Identity and Access Management in AWS (Amazon Web Services)

In this article we will see how to:

  1. Create 2 users, “Ramesh” and “Ajay”
  2. Create 2 groups, “EC2 Full Access” and “S3 Full Access”
  3. Give the groups the permissions “AmazonEC2FullAccess” and “AmazonS3FullAccess”
  4. The first group has AmazonEC2FullAccess
  5. The second group has AmazonS3FullAccess
  6. Add the first user “Ramesh” to the first group “EC2 Full Access”
  7. The first user has only one permission, “AmazonEC2FullAccess”
  8. Add the second user “Ajay” to the second group “S3 Full Access”
  9. Give one direct permission, “AmazonGlacierFullAccess”, to the second user “Ajay”
  10. The second user has 2 permissions, “AmazonS3FullAccess” and “AmazonGlacierFullAccess”.

Note

As long as the first user “Ramesh” is in the first group “EC2 Full Access” he will have exactly one permission, “AmazonEC2FullAccess”; if he is removed from the group he will have no permissions at all.

As long as the second user “Ajay” is in the second group “S3 Full Access” he will have 2 permissions, “AmazonS3FullAccess” and “AmazonGlacierFullAccess”.

“AmazonGlacierFullAccess” is attached to the second user “Ajay” directly, so if he leaves the second group that permission “AmazonGlacierFullAccess” stays with him.
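The following is an added example, not code from the article. It replays the ten steps above (with the group names the walkthrough actually creates, EC2-GROUP and S3-GROUP) and then audits where each user's managed policies come from, which is exactly the point of the note: group policies disappear when the user leaves the group, a directly attached policy does not. The audit function effective_managed_policies() uses three real boto3 IAM client methods (list_attached_user_policies, list_groups_for_user, list_attached_group_policies) and runs unchanged against boto3.client("iam"); the FakeIam class is an assumed in-memory stand-in for the subset of the IAM API used here, so the example runs offline.

```python
"""Audit of effective managed policies for the Ramesh/Ajay scenario.

Added example, not the article's own code. effective_managed_policies()
works against a real boto3.client("iam"); FakeIam is an in-memory stand-in
for the handful of IAM calls used here so the scenario runs offline.
"""

AWS_MANAGED = "arn:aws:iam::aws:policy/"  # ARN prefix of AWS managed policies


def policy_arn(policy_name):
    """ARN of an AWS managed policy such as AmazonEC2FullAccess."""
    return AWS_MANAGED + policy_name


class FakeIam:
    """In-memory stand-in for the boto3 IAM client calls used in this example.

    Method names and keyword arguments mirror the real client. Responses carry
    only the keys the audit reads; real responses have more fields and are
    paginated (IsTruncated/Marker) in accounts with many policies or groups.
    """

    def __init__(self):
        self.user_policies = {}   # user name  -> set of directly attached ARNs
        self.group_policies = {}  # group name -> set of attached ARNs
        self.members = {}         # group name -> set of member user names

    def create_user(self, UserName):
        self.user_policies.setdefault(UserName, set())

    def create_group(self, GroupName):
        self.group_policies.setdefault(GroupName, set())
        self.members.setdefault(GroupName, set())

    def attach_group_policy(self, GroupName, PolicyArn):
        self.group_policies[GroupName].add(PolicyArn)

    def attach_user_policy(self, UserName, PolicyArn):
        self.user_policies[UserName].add(PolicyArn)

    def add_user_to_group(self, GroupName, UserName):
        self.members[GroupName].add(UserName)

    def remove_user_from_group(self, GroupName, UserName):
        self.members[GroupName].discard(UserName)

    @staticmethod
    def _attached(arns):
        return {"AttachedPolicies": [
            {"PolicyName": a.rsplit("/", 1)[1], "PolicyArn": a} for a in sorted(arns)]}

    def list_attached_user_policies(self, UserName):
        return self._attached(self.user_policies[UserName])

    def list_attached_group_policies(self, GroupName):
        return self._attached(self.group_policies[GroupName])

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g, m in self.members.items() if UserName in m]}


def effective_managed_policies(iam, user_name):
    """Map each managed policy the user holds to its source: 'direct' for a
    policy attached to the user, 'group:<name>' for one inherited through a
    group. If both apply, 'direct' is reported, since it survives group removal."""
    sources = {}
    for p in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        sources[p["PolicyName"]] = "direct"
    for g in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        group = g["GroupName"]
        for p in iam.list_attached_group_policies(GroupName=group)["AttachedPolicies"]:
            sources.setdefault(p["PolicyName"], f"group:{group}")
    return sources


def direct_grants(iam, user_name):
    """Policies that will outlive any group change for this user."""
    return sorted(n for n, s in effective_managed_policies(iam, user_name).items() if s == "direct")


def build_scenario(iam):
    """Replay the article's steps: two users, two groups, one direct grant."""
    for user in ("Ramesh", "Ajay"):
        iam.create_user(UserName=user)
    iam.create_group(GroupName="EC2-GROUP")
    iam.attach_group_policy(GroupName="EC2-GROUP", PolicyArn=policy_arn("AmazonEC2FullAccess"))
    iam.create_group(GroupName="S3-GROUP")
    iam.attach_group_policy(GroupName="S3-GROUP", PolicyArn=policy_arn("AmazonS3FullAccess"))
    iam.add_user_to_group(GroupName="EC2-GROUP", UserName="Ramesh")
    iam.add_user_to_group(GroupName="S3-GROUP", UserName="Ajay")
    iam.attach_user_policy(UserName="Ajay", PolicyArn=policy_arn("AmazonGlacierFullAccess"))


if __name__ == "__main__":
    iam = FakeIam()  # swap for boto3.client("iam") to audit a real account
    build_scenario(iam)
    for user in ("Ramesh", "Ajay"):
        print(user, effective_managed_policies(iam, user))
    # Removing Ajay from S3-GROUP drops S3, but the direct Glacier grant stays.
    iam.remove_user_from_group(GroupName="S3-GROUP", UserName="Ajay")
    print("Ajay after leaving S3-GROUP:", effective_managed_policies(iam, "Ajay"))
```

Run against a real account, direct_grants() is the list worth reviewing whenever someone is moved between groups: those are the permissions that group membership does not control.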

First, open the AWS Console page using the link below.

https://aws.amazon.com/console/

Click on the Sign in to the Console button.

Logging in to the AWS account

Provide the username and password, then click on Sign in.

Entering the AWS Management Console

We can see the AWS Management Console Dashboard.

Go to the Security, Identity & Compliance section and click on the IAM service to open it.

We can see the IAM Management Dashboard.

  1. Create 2 users “Ramesh” and “Ajay” and one group “EC2-GROUP”

Go to Users and click on Add user to create a new user.

Specify new user names “Ramesh” and “Ajay”.

Give the access type “AWS Management Console access”, by clicking on the checkbox, to get a username and password.

Choose the console password type “Autogenerated password”, meaning the system will generate a complex password.

Uncheck “Require password reset” so the user can keep the generated password and is not forced to change it.

Click on Next.

Click on Create group.

Note

Add users to group – the users being created will be added to this group by default.

Specify the group name “EC2-GROUP”.

Give the required policy “AmazonEC2FullAccess” to the group by searching “ec2full” in the search bar.

Click on Create group.

The group “EC2-GROUP” has been created with the policy/permission “AmazonEC2FullAccess”.

Click on Tags.

Click on Review.

Verify all details and click on Create users.

The users “Ramesh” and “Ajay” have been created successfully; we can see the message “Success”.

Send email – to share the credentials with the users.

We can download the credentials as a backup by clicking on Download .csv, then click on Close.

Currently both users are in EC2-GROUP.

Create S3-GROUP and add user “Ajay” to S3-GROUP.

We can see that both users belong to one group, “EC2-GROUP”.

Create another group, “S3-GROUP”.

Specify the group name “S3-GROUP” and click on Next Step.

Attach a policy to the group “S3-GROUP”

Attach the policy to the group by searching “S3Full” in the search bar, selecting “AmazonS3FullAccess” and clicking on Next Step.

Review

Verify details and click on Create Group.

The group “S3-GROUP” has been created successfully.

We can see 2 groups, “EC2-GROUP” and “S3-GROUP”.

Currently both users are still in EC2-GROUP.

Note:

Go inside EC2-GROUP and remove the user “Ajay”.

Go inside S3-GROUP and add the user “Ajay”.

Remove the user “Ajay” from EC2-GROUP

Click on EC2-GROUP to go inside the group.

Select the user “Ajay” and click on Remove User from Group under Actions.

Click on Remove From Group.

The user “Ajay” has been removed from group “EC2-GROUP”.

We can see that “EC2-GROUP” now has only one user, “Ramesh”.

Add the user “Ajay” to “S3-GROUP”

Go inside the group by clicking on group name “S3-GROUP”.

Click on Add Users to Group.

Choose the required user “Ajay” and click on Add Users.

The user “Ajay” has been successfully added to group “S3-GROUP”.

We can see two groups, each with one user.

Grant AmazonGlacierFullAccess directly to the user “Ajay”

Click on the user “Ajay”.

Currently the user “Ajay” has AmazonS3FullAccess. I am going to add one more access directly.

Click on Add Permissions.

Choose Attach existing policies directly.

Select AmazonGlacierFullAccess and click on Next.

Click on Add Permissions.

AmazonGlacierFullAccess has been attached to the user directly, so the user “Ajay” now has two permissions, “AmazonS3FullAccess” and “AmazonGlacierFullAccess”.

Go to users, we can see two users and their groups.

Logging in to the AWS account as the user “Ramesh”

Go to the folder on disk and open the credentials spreadsheet that was downloaded earlier.

We can see both users' credentials: username and password, along with the console login link.

Copy the user “Ramesh” console link and open it in a browser.

We can see the Account ID or alias (the IAM user is logging in to the root account, i.e. the AWS account that owns the user).

Provide the IAM user name “Ramesh” and password (copied from the spreadsheet), then click on Sign in.

The user “Ramesh” is logged in to the root account (he is a part of the root account).

In the AWS Management Console we can see Ramesh@4882-9520-537 (Ramesh is the user, 4882-9520-537 is the root account ID).

Go to services and we can see all the services.

The user “Ramesh” can access EC2 because he has “AmazonEC2FullAccess”.

Logging in to the AWS account as the user “Ajay”

Again we can see both users' credentials: username and password, along with the console login link.

Copy the user “Ajay” console link and open it in a browser.

We can see the Account ID or alias (the IAM user is logging in to the root account).

Provide the IAM user name “Ajay” and password (copied from the spreadsheet), then click on Sign in.

The user “Ajay” is logged in to the root account (he is a part of the root account).

In the AWS Management Console we can see Ajay@4882-9520-537 (Ajay is the user, 4882-9520-537 is the root account ID).

Go to services and we can see all the services.

The user “Ajay” can access S3 because he has “AmazonS3FullAccess”.

Apart from S3 (and the Glacier access granted to him directly) he cannot access the rest of the services (he cannot touch the remaining services).

Thank you for giving your valuable time to read the above information.

Follow us on 

Website :  www.ktexperts.com

Facebook Page : KTexperts

Note: Please test scripts in Non Prod before trying in Production.