Creating IAM groups and assigning group-level permissions

IAM groups let you manage permissions for a set of users rather than for each user individually. Using groups, you assign the same permissions to multiple users at once, and it becomes simpler to update or reassign permissions for many users, or to move users between groups.

Typically, you map a set of permissions to a specific business function in your organization and then assign users to that function. After creating a group, you create a policy and attach it to the group. Policy variables and groups allow you to manage your users without hardcoding each user in the policy.

How to do it…

  1. Create IAM group.

    Execute the following command to create a group called developers:

    $ aws iam create-group \
    --group-name developers
    
  2. Add a user to the group.

    Execute the following command to add the previously created user, ethanhunt, to the developers group:

    $ aws iam add-user-to-group \
    --user-name ethanhunt \
    --group-name developers
    
  3. Create an inline IAM policy for the group.

    Follow these steps to create an inline IAM policy. After creating the policy, you can attach it to the developers group.

    1. Create a JSON policy document with the following content and save it as EC2DevGroupPolicy.json. The first statement allows all users in the developers group to list EC2 instances; the second allows them to terminate only instances that carry the resource tag stack=dev. Note that users in the developers group do not get permission to launch an EC2 instance. In the Resource element, replace the region name and account number with your own values. To find your AWS account ID in the AWS Management Console, click on Support in the navigation bar in the upper-right corner, and then click on Support Center; your currently signed-in account ID appears below the Support menu.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:ap-southeast-1:968336292411:instance/*",
            "Condition": {
              "StringEquals": {
                "ec2:ResourceTag/stack": "dev"
              }
            }
          }
        ]
      }
    2. Get the list of users in the group using the following command.
      $ aws iam get-group --group-name developers
      
    3. Execute the following command to assign the inline policy to the developers group:
      $ aws iam put-group-policy \
      --group-name developers \
      --policy-name EC2DevGroupPolicy \
      --policy-document file://F:\EC2DevGroupPolicy.json
      

How it works…

As the first step, we create an IAM group so that we can add users to it. As a best practice, create a group even if it will contain a single user: any future user with the same requirements can then be added to the group quickly. Groups also simplify managing a set of users, because users can be added to or removed from a group at any time.

You can restrict access further using conditions, which add granularity to permissions. Some condition keys are common across AWS services and others are service specific, such as the ec2:ResourceTag key used in the policy above. However, ensure that you don't overuse conditions, as doing so can result in a very restrictive environment.
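As an added example that is not part of the book's recipe, the following Python script ties the procedure above and the discussion of conditions together: it builds the EC2DevGroupPolicy document from a region and account ID (the 123456789012 account and the instance ID are constructed placeholders, not real values), runs a deliberately simplified model of IAM's evaluation logic over it to show which requests the group's policy allows, and attaches the document as an inline group policy through boto3's put_group_policy. The caller passes a boto3.client("iam") into apply_to_group; the boto3 import is kept out of module scope so that the evaluator can be exercised without AWS credentials. The evaluator handles only Allow statements, wildcard Action/Resource matching and StringEquals on ec2:ResourceTag keys; explicit Deny, NotAction/NotResource and the rest of the condition language are not modelled.

```python
"""Build, check and apply the developers group policy (added example, not the book's code)."""
import fnmatch
import json

# Constructed placeholders for the demonstration; replace with your own values.
REGION = "ap-southeast-1"
ACCOUNT_ID = "123456789012"


def build_policy(region, account_id):
    """Return the EC2DevGroupPolicy document with the account-specific ARN filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "ec2:TerminateInstances",
                "Resource": "arn:aws:ec2:%s:%s:instance/*" % (region, account_id),
                "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "dev"}},
            },
        ],
    }


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, resource_tags):
    """Evaluate StringEquals over ec2:ResourceTag/<key> only.

    This is a deliberate simplification of the IAM condition language; any other
    operator or key raises so that the model never silently allows a request.
    """
    prefix = "ec2:ResourceTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError("operator %s is not modelled" % operator)
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise NotImplementedError("condition key %s is not modelled" % key)
            if resource_tags.get(key[len(prefix):]) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """Simplified IAM decision: the request is allowed only if some Allow statement
    matches the action (case-insensitive), the resource ARN and its condition.
    No matching statement means implicit deny."""
    resource_tags = resource_tags or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        return True
    return False  # implicit deny


def apply_to_group(iam_client, group_name, policy_name, policy):
    """Attach the document as an inline group policy; iam_client is boto3.client("iam")."""
    iam_client.put_group_policy(
        GroupName=group_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(policy),
    )


if __name__ == "__main__":
    policy = build_policy(REGION, ACCOUNT_ID)
    with open("EC2DevGroupPolicy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    # Constructed instance ARN inside the region and account the policy names.
    inst = "arn:aws:ec2:%s:%s:instance/i-0123456789abcdef0" % (REGION, ACCOUNT_ID)
    print("terminate stack=dev instance:", is_allowed(policy, "ec2:TerminateInstances", inst, {"stack": "dev"}))
    print("terminate stack=prod instance:", is_allowed(policy, "ec2:TerminateInstances", inst, {"stack": "prod"}))
    print("launch an instance:", is_allowed(policy, "ec2:RunInstances", inst, {"stack": "dev"}))
    # To apply for real: apply_to_group(boto3.client("iam"), "developers", "EC2DevGroupPolicy", policy)
```

Running the script writes EC2DevGroupPolicy.json and prints the three decisions: terminating a stack=dev instance is allowed, while terminating a stack=prod instance and launching any instance are implicitly denied because no statement matches them. An instance in another region or account is denied for the same reason, since its ARN does not match the Resource pattern.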
