I will demonstrate AWS Identity and Access Management (IAM) configuration in the AWS Console. This lab covers the following topics:
- Create new users
- Password policy setting
- Locating and using the IAM sign-in URL
1. Creating new users:
Step 1: Go to AWS cloud services (https://aws.amazon.com/) and sign in to the console with your registered email address. You will see the AWS services console. Select IAM from the Security, Identity & Compliance panel. Click on IAM and you will see the IAM Dashboard console.
Step 2: You can now view the IAM console Dashboard, “Welcome to Identity and Access Management”. This is the window where you manage and control your users, groups, policies and so on; in other words, it is the IAM administrative panel. On the left side of this screen, under Dashboard, you can see the IAM resource options “Groups”, “Users”, “Roles”, “Policies”, “Identity Providers”, “Account Settings”, “Credential report” and “Encryption keys”.
Step 3: Now I will create some new users to demonstrate how user creation works. Click on the “Users” option on the left side of the IAM console screen.
Important note: Users and groups must have unique names, so that identical names do not collide or conflict in a large-scale organisation.
Step 4: After clicking on the “Users” option in the IAM console, you will see the “Users” window with two options: “Add user” for creating a new user and “Delete users” for removing a user.
Important note: Deleting users is not good practice in real-world cases. It is better to disable the user or revoke their granted privileges, because in some cases we need to enable or disable users according to organisational requirements.
As I am going to create new users, I will click on “Add user”.
Step 5: Now you can see the “Add user” screen. On the “Set user details” panel, you get the option to enter usernames. For the demo I created four users: userone, usertwo, userthree and usrfour.
Note that you can add one user, or you can create multiple users at once with the same access type and permissions, or you can change the users' access type and permissions later based on their activities.
Step 6: Next, “Select AWS access type”. In this screen, you define how IAM users will access AWS resources based on the access type. You will see three options: programmatic access, console password with an autogenerated password, and require password reset (the user will change the default password at first sign-in).
In my lab, I selected programmatic access and AWS Management Console access, with a custom console password and a required password reset, so when I log in to the AWS services console as a new user I must change this default password.
Step 7: Next is the review screen. On the review screen, you will see your user details and access type, as well as any managed policy, depending on your previous setup. Now click on “Create user”.
Step 8: Congratulations! In this step your users are created successfully. In my case, you can see my users were created successfully. Here I also get the AWS Management Console URL (https://038485693013.signin.aws.amazon.com/console) for signing in as a new user to the AWS services console, and the Access key ID. If you want, you can download a .csv file for further access.
2. Password Policy setting
You need to set up a strong password policy to secure your account as well as your data. Because the cloud is publicly accessible, you need a complex password policy, so that nobody can break into your account for illegal access or seize your information.
Step 1: For password policy setup, go to the AWS IAM dashboard and click on Account settings on the left side of the Dashboard.
I set up my password policy as per my policy design. You can set up and manage your password policy as per your company policy.
Step 2: After setting up the password policy from the Account settings option, click on “Apply password policy”. The policy will be updated successfully. Whenever your users create or change a password, they have to follow this policy.
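As an added example (not part of the original lab and not AWS's own code), the following Python re-implements locally the checks a policy like this applies when a user sets a password: minimum length, required character classes and reuse prevention, using the parameter names of the IAM UpdateAccountPasswordPolicy API. The policy values, the symbol set and the sample passwords are constructed for the example; in practice IAM enforces these rules server-side.

```python
import re
from hashlib import sha256

# Constructed policy using the parameter names of the IAM UpdateAccountPasswordPolicy
# API (CLI: update-account-password-policy). Values are this example's choice.
POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,           # days until a password expires
    "PasswordReusePrevention": 24,  # previous passwords that may not be reused
    "HardExpiry": False,            # True blocks sign-in after expiry until an admin resets
}

# Non-alphanumeric characters the IAM console lists as acceptable "symbols".
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


def check_password(candidate, history, policy=POLICY):
    """Return the rules the candidate violates; an empty list means accepted.

    history: SHA-256 digests of the user's previous passwords, newest first,
    standing in for the reuse record that IAM keeps server-side."""
    violations = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        violations.append(f"shorter than {policy['MinimumPasswordLength']} characters")
    if policy["RequireUppercaseCharacters"] and not re.search(r"[A-Z]", candidate):
        violations.append("no uppercase letter")
    if policy["RequireLowercaseCharacters"] and not re.search(r"[a-z]", candidate):
        violations.append("no lowercase letter")
    if policy["RequireNumbers"] and not re.search(r"[0-9]", candidate):
        violations.append("no digit")
    if policy["RequireSymbols"] and not IAM_SYMBOLS.intersection(candidate):
        violations.append("no symbol")
    if sha256(candidate.encode()).hexdigest() in history[: policy["PasswordReusePrevention"]]:
        violations.append(f"reused one of the last {policy['PasswordReusePrevention']} passwords")
    return violations


def remember(password, history, policy=POLICY):
    """Record an accepted password's digest and trim history to the reuse window."""
    digest = sha256(password.encode()).hexdigest()
    return [digest, *history][: policy["PasswordReusePrevention"]]


# Constructed first-sign-in scenario: the default password handed out in the .csv
# is already in the history, so the user can neither keep it nor choose a weak one.
HISTORY = remember("Default-Pw-From-CSV-2024!", [])
```

Calling `check_password("Default-Pw-From-CSV-2024!", HISTORY)` reports the reuse violation, while a compliant new password returns an empty list.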
3. Locating and using the IAM sign-in URL
Step 1: If you want to sign in as an IAM user, you need to go to the Dashboard to locate the IAM sign-in URL. On the following Dashboard screen I have marked the URL location. In my lab exercise, I will copy the link and log in as “userone”.
Step 2: Account alias setup. If you want to show your organisation name instead of your AWS account name in the AWS IAM sign-in URL, you can create an account alias for your AWS account ID. In my lab practical, I created the account alias “momataj-nmit”.
To set up an account alias, click on the “Customise” option to the right of the IAM URL link.
Important note: An account alias may contain only digits, lowercase letters and hyphens, and it cannot begin or end with a hyphen.
You can now see that the URL has changed.
Step 3: Copy the IAM users' URL (Ctrl + C), open a new tab in your Internet browser, paste it and press Enter. You will now see the IAM user sign-in window. As you can see, I have already set up an alias name for my account ID. Here my account name is “momataj-nmit”, the username is “userone”, and the password is the one I provided during user creation.
Now I am going to sign in as userone with the credentials that have been provided.
Step 4: Default password change. At first sign-in, the new user must change the default password and set their own secret password. The new password must comply with the password policy setting.
Note: Passwords must not be shared.
Step 5: Userone's AWS services management console screen after sign-in.
Recommendation: I did not get any errors during my AWS IAM user creation, password policy setup and sign-in with the IAM URL, but you may face some difficulty during configuration.
- Usernames must be unique; otherwise you will get the following error if you try to create a user with the same name.
- Set up a complex password policy. Don't forget to apply a password expiration period, a prevent-password-reuse policy, and an account lock policy after 3 (three) wrong sign-in attempts.
- If you don't follow the password policy when changing the old password, you will get the following error.
- Account alias configuration error: you have to follow the account alias naming policy properly when creating the alias; otherwise, you will get the following error.

Thank you for visiting my Blog 🙂