Access to AWS Resources

How does one grant access to resources within AWS? And how does one distinguish between ‘human users’ and ‘service accounts’ (also called robo users) in AWS?

In GCP, the service that manages resources is called ResourceManager and access to the resources in ResourceManager is via Roles and IAM Policies.

In AWS there is no direct equivalent of ResourceManager; access to all resources is managed through AWS IAM.

AWS Identity Architect – AWS IAM Key Terms

IAM is the one-stop shop for creating users and credentials, defining permissions and policies, and federating or delegating access to users.

Some terms to get quickly familiar with include:

  1. Users (and Groups)
  2. Credentials (Short term and long term)
  3. Permissions and Policies
  4. Federation and Delegation

Example Use Case – Create a GROUP of EC2 Power Users, Create an individual user with a password and an access key pair, add the user to the group

AWS Identity Architect – To create the IAM group that will serve as our EC2 PowerUsers group

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Groups and then choose Create New Group.
  3. For Group Name, enter a name for your group, and then choose Next Step.
  4. On the Attach Policy page, select an AWS managed policy and then choose Next Step. For example, for Amazon EC2, one of the following AWS managed policies might meet your needs:
    • PowerUserAccess (for our example)
    • AmazonEC2FullAccess  (admins for all of EC2)
    • AmazonEC2ReadOnlyAccess
  5. Choose Create Group.

Your new group is ready for users to be added.

To create an IAM user, add the user to your group, and create a password for the user

  1. In the navigation pane, choose Users, then choose Add user.
  2. For User name, enter a user name.
  3. For Access type, select both Programmatic access and AWS Management Console access.
  4. For Console password, choose one of the following:
    • Autogenerated password. Each user gets a randomly generated password that meets the current password policy in effect (if any). You can view or download the passwords when you get to the Final page.
    • Custom password. Each user is assigned the password that you enter in the box.
  5. Choose Next: Permissions.
  6. On the Set permissions page, choose Add user to group. Select the check box next to the group that you created earlier and choose Next: Review.
  7. Choose Create user.
  8. To view the users’ access keys (access key IDs and secret access keys), choose Show next to each secret access key. To save the access keys, choose Download .csv and save the file to a safe location.
    Important: You cannot retrieve the secret access key after you complete this step; if you misplace it you must create a new one.

  9. Choose Close.
  10. Give each user his or her credentials (access keys and password); this enables them to use services based on the permissions you specified for the IAM group.
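The same procedure expressed against the IAM API with boto3, as an added example (not code from the post). It keeps the post’s choice for human users (console password plus access key pair) and, to answer the human-versus-robo-user question above, gives a service account only an access key pair and never a console password. The group and user names are made up for the illustration; `iam` is a boto3 IAM client, or any object exposing the same methods.

```python
"""Provision the EC2 PowerUsers group and its members through the IAM API.
Added example, not the post's code. Assumes AWS credentials are configured
when run for real; group and user names below are illustrative."""
import secrets
import string

# AWS managed policy chosen in step 4 of the group procedure
POWER_USER_POLICY_ARN = "arn:aws:iam::aws:policy/PowerUserAccess"


def generate_password(length=20):
    """Random console password; the account password policy still applies."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_power_users_group(iam, group_name="EC2PowerUsers"):
    """Group procedure: create the group and attach the AWS managed policy."""
    iam.create_group(GroupName=group_name)
    iam.attach_group_policy(GroupName=group_name, PolicyArn=POWER_USER_POLICY_ARN)
    return group_name


def create_member(iam, group_name, user_name, human=True):
    """User procedure. A human gets a console password (forced change at first
    login) plus an access key pair; a robo user gets the key pair only."""
    iam.create_user(UserName=user_name)
    result = {"user": user_name, "console_password": None, "access_key": None}
    if human:
        password = generate_password()
        iam.create_login_profile(UserName=user_name, Password=password,
                                 PasswordResetRequired=True)
        result["console_password"] = password
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # SecretAccessKey is returned exactly once (step 8): hand it to a secret
    # store immediately; it cannot be retrieved later.
    result["access_key"] = (key["AccessKeyId"], key["SecretAccessKey"])
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    return result


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    iam = boto3.client("iam")
    group = create_power_users_group(iam)
    print(create_member(iam, group, "alice", human=True)["user"])
    print(create_member(iam, group, "ec2-deployer", human=False)["access_key"][0])
```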

Summary

This post clarifies the terminology around creating an AWS Group and adding users to it, using EC2 service access as an example.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Written by Anuj Varma, Hands-On Technology Architect, Clean Air Activist.