Lock It Down: A Hands-On Beginner’s Guide to AWS IAM & EC2 Security


🔧 What You'll Need
An AWS Account – Create one here
A working internet connection
Curiosity to learn cloud security!
Launch EC2 Instances
Open the EC2 console by typing EC2 into the search bar at the top of the AWS Management Console.
What is EC2?
It’s one of AWS’s most iconic services! Amazon EC2 (short for Elastic Compute Cloud) lets you rent virtual machines that run in the cloud. Think of them like your personal laptops or desktops—except they live online, not on your desk. You can spin them up, configure them however you want, and use them for things like hosting websites, running apps, or crunching data.
Let’s break down the name:
1️⃣ Elastic – means flexible. You can scale resources up or down based on what you need.
2️⃣ Compute – refers to the processing power. These virtual machines can handle a wide range of tasks, just like a regular computer.
3️⃣ Cloud – simply means it's accessible through the internet.
- Switch your Region to the one closest to you 🗺️🌍🌎🌏
Map key: green = available Regions; red = coming soon (e.g. Kingdom of Saudi Arabia)
- On your EC2 console, choose Launch instance.
To launch an instance:
1. Under Name and tags, for Name, enter a descriptive name for your instance.
2. Under Application and OS Images (Amazon Machine Image), do the following:
a. Choose Quick Start, and then choose the operating system (OS) for your instance.
b. For your first Linux instance, we recommend that you choose Amazon Linux.
c. From Amazon Machine Image (AMI), select an AMI that is marked Free Tier eligible.
3. Under Instance type, for Instance type, choose t2.micro, which is eligible for the Free Tier. In Regions where t2.micro is not available, t3.micro is eligible for the Free Tier.
4. For Key pair (login), select Proceed without a key pair.
What is a key pair?
A key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. For Linux instances, the private key allows you to securely SSH into your instance. For Windows instances, the private key is required to decrypt the administrator password, which you then use to connect to your instance.
Amazon EC2 stores the public key on your instance, and you store the private key, as shown in the following diagram. It's important that you store your private key in a secure place because anyone who possesses your private key can connect to your instances that use the key pair.
Network settings control how your instances connect to the internet and communicate with other AWS resources, including aspects like IP address assignment and routing configurations.
Storage settings refer to selecting the storage type and capacity (such as virtual hard drives) that your EC2 instance will use to save data.
The instance will start to build
Looks like a success!
Now, let’s launch another EC2 instance to serve as the development environment.
💡 What’s the difference between development and production environments?
Development and production are distinct phases in the software development process.
The development environment is where developers build, test, and troubleshoot code.
The production environment is the live system that real users interact with.
Follow the same steps as before, but this time use the following tag:
Name: development
Start by launching your second instance.
In the left-hand navigation menu, click on Instances.
If only one instance appears, don’t forget to hit the refresh button to update the view!
🔒 Step 2: Create an IAM Policy
Now that your EC2 instances are up and running, it’s time to define who can access what using IAM (Identity and Access Management). IAM lets you manage permissions for users and roles in your AWS account.
💡 What is an IAM Policy?
An IAM policy is a JSON document that defines permissions. It answers:
Who can do what, on which resources, and under which conditions?
For example, you can create a policy that only allows certain users to start or stop EC2 instances—but not delete them.
1. Go to the IAM console.
2. Choose Policies from the left-hand navigation.
3. Click on Create policy.
4. Then, navigate to the JSON tab in the policy editor and paste the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Env": "development"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}
```
Click Next when you're ready.
Fill in the policy details:
Name: blackieDevEnvPolicy
Description: IAM Policy for blackie development environment
Click Create policy to continue.
⚠️ If you see an error about the description, it likely contains an invalid character. Check the message below the text box to figure out what needs to be fixed.
After making the correction, click Create policy again.
Set Up an AWS Account Alias
Nice job—your permission policy is all set! ✅
Now that we’re ready to grant our intern access to the development instance, they’re excited to get started.
But wait… how will they access the AWS account?
Let’s make it easy by setting up a login alias for your AWS account!
1. Go to your IAM dashboard.
2. On the dashboard, click Create under Account Alias (the Account Alias card is the first card on the left).
Create IAM Users and User Groups
Managing access to your AWS environment is critical for both security and efficiency. Instead of sharing login credentials or giving broad permissions, AWS Identity and Access Management (IAM) allows you to create individual users and organize them into groups. This way, you can assign the right level of access to each team member based on their role.
In this section, you'll learn how to set up IAM users and groups to ensure that everyone on your team—like new interns—has the access they need, and nothing more. This approach not only helps secure your AWS resources but also simplifies permission management across your organization.
To set up your user group:
- Name: blackie-test-group
- Attach permission policies: NextWorkDevEnvironmentPolicy (the policy you created earlier)
Select Create user group. Success!
Now let's add Users to your user group.
Choose Users from the left-hand navigation panel.
Choose Create user.
Let's set up this user! Under User name, enter blackie-dev-<your-name>.
Select the checkbox for Provide user access to the AWS Management Console.
Clear the checkbox labeled "Users must create a new password at next sign-in (Recommended)".
Click Next when you're ready to proceed!
To assign permissions to the user, just add them to the user group you created earlier. Check the box next to blackie-test-group.
Then, click Next, and finally, select Create user to complete the setup.
Test the user's access
Copy the Console sign-in URL from the current tab.
Keep this tab open – don’t close it.
Open an incognito window in your browser.
Paste and navigate to the sign-in URL in the incognito window.
Log in using the username and console password shown in the IAM tab.
Since this is a brand-new user account, the AWS Console treats it like a fresh start. That’s perfect for the new team member who will be using this account!
As you explore, you might see some dashboard panels displaying Access denied—this is expected for a user with limited permissions.
Go to your EC2 Console, and double-check that you're in the same Region where you launched your production and development instances.
Navigate to Instances.
Click on your production instance, then open the Actions dropdown menu and choose Stop instance.
Select the Stop option, then Change state.
When you confirm Stop, a red error banner appears: the user's policy only allows changes to resources tagged as development, so the request on the production instance is not allowed.
Now, let's stop the development instance.
Return to the Instances page and check the box next to development.
From the Actions dropdown, choose Manage instance state.
Click Stop, then confirm by selecting Change state and again Stop.
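The outcome of this access test follows directly from the policy created in Step 2. The script below is an added example, not code from the original post and not an AWS SDK: it re-implements the small slice of IAM's evaluation logic the policy relies on (wildcards in Action, Resource "*", a StringEquals condition on a resource tag, and the rule that an explicit Deny beats any Allow while a request no Allow matches is implicitly denied) and runs the same requests the intern just made. The instance IDs and the Env tags are constructed assumptions; note that the policy keys on an Env tag, not on the Name tag the post uses, so the instances need Env=development and Env=production tags for the Allow condition to match. It also shows what the Deny on CreateTags/DeleteTags is there for: without it, the first statement would let the user change the very tag the permission depends on.

```python
"""Offline simulation of how IAM evaluates the tutorial's EC2 policy.

Added example, not code from the post or from AWS. It implements only the
subset of IAM evaluation logic this policy uses: '*' wildcards in Action,
Resource "*", StringEquals on ec2:ResourceTag/<key>, and the rule that an
explicit Deny beats every Allow while a request no Allow matches is
implicitly denied.
"""
import fnmatch
import json

# The policy document from Step 2 of the post, verbatim.
POLICY_JSON = """
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
      "Condition": { "StringEquals": { "ec2:ResourceTag/Env": "development" } } },
    { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" },
    { "Effect": "Deny", "Action": [ "ec2:DeleteTags", "ec2:CreateTags" ], "Resource": "*" }
  ] }
"""
POLICY = json.loads(POLICY_JSON)

# Constructed sample inventory standing in for the two instances launched in
# the post. The instance IDs are placeholders, and the Env tags are an
# assumption: the policy's condition key is ec2:ResourceTag/Env, so a Name
# tag alone would not satisfy it.
INSTANCES = {
    "i-0prod0000example": {"Name": "production", "Env": "production"},
    "i-0dev00000example": {"Name": "development", "Env": "development"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, resource_tags):
    # A statement without a Condition block always matches. Only StringEquals
    # on ec2:ResourceTag/<key> is implemented, which is all this policy needs.
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {key}")
            tag_key = key.split("/", 1)[1]
            # If the resource lacks the tag, the condition key is absent and
            # StringEquals evaluates to false.
            if resource_tags.get(tag_key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource_tags=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    resource_tags are the tags on the resource the request targets ({} for
    actions such as Describe* that do not target a tagged resource).
    """
    resource_tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition"), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny wins over any Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def without_tag_deny(policy):
    """Copy of the policy with its Deny statement removed, to show what it prevents."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}


def access_report(policy=POLICY, instances=INSTANCES):
    """Evaluate the requests the post's access test makes, plus a tag change."""
    report = {}
    for tags in instances.values():
        for action in ("ec2:StopInstances", "ec2:CreateTags"):
            report[(action, tags["Name"])] = evaluate(policy, action, tags)
    report[("ec2:DescribeInstances", None)] = evaluate(policy, "ec2:DescribeInstances")
    return report


if __name__ == "__main__":
    for (action, target), decision in access_report().items():
        print(f"{action:<24} on {target or 'account':<12} -> {decision}")
    # What the Deny statement prevents: stripping the Env tag statement 1 keys on.
    dev_tags = INSTANCES["i-0dev00000example"]
    print("ec2:DeleteTags on development without the Deny ->",
          evaluate(without_tag_deny(POLICY), "ec2:DeleteTags", dev_tags))
```

Running it reproduces the console experience: StopInstances on the production instance is implicitly denied (no Allow matches), StopInstances on the development instance is allowed, DescribeInstances is allowed so the Instances list still renders, and CreateTags is explicitly denied on both instances. The last line shows that with the Deny statement removed, DeleteTags on the development instance would be allowed, which is exactly the tag-rewrite the Deny exists to block.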
Great job!
WOOHOOOOOOOOO YOU DID IT 👏
Congratulations on successfully managing and testing user permissions with AWS IAM!
Delete Your Resources
Be sure to clean up all your resources to prevent any unexpected charges. It's a crucial step for every project you launch.
💡 Pro tip: Leaving an EC2 instance running when you’re done is like leaving the lights on during a month-long vacation—your wallet will definitely notice! 💸
Written by Felix Jumason