Creating IAM users

As a best practice, you should create individual IAM users rather than share one set of credentials among several people. Each user then has unique credentials of their own, which lets you rotate credentials individually, assign permissions individually, and attribute activity to a specific person. Typically, you would identify the IAM users in your organization, create their credentials, and assign suitable permissions to them.

You can create IAM users using the AWS console, the API, or the CLI. After creating an IAM user, you need to configure the password, access keys, and MFA devices for that user. By default, a newly created IAM user has no permissions at all: the user exists but cannot access any service. To grant permissions, you attach a policy, which is a JSON document containing one or more permission statements. You can write the policy yourself, start from a predefined policy template, or use the policy generator.

How to do it…

  1. Create an IAM user.

    Execute the following command to create a user named ethanhunt:

    $ aws iam create-user --user-name ethanhunt
    
  2. Set the password for IAM user.

    Execute the following command to set a new password for the user:

    $ aws iam create-login-profile --user-name ethanhunt --password P@ssw0rd
    
  3. Create an inline IAM policy for the user.

    Create a new JSON file with the contents listed below and save it as S3ReadAccess.json. The sample policy grants permission to list all S3 buckets in the account, to list the bucket named ethanhunt and read its location, and to upload, get, and delete objects inside that bucket.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::ethanhunt"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::ethanhunt/*"
            }
        ]
    }

  4. Execute the following command to create an inline policy named S3ReadAccess for the user from the JSON document (S3ReadAccess.json):

    $ aws iam put-user-policy --user-name ethanhunt --policy-name S3ReadAccess --policy-document file://F:\S3ReadAccess.json
    

How it works…

First, we create an IAM user, and then we assign the password and the permissions. As a best practice, we always follow the principle of least privilege for any given user. For example, if a user never makes API calls, we do not create access keys for that user at all. This gives more granular control over API and resource usage and leaves less room for a user to make mistakes. The assigned password is required to log in to the AWS console. Store the password in a secure location, because a lost password cannot be recovered; it can only be reset. In addition, reduce or eliminate the use of the root account, because that account cannot be restricted by IAM policies. Typically, we delete the root account's access keys and assign an MFA device to it to achieve this.

Policies contain one or more permissions. In our example, after creating the new user, we create a policy that grants the user access to AWS services (EC2, S3, DynamoDB, and so on); the sample policy here covers S3 only. Policy templates are readily available for most scenarios and can be customized for your own use.

There are two types of policies—managed and inline. Managed policies can be attached to multiple users, groups, and roles. Inline policies are directly embedded in a single user, group, or role definition. In the last step, we create an inline policy and attach it to the user. Each policy specifies the following parameters: version, effect (whether the matching request is allowed or denied), action (the specific API actions that are allowed or denied), and resource (the ARN or ARN pattern identifying the AWS resources the statement applies to).
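As an added example that is not part of the original recipe, the following Python script ties steps 3 and 4 to the policy parameters just described: it builds the same S3ReadAccess policy for a given bucket, writes it to a file that can be passed to `aws iam put-user-policy --policy-document file://...`, and evaluates sample S3 calls against it using the order IAM applies to identity policies (implicit deny by default, an explicit Deny wins over any Allow, otherwise a matching Allow permits the call). The function names, the sample object keys, the extra Deny statement in the demo, and the wildcard lint are assumptions of this example, not something the book prescribes.

```python
"""Build the recipe's least-privilege S3 policy and check what it allows.

Example code added for illustration; it does not call AWS and runs offline.
"""
import json
import re
from pathlib import Path


def build_policy(bucket: str) -> dict:
    """Return the recipe's S3ReadAccess policy scoped to one bucket.

    Bucket-level actions use the bare bucket ARN; object-level actions use
    the ARN with a trailing "/*" so they cover keys inside the bucket only.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"],
             "Resource": "arn:aws:s3:::*"},
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def policy_json(bucket: str) -> str:
    """Serialize the policy the way the CLI expects in --policy-document."""
    return json.dumps(build_policy(bucket), indent=4)


def write_policy_file(path: str, bucket: str) -> str:
    """Write the policy document to disk and return the written text."""
    text = policy_json(bucket)
    Path(path).write_text(text)
    return text


def _as_list(value):
    # A statement may give Action/Resource as a string or a list of strings.
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request against the policy.

    Action names are matched case-insensitively, resource ARNs exactly.
    Every request starts as an implicit deny; a matching Deny statement
    wins outright, and otherwise a matching Allow statement permits it.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_pattern_matches(a, action, ignore_case=True)
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_pattern_matches(r, resource, ignore_case=False)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def wildcard_statements(policy: dict) -> list:
    """Index every statement whose Action contains a wildcard.

    A simple least-privilege lint: "s3:*" or "*" grants far more than the
    five explicit actions the recipe needs, so such statements deserve review.
    """
    return [i for i, stmt in enumerate(policy["Statement"])
            if any("*" in a for a in _as_list(stmt["Action"]))]


if __name__ == "__main__":
    policy = build_policy("ethanhunt")
    print(write_policy_file("S3ReadAccess.json", "ethanhunt"))
    # Constructed sample calls; the object key names are made up.
    checks = [
        ("s3:GetObject", "arn:aws:s3:::ethanhunt/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("s3:ListBucket", "arn:aws:s3:::ethanhunt"),
        ("s3:DeleteBucket", "arn:aws:s3:::ethanhunt"),
    ]
    for act, res in checks:
        print(f"{act:18} {res:45} -> {is_allowed(policy, act, res)}")
    print("wildcard statements:", wildcard_statements(policy))
```

Running the script writes S3ReadAccess.json next to it and prints that object reads on the ethanhunt bucket are allowed, the same read on any other bucket is denied, and bucket deletion is denied even on the user's own bucket, because no statement names that action. The separation of the bucket ARN from the `bucket/*` pattern is what keeps object permissions from silently extending to bucket-level operations.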
