Deep Dive AWS IAM , Policies and Groups.
AWS IAM identities IAM Users , Policies and Groups.
Deep Dive AWS IAM , Policies and Groups.
In today's session we will learn more about IAM service in AWS. We are going to do some real time examples so we can understand more about this concept. Please check below:
How to create a user in IAM?
Go to the AWS console and click on IAM.
Click on the user on the left pane.
Click on Create , once we click create then following screen appear on the screen.
Provide the username:
Always go with an Autogenerated password while creating the user through IAM. Because once we generated Auto Generated password so next time the user would login user can create their and set their password & post that click on user must create a password in next sign-in option. & click on next.
Once we click on next :
We can not change anything below. We will check what would happen if we create a user in AWS without policy.
Now we are able to see the user details in console as like below:
As we see above there is a policy assigned by default: IAMUserChangePassword. I.e. Users should have permission to change the password.
Now the user has been created successfully.
We can check the details above , also there is another option as well to download the csv so we are able to see the details of that particular user. Once we download the CSV file its look like as below:
Now sign out from the console though I have been logged in as a root user and once we log off we can going to login with IAM user which we were created.
And with the received credentials we will login into in the console.
As we received the excel sheet we can pull the details from there from the URL we have taken the account number i.e.”404926571352” , username and password.
Once we clicked on Signing we got below screen.
Then we went to the console trying to create a bucket & we received below error.
Even billing and cost management have not been accessible.
So User has been created and user doesn't have any permission to access the resources. So it's just authentication not authorization. So we have to attach the policy to create a bucket.
Then again logout from the existing account & will login with the root login and through IAM go in that user from the Permission tab
Click on add permission.
Click on Attach Policies directly. And select S3 once we select the policy Amazon S3 full access so that person is able to create, delete and list the buckets. The policy that we select is AWS managed policy. Even we are able to write the custom policies as per our requirements with the help of Json.
Once we selected S3 full access policy then we click the next button.
Then click Add Permissions.
Now we are able to see two policies
To check further will login in again with that created user and we will check if the user test-user01 having enough permission to create a S3 bucket or not?
Yes , Post assigned the policy test-user01 is now able to create the bucket.
Though that user has S3 full access so the user is now able to create, listing & able to delete the buckets as well. So with the help of the policies we can authorize particular users to the specific AWS services.
Hope you guys understand the concept of authentication and authorization using users and policies in IAM.
Concepts of Groups in IAM:
Groups: Collections of users that can be assigned the same permissions.
We will do some real time scenarios to understand the concepts of Groups.
Go to the IAM and click on Users groups.
Then click create group & attached the permission to that group.
Also added the user in the group.
Then click on create a group. The Group has been created successfully.
We can see the group details as like below:
So with the help of a group allows you to manage permissions for multiple users at once by grouping them. Instead of assigning permissions to each user individually, you can add users to groups and manage permissions at the group level. Here's a quick overview of IAM Groups:
Example Use Case:
If you have a development team and an operations team, you can create two groups:
Developers: This group might have read/write access to development resources like EC2 instances, S3 buckets, or Lambda functions.
Operations: This group might have broader access, including managing production environments, scaling infrastructure, etc.
By assigning users to these groups, you ensure they have the right permissions without managing each person individually.
Happy Learning !!