IAM Policies Hands-On in AWS


In this article, I am going to discuss IAM Policies Hands-On in AWS. Please read our previous article where we discussed IAM Policies in AWS.

IAM Policies Hands-On in AWS:

From the Services menu, open the IAM service. The user I am signed in with is an admin user; therefore, if I go to Users, for example, I can see all the users in the account.


Now I am going to remove SANDY66 from the admins group. When I remove the user from the group, the user loses the permissions it was getting from that group.


The user has been removed from the group. How do we check that the change has taken effect? If I switch to the browser window on the right-hand side, where I am signed in as SANDY66, and refresh the page, I get a message that I need permission to access this page: my user SANDY66 is not authorized to perform iam:ListUsers, because we removed the user from the admins group.


To fix this, I go to Users, open SANDY66, and attach permissions directly to the SANDY66 user. There are two ways of doing so: add permissions using policies that already exist (AWS managed policies or ones you created), or add an inline policy, which attaches a policy document directly to the user. I am going to choose Add permissions, attach existing policies directly, and search for IAM.


I am going to look for IAMReadOnlyAccess, review, and add these permissions. Now my user SANDY66 has IAM read-only access.


What does that mean? It means that if I refresh the page, the user SANDY66 can now see the Users list. But if I go to User groups and try to create a group called “dvlper”:


I get an error, because I am not authorized to create a group; I was only granted read-only access to IAM. This shows how precisely IAM policies control what a user can do.


Now, back in User groups, I am going to do two things. First, I open the admins group and add the SANDY66 user back, so that it has administrator access again. Second, I create a group named “dvlper”, add SANDY66 to this group as well, attach a policy (I picked the first read-only policy the search returned), and create the group.


It does not matter which policy is attached; I just want to show you a behavior. We now have two groups, admins and dvlper, and the user SANDY66 is in both.


If I now click on the user SANDY66 and look at its permissions, it has three policies.


One was attached directly: IAMReadOnlyAccess. The other two are listed under “Attached from groups”.


The first of those is AdministratorAccess, inherited from the admins group; the second is the read-only policy, inherited from the dvlper group.


So a user's permissions come together from several places: policies attached directly and policies inherited through each group. Finally, if you go to Policies, you get a list of all the policies available in AWS; these are the managed policies.


This one is AdministratorAccess, which we have been using all along. If you look at the policy in JSON form, it has a Version and a Statement; the Statement contains one statement whose Effect is Allow. The authorized Action is “*”, meaning any action, and the Resource is “*”, meaning any resource.


We allow all actions on all resources, which is what makes this an administrator access policy. We can also open the policy summary, which is another view of the same policy: it shows 284 services allowed. If you do not see the same number, don't worry; the course is up to date and the number changes as AWS adds services.


Compare this with the IAMReadOnlyAccess policy we dealt with before: it allows one service out of 284, which is IAM.


If we look at the JSON document, we can see all the actions that IAMReadOnlyAccess authorizes.


We get, for example, iam:Get* (the star is a wildcard covering every action that starts with Get), iam:GenerateCredentialReport, and so on, all on Resource “*”. There is also a way to create your own policy: go back to Policies, click Create policy, and you have two ways of writing it.


Either you write the JSON by hand, or you use the visual editor, which is quite handy. For example, we can choose the service IAM, then choose actions: I can filter for ListUsers and select it, and do the same for GetUser.


Let's say we add these two actions. Under Resources, we can specify particular resources or all resources.


We could also specify a request condition if we wanted to. Once that is done, if we switch to the JSON tab, we can see that the visual editor added a Sid (statement ID), the two actions iam:ListUsers and iam:GetUser, and Resource “*”. It is a handy way to generate the JSON directly from the visual editor.
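The two behaviors shown above, that a user's permissions are the union of the policies attached directly and the policies of every group it belongs to, and that a policy document's Action and Resource patterns decide which API calls it covers, can be replayed offline. The following Python example is added here and is not part of the original article or AWS's own code. It models only the identity-based part of IAM evaluation, in simplified form: an explicit Deny in any matching statement wins, otherwise any matching Allow grants the request, otherwise the default is an implicit deny; conditions, resource-based policies, permissions boundaries and SCPs are ignored. The policy documents are constructed stand-ins modelled on AdministratorAccess, IAMReadOnlyAccess and the visual-editor output, not copies of the real managed policies, and the example goes one step beyond the article by also showing an explicit Deny.

```python
import fnmatch
import json

# Constructed stand-ins for the policies discussed in the article. They mirror
# the shape of the real documents but are not copies of AWS's managed policies.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

IAM_READ_ONLY_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:GenerateCredentialReport", "iam:Get*", "iam:List*"],
        "Resource": "*",
    }],
}

# The document the visual editor generated: a Sid plus ListUsers and GetUser.
VISUAL_EDITOR_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["iam:ListUsers", "iam:GetUser"],
        "Resource": "*"
    }]
}""")

# Not in the article: an explicit Deny, to show that it overrides any Allow.
DENY_DELETE_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; "*" still matches everything.
    return fnmatch.fnmatchcase(resource, pattern)


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    action_hit = any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
    resource_hit = any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit


def evaluate(policies, action, resource="*"):
    """Decide one request against a set of identity-based policies.

    Simplified IAM logic: an explicit Deny in any matching statement wins,
    otherwise any matching Allow grants access, otherwise the default is deny.
    """
    decision = "deny (implicit)"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny (explicit)"
            decision = "allow"
    return decision


def effective_policies(user_policies, groups, group_policies):
    """A user's identity-based policies are the union of those attached to the
    user directly and those attached to every group the user belongs to."""
    policies = list(user_policies)
    for group in groups:
        policies.extend(group_policies.get(group, []))
    return policies


def article_scenario():
    """Replay the console steps from the article and record each outcome."""
    group_policies = {"admins": [ADMINISTRATOR_ACCESS], "dvlper": [IAM_READ_ONLY_ACCESS]}
    results = {}

    # Step 1: SANDY66 removed from admins, nothing attached -> ListUsers fails.
    results["removed_from_admins"] = evaluate(
        effective_policies([], [], group_policies), "iam:ListUsers")

    # Step 2: IAMReadOnlyAccess attached directly -> can list, cannot create.
    read_only = effective_policies([IAM_READ_ONLY_ACCESS], [], group_policies)
    results["read_only_list_users"] = evaluate(read_only, "iam:ListUsers")
    results["read_only_create_group"] = evaluate(read_only, "iam:CreateGroup")

    # Step 3: back in admins and also in dvlper -> three policies, full access.
    both = effective_policies([IAM_READ_ONLY_ACCESS], ["admins", "dvlper"], group_policies)
    results["policy_count"] = len(both)
    results["admin_create_group"] = evaluate(both, "iam:CreateGroup")

    # Beyond the article: an explicit Deny beats AdministratorAccess.
    results["deny_wins"] = evaluate(both + [DENY_DELETE_USER], "iam:DeleteUser")
    return results


if __name__ == "__main__":
    for step, outcome in article_scenario().items():
        print(f"{step}: {outcome}")
```

Running the script prints one line per step: the ListUsers request is implicitly denied right after the user leaves the admins group, becomes allowed once IAMReadOnlyAccess is attached while CreateGroup stays denied, and everything is allowed again once the admins membership is restored. For checking a real account rather than this model, the IAM policy simulator (or the `aws iam simulate-principal-policy` CLI command) evaluates the actual policies, including the parts this toy ignores.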


Let's clean up. In User groups, I am going to delete the dvlper group because I no longer need it; the console asks you to type the name of the group to confirm, so I type it in and click Delete.


Also, on my user SANDY66, I am going to remove the IAMReadOnlyAccess policy that was attached directly, because we don't need it any more. I remove it and we are good to go.


Now my user SANDY66 has full administrator access again, because it is inherited from the admins group.


If I go back to the IAM console in the window on the right-hand side, everything is working fine again.


I refresh the page and, as expected, the pages load without permission errors.

In the next article, I am going to discuss IAM MFA in AWS. Here, in this article, I try to explain IAM Policies Hands-on in AWS and I hope you enjoy this IAM Policies Hands-on in AWS article.
