AWS Identity & Access Management
As a best practice, do not use the AWS account root user for any task where it’s not required. Instead, create a new IAM user for each person that requires administrator access. Then make those users administrators (only if they absolutely need full access to everything) by placing the users into an “Administrators” group to which you attach the AdministratorAccess managed policy.
It is highly recommended you centralize your identities instead of using IAM Users and Groups as outlined in this lab. If you have more than a simple AWS test account, use AWS Single Sign-On.
The following image shows what you will be doing in the next section 1.1 Create Administrator IAM User and Group.
1.1 Create Administrator IAM User and Group
To create an administrator user for yourself and add the user to an administrators group:
- Use your AWS account email address and password to sign in as the AWS account root user to the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Users and then click Add user.
- For User name, type a user name for yourself, such as Bob or Alice. Each user should have their own user name, do not share credentials. The name can consist of letters, digits, and the following characters: plus
(_), and hyphen
(-). The name is not case sensitive and can be a maximum of 64 characters in length.
- Select the check box next to AWS Management Console access, select Custom password, and then type your new password in the text box. This user will be able to do almost anything in your account, by not giving it programmatic access (access & secret key) you reduce your risk, and we will configure lower-privileged users and roles later. If you’re creating the user for someone other than yourself, you can optionally select Require password reset to force the user to create a new password when first signing in.
- Click Next: Permissions.
- On the Set permissions for user page, click Add user to group.
- Click Create group.
- In the Create group dialog box, type the name for the new group such as Administrators. The name can consist of letters, digits, and the following characters:
plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be a maximum of 128 characters in length.
- In the policy list, select the check box next to AdministratorAccess. Then click Create group.
- Back in the list of groups, verify the check box is next to your new group. Click Refresh if necessary to see the group in the list.
- Click Next: Tags. For this lab we will not add tags to the user.
- Click Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, click Create user.
You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access Management and Example Policies. To add users to the group after it’s created, see Adding and Removing Users in an IAM Group.
- Configure MFA on your new administrator user by choosing Users from the navigation pane.
- In the User Name list, click the name of the intended MFA user.
- Click the Security credentials tab. Next to Assigned MFA device, click the edit icon.
- You can now use this administrator user instead of your root user for this AWS account. It is a best practice to use least privileged access approach to granting permissions, not everyone needs full administrator access!
The following image shows what you will be doing in the next section 1.2 Create Administrator IAM Role.
1.2 Create Administrator IAM Role
To create an administrator role for yourself (and other administrators) to be used with the administrator user and group you just created:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Roles and then click Create role.
- Click Another AWS account, then enter your account ID and tick Require MFA, then click Next: Permissions
- Tick AdministratorAccess from the list, and then click Next: Tags.
- Click Next: Review
- Enter a role name, e.g. ‘Administrators’ then click Create role.
- Check the role you have configured by clicking the role you have just created. Record both the Role ARN and the link to the console. You can also optionally change the session duration timeout.
- The role is now created, with full administrative access and MFA enforced.