard → Account alias → Create alias. Example: aws-stephane-v5
  2. The new sign-in URL will be:
     https://aws-stephane-v5.signin.aws.amazon.com/console

🔐 Step 9: Sign in as IAM User

  1. Open a private/incognito window in your browser.
  2. Paste the sign-in URL.
  3. Choose IAM user.
  4. Enter:
     • Account alias or Account ID
     • Username: stephane
     • Password: the one you set

You are now logged in as IAM user stephane.

In the top-right corner, you'll see:

  • IAM user: stephane
  • Your Account ID

⚠️ Step 10: Keep Both Accounts Safe

| Account | Usage |
|---|---|
| Root User | Only for initial setup and billing |
| IAM User (Admin) | For all daily AWS operations |

❗ If you lose both credentials, only AWS Support can recover your account — so store them safely.


✅ Summary

| Concept | Description |
|---|---|
| IAM | Global service for managing users & permissions |
| Root User | Full access — use only for setup |
| IAM User | Individual identity for people or apps |
| Groups | Logical containers for users (simplify management) |
| Policies | JSON documents defining permissions |
| Alias | Custom URL for easier login |

🧩 AWS IAM Practice Lab — Creating a User and Group

🎯 Goal

In this lab, you'll learn how to:

  • Create an IAM user
  • Create an admin group
  • Assign permissions through a policy
  • Log in as the new user using a custom sign-in URL

🔹 Step 1 – Open the IAM Console

  1. Sign in to AWS with your root account.
  2. In the AWS search bar, type IAM → click IAM.
  3. You'll see the IAM Dashboard.
     • Some security recommendations appear — ignore them for now.
     • Notice in the top-right corner: there's no Region selector.

     ✅ IAM is a global service, not tied to any region.


🔹 Step 2 – Check Current User

  1. Look at the top-right corner of the console.
  2. If it shows only the account ID, you're signed in as the root user.

⚠️ The root account has unlimited power and should be used only for setup.

We'll now create an admin IAM user to use instead.


🔹 Step 3 – Create a New IAM User

  1. In the left menu, click Users → Create user.
  2. User name: stephane (or your own name).
  3. Under Console access, select:
     • ✅ "Provide user access to the AWS Management Console"
     • Choose IAM user (not Identity Center – simpler for now).
  4. Set a password:
     • Option A – Auto-generate (for other people)
     • Option B – Custom password (enter your own)
     • Uncheck "User must create a new password at next sign-in" if it's your test account.
  5. Click Next.

🔹 Step 4 – Create an Admin Group

  1. Choose Add user to group → Create group.
  2. Group name: admin
  3. Search for and attach the AdministratorAccess policy.
  4. Click Create group.
  5. Ensure your user (stephane) is added to that group.
  6. Click Next.

🔹 Step 5 – Add Optional Tags

Tags add metadata for organization (optional).
Example:

| Key | Value |
|---|---|
| Department | Engineering |

Click Next → Create user.


🔹 Step 6 – Save the Credentials

  • Download the .csv file (contains user credentials).
  • Or email the sign-in instructions. Keep these safe — you'll need them for login.

🔹 Step 7 – Verify User and Group

  1. Go to Users → stephane → Permissions → You'll see AdministratorAccess (inherited from the admin group).
  2. Go to User groups → admin → Permissions → Confirms AdministratorAccess is attached.

✅ The user inherits the group's permissions.


🔹 Step 8 – Create an Account Alias

A custom alias makes sign-in easier.

  1. On the IAM Dashboard → Account alias → Create alias. Example: aws-stephane-v5
  2. Now your console URL becomes:
     https://aws-stephane-v5.signin.aws.amazon.com/console

🔹 Step 9 – Sign In as IAM User

  1. Open a private/incognito window.
  2. Visit your sign-in URL.
  3. Choose IAM user.
  4. Enter:
     • Account alias or Account ID
     • User name: stephane
     • Password: the one you set.
  5. Click Sign In.

Now, at the top-right corner you'll see:
Account ID | IAM user: stephane

You can keep:

  • Root account in one browser window (normal mode)
  • IAM user in another (private mode) to work with both simultaneously.

🔹 Step 10 – Best Practices

| Account | When to Use | Notes |
|---|---|---|
| Root User | Only for billing & initial setup | Enable MFA, keep credentials safe |
| IAM Admin User | Everyday management | Add more users and policies here |

⚠️ Losing both the root and admin credentials requires AWS Support recovery.


✅ Summary

| Concept | Description |
|---|---|
| IAM | Global service to manage identities and permissions |
| Root User | Highest-privilege account, use sparingly |
| IAM User | Individual identity for people or apps |
| Groups | Simplify permission management |
| Policies | JSON rules that define allowed actions |
| Account Alias | Friendly URL for sign-in |

🧩 AWS Multi-Session Support (Multiple Accounts in One Browser)

🎯 Goal

Learn how to use multi-session support in the AWS Console — a new feature that lets you stay signed in to multiple AWS accounts or roles simultaneously in the same browser.


🔹 Step 1 – Enable Multi-Session Support

  1. In the AWS Management Console, look at the top-right corner of your screen.
  2. Click on your account name or ID.
  3. Select Multi-Session Support → Turn on.

✅ This allows you to manage separate sessions within one browser tab group.


🔹 Step 2 – Add a New Session

  1. Click Add session.
  2. You'll be asked to sign in again — using:
     • Another account ID, alias, or role, and
     • The corresponding IAM user credentials.
  3. Once logged in, AWS opens a second session within the same browser.

Now, at the top of your screen you'll notice each session clearly labeled with a different account ID or role name.


🔹 Step 3 – Verify the Sessions

To confirm you're truly using separate accounts:

  1. In Session 1, open the EC2 → Volumes page.
  2. Create a quick EBS volume (1 GiB) just for testing.

     You don't need to know EBS yet — this is just a proof of concept.

  3. In Session 2, open EC2 → Volumes again.
     • You'll see no volumes listed, because this is a different account.

✅ Result: Both sessions are independent — same browser, different accounts.


🔹 Step 4 – Why It's Useful

Before multi-session support, engineers had to:

  • Use different browsers (Chrome + Firefox + Safari), or
  • Use private/incognito windows for each AWS account.

Now you can:

  • Quickly switch between accounts or roles,
  • Manage dev / staging / prod environments from one browser,
  • Avoid repeated log-ins and MFA prompts.

💡 This is especially helpful for DevOps engineers or admins who manage multiple AWS environments or customer accounts.


✅ Summary

| Feature | Description |
|---|---|
| Multi-Session Support | Lets you open multiple AWS accounts/roles in one browser |
| Enabled From | Account Menu → Multi-Session Support |
| Use Case | Manage several AWS environments side-by-side |
| Old Method | Separate browsers / incognito windows |
| Now | Tabs or sessions in one browser with clear labels |

🧩 AWS IAM Policies — In Depth

🎯 Goal

Understand how IAM policies work — how they are structured, attached, and evaluated across users, groups, and roles.


👥 Step 1 – How Policies Are Applied

Let's start with an example organization:

| Group | Members | Description |
|---|---|---|
| Developers | Alice, Bob, Charles | Have developer-level access |
| Operations | David, Edward | Manage infrastructure |
| Audit Team | Charles, David | Read-only audit access |

Now:

  • If you attach a policy to the Developers group → Alice, Bob, and Charles all inherit that policy.
  • The Operations group will have its own separate policy.
  • A user like Fred may exist without a group → but can still have permissions using an inline policy.

🔹 Inline policy: A policy attached directly to one user (not reusable).
🔹 Managed policy: A reusable policy you can attach to multiple users/groups.

Example of Policy Inheritance

| User | Gets Policy From |
|---|---|
| Charles | Developers + Audit |
| David | Operations + Audit |
| Fred | Inline Policy only (optional) |

✅ This is how AWS permissions layer together.


🧩 Step 2 – IAM Policy Structure (JSON)

Every IAM policy is a JSON document that follows a standard format.
Here's an example:

{
  "Version": "2012-10-17",
  "Id": "PolicyExample1",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-example-bucket"
    }
  ]
}

Let's break it down 👇

| Key | Meaning | Example |
|---|---|---|
| Version | Defines the policy language version (always "2012-10-17") | "Version": "2012-10-17" |
| Id | Optional identifier for the policy | "Id": "PolicyExample1" |
| Statement | Main policy rules — one or more blocks | [ {...} ] |
| Sid | Optional statement ID (for reference) | "Sid": "1" |
| Effect | "Allow" or "Deny" the actions listed | "Effect": "Allow" |
| Principal | Who this policy applies to (user, account, or role) | "Principal": {"AWS": "arn:aws:iam::123456789012:root"} |
| Action | The API actions being allowed or denied | "Action": "s3:ListBucket" |
| Resource | The resources these actions apply to | "Resource": "arn:aws:s3:::my-example-bucket" |
| Condition | (Optional) Adds logic for when to apply | e.g., "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} |

🧠 Step 3 – The Most Important Four

For the AWS Certified Solutions Architect or DevOps Engineer exams,
you must clearly understand these 4 key fields:

| Element | Description |
|---|---|
| Effect | Whether access is allowed or denied |
| Principal | The identity the policy applies to |
| Action | The specific AWS API calls allowed or denied |
| Resource | The specific AWS resources those actions apply to |

💡 AWS always evaluates policies by combining explicit denies and allows:

  • An explicit deny always wins.
  • An explicit allow grants permission if no deny exists.

🧩 Step 4 – Optional Elements

  • Condition: Controls when a policy applies. Example: Allow access only if MFA is enabled or if access is from a specific IP.
  • Sid (Statement ID): Label for identifying specific rules in a policy.

✅ Summary

| Concept | Description |
|---|---|
| IAM Policy | JSON document defining permissions |
| Group Policy | Shared by all users in a group |
| Inline Policy | Attached to one user only |
| Managed Policy | Reusable policy managed by AWS or you |
| Main Elements | Effect, Principal, Action, Resource |
| Optional Elements | Condition, Sid |
| Best Practice | Apply the Least Privilege Principle |

🧩 AWS IAM Policies — Hands-On Lab

🎯 Goal

In this lab, you will:

  • Explore how policies affect user permissions
  • Understand policy inheritance (from groups vs direct attachment)
  • Create and test a custom IAM policy
  • Verify AdministratorAccess and ReadOnlyAccess behaviors

🔹 Step 1 – Check Current User Permissions

  1. Go to IAM → Users.
  2. You'll see the user Stephane — currently in the admin group.
     • The admin group has the AdministratorAccess policy.
     • So Stephane can do anything in AWS.

✅ As the Stephane IAM user, open IAM Console → Users — you'll see your own user listed.


🔹 Step 2 – Remove the User from the Admin Group

  1. From the root account or another admin, go to IAM → User groups → admin → Users tab.
  2. Remove Stephane from this group.

Now refresh the IAM → Users page while logged in as Stephane.

❗ You'll see:
"Access Denied: iam:ListUsers"
→ Because Stephane no longer has permission to view users.

This demonstrates that removing a user from a group immediately revokes the policies inherited from that group.


🔹 Step 3 – Attach a Read-Only Policy

  1. As an admin, open IAM → Users → Stephane → Add permissions.
  2. Choose Attach policies directly.
  3. Search for IAMReadOnlyAccess → Add permission.

Now, refresh the Stephane user's IAM console.

✅ Stephane can view users, groups, and policies again.
❌ But cannot create or modify anything.

Try:

  • Create group → "developers" → You'll see Access denied. → This is exactly what read-only means.

🔹 Step 4 – Add the User to a New Group

Let's test multiple policy sources.

  1. Go to IAM → User groups → Create group
     • Name: developers
     • Add user: Stephane
     • Attach any sample policy (e.g., AlexaForBusinessFullAccess)
     • Create group
  2. Go back to the admin group → Add user → Stephane.

Now Stephane belongs to:

  • admin (AdministratorAccess)
  • developers (AlexaForBusinessFullAccess)
  • plus a directly attached policy (IAMReadOnlyAccess)

🔹 Step 5 – View Policy Inheritance

Go to IAM → Users → Stephane → Permissions tab

You'll see:

  1. AdministratorAccess (inherited from admin group)
  2. AlexaForBusinessFullAccess (from developers group)
  3. IAMReadOnlyAccess (attached directly)

✅ This shows how IAM merges permissions from all attached sources.


🔹 Step 6 – Inspect Built-in Policies

a) AdministratorAccess

  • Click on Policies → AdministratorAccess → JSON tab

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

⭐ * means all actions on all resources — full admin rights.

b) IAMReadOnlyAccess

  • Go to Policies → IAMReadOnlyAccess → JSON
  • You'll see:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*"
      ],
      "Resource": "*"
    }
  ]
}

⭐ Get* = any API starting with Get
⭐ List* = any API starting with List
→ Read-only access to IAM resources.
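Added example, not code from the post or from AWS: a small Python model that replays this lab offline with the three policies shown above, merging group and directly attached policies the way the Permissions tab lists them and applying the rule from "The Most Important Four" (an explicit Deny wins, any Allow grants, and with no matching statement the result is the implicit deny behind the "Access Denied: iam:ListUsers" message of Step 2). It matches Action wildcards such as iam:Get* the way the built-in policies use them. Assumptions: the DENY_DELETE_USER policy and the contents of the developers group are constructed for the example, and Resource ARNs, Conditions, resource-based policies, permission boundaries and SCPs are left out of the model.

```python
"""Offline model of IAM identity-policy evaluation for the lab above (added example)."""
from fnmatch import fnmatchcase

# Policies from the post, as Python dicts so the file runs without AWS access.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
IAM_READ_ONLY_ACCESS = {  # as shown in Step 6 of the lab
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}],
}
MY_IAM_PERMISSIONS = {  # the custom policy built in Step 7
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetUser"], "Resource": "*"}],
}
# Constructed for this example (not in the post): an explicit Deny that a security team
# might attach to a group so that even administrators cannot delete users.
DENY_DELETE_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts "Action": "x" or "Action": ["x", "y"]; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    """True if any Action pattern in the statement covers the action.
    IAM action names are case-insensitive and '*' matches any run of characters."""
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement["Action"]))


def evaluate(policies, action):
    """Decide one API action against a set of identity policies.
    Returns "ExplicitDeny", "Allow" or "ImplicitDeny"."""
    decision = "ImplicitDeny"          # default when no statement matches
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"  # a Deny anywhere ends the evaluation
            decision = "Allow"         # an Allow grants unless a Deny turns up
    return decision


def policies_for(user, memberships, group_policies, direct_policies):
    """Everything the Permissions tab lists: each group's policies plus direct attachments."""
    applicable = []
    for group in memberships.get(user, []):
        applicable.extend(group_policies.get(group, []))
    applicable.extend(direct_policies.get(user, []))
    return applicable


def lab_walkthrough():
    """Replay Steps 1-4 of the lab and record the decision at each point."""
    group_policies = {"admin": [ADMINISTRATOR_ACCESS],
                      "developers": [DENY_DELETE_USER]}   # constructed group content
    memberships = {"Stephane": ["admin"]}
    direct = {}
    results = {}

    def decide(action):
        return evaluate(policies_for("Stephane", memberships, group_policies, direct), action)

    results["step1_admin_lists_users"] = decide("iam:ListUsers")   # Allow via AdministratorAccess
    memberships["Stephane"] = []                                   # Step 2: removed from admin
    results["step2_no_group"] = decide("iam:ListUsers")            # ImplicitDeny -> Access Denied
    direct["Stephane"] = [IAM_READ_ONLY_ACCESS]                    # Step 3: attached directly
    results["step3_list_users"] = decide("iam:ListUsers")          # Allow (matches iam:List*)
    results["step3_create_group"] = decide("iam:CreateGroup")      # ImplicitDeny: read-only
    memberships["Stephane"] = ["admin", "developers"]              # Step 4: two groups + direct
    results["step4_create_group"] = decide("iam:CreateGroup")      # Allow via AdministratorAccess
    results["step4_delete_user"] = decide("iam:DeleteUser")        # ExplicitDeny beats the Allow
    return results


if __name__ == "__main__":
    for step, decision in lab_walkthrough().items():
        print(f"{step:26s} {decision}")
```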


🔹 Step 7 – Create a Custom Policy

Let's build one manually.

  1. IAM → Policies → Create policy
  2. Choose Visual editor
  3. Service: IAM
  4. Actions:
     • ListUsers
     • GetUser
  5. Resources: All resources (*)
  6. Review → Name: MyIAMPermissions → Create policy

Now open the JSON tab of your new policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:GetUser"
      ],
      "Resource": "*"
    }
  ]
}

✅ You just created a custom IAM policy that allows only two specific actions.


🔹 Step 8 – Clean Up

  1. Delete the developers group.
  2. Remove the IAMReadOnlyAccess policy directly from Stephane.
  3. Keep Stephane only in the admin group (AdministratorAccess).

Refresh → all permissions restored. ✅


✅ Summary

| Concept | Description |
|---|---|
| Group Policies | Shared permissions for all users in a group |
| Inline Policies | Attached directly to one user |
| Managed Policies | AWS-created or reusable policies |
| AdministratorAccess | Action: *, Resource: * → Full control |
| IAMReadOnlyAccess | Only Get* and List* actions |
| Custom Policy | Define your own actions & resources |
| Least Privilege Principle | Always give minimal required permissions |

🧩 AWS IAM Password Policy & Multi-Factor Authentication (MFA)

🎯 Goal

Learn how to:

  • Enforce strong password policies for IAM users
  • Understand and configure Multi-Factor Authentication (MFA)
  • Recognize different types of MFA devices supported by AWS

🔹 Step 1 – IAM Password Policy

AWS lets you define a password policy for all IAM users.
This ensures passwords are strong, regularly updated, and hard to guess.

🔧 You can enforce:

  1. Minimum password length (e.g., 8–12 characters)
  2. Character types:
     • Uppercase letters
     • Lowercase letters
     • Numbers
     • Non-alphanumeric characters (e.g., !@#$%)
  3. Password expiration:
     • Example: users must change their password every 90 days
  4. Password reuse prevention:
     • Users cannot reuse previous passwords
  5. Allow or disallow password changes:
     • Admins can restrict users from changing their own passwords

🛡️ Why it matters

A strong password policy protects your AWS environment from brute-force attacks and unauthorized access.


🔹 Step 2 – Multi-Factor Authentication (MFA)

Even strong passwords are not enough —
that's where Multi-Factor Authentication (MFA) comes in.

🔐 What is MFA?

MFA adds a second layer of security:

  • Something you know → your password
  • Something you have → your security device

✅ Users must provide both to log in.

Example:

Alice knows her password and has an MFA token on her phone.
Even if her password is stolen, the hacker cannot log in without the device.


🔹 Step 3 – MFA Benefits

| Risk | Without MFA | With MFA |
|---|---|---|
| Password stolen | Account compromised | Still secure |
| Shared workstation | Others can log in | Protected |
| Remote access | High risk | MFA required |
| Compliance | Weak security | Meets best practices |

🔹 Step 4 – Types of MFA Devices in AWS

AWS supports several MFA device types. You must know these for the exam.

| Type | Description | Example |
|---|---|---|
| Virtual MFA Device | App-based MFA using your smartphone | Google Authenticator, Authy |
| U2F Security Key | Physical USB security key | YubiKey by Yubico |
| Hardware Key Fob (Gemalto) | Physical device that generates codes | Provided by Gemalto |
| GovCloud Key Fob (SurePassID) | Specialized device for AWS GovCloud users | SurePassID hardware token |

🔹 Step 5 – Virtual MFA (Most Common)

📱 Virtual MFA Device Examples

  • Google Authenticator (one account per device)
  • Authy (multiple accounts on a single device)

💡 Why Virtual MFA is Best

  • Free and easy to set up
  • Supports multiple users or accounts
  • Works across all AWS account types (root & IAM)

🔹 Step 6 – Physical Security Key (U2F)

If you prefer hardware:

  • Use a U2F Security Key (e.g., YubiKey)
  • Plug it into your computer's USB port when logging in
  • Can be shared across multiple AWS users or accounts

This is ideal for admins managing multiple environments.


🔹 Step 7 – Government-Grade MFA

If your AWS account is part of AWS GovCloud (U.S.),
you must use an approved hardware MFA token (e.g., SurePassID).


✅ Summary

| Concept | Description |
|---|---|
| Password Policy | Enforces strong password rules (length, characters, expiration, reuse prevention) |
| MFA (Multi-Factor Authentication) | Adds an extra verification layer beyond passwords |
| Virtual MFA | App-based (Google Authenticator, Authy) |
| Physical MFA | Hardware key fob (Gemalto, YubiKey) |
| Best Practice | Enable MFA for root and all IAM users |
| Exam Tip | Memorize the 4 MFA device types (Virtual, U2F, Gemalto, SurePassID) |

🧩 AWS IAM Hands-On: Password Policy & MFA Setup

🎯 Goal

In this lab, you'll:

  1. Define a strong password policy for all IAM users
  2. Enable Multi-Factor Authentication (MFA) for the root user
  3. Understand how to use an authenticator app to secure your AWS account

🔹 Step 1 – Set a Password Policy

  1. In the AWS Console, open IAM.
  2. On the left menu, click Account settings.
  3. Under Password policy, click Edit.

You can:

  • ✅ Use the default IAM policy, or
  • 🔧 Customize it yourself.

Recommended settings

| Setting | Example / Description |
|---|---|
| Minimum length | 8–12 characters |
| Require uppercase | A–Z |
| Require lowercase | a–z |
| Require numbers | 0–9 |
| Require non-alphanumeric | !@#$% |
| Expire passwords | Every 90 days |
| Prevent password reuse | Yes |
| Allow users to change own password | Yes |

💡 This helps protect against brute-force and dictionary attacks.

Click Save changes when done.


🔹 Step 2 – Enable MFA for the Root Account

  1. In the top-right corner, click your account name → choose Security credentials.
  2. You'll see: "My security credentials (root user)".
  3. Scroll to Multi-factor authentication (MFA) → click Activate MFA.

🔹 Step 3 – Select MFA Device Type

AWS offers several device types:

| Type | Example | Use Case |
|---|---|---|
| Authenticator app (Virtual MFA) | Google Authenticator, Authy, Twilio Authenticator | Most common, free |
| Security key (U2F) | YubiKey USB key | Hardware-based, very secure |
| Hardware TOTP token | Gemalto key fob | Physical token for enterprises |

For this demo, select Authenticator App (virtual MFA).


🔹 Step 4 – Set Up the Authenticator App

  1. Open your authenticator app (e.g., Authy or Google Authenticator).
  2. Click Show QR code in AWS.
  3. In your app, tap Add account → Scan QR code.
  4. The app now displays a 6-digit code that changes every 30 seconds.

🔹 Step 5 – Verify the MFA Setup

  1. AWS will ask for two consecutive codes from your app. Example:
     • First code → 301935
     • Second code → 792843 (Your codes will differ.)
  2. Enter both codes and click Add MFA.

✅ You'll see the device listed, for example:
MFA device: my iPhone
You can register up to 8 MFA devices per account.
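Added example, not code from the post, from AWS or from any authenticator app: the arithmetic behind the 6-digit code that changes every 30 seconds, in Python. The QR code carries a base32 secret, and the app and AWS each compute TOTP (RFC 6238: HMAC-SHA1 over the current 30-second counter, dynamically truncated to 6 digits) from it, which is why AWS can check the two consecutive codes you enter at enrolment and why the phone's clock must be accurate. Assumption: the secret below is the published RFC 6238 test key rather than a real MFA seed, so the codes are reproducible.

```python
"""TOTP, the algorithm behind a virtual MFA device (added example)."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30      # each code is valid for one 30-second window
DIGITS = 6             # AWS virtual MFA shows 6 digits

# The QR code shown by AWS encodes a base32 secret like this one. This value is the
# published RFC 6238 / RFC 4226 test key "12345678901234567890", used here as a stand-in.
TEST_SECRET_BASE32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)                # keep leading zeros


def totp(secret_base32, at_time=None, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    if at_time is None:
        at_time = time.time()
    padded = secret_base32.upper() + "=" * (-len(secret_base32) % 8)  # restore base32 padding
    return hotp(base64.b32decode(padded), int(at_time // step))


def enrollment_codes(secret_base32, at_time):
    """The 'two consecutive codes' AWS asks for in Step 5: this window and the next one."""
    return totp(secret_base32, at_time), totp(secret_base32, at_time + STEP_SECONDS)


def verify(secret_base32, submitted, at_time, window=1):
    """What the verifying side does: accept the code for the current step or one step
    either side (clock skew), comparing in constant time. Older codes are rejected."""
    for drift in range(-window, window + 1):
        expected = totp(secret_base32, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    first, second = enrollment_codes(TEST_SECRET_BASE32, time.time())
    print("Two consecutive codes for the test secret:", first, second)
```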


🔹 Step 6 – Test the MFA Login

  1. Sign out of AWS.
  2. Sign back in with your root email + password.
  3. You'll now be prompted for your MFA code.
  4. Open your authenticator app → enter the current 6-digit code → Submit.

✅ Login succeeds → MFA is working!


⚠️ Important Notes

  • 🔒 Never lose access to your MFA device — you'll need AWS Support to recover the account.
  • 📱 If you replace your phone, disable MFA first, then re-enable it on the new device.
  • 🧩 You can remove or replace MFA devices any time from the same Security Credentials page.

✅ Summary

| Concept | Description |
|---|---|
| Password Policy | Enforces strong passwords and expiration rules |
| MFA (Multi-Factor Auth) | Adds a second layer of security |
| Virtual MFA | App-based (Authy / Google Authenticator) |
| Physical MFA | Hardware key (YubiKey / Gemalto) |
| Best Practice | Enable MFA for root and all admin users |
| Exam Tip | Know the different MFA types and their use cases |

🧩 Accessing AWS: Console, CLI, and SDK

🎯 Goal

Understand the three main ways to access and manage AWS resources:

  • AWS Management Console (Web UI)
  • AWS CLI (Command Line Interface)
  • AWS SDK (Software Development Kit)

🔹 Step 1 – AWS Management Console (Web Interface)

The AWS Management Console is the web interface you've been using so far.

How it works:

  • Accessed through your browser at https://aws.amazon.com/console
  • Protected by your username, password, and optionally Multi-Factor Authentication (MFA)
  • Easiest option for beginners — graphical and intuitive

Best for:

  • Visual learners
  • Beginners exploring AWS
  • Manual configurations and demonstrations

🔹 Step 2 – AWS CLI (Command Line Interface)

The CLI (Command Line Interface) allows you to interact with AWS directly from your terminal or command prompt.

🧠 What It Is

A tool that lets you run commands to manage AWS resources.
Every command starts with the word aws.

Example:

aws s3 ls
aws ec2 describe-instances
aws iam list-users

🔒 Authentication

The CLI uses access keys:

  • Access Key ID → like your username
  • Secret Access Key → like your password

You'll generate these keys from the Management Console, under your IAM user settings.

⚠️ Important:

  • Never share your access keys.
  • Store them securely (they provide full programmatic access to AWS).
  • Each IAM user should have their own access keys.

Once created, the keys can be downloaded only once, as a .csv file.

You'll configure them on your system using:

aws configure

and provide:

AWS Access Key ID: ***************
AWS Secret Access Key: ***************
Default region name: us-east-1
Default output format: json

After setup, you can use the CLI to automate deployments, run scripts, and manage services faster.

💡 Why Use the CLI?

  • Automate repetitive tasks
  • Manage infrastructure without using the web UI
  • Integrate AWS commands into scripts (e.g., Bash, PowerShell)

🔹 Step 3 – AWS SDK (Software Development Kit)

The SDK is used by developers to call AWS services directly from within application code.

⚙️ What It Does

It provides programming libraries to integrate AWS services into your applications — the same APIs used by the console and CLI.

Supported languages:

  • Python (boto3)
  • JavaScript / Node.js
  • Java
  • Go
  • C++
  • .NET
  • PHP
  • Ruby

There are also Mobile SDKs (for Android/iOS) and IoT SDKs (for connected devices).

Example

The AWS CLI itself is built on the AWS SDK for Python, called Boto3.

So when you use a command like:

aws s3 cp file.txt s3://mybucket/

you're indirectly using the AWS SDK for Python behind the scenes.


🔹 Summary

| Access Method | Interface | Authentication | Use Case |
|---|---|---|---|
| Management Console | Web UI | Username + Password + MFA | Visual management, beginners |
| CLI (Command Line Interface) | Terminal | Access Key ID + Secret Key | Automation, scripting, DevOps |
| SDK (Software Development Kit) | Application Code | Access Keys | Programmatic AWS integration |

⚠️ Security Reminder

| Rule | Reason |
|---|---|
| Never share access keys | Equivalent to giving away full AWS control |
| Rotate keys regularly | Reduces risk of compromise |
| Use IAM roles for apps | Avoid hardcoding credentials |
| Protect root account with MFA | Prevent unauthorized access |
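Added example, not part of the post or of the AWS CLI: a Python check for the "Rotate keys regularly" rule, reading the JSON that `aws iam list-access-keys --user-name <user>` prints and flagging active keys older than a chosen age. Assumptions: the sample output, key IDs and dates below are constructed for the example, and the 90-day threshold is a choice, not an AWS default.

```python
"""Flag long-lived access keys that are due for rotation (added example)."""
import json
import sys
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # rotation threshold assumed for this example

# Constructed sample in the shape `aws iam list-access-keys` returns (fake IDs and dates).
SAMPLE_CLI_OUTPUT = """{
  "AccessKeyMetadata": [
    {"UserName": "stephane", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active",   "CreateDate": "2024-01-15T09:12:44+00:00"},
    {"UserName": "stephane", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Inactive", "CreateDate": "2024-03-01T10:00:00+00:00"},
    {"UserName": "stephane", "AccessKeyId": "AKIAEXAMPLEKEY000003",
     "Status": "Active",   "CreateDate": "2024-04-20T08:00:00+00:00"}
  ]
}"""


def _parse_date(value):
    """CreateDate is ISO 8601; accept a trailing 'Z' as well as '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(cli_json, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return [(user, key_id, age_days)] for Active keys older than max_age_days.
    `now` may be a datetime, an ISO 8601 string, or None for the current time.
    Inactive keys are skipped: they cannot sign requests, so they only need deleting."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_date(now)
    found = []
    for key in json.loads(cli_json)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue
        age = (now - _parse_date(key["CreateDate"])).days
        if age > max_age_days:
            found.append((key["UserName"], key["AccessKeyId"], age))
    return found


def main():
    # Use piped CLI output when there is any; otherwise fall back to the constructed sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for user, key_id, age in stale_keys(raw.strip() or SAMPLE_CLI_OUTPUT):
        print(f"{user}: {key_id} is {age} days old, rotate it")


if __name__ == "__main__":
    main()
```

On a real account run `aws iam list-access-keys --user-name stephane | python3 stale_keys.py` (file name assumed).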

✅ Key Takeaways

  • AWS can be accessed via Console, CLI, or SDK.
  • CLI is ideal for automation.
  • SDK is for integrating AWS into your applications.
  • Always follow least privilege and MFA best practices.

🧩 Installing AWS CLI (Version 2) on Windows

🎯 Goal

Learn how to download, install, and verify the AWS Command Line Interface (CLI) on a Windows machine.


🔹 Step 1 – Search for the Installer

  1. Open your browser and search for: aws cli install windows
  2. Click the official AWS link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
  3. Find the section "Install the AWS CLI version 2 on Windows."

🔹 Step 2 – Download the MSI Installer

  • Scroll to "Install or update the AWS CLI version 2 on Windows"
  • Click the MSI installer download link:
    https://awscli.amazonaws.com/AWSCLIV2.msi
  • Once downloaded, open the file to begin installation.

🔹 Step 3 – Run the Installer

Follow the setup wizard:

  1. Next → continue
  2. Accept the License Agreement → Next
  3. Install
  4. Confirm Windows security prompts ("Yes")
  5. Wait for installation to complete
  6. Click Finish

✅ The AWS CLI is now installed.


🔹 Step 4 – Verify the Installation

  1. Open Command Prompt (cmd).
     • Press Start → type cmd → Enter.
  2. Run the command:
     aws --version

✅ Expected output:

aws-cli/2.x.x Python/3.x.x Windows/10 botocore/2.x.x

If you see something like this, the AWS CLI is correctly installed.


🔹 Step 5 – Upgrade (Optional)

If you want to upgrade to a newer version later:

  • Simply re-download the latest MSI installer
  • Run it again — it will automatically update your CLI version.

🔹 Step 6 – Verify the PATH (if command not found)

If aws isn't recognized:

  1. Restart your Command Prompt or PC.
  2. If still not detected:
     • Add the following to your Windows PATH:
       C:\Program Files\Amazon\AWSCLIV2\
     • Then reopen Command Prompt and test again.


✅ Summary

| Step | Action |
|---|---|
| 1 | Search for "aws cli install windows" |
| 2 | Download the MSI installer (Version 2) |
| 3 | Run the installer |
| 4 | Verify with aws --version |
| 5 | Optional: upgrade anytime with a re-install |

๐Ÿงฉ Installing AWS CLI (Version 2) on macOS

๐ŸŽฏ Goal

Install and verify the AWS Command Line Interface (CLI) on a Mac, so you can access AWS services from your terminal.


๐Ÿ”น Step 1 โ€“ Find the Official Installer

  1. Open your browser and search: install aws cli version 2 mac
  2. Click the official AWS documentation link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
  3. Scroll to the macOS section titled: โ€œInstall or update the AWS CLI version 2 on macOS.โ€

🔹 Step 2 – Download the Installer

Click the .pkg installer link:

```
https://awscli.amazonaws.com/AWSCLIV2.pkg
```

This downloads a graphical installer for macOS.


🔹 Step 3 – Run the Installer

  1. Open the downloaded .pkg file.
  2. Follow the steps in the installation wizard:
  • Continue
  • Continue
  • Agree to the license
  • Install for all users on this computer
  • Click Install
  3. Enter your Mac password if prompted.
  4. Wait for installation to complete.
  5. When finished, click Close, then Move to Trash to clean up.

✅ The AWS CLI is now installed.


🔹 Step 4 – Verify Installation

  1. Open Terminal (or iTerm2, which is a free alternative).
  2. Run this command:

```
aws --version
```

  3. You should see output similar to:

```
aws-cli/2.x.x Python/3.x.x Darwin/23.x.x botocore/2.x.x
```

✅ If you see a version number starting with 2, the AWS CLI installed successfully.


🔹 Step 5 – Troubleshooting

If you get a “command not found” error:

  1. Restart your terminal and try again.
  2. If it still doesn’t work, check whether the AWS CLI is on your PATH:

```
which aws
```

It should return something like:

```
/usr/local/bin/aws
```

  3. If not, reinstall the .pkg file; the installer places the CLI in /usr/local/aws-cli and recreates the /usr/local/bin/aws symlink that puts it on your PATH.

🔹 Step 6 – Upgrade Later (Optional)

To upgrade the CLI in the future:

  • Simply re-download the latest .pkg installer.
  • Run it again; it will replace the existing version.

✅ Summary

| Step | Action |
|------|--------|
| 1 | Search “Install AWS CLI v2 macOS” |
| 2 | Download the .pkg installer |
| 3 | Run the graphical installer |
| 4 | Verify with `aws --version` |
| 5 | Troubleshoot PATH if needed |
| 6 | Reinstall to upgrade |

🧩 Installing AWS CLI (Version 2) on Linux

🎯 Goal

Learn how to download, install, and verify the AWS Command Line Interface (CLI) on a Linux system (Ubuntu, Debian, Fedora, CentOS, or Amazon Linux).


🔹 Step 1 – Find the Official Installer

  1. Open Google and search: install aws cli version 2 linux
  2. Click the official AWS documentation link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
  3. Scroll to the section “Install or update the AWS CLI version 2 on Linux.”

🔹 Step 2 – Download the Installer

Run the following command in your terminal to download the AWS CLI zip file:

```
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
```

💡 For 64-bit ARM systems (aarch64, for example AWS Graviton instances or a Raspberry Pi running a 64-bit OS), use:

```
curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
```

AWS CLI v2 is built only for x86_64 and aarch64; there is no 32-bit ARM package.

✅ This downloads the AWS CLI installer package.


🔹 Step 3 – Unzip the Installer

Next, unzip the downloaded file:

```
unzip awscliv2.zip
```

If unzip is not installed, on Debian/Ubuntu use:

```
sudo apt install unzip -y
```

or on RHEL/CentOS/Fedora/Amazon Linux:

```
sudo yum install unzip -y
```

🔹 Step 4 – Run the Installer

Now run the installer with sudo (it needs root to write under /usr/local):

```
sudo ./aws/install
```

Enter your password when prompted.
The installer places the CLI in /usr/local/aws-cli and creates the symlink /usr/local/bin/aws that points to it.


🔹 Step 5 – Verify the Installation

To make sure AWS CLI is correctly installed, run:

```
aws --version
```

✅ Expected output:

```
aws-cli/2.x.x Python/3.x.x Linux/5.x.x botocore/2.x.x
```

If you see version 2.x, everything is working correctly.


🔹 Step 6 – (Optional) Upgrade AWS CLI

If you already have an older version and want to update, download and unzip the latest package as above, then run:

```
sudo ./aws/install --update
```

🔹 Step 7 – Uninstall AWS CLI (Optional)

The zip does not ship an uninstall script. To remove the CLI, delete the two symlinks and the install directory:

```
sudo rm /usr/local/bin/aws /usr/local/bin/aws_completer
sudo rm -rf /usr/local/aws-cli
```
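The Linux procedure above, pulled together as one script. This is an added example, not code from the original post or from AWS. It adds the step the walkthrough skips: AWS publishes a detached PGP signature (`.sig`) next to every installer zip, and nothing from the archive should be unzipped or executed until that signature verifies. The script assumes `curl`, `unzip` and `gpg` are installed and that you have already imported the AWS CLI public key from the user guide into your keyring; the `awscli_zip_url` helper and the `install` argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from AWS): fetch the AWS CLI v2
# Linux installer, verify AWS's detached PGP signature before running anything
# from it, then install or update. Assumes curl, unzip and gpg are installed
# and that the AWS CLI public key from the user guide is already in your keyring.
set -e

# Map a machine type (as printed by `uname -m`) to the matching installer URL.
awscli_zip_url() {
  case "$1" in
    x86_64)        echo "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" ;;
    aarch64|arm64) echo "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" ;;
    *) echo "unsupported architecture: $1 (AWS CLI v2 ships x86_64 and aarch64 only)" >&2
       return 1 ;;
  esac
}

# Succeeds only if the detached signature ($2) verifies against the zip ($1).
verify_signature() {
  gpg --verify "$2" "$1"
}

install_awscli() {
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT
  url=$(awscli_zip_url "$(uname -m)")
  curl -fsSL "$url" -o "$workdir/awscliv2.zip"
  curl -fsSL "$url.sig" -o "$workdir/awscliv2.sig"   # AWS publishes a .sig beside every zip
  # set -e aborts here if the signature does not check out: nothing is unzipped or run.
  verify_signature "$workdir/awscliv2.zip" "$workdir/awscliv2.sig"
  unzip -q "$workdir/awscliv2.zip" -d "$workdir"
  if command -v aws >/dev/null 2>&1; then
    sudo "$workdir/aws/install" --update      # upgrade an existing install in place
  else
    sudo "$workdir/aws/install"               # fresh install to /usr/local/aws-cli
  fi
  aws --version
}

# Only act when invoked as `sh install-awscli.sh install`, so the functions can be
# sourced or tested without touching the network.
if [ "${1:-}" = install ]; then
  install_awscli
fi
```

Run it as `sh install-awscli.sh install`. A passing `gpg --verify` only proves the zip was signed by a key you hold; compare the fingerprint gpg prints with the one published in the AWS CLI user guide the first time you import the key.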

✅ Summary

| Step | Command | Description |
|------|---------|-------------|
| 1 | `curl "..." -o "awscliv2.zip"` | Download installer |
| 2 | `unzip awscliv2.zip` | Extract files |
| 3 | `sudo ./aws/install` | Install AWS CLI |
| 4 | `aws --version` | Verify installation |
| 5 | `sudo ./aws/install --update` | Update CLI (optional) |
| 6 | `sudo rm /usr/local/bin/aws /usr/local/bin/aws_completer && sudo rm -rf /usr/local/aws-cli` | Remove CLI (optional) |

🧠 Tip

If you get command not found:

  • Restart your terminal, or
  • Check whether /usr/local/bin is in your PATH:

```
echo $PATH
```

It should include /usr/local/bin.

🧩 AWS Access Keys and CLI Configuration

🎯 Goal

Learn how to:

  • Create Access Keys for an IAM user
  • Configure them using the AWS CLI
  • Verify permissions and test CLI commands

🔹 Step 1 – Create Access Keys

  1. Sign in to the AWS Management Console as your IAM user (Stephane).
  2. Click on your username (top right corner) → select Security credentials.
  3. Scroll down to Access keys and click Create access key.

🔹 Step 2 – Choose Key Purpose

When prompted:

  • Select Command Line Interface (CLI) as your use case.
  • AWS will suggest alternatives (AWS CloudShell, or short-lived credentials through IAM Identity Center). Those are the better choice for day-to-day human access, because no long-lived secret ends up on your machine; for this exercise, continue with access keys.
  • Check the box: ✅ “I understand the above recommendation…”
  • Then click Create access key.

🔹 Step 3 – Save the Credentials

You’ll see two values:

  • Access Key ID (the public identifier, like a username)
  • Secret Access Key (the secret, like a password)

⚠️ This is the only time you can view or download the secret. If you lose it, delete the key and create a new one.

Click Download .csv or copy the values into your password manager, then delete the .csv from your Downloads folder.

Never share or commit these keys: anyone holding them can call AWS with every permission your IAM user has, from anywhere, until the key is deactivated.


🔹 Step 4 – Configure the AWS CLI

Now open your terminal (on Windows, macOS, or Linux).

Run:

```
aws configure
```

You’ll be prompted to enter:

```
AWS Access Key ID [None]: <your-access-key-id>
AWS Secret Access Key [None]: <your-secret-access-key>
Default region name [None]: <your-region>
Default output format [None]: json
```

Example (placeholder values, not a real key):

```
AWS Access Key ID [None]: AKIAEXAMPLE123
AWS Secret Access Key [None]: abCDeFghIjKLmnopQRstuVwxyz12345
Default region name [None]: eu-west-1
Default output format [None]: json
```

✅ The CLI stores these settings, in plaintext, under:

```
~/.aws/credentials
~/.aws/config
```

Keep those files readable only by your own user account, and never copy ~/.aws/credentials into a repository or a shared drive.

🔹 Step 5 – Test Your Connection

Run:

```
aws iam list-users
```

If your IAM user is allowed to call iam:ListUsers, you’ll see output similar to:

```json
{
    "Users": [
        {
            "UserName": "Stephane",
            "UserId": "AIDAEXAMPLE123",
            "Arn": "arn:aws:iam::123456789012:user/Stephane",
            "CreateDate": "2024-10-01T14:32:00Z"
        }
    ]
}
```

✅ This confirms two things at once: your credentials are valid, and the user has that permission. An AccessDenied error here means the keys work but the attached policies do not allow the call.


🔹 Step 6 – Permissions Check (Demo)

Now let’s test how permissions affect CLI access.

  1. From an identity with IAM administrator rights (the course demo uses the root user, but an IAM admin user is the right tool for this; the root user should stay locked away after initial setup), remove Stephane from the admin group.

  2. Try running:

```
aws iam list-users
```

Within a few seconds you’ll get an AccessDenied error (IAM changes are eventually consistent, so a call made immediately after the change may still succeed):

```
An error occurred (AccessDenied) when calling the ListUsers operation
```

→ The CLI is just another client signing API requests as your IAM user, so the same policies that govern the console govern the CLI.

  3. Add Stephane back into the admin group to restore access:
  • Go to IAM → Groups → admins → Add user
  • Select Stephane
  • Click Add to group

✅ Permissions restored.


🔹 Step 7 – Key Takeaways

| Concept | Description |
|---------|-------------|
| Access Key ID | Public identifier of the key; it belongs to one IAM user but is not itself secret |
| Secret Access Key | Private credential (like a password); shown once at creation, never recoverable |
| `aws configure` | Stores credentials and default region locally in ~/.aws |
| Permissions | Same in CLI and Console: they belong to the IAM user, not to the tool |
| Best Practice | Never share access keys; rotate them regularly and delete keys you no longer use |

🧠 Quick Tip

If you ever lose or expose your access keys:

  1. Deactivate or delete them immediately from the Security credentials page (deactivating is instant and reversible; delete once you are sure nothing legitimate still uses the key).
  2. Check CloudTrail for API calls made with the exposed Access Key ID, so you know what was done with it.
  3. Create a new key pair.
  4. Update your CLI configuration using aws configure.
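Steps 3 to 5 and the Quick Tip as one script. This is an added example, not code from the original post: it writes a named profile into the same two files `aws configure` uses, creating them with mode 0600 so no other local account can read the secret; it checks which principal the CLI is signing as with `sts get-caller-identity`, which needs no IAM permission and therefore separates “bad keys” from “missing permission” (unlike `iam list-users`); and it wraps the two IAM calls used to revoke a leaked key. The key values are the post’s own placeholders and the user name `Stephane` is the post’s; the profile name `bootcamp`, the function names and the `demo` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): create a named CLI profile for a
# freshly downloaded access key, lock down the files the CLI reads, confirm the
# identity in use, and revoke a leaked key. Placeholder key material comes from
# the post; profile name "bootcamp" and user "Stephane" are assumed for the demo.
set -e

aws_dir() { echo "${AWS_CONFIG_DIR:-$HOME/.aws}"; }

# Write a profile into ~/.aws/credentials and ~/.aws/config, the same files that
# `aws configure --profile NAME` writes. Files are created 0600 (directory 0700).
# Refuses to touch an existing profile so a typo cannot overwrite real keys.
write_profile() {
  # $1 profile  $2 access key id  $3 secret access key  $4 region
  dir=$(aws_dir)
  if [ -f "$dir/credentials" ] && grep -q "^\[$1\]\$" "$dir/credentials"; then
    echo "profile '$1' already exists in $dir/credentials" >&2
    return 1
  fi
  ( umask 077                       # subshell keeps the umask change local
    mkdir -p "$dir"
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
      "$1" "$2" "$3" >> "$dir/credentials"
    printf '[profile %s]\nregion = %s\noutput = json\n' "$1" "$4" >> "$dir/config"
  )
}

# Octal permission bits of a file, e.g. "600" (GNU stat, with BSD/macOS fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Which principal is the CLI signing as? sts:GetCallerIdentity needs no IAM
# permission, so it still works after the user is pulled from the admin group.
whoami_aws() { aws sts get-caller-identity --profile "$1"; }

# Leaked-key response: deactivate first (instant, reversible), delete once you
# have confirmed nothing legitimate still depends on the key.
revoke_key() {
  # $1 IAM user name  $2 access key id
  aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
  aws iam delete-access-key  --user-name "$1" --access-key-id "$2"
}

# `sh profile.sh demo` writes the profile and shows who the CLI is acting as.
if [ "${1:-}" = demo ]; then
  write_profile bootcamp AKIAEXAMPLE123 abCDeFghIjKLmnopQRstuVwxyz12345 eu-west-1
  ls -l "$(aws_dir)/credentials"
  whoami_aws bootcamp
fi
```

Use `AWS_PROFILE=bootcamp` (or `--profile bootcamp`) to select the profile for later commands; `aws configure list --profile bootcamp` shows where each setting was read from without printing the full secret.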



🧩 Using AWS CloudShell

🎯 Goal

Learn how to use AWS CloudShell, a built-in, browser-based terminal that lets you run AWS CLI commands directly in the AWS Management Console without installing anything locally.


🔹 Step 1 – What Is CloudShell?

AWS CloudShell is a browser-based command line environment preconfigured with:

  • The AWS CLI (v2)
  • Python, bash, zsh, and PowerShell
  • Persistent storage for your files and scripts

✅ There is no extra charge for CloudShell itself (you still pay for any AWS resources you create from it), and it runs inside your AWS account under your current console sign-in.


🔹 Step 2 – Launching CloudShell

  1. In the AWS Management Console, look at the top-right corner for the CloudShell icon (a small terminal symbol).
  2. Click it to open a new CloudShell session.

⚠️ If you don’t see the icon, CloudShell may not be available in your region.
Visit: AWS CloudShell Regional Availability
Choose a region where it’s supported (for example, us-east-1, us-west-2, eu-west-1).


🔹 Step 3 – How CloudShell Works

When CloudShell starts:

  • It automatically provisions a Linux shell inside your AWS account.
  • It uses temporary credentials tied to your logged-in IAM user or role.
  • The AWS CLI is already installed and ready to use.

To verify:

```
aws --version
```

Example output:

```
aws-cli/2.1.0 Python/3.8.8 Linux/5.10.0 botocore/2.0.0
```

✅ You can now run any AWS CLI command, with no setup required.


🔹 Step 4 – Running AWS CLI Commands

Example:

```
aws iam list-users
```

This command works the same way as on your local CLI, using your IAM credentials for authentication.

💡 The default region in CloudShell matches the AWS region you’re currently logged into in the console.

You can change it for a single command by adding:

```
--region <region-code>
```

Example:

```
aws s3 ls --region us-west-2
```
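Why `--region` wins over the CloudShell default: the AWS CLI resolves the region in a fixed order, the `--region` flag first, then the `AWS_REGION` environment variable, then `AWS_DEFAULT_REGION`, then the `region` line of the active profile in the config file. The function below reproduces that order so you can test it on a sample config. It is an added example, not code from the original post or from the AWS CLI itself; the sample config it writes is constructed for the demo (the `ops` profile name and the regions are assumptions).

```shell
#!/bin/sh
# Added example (not from the original post or the AWS CLI): reproduce the
# CLI's region precedence so it can be inspected offline.
#   --region flag  >  AWS_REGION  >  AWS_DEFAULT_REGION  >  profile "region" in config
# The sample config file written by write_sample_config is constructed for the demo.
set -e

# Region line of a profile in an AWS config file. The default profile lives under
# [default]; every other profile lives under [profile NAME]. Prints nothing if absent.
profile_region() {
  # $1 config file  $2 profile name
  if [ "$2" = default ]; then hdr='[default]'; else hdr="[profile $2]"; fi
  awk -v hdr="$hdr" '
    /^\[/ { in_section = ($0 == hdr); next }        # track which section we are in
    in_section && $1 == "region" {                   # first "region = ..." wins
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }
  ' "$1"
}

# Resolve the effective region the way the CLI does; fails if nothing is set,
# which is exactly when the CLI would complain that you must specify a region.
resolve_region() {
  # $1 value passed to --region (may be empty)  $2 config file  $3 profile
  if [ -n "$1" ]; then echo "$1"; return; fi
  if [ -n "${AWS_REGION:-}" ]; then echo "$AWS_REGION"; return; fi
  if [ -n "${AWS_DEFAULT_REGION:-}" ]; then echo "$AWS_DEFAULT_REGION"; return; fi
  r=$(profile_region "$2" "$3")
  if [ -n "$r" ]; then echo "$r"; return; fi
  echo "no region configured for profile '$3'" >&2
  return 1
}

# Constructed sample config (not a real account's file).
write_sample_config() {
  cat > "$1" <<'EOF'
[default]
region = eu-west-1
output = json

[profile ops]
region = us-west-2
EOF
}
```

In a CloudShell session the console region is supplied through the environment, so the profile line is never consulted unless you unset those variables; on a laptop with a plain `aws configure` setup, the profile line is usually the only source, which is why a single `--region` flag is enough to redirect one command without editing any file.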

🔹 Step 5 – Persistent File Storage

CloudShell provides 1 GB of persistent storage per region in your home directory.

Try this:

```
echo "test file from CloudShell" > demo.txt
```

Now run:

```
ls
```

✅ You’ll see demo.txt.

Even if you close or restart CloudShell, this file remains saved. Two caveats: the home directory is per region, so a file saved in us-east-1 is not visible from a session in eu-west-1, and AWS deletes the directory after 120 days without any CloudShell use in that region. Treat it as scratch space, not as a place for secrets or the only copy of a script.


🔹 Step 6 – Uploading and Downloading Files

CloudShell lets you easily transfer files between your computer and AWS.

📤 Upload a file:

Click the Actions menu (⋮) → Upload file → select a local file.

📥 Download a file:

  1. Get the full path of the file:

```
pwd
```

  2. Click Actions → Download file and enter that path.

Example:

  • File: demo.txt
  • Path: /home/cloudshell-user/demo.txt
  • Action: Download → file will be saved to your computer.

🔹 Step 7 – Customizing CloudShell

You can personalize CloudShell appearance and layout:

  • Themes: Light or Dark mode
  • Font size: Small, Medium, Large
  • Split panes:
    • New tab
    • Split horizontally or vertically for multitasking

💡 Example: Split CloudShell into two panes; run aws s3 ls in one, and aws ec2 describe-instances in the other.


🔹 Step 8 – When to Use CloudShell

| Use Case | Recommendation |
|----------|----------------|
| You need quick access to AWS CLI | ✅ Use CloudShell |
| You don’t want to install the CLI locally | ✅ Use CloudShell |
| You need automation or scripting on your local environment | ❌ Use AWS CLI on your machine |
| Your region doesn’t support CloudShell | ❌ Use local CLI instead |

✅ Summary

| Feature | Description |
|---------|-------------|
| CloudShell | Browser-based AWS CLI environment |
| Availability | Only in supported regions |
| Credentials | Automatically uses your IAM session |
| Persistence | 1 GB of file storage per region |
| File Actions | Upload, download, and manage files |
| Customization | Adjustable font, theme, and tabs |
| Alternative to CLI | No installation required |

Bottom Line:

You can use CloudShell or your local CLI; the commands, and the IAM permissions they are subject to, are the same.
The one real difference is credentials: CloudShell uses the temporary credentials of your console session, so there is no long-lived access key sitting on a laptop to lose. Choose whichever is more convenient for your workflow or available in your region.
