DEV Community

Cover image for Identity and Access Management in AWS: How to Create an IAM User, User Group, and Attach Policy to User Group in AWS
Oluwanifemi Loveth
Oluwanifemi Loveth

Posted on

Identity and Access Management in AWS: How to Create an IAM User, User Group, and Attach Policy to User Group in AWS

As I promised in a previous post, I will be sharing another thing I have learnt and practiced from the AWS 12 Weeks workshop.

AWS Identity and Access Management (IAM) is a web service in AWS that allows you to securely control access to AWS resources. When you first create an AWS account, it comes with a single sign-in identity that has complete access to AWS services and resources in the account. This is called the root user.

With AWS Identity and Access Management (IAM), you can specify who can access your AWS services and resources and under what conditions they can do so.
IAM is a feature of your AWS account and is offered at no additional charge.

Key Components of AWS IAM

Below are the key components of AWS Identity and Access Management

  1. IAM user: An IAM user is an entity you create in your AWS account to interact with your AWS resources. It consists of a name and credentials. It is strongly recommended not to use the root user for everyday tasks, hence the need for an IAM user.

  2. IAM user group: An IAM user group is a collection of IAM users. User groups allow you to specify permissions for multiple users, making it easier to manage permissions for those users. For instance, you could have a user group called Admin, and assign the Administrator permissions to it, any member of that group automatically has the Admin group permissions. A user group can contain many users, and a user can belong to multiple user groups.

  3. IAM roles: A role is an IAM identity that you can create in your AWS account with specific permissions. Unlike IAM user, a role is not uniquely associated with one person, it is intended to be assumable by anyone who needs it. You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources.

  4. IAM policies: A policy is an object in AWS that defines its permissions when associated with an identity or resource. You can manage access in AWS by creating policies and attaching them to IAM identities (users, groups, or roles). There are six policy types in AWS;

  • Identity-based policies
  • Resource-based policies
  • Permissions boundaries
  • Organizations SCPs
  • Access control lists (ACLs)
  • Session policies

How to Create an IAM User, User Group, and Attach Policy to User Group in AWS

In this article, I will show you how to create an IAM User, and User group and attach a policy to the User group in AWS.
This is a summary of what I did.

  • I first created an IAM policy.
  • Then, I created an IAM User group and attached the policy to it.
  • Lastly, I created an IAM user and placed it in the User group that was created.

Let's get started with the full details.

Step 1
I logged into my AWS account as an IAM user. You can log in as either a root user or an IAM user.

Step 2
After logging in, I typed ‘IAM’ in the searched space and searched, then clicked on it as highlighted below.

Image description

Step 3
This opened up to the IAM dashboard page. On the left-hand side, I scrolled down to ‘Policies’ and clicked on it.
A policy defines the AWS permissions that you can assign to a user, group, or role. You can create and edit a policy in the visual editor and using JSON.

Image description

Step 4
Next, I clicked on the ‘Create Policy’ button at the top right-hand corner.

Image description

When defining policy for the AWS permissions, you can create and edit in Visual Editor or JSON. In this guide, l used the JSON method. So, I clicked the ‘JSON’ button.

Image description

Step 5
I got my policy and pasted it into the space provided for it. The policy I used in this guide allows all actions for EC2 tagged as Env-dev. Also, it allows describe-related actions for all EC2 instances. But it denies the create and delete tags action to prevent users from modifying tags arbitrarily.

Image description

Step 6
After pasting the policy, I clicked the “Next” button as you can see below;

Image description

Step 7
Then, I filled in the details of the policy; policy name, description and clicked on ‘Create Policy’ at the end.

Image description

Image description

Now, my policy has been created successfully, and I will find it in the list of policies.
To create an IAM User,
On the IAM dashboard showing at the left side panel, I clicked on ‘User group’.

Image description

Then, I clicked the ‘Create group' button placed at the top of the right corner.

Image description

Step 9
I input the group name, and selected dev-policy (the policy I just created) in the “Attach permissions policies - Optional section.” Adding users to the group is optional. Then, I clicked on the “Create User group” button.

Image description
Image description

That's all for creating a user group. Now, to create a user.

Step 10
I clicked Users on the left side of the page, and then on ‘Create users' button.

Image description

I typed dev-user as the username and allowed two access type both Programmatic access and AWS Management console access. Then, I selected a Custom password and typed in the password that I wanted.

Finally, I unchecked the required password reset function for quick action. In the real world, it is recommended to activate the password reset.

Image description

Image description

Next: I clicked on the ‘Permissions’ button.

Step 11
To set permissions, I selected “Add user to group”, and below it, I chose the dev-group that was created earlier.

Image description

Under ‘Review and Create User’, I clicked ‘Create User’

Image description

Image description

Now my user has been created successfully, I copied the console sign-in URL to log in and downloaded the .csv file as well. You can also use the username and custom password that you set to log in.

Image description

And then I signed in as the new user.

Step 12
To log in using the custom username and password, type the IAM username and password that you just created into the sign-in page to enter into the AWS management console. (aws.amazon.com)

Image description

And that is all. You will be able to sign in as the new user successfully.

I believe you were able to learn a thing or two from this. Share your thoughts with me in the comments. I look forward to reading them.

Top comments (0)