AWS IAM Users and Groups: Creating and Assigning Custom Policies
Welcome back!
In this article, we will go over Amazon’s IAM service and how a business can utilize this service to manage its resources.
What is AWS IAM?
AWS IAM (Identity and Access Management) is the service that provides governance over the resources within your AWS environment. Put simply, with IAM you control who can sign in and which permissions they have to use resources. IAM uses several components to facilitate resource management:
Users: individual accounts used to log in with.
Groups: collection of users; used to organize users and apply policies.
Policies: defines permissions and access controls; can be connected to users, groups, roles, or resources.
Roles: identities with a set of permissions that users or services assume to receive temporary security credentials instead of long-term ones.
Real-World Use Case Scenario
A bank is seeking to enhance its security measures and streamline infrastructure management. The bank has different teams, including developers, management, and a help desk team. Each team requires a different level of access based on its roles and responsibilities. The bank wants to ensure that developers can view EC2 instances but not launch any, that the management team can only view S3 resources without the ability to create S3 buckets, and that the help desk team has full access to both EC2 instances and S3 buckets but nothing else. The bank also wants to verify that the assigned permissions function as expected.
So today we are going to create 3 IAM users and groups with the permissions required by the bank. And based on the bank’s requirements, we’re going to have the help desk team launch a Windows Server 2022 EC2 instance. We also want to verify that the developers can establish a remote desktop connection to the Windows Server, and that the management team can only view S3 and not create buckets.
Let’s get to work!
First, sign in to your AWS Management Console.
At the top, click Services. Scroll down and click Security, Identity, & Compliance. On the right side, scroll down and click IAM.
Let’s start by creating the groups.
On the left side, under Access management click User groups.
Click Create group.
Type the name of the group in the field under User group name. For this scenario, the 3 group names will be Developers, Management, and HelpDeskTeam. (Note: the group name cannot contain any spaces.)
Let’s start with the Developers group.
Scroll down and finish creating the group.
Repeat these steps to create the Management and HelpDeskTeam groups.
Once the groups are created, under Access management click Policies. Here is where we will create the policies for each user group.
We will start with creating the policy for the Developers group.
Click Create policy.
Select JSON.
JSON (JavaScript Object Notation) is a text-based format used to represent structured data. In this case, we will write the IAM policies that define the permissions for each group in JSON.
Copy the code below and paste it in the Policy editor field.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:GetPasswordData",
                "ec2:GetConsoleOutput"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*"
        }
    ]
}
Let’s break this code down.
In the first statement, we “Allow” the following actions:
“ec2:DescribeInstances” (To get information about the EC2 instances that exist.)
“ec2:GetPasswordData” (To retrieve the encrypted Administrator password needed to RDP into Windows instances.)
“ec2:GetConsoleOutput” (To view the console output of EC2 instances; for Windows instances this includes the last 3 system event log errors, which is useful for troubleshooting.)
“Resource”: “*” (Applies the permissions to all resources.)
Note: It is a security best practice to scope permissions to specific resources, but for this scenario we will go with all resources.
In the second statement, we “Deny” the following action:
“ec2:RunInstances” (To deny the ability to launch EC2 instances. An explicit Deny always overrides an Allow, so launching instances stays blocked even if a developer is later attached to another policy that allows it.)
“Resource”: “*” (Applies the restriction to all resources.)
After pasting the code, click Next.
Type the name of the policy in the field under Policy name. In this scenario, the policy name is DevelopersPolicy. (Note: the policy name cannot contain any spaces.)
Scroll down and click Create policy.
Now let’s attach this policy to the user group.
Select the button next to the created policy. Then click Actions and Attach.
Select the box next to the user group that you want to attach the policy to.
Then click Attach policy.
The DevelopersPolicy policy is now attached to the Developers user group. This means all users within the group are given the permissions defined by the policy.
Now let’s create the policy for the Management group. Click Create policy.
Select JSON. Copy the code below and paste it in the Policy editor field.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "s3:CreateBucket",
            "Resource": "*"
        }
    ]
}
Let’s break this code down.
In the first statement, we “Allow” the following action:
“s3:*” (To allow full access to S3. Note that s3:* also permits modifying and deleting existing buckets and objects; a strictly view-only policy would allow only read actions such as s3:Get* and s3:List*.)
“Resource”: “*” (Applies the permissions to all resources.)
In the second statement, we “Deny” the following action:
“s3:CreateBucket” (To deny the ability to create S3 buckets.)
“Resource”: “*” (Applies the restriction to all resources.)
After pasting the code, click Next, then go through the same process of naming the policy and attaching it to the user group. In this scenario, the policy name for the Management group is ManagementPolicy.
Now let’s create the policy for the HelpDeskTeam group. Click Create policy.
