AWS Tip

Best AWS, DevOps, Serverless, and more from top Medium writers.


Creating IAM User


I have just started learning about AWS services and would like to share my first experience with IAM (Identity and Access Management).

When we first create an AWS account, what we get is a root user account, where we use our registered email and password as login credentials. The root account has unrestricted privileges; in fact, some functionality, such as the billing information, is only operable using the root user account.

The first question that popped into my head was: why create users when we can use the root account to perform any task? The answer is already present in the last paragraph: unrestricted privileges. The risk is too high as the power is immense. (With great power comes great responsibility.)

The responsibility here is to create users and restrict their privileges so that they can perform only the required tasks.

Enough theory, let's jump into creating users using IAM.

Step 1: Log in to your AWS account and search for the IAM service. You can do this using the search box at the top of the screen or the “Services” option, which lists all services sorted into categories.

AWS Management Console

Step 2: On the left side of the page, you will see a tree view of options. Select “Users”.

IAM Dashboard

Step 3: After selecting “Users”, you will see the following view. Click on “Add User”.

Step 4: Now fill in the information required for the user: the name of the user and the access type. For the access type, you can select both Programmatic Access and AWS Management Console Access, or just one.
Programmatic Access means you will be able to access AWS resources using code you write or through third-party tools.

Details window

Step 5: After selecting the access type, enter a password.
If you choose an auto-generated password, AWS will generate a password for you, which you can view on the final page (Step 9).
If you choose a custom password, then it's you who gets to pick the password.
Also notice there’s a checkbox which reads “Require Password reset”. If you check this, the user will need to change their password every time they log in.

Step 6: Now let’s apply policies to the user to restrict the access. Note: By default a user has no privileges.
Here we have three options:
1. Add user to group (AWS recommends managing users via groups; this way we don’t have to manage users individually. Instead, we apply policies/restrictions to the group and they apply to all users present in the group.)
2. Copy permissions from existing user: you can select an existing user and apply the same policies as they have to the new user.
3. Attach existing policies: here we have some predefined policies which can be used. These policies have been created by AWS, and it is also recommended to use them as the chance of errors in these policies is minimal.

Step 7: Tags: these are optional metadata which can be used to further restrict privileges.

Step 8: Review page — check if all the entered details are as per your requirement and click on create user.

Step 9: For those of you who chose an auto-generated password or programmatic access, you can see your password, your ID and your secret key here. Keep your ID and secret key safe, because if they are lost, you need to regenerate them.

There you have it, a brand new user! Also set up multi-factor authentication to make it more secure.
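The console walkthrough in Steps 4 to 9 can also be scripted with the AWS CLI. This is an added example, not part of the original post; the user, group and tag names, the `DRY_RUN` and `TEMP_PASSWORD` variables and the `run` and `create_iam_user` helpers are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: AWS CLI equivalent of Steps 4-9. All names are constructed placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = call the real AWS CLI

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}

# Usage: create_iam_user USER GROUP POLICY_ARN [console|programmatic|both]
# Assumes the group does not exist yet (create-group fails on an existing name).
create_iam_user() {
  user="$1"; group="$2"; policy_arn="$3"; access="${4:-console}"

  # Step 6: permissions are attached to a group, not to the user directly.
  run iam create-group --group-name "$group"
  run iam attach-group-policy --group-name "$group" --policy-arn "$policy_arn"

  # Steps 4 and 7: create the user with an optional tag, then add it to the group.
  run iam create-user --user-name "$user" --tags Key=owner,Value=example
  run iam add-user-to-group --group-name "$group" --user-name "$user"

  # Step 5: console password with "Require password reset" enabled.
  case "$access" in console|both)
    if [ "$DRY_RUN" = "1" ]; then pw='<redacted>'; else pw="${TEMP_PASSWORD:?set TEMP_PASSWORD}"; fi
    run iam create-login-profile --user-name "$user" --password "$pw" --password-reset-required ;;
  esac

  # Step 9: an access key pair exists only if programmatic access was requested.
  case "$access" in programmatic|both)
    run iam create-access-key --user-name "$user" ;;
  esac
}

# Run only when arguments are given, e.g.: ./script.sh alice readonly-team <policy-arn> both
if [ "$#" -ge 3 ]; then create_iam_user "$@"; fi
```

With `DRY_RUN=0` the temporary password is passed on the command line, where it can show up in the local process list and shell history, so run it only on a machine you control. The secret key returned by `create-access-key` is shown only once, which matches Step 9.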


Published in AWS Tip


Written by Shivam Shrivastava

Data Engineer at Fractal. Enthusiastic about learning, jotting those learnings down and sharing with the world.
