This lab I will demonstrate the following contents:
- Creating new groups and attach policies
- Exploring pre-created IAM users and groups
- Inspecting IAM policies as applied to the new creating groups
- Adding users to groups with specific capabilities enabled
- Updating passwords for users
- Experimenting with the effects of policies on services access
Steps for task: Creating new groups and attach policies
- Co to AWS management console and Click on IAM from Security, Identity & Compliance services tab. You will get IAM management console dashboards. Select Groups and click on Create New Group.
2. Create three new groups such as EC2support, EC2admin, S3admin.
The EC2support group: This group will have the privilege to monitor and watch the status of EC2 instance.
The EC2admin group: This group will have the capabilities to scale up servers instance as needed to response to services needs.
The S3admin group: This group can perform any function with the S3services
Step 1 is the group name setup. Put the name of the group into the Group Name box. My group name: EC2support.
note that: Group name must be unique and meaningful. So that you can recognise user group easily when you will work in the large system.
3. Click on Next Step and attach the policy. You will able to view a bunch of pre-defined policies. You can apply the maximum of 10 policies on each group or you can setup your own policies.
4. Click on Next step for review setup.
5.click on “Create group”. you will see a group has created. There is no user under the group.
6. Follow the steps of creating new groups and attach policies once again for making remaining two groups of EC2admin and S3admin
Steps for task: Exploring pre-created IAM users and groups
- In the previous lab1: new user creation, we already created four users such as userone, usertwo, userthree, and userfour. Click on Users from IAM dashboard for exploring pre-created IAM users.
- As we already created groups and we can view it when we will click on Groups from navigation panel of IAM dashboardSteps for task: Inspecting IAM policies as applied to the new creating groups
1. For the IAM policies inspecting, click on groups from Navigation panel of IAM dashboard. Click on group name (Ec2admin), you will able to see the summary page.
2. click on Permissions. You will view Attach policy tab, and under the attach policy tab you can see Policy Name which already attached with this group.
Steps for task: Adding users to groups with specific capabilities enabled
Suppose, userone will have the role to monitor the Ec2 instance. Add them to the Ec2support group; therefore, they will get the necessary permission via its attached policy EC2support policy.
usertwo role is to scale EC2 system up and down and add instance as necessary. This user will play admin role in the system. so I will add usertwo into EC2system group.
userthree and userfour role are to administrative S3 storage. Therefore, I will add them into S3admin group. These pre-created users will get the permission they need from the group attached policies.
- Click on Groups in left navigator panel of IAM console. Click on Group name from groups page. You will see Add users to Group tab to add new users into this group.
2. Select the users from “Add Users to Group” page. Click on desired Username from users column. Each group should have a 1 in the users cloumn for the number of users in each group.
3. Click on Add users tab. You will see usertwo attached with EC2admin group.
Note: You can remove users from this group or you can add more users in this group.If any new user comes to your organisation with same role and permission, you can add them into this group by click on “Add users to Group”. If any users role has changed or any employee leaves your organisation, you can remove them from this group to click on “Remove users from this Group”.
4. Group page. You can see now Group Name and Users list under each group
Steps for task: Updating passwords for users
- In the left Navigation panel, click on “Users”. Click the link on userone and then select security credential. Click on Manage password under Sign-in-credentials.
- Now you can Manage console access page after clicking on Manage password. Set custom password following by password policy. Thick the require Password reset option so that users will get the option to change their password during their first log in. Then click on Apply. Customer password will be set for userone.
- Repeat the above procedure to set the password for usertwo, userthree, and userfour.
Steps for the task: experimenting with the effects of policies on services access
- login as userone to check the permission and policies effects on users. log in IAM user Sign -in link: https://momataj-nmit.signin.aws.amazon.com/console . You will get it IAM dashboard console
- Copy the IAM users Sign-in link and paste it any browser to log in as IAM users. You will get the following window.
- As I set “require password reset” during the first login of the user. I got the following Screen to change the password as I login userone.
- I set user permission for userone that userone can only monitor the Ec2 system. userone has no permission for S3 storage access. When userone will try to access S3 services, the following message will be showed “Access Denied”
- As userone has only monitoring permission for Ec2 system. It can only monitor the list of instances.
- As userone can not access or control or operate any instance. If userone try to do those activities the following error will be showing.
- Now you can check your other user’s permission by repeating the above steps.
Question: What is the benefit of set group policies and permissions?
Answer: The benefits of set group policies and permissions are:
- An administrator can control and manage users based on their roles.This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.
- A user can not access resources which they don’t have permission. Group Policies control users illegal access of services.
- Group policies ensure the system and data security for the organisation.
- If a new user joins the company, Administrator does not need to create new group policies for that specific user if the role has already match with pre-created group policies. Therefore, It reduces administrative workloads.
Question: Who can use IAM?
Answer: AWS customer can use IAM. The service is offered at no additional charge. You will be charged only for the use of other AWS services by your users.
Question: What is the difference between an IAM role and an IAM user?
Answer: IAM user has permanent long-term credentials and is used to directly interact with AWS services.
An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorised entities, such as IAM users, applications, or an AWS service such as EC2.
Question: Can I associate more than one IAM role with an EC2 instance?
Answer: No. You can only associate one IAM role with an EC2 instance at this time. This limit of one role per instance cannot be increased.
Thank you 🙂