Learn AWS IAM By Writing Your First Policies for Groups and Users
Managing users and access to resources is part of a cloud administrator's job. This tutorial introduces basic concepts and a tutorial to demonstrate how to use the AWS Identity and Access Management service to manage user access to cloud resources.
title: "Learn AWS IAM By Writing Your First Policies for Groups and Users"
description: "Managing users and access to resources is part of a cloud administrator's job. This tutorial introduces basic concepts and a tutorial to demonstrate how to use the AWS Identity and Access Management service to manage user access to cloud resources."
tags:
- tutorials
- aws-iam
- it-pros
- security
authorGithubAlias: spara
authorName: Sophia Parafina
date: 2023-08-30
- Best practice for securing your AWS account
- What are AWS Identities and policies
- How to write and apply policies to control access to resources
| About | |
|---|---|
| ✅ AWS Level | Intermediate - 200 |
| ⏱ Time to complete | 45 minutes |
| 💰 Cost to complete | Free when using the AWS Free Tier or USD 1.01 |
| 🧩 Prerequisites | AWS Account, AWS CLI version 2 |
| 📢 Feedback | Any feedback, issues, or just a 👍 / 👎 ? |
| ⏰ Last Updated | 2023-08-30 |
- Share the responsibility. Create an AWS administrator email distribution list with primary and alternate contacts. A group notification removes a single point of failure and adds flexibility to add and remove admins. Additionally, create email lists for operations, security notifications, and billing.
- The root user of an AWS account has full access to all services. Protect it by creating IAM identities for day-to-day work and restricting use of the root user.
- Use federated identities when possible. Manage user accounts with a central identity provider such as Active Directory, Okta, or AWS IAM Identity Center. If your organization doesn't have an identity provider solution, you can create user accounts directly with IAM, but this is not recommended because each user is assigned long-term credentials that do not expire.
- Require multi-factor authentication (MFA). These devices respond to an authentication call to complete sign-in. Use MFA with long-term credentials such as root access or IAM user accounts.
- Implement a strong password policy that is resistant to brute force or social engineering attacks.
- Log events using AWS CloudTrail to audit usage.
- Sid - A Sid (or statement ID) is an optional identifier for the policy statement. Sids are descriptive names of a statement written in camel case.
- Principal - A principal can be a person or a role that can request an operation on an AWS resource.
- Authentication - AWS supports three kinds of authentication that allow principals to work with cloud resources.
  - IAM users can authenticate by providing their account ID, a user name, and password. In addition, using MFA when signing in is best practice.
  - Federated users use an identity provider such as Amazon, Facebook, Google, or Microsoft Active Directory to log into AWS.
  - You can log in as the root user (not recommended) but you should use multi-factor authentication and temporary credentials to keep your account secure.
- Request - When you use the AWS CLI, AWS Management Console, or AWS API an AWS API call is sent to a service. The API call or request contains actions to be performed against resources. The request context includes: who made the request (the principal), environment data such as an IP address, and resource data such as a tag.
- Resources - A resource is an object within a service, for example a bucket is a resource in S3.
- Actions - Actions are what you can do with a resource and the type of action is defined by a resource. For example, S3 has a `CreateBucket` operation.
A policy document has the following structure:

```json
{
  "Version": "version",
  "Statement": [{
    "Effect": "effect",
    "Action": "action",
    "Resource": "arn",
    "Condition": {
      "condition": {
        "key": "value"
      }
    }
  }]
}
```
- Effect - An effect is either an Allow or Deny. All requests are denied by default, which is overridden by an explicit allow. Conversely, an explicit deny overrides any allows.
- Action - An action is specific to a service. The effect allows or denies an action.
- Resource - A resource is an object in a service. Sending a request specifies an action applied to a resource.
- Condition - A condition is optional. It can trigger an effect based on a value. AWS defines several general conditions and services have defined conditions.
An example policy with several statements:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/JohnDoe"
        ]
      },
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/", "home/JohnDoe"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/JohnDoe"
        ]
      },
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/JohnDoe/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/JohnDoe"
        ]
      },
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/home/JohnDoe/*"]
    }
  ]
}
```
The third statement, `AllowAllS3ActionsInUserFolder`, allows all S3 actions on objects under `home/JohnDoe/*`.

Create two IAM users:

```shell
aws iam create-user --user-name yeemin
aws iam create-user --user-name alicia
```
Give them console passwords:

```shell
aws iam create-login-profile --user-name yeemin --password pcgUser#1 --no-password-reset-required
aws iam create-login-profile --user-name alicia --password pcgUser#2 --no-password-reset-required
```

Passwords passed on the command line end up in your shell history, so delete the login profiles when you're done (see the clean-up steps at the end).
Create a group and add both users to it:

```shell
aws iam create-group --group-name pcg-experts
aws iam add-user-to-group --user-name yeemin --group-name pcg-experts
aws iam add-user-to-group --user-name alicia --group-name pcg-experts
```
Look up your account ID:

```shell
aws sts get-caller-identity
{
    "UserId": "AI334FYWB3ZZKE53QA4OP",
    "Account": "123456789101",
    "Arn": "arn:aws:iam::123456789101:user/default"
}
```
The console sign-in URL for IAM users is `https://<account id>.signin.aws.amazon.com/console`, e.g., `https://123456789101.signin.aws.amazon.com/console`.
Replace `my-unique-bucket-name` in the command with a bucket name of your own:

```shell
aws s3api create-bucket --bucket my-unique-bucket-name --region us-east-1
```
Create some local folders and files (`mkdir -p` also creates the nested `Finance/Tax2023` folder that the `touch` commands need):

```shell
mkdir -p Development/ Finance/Tax2023/ Private/
touch ./Development/project1.xls ./Development/project2.xls
touch ./Finance/Tax2023/document1.pdf ./Finance/Tax2023/document2.pdf
touch ./Private/privDoc1.pdf ./Private/privDoc2.pdf
touch s3-info.txt
```
Create the objects in the bucket with the `put-object` command. Remember to replace `my-unique-bucket-name` with your bucket name:

```shell
aws s3api put-object --bucket my-unique-bucket-name --key Development/project1.xls
aws s3api put-object --bucket my-unique-bucket-name --key Development/project2.xls
aws s3api put-object --bucket my-unique-bucket-name --key Finance/Tax2023/document1.pdf
aws s3api put-object --bucket my-unique-bucket-name --key Finance/Tax2023/document2.pdf
aws s3api put-object --bucket my-unique-bucket-name --key Private/privDoc2.txt
aws s3api put-object --bucket my-unique-bucket-name --key Private/privDoc1.txt
aws s3api put-object --bucket my-unique-bucket-name --key s3-dg.pdf
```
The first group policy lets members see the bucket list in the console:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}
```
Save the policy as `GroupPolicy.json`. We'll create the policy first:

```shell
aws iam create-policy --policy-name GroupPolicy --policy-document file://GroupPolicy.json
{
    "Policy": {
        "PolicyName": "GroupPolicy",
        "PolicyId": "ANPA4XYZU3UAF7HXTVH43",
        "Arn": "arn:aws:iam::123456789101:policy/GroupPolicy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2023-08-09T01:04:51+00:00",
        "UpdateDate": "2023-08-09T01:04:51+00:00"
    }
}
```
Then attach it to the group:

```shell
aws iam attach-group-policy --policy-arn arn:aws:iam::123456789101:policy/GroupPolicy --group-name pcg-experts
```
Sign in as one of the users with the account sign-in URL (`https://<account-id>.signin.aws.amazon.com/console`). Opening the bucket in the console shows `Insufficient permissions to list objects`. The statement below fixes that: its `Resource` is the bucket we created earlier and we've added a condition to allow listing the objects in the bucket.

```json
{
  "Sid": "AllowRootLevelListingOfBucket",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::<my-unique-bucket-name>"],
  "Condition": {
    "StringEquals": {
      "s3:prefix": [""], "s3:delimiter": ["/"]
    }
  }
}
```
Add this statement to the `GroupPolicy.json` file and save the file. The updated policy looks like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
      "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::*" ]
    },
    {
      "Sid": "AllowRootLevelListingOfBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::<my-unique-bucket-name>"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [""], "s3:delimiter": ["/"]
        }
      }
    }
  ]
}
```
Publish the updated document as a new version of the policy and make it the default (the ARN is the one returned by `create-policy` above):

```shell
aws iam create-policy-version --policy-arn arn:aws:iam::123456789101:policy/GroupPolicy --policy-document file://GroupPolicy.json --set-as-default
```
Sign in as `yeemin`. You'll be able to list the folders and objects in the bucket.

Next, create a policy for `alicia` that only grants access to the Development folder. The first statement allows listing the bucket with `Development/*` as a condition. Listing any other folder is not allowed. The second statement enables reading and writing objects (`s3:GetObject`, `s3:PutObject`) in the Development folder. Save the policy as `AliciaDevPolicy.json`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::your-unique-bucket-name"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["Development/*"]
        }
      }
    },
    {
      "Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::your-unique-bucket-name/Development/*"]
    }
  ]
}
```
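To see the evaluation rules described earlier (requests denied by default, an explicit Allow overriding that, an explicit Deny overriding any Allow) applied to Alicia's policy, here is an added Python model that is not part of the tutorial. It assumes list-valued `Action` and `Resource`, the `StringEquals` and `StringLike` operators with the `s3:prefix` and `s3:delimiter` keys, and IAM-style `*` wildcards; it is a teaching model, not the AWS implementation.

```python
# Added example, not part of the tutorial: a minimal model of IAM evaluation
# for the identity-based policies on this page. Assumes list-valued Action and
# Resource, StringEquals/StringLike on s3:prefix and s3:delimiter, and '*'
# wildcards; real AWS evaluation also applies resource policies, boundaries
# and SCPs. Use `aws iam simulate-principal-policy` against a real account.
from fnmatch import fnmatchcase

# Alicia's policy from the page (the invalid "S3:ListObject" action dropped).
ALICIA_DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
     "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::your-unique-bucket-name"],
     "Condition": {"StringLike": {"s3:prefix": ["Development/*"]}}},
    {"Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
     "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::your-unique-bucket-name/Development/*"]},
]}

def condition_ok(condition, context):
    """All operator blocks must hold. A key absent from the request context
    fails: StringEquals/StringLike never match a missing key."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringLike" and not any(fnmatchcase(actual, p) for p in wanted):
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny': requests are denied by default, a matching
    Allow overrides that, and a matching explicit Deny overrides any Allow."""
    context = context or {}
    decision = "Deny"  # implicit deny until a statement allows
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```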
Attach it to `alicia` as an inline user policy:

```shell
aws iam put-user-policy --user-name alicia --policy-name AliciaDevPolicy --policy-document file://AliciaDevPolicy.json
```
Signed in as `alicia`, you can list and use the Development folder; trying to open any other folder shows an `Insufficient permissions` message.

To clean up, start by deleting the inline user policy:

```shell
aws iam delete-user-policy --user-name alicia --policy-name AliciaDevPolicy
```
Detach the managed policy from the group using its ARN, which has the form `arn:aws:iam::<account id>:policy/policy-name`:

```shell
aws iam detach-group-policy --group-name pcg-experts --policy-arn arn:aws:iam::123456789101:policy/GroupPolicy
```
A policy with more than one version can't be deleted until the non-default versions are gone, so delete `v1` first and then the policy:

```shell
aws iam delete-policy-version --policy-arn arn:aws:iam::123456789101:policy/GroupPolicy --version-id v1
aws iam delete-policy --policy-arn arn:aws:iam::123456789101:policy/GroupPolicy
```
Remove the users from the group, delete their login profiles, and delete the users:

```shell
aws iam remove-user-from-group --group-name pcg-experts --user-name yeemin
aws iam remove-user-from-group --group-name pcg-experts --user-name alicia
aws iam delete-login-profile --user-name yeemin
aws iam delete-login-profile --user-name alicia
aws iam delete-user --user-name yeemin
aws iam delete-user --user-name alicia
```
Delete the group:

```shell
aws iam delete-group --group-name pcg-experts
```
Finally, delete the bucket with the `--force` parameter. Note that we used the higher-level `s3 rb` command to delete the bucket for convenience; `s3api` does not support the `--force` parameter and would require deleting the objects in the bucket first:

```shell
aws s3 rb s3://your-unique-bucket-name --force
```
Instead of an inline user policy, the same policy could be created as a managed policy and attached to a group with the `attach-group-policy` command. This would allow access to the Development folder to everyone in that group.