The Ultimate Guide To AWS IAM User, Group, And Role Management

In this blog we will learn how to create IAM users and groups using the Amazon Web Services (AWS) Management Console. Log in to your AWS account's Management Console and search for IAM in the search bar at the top of the console. In the IAM dashboard, you can use the left navigation bar to reach User Groups, Roles, Policies and Identity Providers. For the scope of this blog, we will only work with users, groups and their policies.

IAM dashboard

Let’s start by creating two users, Ram and Shyam. In our example, Ram is a developer and Shyam is an AWS administrator. You can navigate to the Users page by clicking the Users option in the IAM dashboard. This is the Users page, where you will see all the users created for your account. We will create our first AWS user by clicking on the “Add users” button.

We start by giving the user a username. Let us call this user “Ram”. When creating more than one user with the same properties, you can simply add another username by clicking on the “Add another user” button. However, for this example, we will do this one by one. The next option we see is the “AWS credential type”. You should select “Access key – Programmatic access” if this user needs to use the AWS CLI, the AWS SDKs or the AWS API. We do not need this for our example, so we will only select “Password – AWS Management Console access”, which will give user “Ram” access to AWS via the Management Console. Selecting this gives us some more options.

You can have AWS create an auto-generated password, or you can manually enter a password for this user. For our example, we will let AWS give us an auto-generated password. The next option is “Require password reset”. You should check this box if you want your user to reset their password when they first sign in to the console. We will leave it unchecked for this blog demo. Click on “Next: Permissions”.

Here we have 3 options: you can add the user to a user group, you can copy permissions from an existing user in your account, or you can attach policies directly. We have no users or user groups in our account yet, so the first two options offer nothing to choose from. But if you click the third option, “Attach existing policies directly”, you will see a whole list of policies, even if you have never created a policy in your account.

These are the AWS managed policies. This means that the policies are maintained by AWS, and if any change is required, it will be made by AWS. They are highly useful for simple applications where you don’t want to create and maintain your own policies and would rather let AWS handle this for you. We could select a policy here such as “AmazonS3ReadOnlyAccess” and grant that permission to our user, but let us first create a user with no permissions.

Click on “Next: Tags”; here we can add tags to our users. Let us add an example tag with key “Department” and value “Production”, then click on Next, which opens the review page where you will see the final details about your user. Click on “Create user”.

This takes us to the final step of creating an AWS user. Here we can see that the user Ram was created. You can even view the password of this user. Click on “Download .csv”, which will download a CSV file with the user’s credentials to your computer. It is important to save these credentials somewhere safe right after creating the user: if you navigate away from this page, you will no longer be able to retrieve them.

Click on close and we can see that user Ram is added to the Users page.

Let us create another user, Shyam.

We follow the same process. Add the username “Shyam”, allow AWS access via the console, leave all values at their defaults except “Require password reset”, which we uncheck, and click Next. We will not be adding any permissions, so click Next again. We will add the same sample tag as we did for user “Ram”, “Department” with value “Production”. Click Next and then click on “Create user”. Download the .csv file to save the credentials for user Shyam. Please note again that you won’t be able to get the credentials back after closing this page.

Now that we have created our two users, Ram and Shyam, let us create user groups.

Click on User Groups and then click on “Create group” to create our first user group. Add the name “Developers”. We can add users to this group from the table below. Let us add Ram, who is a developer, to this group.

The next step is to attach policies to this group. We want our developers to have full access to EC2 and S3, so we will check “AmazonEC2FullAccess” and “AmazonS3FullAccess” in the policies table here, and click on “Create group”.

We now have a Developers group with only one user. Let us create an Administrators group as well. Click on “Create group” and enter the group name “Administrators”. This time we will not add Shyam to the group right away; let’s create the group without any users.

Let us now attach policies to this group. We will attach the AdministratorAccess policy.

Click on “Create group” and we can see that both groups have been created, but the Administrators group does not have any users yet. Let us add Shyam to this group.

Go to the Users page. It lists both users, Ram and Shyam; click on “Shyam”. You can see that this user doesn’t have any permissions. Move from the Permissions tab to the Groups tab and click on “Add user to groups”. This shows you a list of user groups; let’s add Shyam to the Administrators group here. Now if you go back to the Permissions tab you can see that a permission has been added to this user: Shyam now has the AdministratorAccess policy attached through the Administrators group.

So, we have created two users and two groups, given the users AWS console access, and assigned AWS managed policies to the groups.
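The same setup expressed as code, as an added example that is not part of the original post: the users, groups and managed-policy attachments from the walkthrough are written down as a plan, the plan is turned into the boto3 IAM calls that mirror the console clicks, and a small review step lists which users end up with AdministratorAccess through group membership before anything is applied. It assumes boto3 is available for `apply()` and deviates from the walkthrough in one place: it forces a password reset on first sign-in.

```python
import secrets

# AWS managed policies are owned by the "aws" pseudo-account in their ARN.
AWS_MANAGED = "arn:aws:iam::aws:policy/"

# The walkthrough as data: users with tags, groups with policies and members.
PLAN = {
    "users": {"Ram": {"Department": "Production"}, "Shyam": {"Department": "Production"}},
    "groups": {
        "Developers": {"policies": ["AmazonEC2FullAccess", "AmazonS3FullAccess"], "members": ["Ram"]},
        "Administrators": {"policies": ["AdministratorAccess"], "members": ["Shyam"]},
    },
}

def policy_arn(name):
    return AWS_MANAGED + name

def effective_policies(plan, user):
    """Managed policies a user inherits through group membership (no direct attachments here)."""
    return {policy_arn(p) for g in plan["groups"].values() if user in g["members"] for p in g["policies"]}

def admins(plan):
    """Users who end up with AdministratorAccess: the list worth a second look before applying."""
    return sorted(u for u in plan["users"] if policy_arn("AdministratorAccess") in effective_policies(plan, u))

def iam_calls(plan):
    """Ordered (api, kwargs) pairs using boto3's IAM client method names and parameters."""
    calls = []
    for user, tags in plan["users"].items():
        calls.append(("create_user", {"UserName": user, "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}))
        # Console access only, no access keys; unlike the walkthrough, force a reset on first sign-in.
        # token_urlsafe yields letters, digits, '-' and '_'; adjust if your account's password policy is stricter.
        calls.append(("create_login_profile", {"UserName": user, "Password": secrets.token_urlsafe(24), "PasswordResetRequired": True}))
    for group, spec in plan["groups"].items():
        calls.append(("create_group", {"GroupName": group}))
        calls += [("attach_group_policy", {"GroupName": group, "PolicyArn": policy_arn(p)}) for p in spec["policies"]]
        calls += [("add_user_to_group", {"GroupName": group, "UserName": u}) for u in spec["members"]]
    return calls

def apply(plan, iam):
    """Run the planned calls against a boto3 IAM client, e.g. apply(PLAN, boto3.client("iam"))."""
    for api, kwargs in iam_calls(plan):
        getattr(iam, api)(**kwargs)

if __name__ == "__main__":
    for api, kwargs in iam_calls(PLAN):
        print(api, {k: ("<generated>" if k == "Password" else v) for k, v in kwargs.items()})
    print("users with AdministratorAccess:", admins(PLAN))
```

Run it without arguments to print the calls it would make; the generated passwords are only printed by the real `create_login_profile` response path, so hand them over out of band as you would the console's CSV.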

In the next blog, we will log in as an IAM user and create IAM roles.
