Cloud Security Best Practices with AWS IAM


Ensuring robust security in the cloud is essential for managing resources efficiently and protecting sensitive data. AWS Identity and Access Management (IAM) offers a powerful way to implement fine-grained access control for your cloud environment. In this blog, we explore the vital role of IAM in ensuring secure and controlled access to cloud resources. Using a hands-on project, we’ll demonstrate how to configure IAM policies, create user groups, and assign permissions to EC2 instances. Whether you're a beginner or looking to improve your AWS knowledge, this post will help you understand how to manage permissions effectively and avoid costly mistakes, while maintaining the security of your development and production environments. Let’s dive in!
NextWork Student - community.nextwork.org/u/8a3e1ff8
Prerequisite
- Have an AWS account. If you don’t have one, sign up here and enjoy the benefits of the Free-Tier Account
Project duration ⏰
The project took about 60 minutes.
Cost 💲
$0 - Please make sure to delete all AWS resources used for the project to avoid incurring expenses unless you are within the free tier limit.
Here's what you'll learn in this guide:
🚀 Launch EC2 instances to set up your cloud infrastructure.
🏷️ Utilize tags for simplified resource identification and organization.
🔑 Set up IAM policies to control access to EC2 instances based on their environment (e.g., development vs. production).
👤 Create an IAM user and assign them to a user group with permissions tailored to their role.
✅ Test IAM access to ensure users have the right level of access based on their permissions.
Launch EC2 Instances
💡 What is EC2?
Amazon EC2 is a foundational AWS service that allows you to rent and use virtual computers in the cloud. Think of it as your personal computer, but hosted on the internet instead of being a physical machine. EC2 is highly versatile, letting you launch, customize, and manage virtual machines for tasks like running applications or hosting websites.
Here's what EC2 means:
Elastic: Flexible to scale up or down based on your needs.
Compute: Delivers powerful virtual computing resources.
Cloud: Accessible anytime, anywhere, via the internet.
In the AWS Management Console, navigate to EC2 (type ec2 into the search bar of your Console) and click on EC2.
Switch to the AWS Region closest to your location or the one where you plan to use your EC2 instance. This ensures better performance and aligns your resources with the desired geographical area.
In your EC2 console, choose Launch instances.
💡 What are EC2 instances?
EC2 instances are the virtual computers or servers provided by Amazon EC2. Think of them as customizable machines created in the cloud to meet specific needs. Just like choosing a laptop with specific RAM, processor, or storage, EC2 instances let you configure CPU, memory, storage, and networking to suit your project. Whether you're hosting websites, running applications, or managing databases, EC2 instances provide the flexibility to scale resources as required, ensuring efficiency and performance for various workloads.
Let’s set up the EC2 instance.
In Name, enter the value yourname-production. Yup, replace “yourname” with your name.
💡 Every EC2 instance must have a unique name in its AWS Region.
- Click on Add additional tags, located right next to the Name field. This option allows you to assign custom tags to your resource for better organization, identification, and management within your AWS environment. Tags are key-value pairs that help track resources, categorize them by project or environment, and simplify cost management.
Choose Add new tag.
For the next tag, use this information:
Key: Env
Value: production
💡 Why are we creating a new tag, and what does it mean?
Tags act as labels for AWS resources to help with organization and management. Here, we’re creating a tag named "Env" with a value like "production" or "development" to distinguish between instances for production and development environments.
These tags are useful for:
Resource identification: Easily filter or locate tagged resources.
Cost allocation: Track expenses by environment.
Policy application: Automate permissions or rules based on environment types (as you’ll soon see in action).
- Head on down to see your EC2 settings and make sure the Amazon Machine Image (AMI) is using a Free tier eligible option.
💡 What is AMI? What does Free Tier Eligible mean?
Think of AMI (Amazon Machine Image) as the template for building your virtual computers (EC2 instances). Similar to a new computer with pre-installed software and an operating system (like Windows or MacOS), an AMI includes the operating system and applications needed to launch an instance.
Free Tier Eligible AMIs are those that qualify under the AWS Free Tier, allowing you to experiment with EC2 without incurring additional costs.
- For the instance type, also make sure you're using a Free tier eligible option!
💡 What is an Instance Type?
If AMIs provide the software and operating system for your virtual server, instance types define its 'hardware' specifications. These include CPU power, memory size, storage capacity, and networking performance.
While the AMI determines what your server runs (e.g., Linux, Windows), the instance type sets how efficiently and powerfully it runs, letting you tailor your EC2 instance to match the needs of your project.
- For Key pair (login), select Proceed without a key pair.
💡 What is a Key Pair? Why is proceeding without one labeled as (Not recommended)?
A key pair is used to securely access your EC2 instance without relying on the AWS Management Console, typically via SSH (Secure Shell). It consists of a public and private key to authenticate your connection.
If you proceed without a key pair, you lose the ability to use SSH for secure remote management or troubleshooting, which is why it's generally discouraged. For long-term or critical projects, setting up a key pair is essential for secure and flexible access.
💡 Wait a second.
For simplicity, we are going to skip configuring network and storage settings in this project. While these are essential for optimizing your EC2 instance's performance and connectivity, we'll focus on basic setup steps here:
Network settings: Control how your instance connects to the internet and other AWS resources, including IP addresses and routing.
Storage settings: Determine the type and size of storage volumes (like virtual hard drives) your instance uses for data.
These settings become more important for advanced configurations or larger projects!
- You're ready! Click Launch instance.
- Now let's create one more EC2 instance for the development environment.
💡 What do development vs. production environments mean?
Development and production environments are distinct stages in software development. The development environment is where developers build and test code, experimenting and debugging before it’s ready. On the other hand, the production environment is the live setting where the software is deployed for end users, making it accessible to the public and ready for real-world use.
Repeat the same flow, but this time using these tags:
Name: yourname-development
Env: development
Launch your second instance.
Select Instances from your left hand navigation panel.
If you only see one instance on your page, make sure to use that refresh button!
You'll see that in the first image, the new EC2 instance “ahmed-development” shows as "initializing" in the status check column. It will keep refreshing until it’s fully ready, at which point its status will change to "passed," indicating that it’s up and running.
Select the checkbox next to one of your instances, and a popup window of information pops up!
Select the Tags tab.
Create an IAM Policy
We've successfully deployed two EC2 instances: one for production and one for development. Now, we’ll move on to our next task: onboarding the new intern and setting up permission policies. The intern needs access to the development EC2 instance, but not the production one, to prevent accidental disruptions. To accomplish this, we'll use AWS IAM to grant the intern access to the development environment first, ensuring that they only have the necessary permissions for their role.
In this step, we are going to create an IAM policy that gives access to the development instance.
- Head to your IAM console.
💡 What is IAM?
IAM (Identity and Access Management) in AWS is a service that allows you to control access to your AWS resources. You can create and manage AWS users, groups, and permissions to ensure that individuals or services have appropriate access levels, whether it’s read, write, or administrative control. IAM helps you enforce security best practices by ensuring that only authorized users or services can interact with your cloud resources.
- Now on the left-hand navigation panel of your IAM console, choose Policies
💡 What is a Policy?
An IAM policy is a set of rules that defines permissions for users, groups, or roles in AWS. It specifies what actions they can perform on specific resources, such as read, write, or delete, and outlines when and how those permissions are applied. Policies help ensure secure and controlled access to your AWS environment, allowing you to manage who can interact with what resources and under what conditions.
- Choose Create policy.
- Switch your Policy editor tab to JSON.
In this step, we will create and edit AWS policies using the JSON method. While you can also use the visual editor to create policies, we’ll focus on the JSON approach for this project, allowing for more flexibility and precision in defining permissions for our IAM roles.
Here's the policy you'll be using! Paste this policy into your editor - replace ALL of the existing code in your editor.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Env": "development"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}
💡 Let’s break down this powerful policy:
This policy grants actions like starting, stopping, and describing EC2 instances for instances tagged with Env = development, but denies permissions to create or delete tags for any EC2 instance.
💡 For the Pros: Here's how JSON policies are structured:
Version: 2012-10-17 indicates the latest policy version.
Statement: The core section detailing permissions.
Effect: Can either be "Allow" or "Deny", with Deny taking priority.
Action: Lists allowed or denied actions (e.g., ec2:* allows all EC2 actions).
Resource: Specifies the resources (e.g., * for all resources).
Condition: Defines when the policy applies, e.g., instances tagged Env = development.
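To see how the three statements interact, here is a small evaluator that applies the IAM decision rules (an explicit Deny always wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied) to the policy above. This is an added illustration, not part of the original guide or an AWS library; it models only the StringEquals operator on ec2:ResourceTag keys and does not encode that ec2:Describe* actions cannot carry resource-tag conditions, which is the reason the policy needs its second statement.

```python
import fnmatch
import json

# Copy of the policy JSON from this guide (constructed for the example).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "development"}}},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
     "Resource": "*"}
  ]
}
""")


def _actions(stmt):
    """Normalise the Action element, which may be a string or a list."""
    acts = stmt["Action"]
    return [acts] if isinstance(acts, str) else acts


def _condition_ok(stmt, resource_tags):
    """Evaluate StringEquals conditions on ec2:ResourceTag/<Key> against the
    tags of the resource being acted on. A statement with no Condition block
    always matches. Other condition keys are treated as not matched."""
    cond = stmt.get("Condition", {})
    for key, want in cond.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False
        tag_key = key.split("/", 1)[1]
        if resource_tags.get(tag_key) != want:
            return False
    return True


def evaluate(policy, action, resource_tags):
    """Simplified IAM evaluation for one request.
    Returns 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (no statement matched)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _actions(stmt)):
            continue
        if not _condition_ok(stmt, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed tag sets mirroring the two instances launched in this guide.
    prod = {"Name": "yourname-production", "Env": "production"}
    dev = {"Name": "yourname-development", "Env": "development"}
    for action, tags in [("ec2:StopInstances", prod), ("ec2:StopInstances", dev),
                         ("ec2:DescribeInstances", prod), ("ec2:CreateTags", dev)]:
        print(f"{action:22} Env={tags['Env']:12} -> {evaluate(POLICY, action, tags)}")
```

The output reproduces what the intern sees later in the guide: stopping the production instance is implicitly denied, stopping the development instance is allowed, describing either instance is allowed, and tagging is explicitly denied even on the development instance.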
Select Next when you're ready.
Fill in your policy's details:
Name: NameDevEnvironmentPolicy (Be mindful of acceptable characters)
Description: IAM Policy for Name development environment.
Choose Create policy.
Create an AWS Account Alias
Head to your IAM dashboard.
In the right-hand side of the dashboard, choose Create under Account Alias.
💡 What is an Account Alias and Why Create One?
An Account Alias is a custom, user-friendly name for your AWS account, replacing the default account ID (a string of digits) in the sign-in URL. This makes it easier to remember and share with new users, like the intern joining NextWork. Instead of using the default URL, which is long and complex, the alias simplifies access: https://Your_Account_Alias.signin.aws.amazon.com/console/. It’s a helpful way to make your AWS login page more intuitive and accessible!
- In the Preferred alias field, enter yourname-alias. Yup, replace yourname with your name!
- Choose Create alias.
Create IAM Users and User Groups
Our intern currently doesn’t have a way to log into the AWS account, and you wouldn't want to share your own login credentials, especially since you have access to the production instance. To solve this, we'll use IAM to create a user for the intern and assign them to a specific group that only has access to the development instance, not the production environment. This ensures proper access control while keeping production resources secure.
In this step, you'll prepare to:
Create an IAM group specifically for interns, making it easier to manage their permissions collectively.
Set up an IAM user for the new intern, ensuring they have secure login credentials to access the development environment.
Choose User groups in your left-hand navigation panel.
Choose Create group.
Let's create your first user group!
💡 What is an IAM User Group?
An IAM user group is a collection of IAM users that allows you to manage permissions for all users within the group at once. By attaching policies to the group, you can easily control access rights for multiple users without having to modify each user's permissions individually. This approach streamlines permission management, especially for teams or groups with similar roles.
To set up your user group:
Name: name-dev-group
Attach permission policies: NameDevEnvironmentPolicy
- Select Create user group. Success!
- Now let's add Users to your user group.
💡 Why Do We Need Users in a User Group?
IAM users represent individuals who need access to AWS resources, while user groups are a way to organize and manage those users more efficiently. By adding users to a group like "ahmed-dev-group," they inherit the permissions associated with that group. This simplifies permission management, ensuring all users in the group have consistent access. For instance, if you have several interns needing the same permissions, grouping them makes access control easier to manage as your team grows.
- Choose Users from the left-hand navigation panel.
Choose Create user.
Let's set up this user! Under User name, enter name-dev-yourname
Tick the checkbox for Provide user access to the AWS Management Console.
💡 Why Are We Checking This Box?
By ticking this box, you're enabling the new user to sign in and access AWS services through the AWS Management Console. If left unchecked, the user won’t be able to access the console directly and would need to use other methods, like the AWS CLI, SDKs, or APIs, which we’ll explore in more advanced projects.
Select Next when you're ready!
To set permissions for your user, we'll simply add it to the user group you've created.
Select the checkbox next to name-dev-group.
Select Next.
Select Create user!
Test your intern's access
In this step, you'll:
Log in to AWS using the intern's IAM user credentials.
Test the intern's permissions by trying to access both the production and development EC2 instances.
This ensures that the intern has the correct level of access, with permission to interact with the development instance but not the production one.
Copy the Console sign-in URL. Do not close this tab!
Open a new incognito window on your browser.
Open the new console sign-in URL in your incognito window.
Using the User name and Console password given in your IAM tab, let's log in!
Because you selected "User must create a new password at next sign-in," you'll first enter the temporary password used during user creation. Afterward, the intern will be prompted to set a new password to complete the login process.
Success!
As a new user, you'll notice that some of your dashboard panels are showing Access denied already.
Head to your EC2 console, and make sure you're in the same Region as the one where you deployed your production and development instances.
Head to Instances.
Select your production instance, and in the Actions dropdown, select Manage instance state.
Let's try to stop this instance. Select the Stop option, then Change state.
Select Stop.
At the top of your page, you'll see a banner indicating that the attempt to stop the instance failed due to insufficient permissions. This error occurs because you're not authorized to stop any instances tagged with "production." You need specific permissions to perform this action on production instances.
Now let's try to stop the development instance.
Head back to the Instances page, and select the checkbox next to development instance.
Under the Actions drop-down, select Manage instance state.
Select Stop, then Change state. Select Stop.
Success! The intern was able to stop the development instance because they were granted permission to perform actions on instances tagged with "development." The IAM policy allowed them to act on EC2 instances that carry this tag. However, since they had no permission for production instances, they couldn't stop the production instance. This is consistent with the permissions granted to the intern through the IAM policy attached to their user group.
🎉Wow, wonderful work! Hats off 🧢
Delete Your Resources
To avoid further charges, terminate both your development and production EC2 instances in the AWS EC2 console. To ensure you're viewing all instances, select the "x" next to the "Instance state = running" filter to show the development instance as well. Be sure to double-check that all resources are fully terminated to prevent ongoing costs.
- In your IAM console, delete the group, user, and policy that were created. AWS does not charge for IAM resources such as users, groups, roles, and policies. However, if IAM roles are associated with other services (e.g., EC2, Lambda), charges may apply based on the usage of those services. It's important to track and clean up resources you've created to maintain a well-organized and cost-effective environment. This will help ensure that you're not leaving unnecessary resources in your account and are able to manage your AWS environment more efficiently.
💡 To summarize, here’s a breakdown of the steps we completed and what we learned:
Launched EC2 Instances: Created instances for development and production environments.
Applied IAM Policies: Configured policies to allow access to the development instance only for specific users.
Created IAM Users & Groups: Onboarded an intern with limited access using an IAM user and user group.
Tested Access: Verified the intern could access the development instance but not the production one.
Cleaned Up Resources: Terminated EC2 instances and deleted IAM users, groups, and policies to avoid extra charges.
Thank you so much for following along! 🙏 I hope this guide on AWS IAM has been insightful and useful. Whether you're just starting out or refining your skills, I trust this project has provided you with hands-on knowledge. 💻 Keep exploring, experimenting, and don’t hesitate to revisit these steps as you continue to grow in your cloud journey. 🌐 Stay tuned for more updates and happy learning! 🚀👩💻👨💻
Written by Ahmed Salau