Select JSON. Copy the code below and paste it in the Policy editor field.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}
Let’s break this code down.
In the single statement, we “Allow” the following actions:
“s3:*” (To allow full access to S3.)
“ec2:*” (To allow full access to EC2.)
“Resource”: “*” (Applies the permissions to all resources.)
After pasting the code, click Next, then name the policy and attach it to the HelpDeskTeam group as before.
So far, we’ve created 3 user groups and attached policies to them.
Now let’s create 3 users and add a user to each group.
On the left side, under Access management click Users.
Click Add users.
The 1st user will be called DeveloperUser1 and will be added to the Developers group.
Type in the user name. Select Provide user access to the AWS Management Console — optional.
Then select I want to create an IAM user. You can create a custom password, but for this scenario I chose to autogenerate a password.
Select Users must create a new password at next sign-in — Recommended and then click Next.
Select Add user to group. Select the box next to the Developers group name. Then click Next.
At the bottom, click Create user.
The user DeveloperUser1 has been created. Make sure to save the Console sign-in details in a safe location. For convenience, you can click Download .csv file. The .csv file contains the user credentials, such as the User name and Console password. (Note: This is the only time you can view and download the password.)
Click Return to users list.
Now, let’s create users for the Management and HelpDeskTeam groups. Let’s name the users ManagementUser1 and HelpDeskTeamUser1. Make sure to save the Console sign-in details for each user in a safe location.
Now that the users are created and assigned to their corresponding groups, click Sign out and sign in as each user and verify the following:
- Verify that HelpDeskTeamUser1 can launch EC2s and create S3 buckets, but can’t use some of the other AWS services that you haven’t given access to. Have HelpDeskTeamUser1 launch a Windows Server 2022 EC2.
- Verify that DeveloperUser1 is not able to launch or deploy any EC2 instances, but can still view any that have been created. Verify that DeveloperUser1 can RDP into the Windows Server.
- Verify that ManagementUser1 can’t view anything but S3 and even then, can’t create a bucket.
To sign in as an IAM user, you can use the Console sign-in URL that is located in the .csv file downloaded earlier. The 12-digit number at the start of the Console sign-in URL is the Account ID. Enter the user name and password and click Sign in.
Let’s launch a Windows Server 2022 EC2.
Signed in as HelpDeskTeamUser1, click Services, click Compute and click EC2.
Click Launch instance.
Enter a name for the instance.
Under Application and OS Images (Amazon Machine Image), select Windows and Microsoft Windows Server 2022 Base (Free Tier Eligible).
Under Instance type, select t2.micro (Free tier eligible).
Under Key pair (login), click Create new key pair.
Enter a name for the key pair.
Click Create key pair.
When a key pair is created, a .pem file is downloaded to your computer. This file contains the private key that is used to decrypt the Administrator password for the instance. Remember where this file is stored, as it will be needed later on.
Click Launch instance.
The instance has been successfully launched.
Now let’s confirm that HelpDeskTeamUser1 can create an S3 bucket, but can’t use the other AWS services that access hasn’t been given to.
Go to S3 and click Create bucket and provide a Bucket name.
You should see that the bucket was successfully created.
And when trying to use another AWS service, the user will see a You need permissions message.
Now signed in as DeveloperUser1, let’s try to launch an instance.
In this case, when the user selects Windows, a message shows that the AMI is invalid. This is an indication that the user cannot launch an instance.
Still signed in as DeveloperUser1, let’s RDP into the Windows Server 2022 EC2 that was launched by HelpDeskTeamUser1. Click Connect.
Click RDP client. Then click Download remote desktop file. This downloads a remote desktop (.rdp) connection file for the instance to your computer.
Click Get password.
Click Upload private key file. Locate the .pem file and open it.
Click Decrypt password.
You will see the password is now visible. Copy the password.
Locate the remote desktop file on your computer and open it. Click Connect.
Paste the password and click OK.
And you are now connected. The virtual desktop should appear.
Now let’s confirm that ManagementUser1 is not able to view anything but S3, and even then, can’t create a bucket.
Signed in as ManagementUser1, go to EC2 and then go to Instances.
You’ll see that ManagementUser1 is not able to see the instance that HelpDeskTeamUser1 launched. A message that reads You are not authorized to perform this operation. is visible.
Also, if you go to CloudFront and then to Distributions, a red banner appears at the top indicating that ManagementUser1 is not authorized to view distributions.
Still signed in as ManagementUser1, go to S3 and then click Buckets. The user has access to S3 and can view existing buckets.
But if ManagementUser1 tries to create a bucket, a Failed to create bucket prompt appears. This is because the user does not have the permissions required to create a bucket.
And that completes this demonstration. Thank you for your time and attention!