IAM Users and Groups in AWS

IAM Users and Groups in AWS:

In this article, I am going to discuss IAM Users and Groups in AWS. Please read our previous article, where we discussed the Shared Responsibility Model.

IAM Users and Groups in AWS:

IAM stands for Identity and Access Management. It is a global service: in IAM we create our users and assign them to groups. We have already used IAM without knowing it. When we created our AWS account, a root account was created by default. This is the root user of the account, and the only thing you should use it for is to set up the account, as we will do right now. After that you should not use the root account anymore, and you should never share it. What you should do instead is create users. You create users in IAM, and one user represents one person within your organization. Users can be grouped together where it makes sense.

Let us take an example: an organization with six people, Alice, Bob, Charles, David, Edward, and Fred. Alice, Bob, and Charles work together; they are all developers, so we create a group called Developers that contains Alice, Bob, and Charles. David and Edward also work together, so we create an Operations group. Now we have two groups within IAM. Groups can only contain users, not other groups. This is very important to understand: groups only contain users. A user does not have to belong to a group.

For example, Fred is alone; he does not belong to any group. That is not the best practice, but it is something you can do in AWS. A user can also belong to multiple groups. For example, if Charles and David work together as part of your audit team, you can create a third group containing Charles and David. In this example, Charles and David are now each part of two different groups. So, these are the possible configurations for IAM users and groups.

Why do we create users and why do we create groups? Because we want to allow them to use our AWS account, and to allow them to do so we have to give them permissions. Users or groups can be assigned a JSON document called a policy, an IAM policy. You do not have to be a programmer; this is not programming. It is just describing, in something close to plain English, what a user is allowed to do, or what a group and all the users within that group are allowed to do. In this example, we allow people to use the EC2 service and describe its resources, to use the Elastic Load Balancing service and describe it, and to use CloudWatch.

We will see later what EC2, Elastic Load Balancing and CloudWatch are, but through this JSON document we are allowing our users to use some services in AWS. These policies define the permissions of our users. In AWS, you do not allow everyone to do everything; that would be catastrophic, because a new user could launch so many resources that they cost you a lot of money, or could weaken the security of your account. In AWS, you apply the principle of least privilege: you do not give more permissions than a user needs. If a user just needs access to three services, create permissions for only those three services.
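As an added example (not from the article), here is a policy of the kind the text describes, written out as JSON, together with a deliberately simplified evaluator that shows what least privilege buys you: a developer holding this policy can describe EC2 instances but cannot launch them or create IAM users. The action list, the `is_allowed` function and its deny-overrides-allow logic are assumptions made for illustration and only approximate how IAM actually evaluates policies.

```python
import fnmatch
import json

# Constructed reconstruction of the kind of policy the article describes (not
# copied from the page): describe EC2 and load balancers, read CloudWatch metrics.
DEVELOPER_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "elasticloadbalancing:Describe*",
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:Describe*",
        ],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM lets "Action" and "Resource" be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource="*"):
    """Simplified evaluation (assumption: only Effect, Action and Resource
    wildcards are modelled, no conditions or resource policies): an explicit
    Deny always wins, then any matching Allow, otherwise the implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(DEVELOPER_READ_POLICY, indent=2))
    for act in ("ec2:DescribeInstances", "ec2:RunInstances", "iam:CreateUser"):
        verdict = "allowed" if is_allowed(DEVELOPER_READ_POLICY, act) else "denied"
        print(f"{act:24} -> {verdict}")
```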

IAM Users and Groups Hands-On in AWS:

Let’s explore the IAM console. To get there, I’m going to type “IAM” in the search bar, which takes me straight to the console of the AWS service called IAM.

The first thing we notice is that in the top right corner, under “Global”, it says that IAM does not require region selection. This means that IAM is a global service, whereas many other AWS services are regional services and require a region selection. For IAM, users and groups are created globally. We are in the IAM dashboard, and the first thing we want to do is create an IAM user. I’m going to go under “Users” and click on “Add users”. Why do we want to create a user?

If you click on the account name in the top right, you can see that we are currently using the root user. The root user has every permission in your account; it can do anything.

Therefore it’s a very dangerous account to use day to day. The better way is to create an administrator user, which is what we’re going to do now. This admin user will be able to do everything, or almost everything, the root account can do, and we will stop using the root account, touching it only if we really need to. From a security perspective, this is the best setup.

As we can see, we need to enter a username, which is going to be “sandy66”. Then we need to select the credential type. Enable the password type of credential; we can either autogenerate the password or create a custom one. Because this is my own account, I can just set a custom password and be done with it. We don’t require a password reset, and then we click on “Next: Permissions”. Now we need to add the user to a group, so we’re going to create a group, and this group is going to be called “ADMIN1”.

Now, any user placed in the group “ADMIN1” will inherit the permissions associated with that group, and permissions are defined through policies. The one policy we’re going to attach to the “ADMIN1” group is called “AdministratorAccess”. This policy makes any user in the group an administrator of your account. Let’s go ahead and create this group.

Next, click on “Tags”. In AWS, you will find tags pretty much everywhere. They are just pieces of information that can help you track, organize or control access for users. We’re not going to create tags everywhere in this course, but I can show you how to create a tag for our user.

This is just information you want to record about that specific user. For example, I can say that the “Department” of my user is “ECE”. You can put any tags you want on many resources in AWS. Let’s click on “Review”.

We are about to create the user “SANDY66” with password access to the Management Console. The group it belongs to is the “ADMIN1” group, and the tag is “Department: ECE”.

Let’s go ahead and create this user. The user is now created. Before going further, you should download the .csv, especially if you autogenerated the password: this “Download .csv” file contains the credentials of your user. You can also email login instructions to a specific address if you’re creating a user for someone else. Since this is our own user, we’re good to go. We’ll close this and explore what we have created. Under “User groups”, I find the group “ADMIN1”. If I click on it, I can see that there is one user in this group, the “SANDY66” user. If I look at the group permissions, there is one policy attached to the group, “AdministratorAccess”, which provides full admin access to any user in the group. Now let’s click on the user “SANDY66”.

This is the user page. You can also get here from the menu on the left-hand side by clicking “Users > SANDY66”. Under permissions, the permission associated with my user is “AdministratorAccess”, a managed policy inherited from the “ADMIN1” group. So now we have our user and we have our group.

Now we’re going to see how to log in as that user, “SANDY66”. Let’s go back to the dashboard. On the right-hand side of the dashboard, we have a summary of our AWS account. The account ID is shown here, and you can also get it by opening the account panel in the top right.

It is the same account ID in both places. The account alias is something you can set to log in to your account faster, because remembering a 12-digit number is sometimes difficult.

So you can create an account alias; you just have to specify an alias that you like, for example “sandy66-aws-a1”, and click on “Save changes”. This is now a unique alias for my account. You will not be able to use this alias for your own account, but you can create your own. On the right-hand side we now have a sign-in URL that is customized for my alias.
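The console steps above (group, AdministratorAccess policy, tagged user with a console password, account alias), replayed against the IAM API as an added example that is not the article’s own code: `provision_admin_user` and `RecordingClient` are names chosen here, the policy ARN is that of the AWS-managed AdministratorAccess policy, and running with `--live` assumes boto3 is installed and AWS credentials are configured on the machine.

```python
import getpass
import sys

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # AWS-managed policy


def provision_admin_user(iam, user_name, group_name, password, alias, department):
    """Replays the console steps with the IAM API: create the group, attach
    AdministratorAccess to it, create the user with a Department tag and a
    console password, add the user to the group, then set the account alias.
    `iam` is a boto3 IAM client or any object with the same method names."""
    iam.create_group(GroupName=group_name)
    iam.attach_group_policy(GroupName=group_name, PolicyArn=ADMIN_POLICY_ARN)
    iam.create_user(UserName=user_name,
                    Tags=[{"Key": "Department", "Value": department}])
    # Console (password) access only, no access keys, no forced reset,
    # matching the choices made in the console walkthrough.
    iam.create_login_profile(UserName=user_name, Password=password,
                             PasswordResetRequired=False)
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    iam.create_account_alias(AccountAlias=alias)
    # Alias-based sign-in URL, as shown on the IAM dashboard after saving the alias.
    return f"https://{alias}.signin.aws.amazon.com/console"


class RecordingClient:
    """Offline stand-in for the boto3 client (hypothetical helper): records
    every call instead of contacting AWS, so the sequence can be checked
    without an account."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def record(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return record


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # assumed installed, with AWS credentials configured
        client, pw = boto3.client("iam"), getpass.getpass("Console password: ")
    else:
        client, pw = RecordingClient(), "dry-run-placeholder"
    print(provision_admin_user(client, "sandy66", "ADMIN1", pw, "sandy66-aws-a1", "ECE"))
    for method, kwargs in getattr(client, "calls", []):
        print(method, kwargs)
```

Without `--live` the script only records the API calls it would make, which is a convenient way to review the exact sequence before running it for real.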

If I click on “Copy this URL”, I need to open it in a new tab, but it must be an incognito tab or a different web browser so that it is a separate session from the root session I am already in. So here I’ve opened a private browser window, which gives me a different session, and I can paste the sign-in URL and press Enter. We are taken again to the AWS login page, which has three fields.

The fields are the “Account ID”, the “IAM user name” and the password. What is happening here is that this URL takes us to the sign-in page for an IAM user. How do we know this, and how could we get back to this page if we wanted to? When we go to “Sign in”, we have two options: “Root user”, which logs you in as the root user, or “IAM user”, in which case you enter the account ID or the account alias and click on “Next”, which takes you to the same page we had before.

On this page, I enter the IAM username and the password I just created, then click on “Sign in”. We are now logged in as an IAM user in the console. How can we tell that this is not the root user anymore? If we look at the top right-hand side, we can see “SANDY66” followed by the account alias, and under it “My Account” with the account number. That tells us we are logged in as the IAM user “SANDY66”. This IAM user can do pretty much everything the root user could do, because both are admins, but from a course perspective it is better to use an IAM user than the root account.

In some articles you will see me using the root user, and in others the IAM user. It doesn’t really matter from the course perspective, so I will use whichever is convenient, except where I need to use the root user specifically.

In the next article, I am going to discuss IAM Policies in AWS. In this article, I tried to explain IAM Users and Groups in AWS, and I hope you enjoyed it.
