How to manage AWS IAM User Permissions Using Groups and Policies

Introduction

Sunanda Sharma
3 min read · May 27, 2021

Let’s assume a situation where a security engineer is working for a new startup that is about to launch an online bookstore for rare and antique books. The founder, Jenna, needs help setting up a development team with the proper access permissions. To provide that access while keeping the right security controls in place, AWS Identity & Access Management (IAM) is the natural candidate for the task: the engineer groups the users and assigns permissions to the developer group using policies.

AWS IAM

A brief Introduction to IAM

As per AWS documentation, AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Why use IAM

There are several reasons to do so.

1) IAM controls which users are authenticated (signed in) and authorized (have permissions) to access resources. This removes the need to store user names and passwords directly in applications or to keep credentials in plain text, which is not a good practice.
2) IAM works on the principle that a user should have exactly the permissions needed to perform a task, and nothing more (least privilege).
3) The root user can give other users access to the AWS account without sharing the root user’s credentials or access keys, and can restrict their access in a granular way.
4) IAM integrates with CloudTrail, the AWS API logging service, so user actions can be monitored and recorded.

How to use IAM

Coming back to the problem to be solved

To help Jenna secure the website and give the dev team access, the security engineer performs the following steps:

Log in to the live AWS environment using the credentials provided, and make sure the correct region is selected (N. Virginia, us-east-1, in this case).

Create a Customer-Managed Policy

  1. Navigate to IAM.
  2. In IAM Resources, click Users to view existing users.
  3. From the left dashboard menu, click Policies to create a new policy with developer access.
  4. Click Create policy.
The created policy can be seen above
  5. Click the Visual editor tab.
  6. Set the following values:
     • Service: “DynamoDB”
     • Actions: All DynamoDB actions
     • Resources: All resources
  7. Click Add additional permissions.
  8. Repeat steps 6 and 7 to add the same permissions for the Lambda, S3, and API Gateway services.
  9. Click Review policy.
  10. Enter a standard name for your policy and a brief description.
  11. Click Create policy.
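The visual-editor steps above produce a JSON policy document behind the scenes. The following example code, added here and not part of the original post, builds that document for the four services chosen in the steps and adds a check that flags statements pairing a service-wide action wildcard with every resource, which is where the "exactly the permissions needed" principle from the introduction is most often violated. The service prefix assumed for the console's "API Gateway" entry (apigateway), the example bucket name and the statement Sids are assumptions, not values from the post.

```python
"""Customer-managed developer policy as a JSON document.

Example code added alongside the post's console steps; it is not from the
original article. It builds the policy the visual-editor steps produce
(all actions, all resources, for DynamoDB, Lambda, S3 and API Gateway) and
adds a simple check for statements that are broader than least privilege
requires. Service prefixes and bucket names used below are assumptions.
"""
import json

# IAM service prefixes for the four services chosen in the visual editor.
# Assumption: the console's "API Gateway" entry maps to the "apigateway" prefix.
DEVELOPER_SERVICES = ["dynamodb", "lambda", "s3", "apigateway"]

# Quota for a managed policy document; IAM does not count whitespace.
MANAGED_POLICY_MAX_CHARS = 6144


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_developer_policy(services=DEVELOPER_SERVICES, resources="*"):
    """Return the policy document equivalent to selecting 'All <service> actions'
    and 'All resources' for each service, one statement per service."""
    statements = [
        {
            "Sid": f"{svc.capitalize()}FullAccess",
            "Effect": "Allow",
            "Action": f"{svc}:*",
            "Resource": resources,
        }
        for svc in services
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def overbroad_statements(policy):
    """Return the Sids of Allow statements that pair a wildcard action
    ('*' or 'service:*') with a wildcard resource ('*'). With the steps as
    written, every statement is flagged; these are the grants to narrow once
    the team's real resources (tables, functions, buckets) are known."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def scope_statement(policy, sid, actions, resources):
    """Return a copy of the policy with one statement narrowed to the given
    actions and resources (e.g. S3 limited to the bookstore's own bucket)."""
    scoped = json.loads(json.dumps(policy))  # deep copy via JSON round-trip
    for stmt in scoped["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Action"] = list(actions)
            stmt["Resource"] = list(resources)
            break
    else:
        raise KeyError(f"no statement with Sid {sid!r}")
    return scoped


def policy_size_ok(policy):
    """True if the document fits the managed-policy size quota (whitespace excluded)."""
    compact = json.dumps(policy, separators=(",", ":"))
    return len(compact) <= MANAGED_POLICY_MAX_CHARS


if __name__ == "__main__":
    policy = build_developer_policy()
    print(json.dumps(policy, indent=2))
    print("over-broad statements:", overbroad_statements(policy))
    # Constructed example: narrow S3 to one bucket used by the bookstore app.
    tightened = scope_statement(
        policy, "S3FullAccess",
        ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        ["arn:aws:s3:::example-bookstore-assets",
         "arn:aws:s3:::example-bookstore-assets/*"],
    )
    print("after scoping S3:", overbroad_statements(tightened))
```

The printed document is what you would save and pass to `aws iam create-policy --policy-name <your-policy-name> --policy-document file://developer-policy.json` if you prefer the CLI over the console for step 11; the `Sid` values are only labels and can be renamed freely.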

Create a Group Controlled via a Customer-Managed Policy

  1. From the left dashboard menu, select Groups.
  2. Click Create New Group.
  3. Enter the group name “Developers” and click Next Step.
  4. Select the newly created policy and click Next Step.
  5. Review the group information, and then click Create Group.
Create User Group

Assign Users to a Group

  1. From the IAM Groups menu, select the Developers group.
  2. Select the Users tab and click Add Users to Group.
  3. Select the three developers to be added to the group and click Add Users.
Assigning Users to the group
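Once the three developers are in the group, each of them receives the group's policies and nothing else. The example code below, added here and not from the original post, is a small model of that resolution: it walks a user's groups and their attached policies and applies IAM's core rule (an explicit Deny wins, otherwise any matching Allow grants, otherwise access is implicitly denied) with IAM-style wildcard matching. It is not AWS's evaluation engine and ignores conditions, resource-based policies, permission boundaries, session policies and SCPs. The user names, account ID, ARNs and the additional Deny policy are all constructed for the example.

```python
"""Simplified model of user -> group -> policy permission resolution.

Example code added to illustrate the group set up in the steps above; it is
not from the original post and is not AWS's evaluation engine. It models
identity-based policies reached through group membership with IAM's core
rule (explicit Deny beats Allow, everything else is implicitly denied) and
IAM wildcard matching; it ignores conditions, resource policies, permission
boundaries, session policies and SCPs. All users, ARNs and the Deny policy
below are constructed for the example.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """Does the statement cover this action and resource? IAM patterns use
    '*' and '?' wildcards; action names match case-insensitively, ARNs as-is."""
    action_patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resource_patterns = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), p) for p in action_patterns)
            and any(fnmatch.fnmatchcase(resource, p) for p in resource_patterns))


def is_allowed(user, action, resource, user_groups, group_policies):
    """Resolve the user's groups, walk every attached policy statement, and
    apply: matching Deny -> denied; otherwise matching Allow -> allowed;
    otherwise implicit deny (also the result for a user in no group)."""
    allowed = False
    for group in user_groups.get(user, []):
        for policy in group_policies.get(group, []):
            for stmt in policy["Statement"]:
                if not statement_matches(stmt, action, resource):
                    continue
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# The customer-managed policy from the steps above, attached to "Developers".
DEVELOPER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": f"{svc}:*", "Resource": "*"}
        for svc in ("dynamodb", "lambda", "s3", "apigateway")
    ],
}

# Constructed guard rail, not in the post: keep developers away from the
# production assets bucket even though s3:* is allowed above.
DENY_PROD_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::prod-bookstore-assets",
                     "arn:aws:s3:::prod-bookstore-assets/*"],
    }],
}

# Constructed directory: three developers in the group, one user in none.
USER_GROUPS = {"dev1": ["Developers"], "dev2": ["Developers"],
               "dev3": ["Developers"], "auditor": []}
GROUP_POLICIES = {"Developers": [DEVELOPER_ACCESS, DENY_PROD_BUCKET]}


def check(user, action, resource):
    """Convenience wrapper over the constructed directory above."""
    return is_allowed(user, action, resource, USER_GROUPS, GROUP_POLICIES)


if __name__ == "__main__":
    cases = [
        ("dev1", "dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:111122223333:table/Books"),
        ("dev1", "iam:CreateUser", "*"),
        ("dev2", "s3:DeleteObject", "arn:aws:s3:::prod-bookstore-assets/cover.jpg"),
        ("auditor", "s3:GetObject", "arn:aws:s3:::dev-bookstore-assets/cover.jpg"),
    ]
    for args in cases:
        print(*args, "->", "ALLOW" if check(*args) else "DENY")
```

Two things the model makes visible that the console does not: a user who is not in any group has no permissions at all (the auditor case), and the group's `s3:*` grant is not the last word, because any matching Deny attached to the same group overrides it. Real IAM answers the same questions through the IAM policy simulator; the model is only for reasoning about the setup offline.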

Conclusion

Below you can see that the user group has been created.

User Group Created

The security engineer has therefore configured the website with the proper permissions, users and group, and the IAM use case is fully verified.

I hope readers and cloud learners will find this post useful.

Thank You!
