Q-Bits: IAM User and Role Management

Learn how to implement robust identity management by generating AWS CLI commands and CDK templates using Amazon Q Developer.

Published Apr 1, 2025
Last Modified Apr 3, 2025
Welcome to an installment of Q-Bits, where we will go over how Amazon Q Developer can help you with IAM user and role creation, management and more using the AWS CLI. We will explore some sample prompts you can use with Q Developer to help you write AWS CLI commands, and also obtain sample CDK templates you can use to create and modify IAM components.

Introduction:

IAM is one of the most important aspects of your AWS account, and as complexity grows it can be hard to manage and modify the IAM roles, users, user groups and policies in your account or across an AWS Control Tower organization. Q Developer can ease the process by giving you detailed documentation and the commands to control your IAM elements. We will start by obtaining basic information about IAM from Q Developer and testing out basic commands. I used the Amazon Q Developer extension in VS Code to generate the examples in this article.
Feel free to follow along with the article and test out some examples. Note that the answers are non-deterministic, so you might get slightly different answers from the ones shown here. A prerequisite for the CLI and CDK commands is that your AWS credentials are configured in a terminal (I used the terminal in VS Code); see the AWS CLI documentation on configuring credentials.

Creating an IAM Policy:

As an example, suppose we want to generate an IAM policy for a Business Intelligence Analyst who needs
  • S3 read only access,
  • permission to list and describe EC2 instances in the 'us-east-1' region only,
  • create and delete Amazon CloudWatch alarms, and
  • deny all access to RDS resources.
You can generate the policy and then obtain the CLI command to create it in your account. The first step is to ask a question like this in the chat window:
Generate an IAM policy which gives S3 read only access, permission to list and describe EC2 instances in the us-east-1 region, create and delete Amazon Cloudwatch alarms and deny all access to RDS resources, and also a CLI command to create the policy in my account.
Q Developer returns the IAM policy document together with the CLI command to create it, an explanation of each statement in the policy, and some important considerations. You can ask follow-up questions to clarify any part of the answer.
The next step is to use the AWS CLI to create this policy in your AWS account. Copy the policy document into a file named 'custom-policy.json' (you can use another name, as long as you change the file name in the CLI command too), then paste the CLI command from the answer into your terminal. Because the answers are non-deterministic, read the generated document against the four requirements before creating it: in particular, check that the EC2 statement carries a region condition and that the RDS statement is an explicit Deny. If the command succeeds, it prints the new policy's ARN, and the policy is ready to be used in your AWS account.
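As an added example (not the policy or the command from Q Developer's answer), the script below writes one policy document that satisfies the four requirements, runs a few static checks a reviewer would want before creating it, and then makes the create-policy call. The policy name BIAnalystPolicy and the file name are assumptions; the AWS CLI is only invoked when APPLY=1 is set, so the script can be run without credentials first to produce and check the file.

```shell
#!/bin/sh
# Added example (not Q Developer's output): a policy document that meets the four
# requirements above, a few static checks on it, and the AWS CLI call to create it.
# Assumptions: the policy name "BIAnalystPolicy" and the file name custom-policy.json
# are illustrative. The AWS CLI is only invoked when APPLY=1 is set, so running this
# without credentials just writes and checks the file.

POLICY_FILE="${POLICY_FILE:-custom-policy.json}"
POLICY_NAME="${POLICY_NAME:-BIAnalystPolicy}"

write_policy() {
  cat > "$POLICY_FILE" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ReadOnly",
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "*"
    },
    {
      "Sid": "EC2DescribeUsEast1Only",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-1" } }
    },
    {
      "Sid": "CloudWatchAlarms",
      "Effect": "Allow",
      "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms"],
      "Resource": "*"
    },
    {
      "Sid": "DenyAllRDS",
      "Effect": "Deny",
      "Action": "rds:*",
      "Resource": "*"
    }
  ]
}
EOF
}

# Checks a reviewer would run before creating the policy. EC2 Describe* calls do not
# support resource-level permissions, so the only way to confine them to us-east-1 is
# the aws:RequestedRegion condition; the RDS statement must be an explicit Deny so it
# wins over any Allow the user picks up from another policy.
check_policy() {
  f="$1"
  if command -v python3 >/dev/null 2>&1; then
    python3 -m json.tool "$f" >/dev/null || return 1      # syntactically valid JSON
  fi
  grep -q '"aws:RequestedRegion": "us-east-1"' "$f" || return 1
  grep -q '"Effect": "Deny"' "$f" || return 1
  grep -q '"rds:\*"' "$f" || return 1
  if grep -Eq '"s3:(Put|Delete|Create|Restore)' "$f"; then   # no S3 write verbs
    return 1
  fi
  return 0
}

create_policy() {
  if [ "${APPLY:-0}" != "1" ]; then
    echo "dry run: aws iam create-policy --policy-name $POLICY_NAME --policy-document file://$POLICY_FILE"
    return 0
  fi
  # Prints the new policy's ARN; keep it, attach-group-policy needs it.
  aws iam create-policy \
    --policy-name "$POLICY_NAME" \
    --policy-document "file://$POLICY_FILE" \
    --query 'Policy.Arn' --output text
  # Ask IAM itself how the document evaluates for a few representative calls:
  # s3:GetObject should be allowed, s3:PutObject implicitDeny, rds:DescribeDBInstances explicitDeny.
  aws iam simulate-custom-policy \
    --policy-input-list "$(cat "$POLICY_FILE")" \
    --action-names s3:GetObject s3:PutObject rds:DescribeDBInstances \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text
}

write_policy
check_policy "$POLICY_FILE" && create_policy
```

Run it once without APPLY to write and inspect custom-policy.json, then again with APPLY=1 in the terminal where your credentials are configured. The simulate-custom-policy output is the real check: if rds:DescribeDBInstances does not come back as explicitDeny or s3:PutObject is not denied, the document is not what the prompt asked for.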
Next, we can add this policy to a user group.

Create a user group:

IAM best practice is to create a user group and attach policies to the group, so that permissions are managed in one place. Attaching a policy directly to an individual user is also possible (aws iam attach-user-policy takes the user name and the policy ARN), but group attachment keeps permissions easier to review.
If we use the same chat window, Amazon Q Developer remembers context and understands your questions better. In the chat window, input something like this:
can you give me a cli command to create a user group and attach the policy to it?
The output I received was a set of commands that show you how to
  • create the user group,
  • attach the policy created to the group (note that the policy name is taken from the previous answer),
  • find the ARN of the policy created previously,
  • verify that the policy was attached to the group, and
  • other important considerations.
Often, Amazon Q Developer will also give you citations of AWS documentation that it referred to in order to get your answer. You can review the documentation for even more information.
Follow these steps to create the user group and attach the policy to it, in the same terminal used in the previous step.
Next, we can create a user or add existing users to this user group.

Adding users to the user group:

Users can now be added to the user group. Any user added to the group inherits the group's attached policies and the permissions they grant; policies can be attached to and detached from the group as needed.
Ask this question in the chat window:
can you give me CLI commands to create and add a user to this group?
The answer I received shows you how to:
  • create a user,
  • add the user to the group created previously,
  • enable console access for the user,
  • create access keys (so the user can also use the AWS CLI), and
  • important notes and sources used.
After adding users to their designated groups and configuring any necessary individual permissions, you have completed the basic IAM setup for your account. Create access keys only for users who actually need programmatic access: they are long-lived credentials, so keep them to a minimum and rotate them.
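The group and user steps above, as one added example script (not the commands from Q Developer's answer). The names bi-analysts and jane.doe and the placeholder account id 123456789012 in POLICY_ARN are assumptions; set POLICY_ARN to the ARN returned by create-policy. As in the previous example, the AWS CLI is only called when APPLY=1 is set; otherwise each command is echoed, with the temporary console password redacted.

```shell
#!/bin/sh
# Added example (not Q Developer's output): create the group, attach the policy,
# create the user, add it to the group, and grant console access.
# Assumptions: bi-analysts, jane.doe and the 123456789012 account id are illustrative
# placeholders; replace POLICY_ARN with the ARN printed by create-policy.
# AWS CLI calls run only when APPLY=1; otherwise they are echoed.

GROUP_NAME="${GROUP_NAME:-bi-analysts}"
USER_NAME="${USER_NAME:-jane.doe}"
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::123456789012:policy/BIAnalystPolicy}"

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "dry run: $*"; fi
}

# Look the ARN up by name when it was not kept from create-policy
# (customer managed policies only, hence --scope Local).
lookup_policy_arn() {
  run aws iam list-policies --scope Local \
    --query "Policies[?PolicyName=='BIAnalystPolicy'].Arn" --output text
}

# 19 characters from /dev/urandom plus one symbol, so the temporary password meets a
# typical account password policy. It is never echoed in dry-run mode.
gen_password() {
  printf '%s!' "$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 19)"
}

create_group_and_attach() {
  run aws iam create-group --group-name "$GROUP_NAME"
  run aws iam attach-group-policy --group-name "$GROUP_NAME" --policy-arn "$POLICY_ARN"
  # Verify: the policy should now be listed on the group.
  run aws iam list-attached-group-policies --group-name "$GROUP_NAME"
}

create_user_in_group() {
  run aws iam create-user --user-name "$USER_NAME"
  run aws iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"
  # Verify: the user should appear in the group's member list.
  run aws iam get-group --group-name "$GROUP_NAME" --query 'Users[].UserName' --output text
}

# Console access with a generated temporary password that must be changed at first sign-in.
create_console_login() {
  pw="$(gen_password)"
  if [ "${APPLY:-0}" = "1" ]; then
    aws iam create-login-profile --user-name "$USER_NAME" \
      --password "$pw" --password-reset-required >/dev/null
    echo "temporary password for $USER_NAME (hand over out of band): $pw"
  else
    echo "dry run: aws iam create-login-profile --user-name $USER_NAME --password [redacted] --password-reset-required"
  fi
}

# Access keys are long-lived secrets: create them only when the person needs the CLI
# or an SDK, never by default.
create_access_key_if_needed() {
  if [ "${NEED_ACCESS_KEY:-0}" = "1" ]; then
    run aws iam create-access-key --user-name "$USER_NAME"
  else
    echo "skipping access key for $USER_NAME (set NEED_ACCESS_KEY=1 to create one)"
  fi
}

create_group_and_attach
create_user_in_group
create_console_login
create_access_key_if_needed
```

The two verification calls (list-attached-group-policies and get-group) are the same checks Q Developer suggests; keeping them in the script means the group membership and policy attachment are confirmed every time it runs rather than only on the first try.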

Modify an existing IAM policy, and remove a user from the user group

If you need to make changes to your existing IAM setup such as making changes to an existing IAM policy, or removing a user from a user group, this can be done with the AWS CLI as well.
Ask this question in the chat window:
can you give me aws cli commands to modify the existing iam policy, and removing a user from a group?
The answer I got shows how to make these changes. Customer managed policies are versioned: rather than editing a policy in place, you create a new version containing the added or removed permissions and set it as the default (aws iam create-policy-version with --set-as-default). A policy can hold at most five versions, so an old version has to be deleted before a sixth can be added. Users can be removed from the group with aws iam remove-user-from-group; note that this only revokes what the group granted and does not delete the user or their credentials.

Deep dive - Creating all of this at once using CDK

We can take this a step further by doing all of this in an automated way with an infrastructure-as-code tool. In this example, I will use the AWS Cloud Development Kit (CDK).
To get started, you can ask this question in the same chat window:
can creating a policy, user group, and attaching the policy and adding a user to the user group be automated using CDK?
The answer I got shows how everything we have done so far can be automated with a CDK application, eliminating the individual AWS CLI commands. This also gives you a higher level of control over your account: the resources are deployed as a CloudFormation stack whose definition lives in version control, cdk diff shows what a change will do before cdk deploy applies it, and by default cdk deploy pauses for confirmation when a change broadens IAM permissions.
Another approach to generate the CDK code needed is by using /dev in the chat window, like this:
/dev can you create a cdk project to create a policy, a user group and attach the policy to the user group, and create and add a user to the user group?
This will create an entire CDK project for you, with the necessary files. The only step you need to take is to replace the placeholder policy with the policy you need (you can use the one generated in the previous steps). You can then run the CDK project from the terminal where your AWS credentials are configured. Once the resources are deployed to your account, you modify the policy and add or remove users by changing the CDK files themselves, usually located in the 'bin' and 'lib' folders of the code generated by Amazon Q Developer, and deploying again.

Conclusion:

In this article, we have gone over ways we can:
  • obtain IAM policies from Amazon Q Developer chat,
  • generate AWS CLI commands to create policies, users and user groups,
  • generate AWS CLI commands to make changes to policies and user groups, and
  • use CDK to automate the entire process.
This process has shown us that Amazon Q Developer is a great tool, almost like a developer by your side, which will help with any questions, clarifications and code that you need. Amazon Q Developer makes managing your AWS account much easier, and breaks down complex coding tasks, explaining them step by step.