My journey to AWS cloud practitioner – AWS IAM – Part 3

I have been through some theories and concepts about AWS Cloud again. I cannot write everything here as it is very bulky. There are several courses available on the official AWS portal as well as from third-party course providers like Udemy or YouTube. Some of the key concepts I went through again are Regions, Availability Zones, the shared responsibility model in AWS, etc. However, in this article I am going to skip all these basics and go directly to AWS IAM, pointing out whatever I find interesting and things I can refer to in the future. If you came across this blog, I hope it’s useful for you too.

The 4 main terms in IAM

These are Users, Groups, Roles, and Policies. Rest assured, they do not have the same meaning as User, Group, and Other in a Unix environment. As usual, I’ll try to show more output from the AWS CLI instead of using the GUI. Please note that there are 3 main ways to access AWS: the AWS Console (web GUI/portal), the AWS CLI, and the AWS API.

Users and Groups – Users belong to a group, and specific permissions can be assigned to the group. This is done through the group policy.

Role – It’s similar to a user, but its main characteristic is that, instead of being uniquely associated with one person, it is assumable by anyone who needs it.

IAM Users

The aws iam command offers more than 150 subcommands. IAM users are managed with a handful of them, shown below.

1. To create a user, do the following:

aws iam create-user --user-name adminuser

2. By this time, if you list the users, you should see it with the following command:

aws iam list-users

3. The user created above is named “adminuser”; the remaining steps refer to it by that name.

4. You can also check whether the new user is in any group, which returns an empty result, as it doesn’t belong to any group yet:

aws iam list-groups-for-user --user-name adminuser

IAM Profiles

5. We would also like to set up a password for the user ‘adminuser’. There are many ways to do that. Here is one of them: create a login profile for the user and, using the profile template, assign the password:

Generate a skeleton:

aws iam create-login-profile --generate-cli-skeleton > create-adminuser-profile.json

Then fill in the username and password details in the JSON file:

cat create-adminuser-profile.json 
{
    "UserName": "adminuser",
    "Password": "enter your passphrase here",
    "PasswordResetRequired": true
}

Create the profile:

aws iam create-login-profile --cli-input-json file://create-adminuser-profile.json

It should look like this:

aws iam create-login-profile --cli-input-json file://create-adminuser-profile.json
{
    "LoginProfile": {
        "UserName": "adminuser",
        "CreateDate": "2022-03-18T11:43:43Z",
        "PasswordResetRequired": true
    }
}
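A scripted version of step 5, added here as an example and not taken from the original post: it generates a random password instead of typing one into the skeleton, writes the JSON with owner-only permissions, keeps PasswordResetRequired set, and removes the file once it has been used. The aws call is the same create-login-profile --cli-input-json from above; the function names are this example’s own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build the create-login-profile
# input for a user without leaving a plaintext password lying around.
set -eu

# Print a 20-character random password made of alphanumerics only.
random_password() {
    # base64 of 48 random bytes is 64 characters; drop '/', '+', '=' and
    # newlines (so the value is JSON-safe), then keep the first 20.
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-20
}

# Write the JSON that `aws iam create-login-profile --cli-input-json` expects
# to file $2 for user $1, readable only by the current user (umask 077).
# The password is printed exactly once so it can be handed to the user.
write_login_profile_json() {
    local user="$1" out="$2" password
    password="$(random_password)"
    ( umask 077
      printf '{\n    "UserName": "%s",\n    "Password": "%s",\n    "PasswordResetRequired": true\n}\n' \
          "$user" "$password" > "$out" )
    printf '%s\n' "$password"
}

# Read the Password value back out of a profile file (used to verify the file).
password_in_file() {
    sed -n 's/^ *"Password": "\(.*\)",$/\1/p' "$1"
}

# Stand-alone demo: create the file, show it, then remove it. In real use the
# aws command in the comment runs between writing and deleting the file.
if [ "${1:-}" = "--demo" ]; then
    write_login_profile_json adminuser ./create-adminuser-profile.json >/dev/null
    cat ./create-adminuser-profile.json
    # aws iam create-login-profile --cli-input-json file://create-adminuser-profile.json
    rm -f ./create-adminuser-profile.json
fi
```

Run it with `bash profile.sh --demo` to see the generated file. Because the file holds a live password, it is created with mode 600 and deleted right after the aws call; the one-time printout is what you pass on to the user, who is then forced to change it at first login.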

6. Create an access key. Creating an access key means the user can sign in to AWS using the AWS CLI or API (programmatic access). If no access key is created, the user will only have access to the AWS web portal. Save the key returned by the command below: the secret access key is shown only at creation time and cannot be retrieved afterwards.

aws iam create-access-key --user-name adminuser

IAM Groups

7. There are 2 ways to add a policy: either on the user itself or on the group the user has been assigned to. In practice, it is better to add the user to a group and attach the policy to that group. So let’s create a group:

 aws iam create-group --group-name AdminGroup

8. After creating the group, you should be able to see it using the list-groups command:

aws iam list-groups

9. To add the user to the group:

aws iam add-user-to-group --group-name AdminGroup --user-name adminuser

10. I can also list all groups a user belongs to:

aws iam list-groups-for-user --user-name adminuser

11. In case you want to remove a user from a group:

aws iam remove-user-from-group --user-name adminuser --group-name AdminGroup

Group Policies

12. There are more than 900 policies available:

 aws iam list-policies | grep PolicyName | wc -l
928

13. Let’s now attach the AdministratorAccess policy to the group.

Here is the policy as found with list-policies:

aws iam list-policies | grep "AdministratorAccess"
            "PolicyName": "AdministratorAccess",
            "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",

Add the policy to the group using attach-group-policy (the AWS CLI uses the verb “attach” when adding a policy to a group):

aws iam attach-group-policy --group-name AdminGroup --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

14. To check the policies attached to a group:

aws iam list-attached-group-policies --group-name AdminGroup
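Steps 7 to 14 give one group the AdministratorAccess policy. The natural follow-up check is to find out which groups in the account carry that policy and who is in them. The script below is an added example, not code from the original post: it uses the CLI’s --query and --output text options rather than grepping JSON, so every value lands on its own line, and it matches the full policy ARN exactly (the similarly named AdministratorAccess-Amplify policy must not count). The fake_aws function is a constructed stand-in for the real CLI so the script can be exercised offline; the function names are this example’s own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): report IAM groups that carry the
# AWS-managed AdministratorAccess policy, and the users in those groups.
set -euo pipefail

ADMIN_ARN="arn:aws:iam::aws:policy/AdministratorAccess"
# Command used to reach AWS; point it at a shell function to run offline.
AWS_CLI="${AWS_CLI:-aws}"

# Print the names of groups that have AdministratorAccess attached, one per line.
# --output text prints list values tab-separated, so word splitting on the
# command substitution yields one group name per loop iteration.
admin_groups() {
    local group attached
    for group in $("$AWS_CLI" iam list-groups --query 'Groups[].GroupName' --output text); do
        attached="$("$AWS_CLI" iam list-attached-group-policies --group-name "$group" \
                        --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n')"
        # -F: literal string, -x: whole-line match, so only the exact ARN counts.
        if grep -Fxq "$ADMIN_ARN" <<< "$attached"; then
            printf '%s\n' "$group"
        fi
    done
}

# Print "group<TAB>user" for every member of every admin group.
admin_members() {
    local group user
    for group in $(admin_groups); do
        for user in $("$AWS_CLI" iam get-group --group-name "$group" --query 'Users[].UserName' --output text); do
            printf '%s\t%s\n' "$group" "$user"
        done
    done
}

# Constructed stand-in for the AWS CLI (sample data, not a real account):
# two groups, of which only AdminGroup carries AdministratorAccess.
fake_aws() {
    case "$2" in
        list-groups) printf 'AdminGroup\tDevGroup\n' ;;
        list-attached-group-policies)
            case "$4" in
                AdminGroup) printf '%s\n' "$ADMIN_ARN" ;;
                DevGroup)   printf 'arn:aws:iam::aws:policy/ReadOnlyAccess\n' ;;
            esac ;;
        get-group)
            case "$4" in
                AdminGroup) printf 'adminuser\tbob\n' ;;
                DevGroup)   printf 'alice\n' ;;
            esac ;;
    esac
}

# Stand-alone demo against the constructed stub; omit --demo to query AWS.
if [ "${1:-}" = "--demo" ]; then
    AWS_CLI=fake_aws
    admin_members
fi
```

`bash admin-audit.sh --demo` prints `AdminGroup<TAB>adminuser` and `AdminGroup<TAB>bob` from the sample data; run it without --demo and with valid credentials to get the same report for a real account. Keeping this list short, and reviewing it regularly, is the practical counterpart of attaching AdministratorAccess in step 13.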