Cloud Security with AWS IAM: A Step-by-Step Guide

Imagine you just started working on a team managing an AWS environment. Your first task? Granting access to new team members without giving them complete control over the infrastructure. How do you ensure that everyone gets the right level of access without compromising security? This is where AWS Identity and Access Management (IAM) comes into play. IAM allows you to create users, organize them into groups, and assign permissions, ensuring that each team member has just the right level of access to AWS resources.

This guide is based on my personal project, where I explored IAM best practices while securing an AWS environment. In this step-by-step walkthrough, we'll cover:

  • What IAM users and groups are

  • Why they are essential

  • How to create IAM users and user groups

  • How to manage permissions effectively

  • How to test user access

Let's dive in!

Step 1: Creating EC2 Instances

What is Amazon EC2?

Amazon Elastic Compute Cloud (EC2) provides virtual servers in the cloud. These instances allow you to run applications, host websites, and perform various computing tasks.

Launching Instances

  1. Log in to AWS Management Console and navigate to EC2.

  2. Set your AWS region to the one closest to you for better performance.

  3. Click Launch instances and configure:

    • Name: production-yourname (replace yourname with your name)

    • Tags:

      • Key: Env, Value: production

    • Amazon Machine Image (AMI): Choose a Free Tier eligible option.

    • Instance Type: Select a Free Tier eligible type.

    • Key Pair (Login): Select Proceed without a key pair (not recommended for production environments).

  4. Click Launch instance.

Creating a Development Instance

Repeat the steps above, but change:

  • Name: development-yourname

  • Tags: Key: Env, Value: development

Step 2: Create an IAM Policy

What is AWS IAM?

AWS Identity and Access Management (IAM) controls who can access AWS resources and what actions they can perform.

Creating an IAM Policy

  1. Navigate to the IAM Console.

  2. In the left panel, click Policies.

  3. Click Create policy.

  4. Switch to the JSON editor and replace the content with:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": "ec2:*",
           "Resource": "*",
           "Condition": {
             "StringEquals": {
               "ec2:ResourceTag/Env": "development"
             }
           }
         },
         {
           "Effect": "Allow",
           "Action": "ec2:Describe*",
           "Resource": "*"
         },
         {
           "Effect": "Deny",
           "Action": [
             "ec2:DeleteTags",
             "ec2:CreateTags"
           ],
           "Resource": "*"
         }
       ]
     }

  5. Click Next.

  6. Set Name as MyDevEnvironmentPolicy.

  7. Provide a description (without apostrophes to avoid errors).

  8. Click Create policy.

Step 3: Create an AWS Account Alias

Why Create an Account Alias?

AWS assigns each account a unique numeric ID for login. An alias makes it easier to access the console with a readable URL.

Setting Up an Alias

  1. Navigate to IAM Dashboard.

  2. Under Account Alias, click Create.

  3. Enter a readable alias like Yourname-AWS.

  4. Click Save changes.

Step 4: Create IAM Users and User Groups

What Are IAM Users and User Groups?

IAM Users

An IAM user represents a specific person or application that needs access to AWS resources. Each IAM user has a unique name and can be assigned credentials (like passwords or access keys) to interact with AWS.

IAM User Groups

An IAM user group is a collection of IAM users that share the same permissions. Instead of assigning permissions to each user separately, you can create a group, set its permissions, and simply add users to it. This makes managing access more efficient and scalable.

💡 Example: If you have a team of developers, you can create a "Developers" user group with permissions to access AWS Lambda and Amazon S3 but restrict access to billing or security settings.

Creating an IAM User Group

  1. Sign in to the AWS Management Console and navigate to the IAM service.

  2. In the left navigation panel, click User groups.

  3. Click Create group.

  4. Enter a Group Name (e.g., Developers-Team).

  5. Attach a Policy: Select the policy created in Step 2, MyDevEnvironmentPolicy.

  6. Click Create group.

Creating an IAM User

  1. In the IAM console, click Users on the left panel.

  2. Click Create user.

  3. Enter a Username (e.g., john-doe).

  4. Check Provide user access to the AWS Management Console.

  5. Set Password Settings:

    • Choose Auto-generated password (or set a custom one).

    • Uncheck "Users must create a new password at next sign-in" (optional for test accounts).

  6. Click Next: Permissions.

  7. Assign the User to a Group:

    • Select the Developers-Team group created earlier.

  8. Click Next, review details, then click Create user.

  9. Once the IAM user is created, AWS provides a sign-in URL and credentials. Share these securely, for example by email with temporary credentials or through a password manager such as LastPass or Bitwarden.

    ⚠ Never send credentials over chat or store them in plain text!

    (Leave this page open for the next step).

Step 5: Testing EC2 Access

  1. Open a new incognito window on your browser.

  2. In the incognito window, open the sign-in URL provided when you created the user in the previous step.

  3. Log in with the User name and Console password shown in your IAM tab.

  4. Navigate to the EC2 Console.

  5. Ensure you're in the correct AWS Region where the instances are deployed.

  6. Select your production instance.

  7. In the Actions dropdown, select Manage instance state.

  8. Try to stop the instance by clicking Stop, then Change state.

💡 You should see an Access Denied error.

  1. Now, select the development instance.

  2. Repeat the same steps to stop it.

💡 You should see a Success pop-up.

Congratulations! 🎉 You've successfully created IAM users and user groups, assigned permissions, and tested access. This ensures your AWS environment remains secure and well-managed.

Now, go ahead and explore more IAM features, like IAM roles and policies, to enhance security further. Happy cloud computing! ☁🚀

Before you wrap up, make sure to terminate any unused instances and resources! Keeping your AWS environment clean prevents unnecessary costs and ensures a clutter-free workspace.

Written by

Eneojo Attah-Olottah