What is IAM and How does IAM Work in AWS?

IAM (Identity and Access Management) falls under “Security, Identity, & Compliance” service in AWS (Amazon Web Services). It lets us manage access to AWS services and resources securely. Using IAM we can create and manage AWS users, groups, roles and use permissions to allow or deny their access to AWS resources.

IAM comes with "no additional charge" and we are charged only for other AWS services used by us.

AWS IAM helps us  to:

  • Manage users and their access:
    We can create users in IAM, assign them individual security credentials. We can manage permissions to control which operations a user can perform and which not.
  • Manage roles and their permissions: 
    We can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. 
  • Manage federated users and their permissions: 
    We can enable identity federation to allow existing users, groups, and roles in our enterprise to access the AWS Management 

To understand IAM service  more in detail you can refer AWS official documentation.

In this article, we will see how to create an IAM user, group, IAM role, assign permission and create custom policy.

Note: IAM does not belong to a particular region and spans across the complete AWS Account.

Pre-requisites

  1. AWS Account (Create if you don’t have one).

What we will do

  1. Login to AWS.
  2. Create an IAM User.
  3. Create an IAM Group and add user to it.
  4. Create an IAM Role.
  5. Create an IAM policy.

Login to AWS

  1. Click here to go to AWS Login Page.

When we hit the above link, we will see a web page as follows where we are required to login using our login details.

Login to AWS

Once we login into AWS successfully, we will see the main console with all the services listed as follows.

AWS Management Console

Create an IAM User

An (IAM) user is an entity that we create on AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Click on “Services” at the top left corner and you will see a screen will all the service. Spot “IAM” under “Security, Identity, & Compliance” and click on “IAM

Create an IAM User

You will see a Dashboard. This is the home page for IAM. Click on “Users” from the left panel.

Identity and Access Management

Click on “Add user” to create a new user.

Add user

Here, give a name to the user to be created. We can create a user with two different access type.

  1. Programmatic access:
    We can perform the operation on AWS account from AWS API, CLI, SDK, and other development tools using this access type.
  2. AWS Management Console access:
    This access type allows a used  to sign-in to the AWS Management Console.

In this article, we will create a user having “AWS Management Console access”.

Once you click on “AWS Management Console access” you will get a field to assign a password for the user.

We can either have “Autogenerated password” or “Custom password”. Here, we will select “Custom password” and assign a password to the user. Depending on the requirement we can force a user to change the password on its next login. Here, keep it as it is. Click on “Next: Permission” to proceed further and assign the permissions.

Set User details

On the next screen, click on “Attach existing policies directly” and search for “readonlyaccess” and select the check-box as shown in the following screen. Giving “ReadOnlyAccess”, the user will not be able to create any of the AWS resources. You can go through the list of permissions to understand them. Click on “Next: Tag” to proceed further.

Set Permissions

Assigning tags is optional but helps to organize, track, or control access for this user. Click on “Next: Review” to proceed further and create a user.

Add tags

Review the configuration and click on “Create user” to create a user.

Review User Details

Click on “Download .csv” which contains “Console login link”. In case of creating a user with “Programmatic access” this file is very important as it would contain “Access key ID” and “Secret access key” required to get access. Now, you can click on “Close” as we have created our first user.

User added successfully

Create an IAM Role

An IAM role is an IAM identity that we can create in our AWS account that has specific permissions. It is similar to an IAM user with permission policies that determine what the identity can and cannot do in AWS. IAM Role allows AWS services to perform actions on our behalf.

On the IAM home page, click on “Roles” in the left panel. Click on “Create role”.

Create an IAM Role

In this article, we will create a Role for Lambda Service. Click on “Lambda” and click on “Next: Permissions”.

Lamda > Permissions

In the search box, search for  “ec2readonlyaccess” and tick on the check-box for the policy “AmazonEC2ReadyOnlyAccess”. This will give “readonly” access to Lambda function on EC2 Service. Click on “Next: Tags”.

AmazonEC2ReadyOnlyAccess

Adding tags is optional but can be used to organize, track, or control access for this role. Click on “Next: Review” to proceed further.

Create Role

Give a name to the role, add a description and click on “Create role”. This will create a Role which will Allows Lambda functions to call AWS services on your behalf with “ReadOnlyAccess” on “EC2” service.

Read Only Role

Create an IAM Group

An IAM group is a collection of IAM users. We can specify permissions for multiple users using role, which can make it easier to manage the permissions for those users.

On the IAM home page, click on “Groups” in the left panel. Click on “Create New Group”.

Create an IAM Group

Specify a name and click on “Next Step”.

Set Group name

Search for “readonlyaccess”, scroll to the bottom and check the check-box. Click on “Next Step”.

Attach a policy

Review the configuration and click on “Create Group”.

Now, we have a group with “ReadOnlyAccess”, which means users belonging to this group will have only “Read-Only” access on AWS Resources/Services.

Review settings

Go back to the IAM Homepage and select the group that we just created. Click on “Add Users to Group” to add our user to this group.

Add Users to group

Select the user that we created in the previous step and click on “Add Users”. This will add our user to the group we created having “ReadOnlyAccess”.

Read only Users

Create an IAM Policy

An IAM policy is an entity that is attached to an identity or resource to define their permissions. 

On the IAM home page, click on “Policies” in the left panel. Click on “Create Policy“.

Create an IAM Policy

Click on “Service” to select a service for which policy needs to be created. Search for a service in the search box and select the service.

Service

You will get a list of permissions that can be assigned, here select "List". Click on “Review Policy”.

Review Policy

Give a name to the policy and click on “Create policy”. This policy now can be attached to a user to give only “List” permissions on EC2 Service. We can follow the same steps we followed to attach a policy while creating a user to attach this policy.

Create new Policy

Conclusion:

In this article, we created a user, a role  and attached a policy to them, created a group and added a user to it, created a custom policy which can be added to the user. 

Share this page:

Suggested articles

1 Comment(s)

Add comment

Comments

By: Ajinkya at: 2020-01-30 10:49:38

Great artlicle