Trushang Suthar's Blog

Configuring IAM Roles and Permissions (Create Users, Groups, and Policies)

Trushang Suthar's photo
Trushang Suthar
·

6 min read

AWS Setup and Configuration: Configuring IAM Roles and Permissions (Create Users, Groups, and Policies)

When setting up an AWS environment, one of the first and most crucial tasks is to configure IAM (Identity and Access Management). This is how you manage access to your AWS resources securely. IAM allows you to define who can access what resources, and what actions they can perform.

Why IAM?

IAM is a service that controls access to your AWS resources. It’s an essential tool for ensuring that the right people (or systems) can interact with your AWS environment, while keeping others out. It’s vital for keeping your cloud environment secure.

Key IAM Concepts

To configure IAM, you first need to understand its key components:

  1. Users: An IAM user represents an individual identity within AWS. A user is an AWS account that you create for someone who needs access to AWS.

  2. Groups: A group is a collection of IAM users. You can assign permissions to a group, and all users within the group inherit those permissions.

  3. Roles: A role is an IAM identity with specific permissions that determine what actions can be taken on what resources. Roles are typically used by AWS services or other AWS accounts to access resources.

  4. Policies: A policy is a document that defines permissions. Policies can either allow or deny actions on resources. These are attached to users, groups, or roles to enforce permissions.

Steps to Set Up IAM Roles and Permissions

Now, let’s break down the process of setting up IAM users, groups, and policies.

1. Creating IAM Users

Users represent individuals or applications that need to access AWS resources. To create a new IAM user:

  1. Access IAM Console:

    • Log in to your AWS Management Console.

    • Navigate to IAM under Services.

  2. Create New User:

    • In the IAM dashboard, go to Users and click Add user.

    • Enter a username for the new user.

    • Select the type of access you want to give the user:

      • Programmatic access: This allows the user to access AWS via API, CLI, or SDK.

      • AWS Management Console access: This gives the user access to the AWS console with a password.

  3. Set Permissions:

    • You can assign permissions directly to the user or through a group. We’ll cover groups shortly.

    • For now, choose Attach policies directly to assign permissions to the user. For example, if the user needs access to EC2, search for and select the AmazonEC2FullAccess policy.

  4. Review and Create:

    • Review your settings, and click Create user.

    • Save the user’s credentials (e.g., Access Key ID and Secret Access Key) securely.

Example: If you're setting up a user for a developer who will be managing EC2 instances, you can assign the AmazonEC2FullAccess policy.

2. Creating IAM Groups

Instead of assigning permissions individually to users, it's more efficient to create groups and assign permissions to the group. All users in a group inherit the group’s permissions.

  1. Create a Group:

    • In the IAM dashboard, click on Groups and then click Create New Group.

    • Name the group (e.g., Developers).

  2. Assign Policies to the Group:

    • After naming the group, you’ll be asked to attach policies. For a developer group, you might want to attach AmazonEC2FullAccess, AmazonS3FullAccess, etc.

  3. Add Users to the Group:

    • Add users to the group during group creation, or you can add users later.

By using groups, you can manage permissions more effectively as your team grows.

Example: Create a group called “Admins” and assign the AdministratorAccess policy, which provides full access to all AWS services.

3. Creating IAM Policies

IAM Policies are what define specific permissions. AWS provides managed policies, but you can also create custom policies for more fine-grained control.

  1. Create a Custom Policy:

    • In the IAM console, navigate to Policies and click Create policy.

    • You can use the visual editor or directly edit the policy in JSON format. For example, if you want to allow users to only read from a specific S3 bucket:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::your-bucket-name/*"
            }
        ]
    }

  1. Attach the Policy:

    • Once the policy is created, you can attach it to a user, group, or role.

Example: Create a policy that allows users to list EC2 instances but not make changes. Here’s an example of a JSON policy for that:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": "ec2:DescribeInstances",
         "Resource": "*"
      },
      {
         "Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": "*"
      }
   ]
}

4. Creating and Using IAM Roles

Roles are typically used for granting permissions to AWS services, such as allowing an EC2 instance to access an S3 bucket.

  1. Create a Role:

    • Go to Roles in the IAM console and click Create role.

    • Choose the trusted entity. For example, if you're creating a role for an EC2 instance, select AWS service and then EC2.

  2. Attach Permissions:

    • After creating the role, you can attach policies to it. For an EC2 instance to access S3, you might attach AmazonS3FullAccess.

  3. Assign the Role:

    • You can then assign the role to an EC2 instance or another AWS service.

Example: If you have a Lambda function that needs to access DynamoDB, create a role with AWSLambdaBasicExecutionRole and AmazonDynamoDBFullAccess policies, and assign this role to the Lambda function.

5. Managing Permissions with Least Privilege

It’s crucial to follow the least privilege principle, which means granting only the permissions necessary for users or systems to perform their tasks. This minimizes the risk of accidental or malicious actions.

For instance, if a user only needs to read data from a particular S3 bucket, don’t grant them full access to all S3 resources. Similarly, give only the necessary permissions to EC2, Lambda, or any other services your users need.

Example Use Case: Developer Access to EC2 and S3

Let’s consider a use case where you need to give developers access to EC2 and S3, but you want to limit their permissions to only what’s necessary.

  1. Create Developer Group:

    • Create a group called Developers.

    • Attach AmazonEC2FullAccess and AmazonS3FullAccess policies.

  2. Add Users to the Group:

    • Add all developer users to this group.

Now, all developers can manage EC2 instances and S3 buckets, but they won’t have access to other AWS services unless specifically granted.

Conclusion

Configuring IAM roles and permissions is essential for maintaining a secure AWS environment. By setting up users, groups, policies, and roles correctly, you can ensure that your team has the appropriate access to the resources they need—without compromising security. Always adhere to the principle of least privilege to minimize risk.

For more detailed documentation on IAM, you can refer to the official AWS IAM documentation here:
AWS IAM Documentation

By following the steps above, you will have a well-organized, secure AWS environment for your team to work in.

AWS IAM ConfigurationAWS IAM Roles and PermissionsAWS Developer Access SetupAWS IAM for EC2 and S3AWS EC2 Instance Securityaws iam policiesaws Security best practicesAWS Access Control