AWS – Administering users with IAM

How to install Ubuntu Server 19.10

Before we introduce this recipe, we need to talk briefly about IAM. It’s free, and is enabled on every account. It allows you to create groups and users, and allows you to control exactly what they can and can’t do, through the use of a policy statement.

By default, groups, users and roles will have no permissions until you assign them either an AWS Managed Policy or a Customer-Managed Policy (one which you manage). You may want to use AWS Managed Policies as a starting point in order to avoid having to create and maintain your own, but it’s good practice to refine your requirements, and scope down access privileges with custom policies.

There’s a third kind of policy, called an Inline Policy. Use this sparingly. In fact, the only time we typically see it is in CloudFormation templates.

You pretty much never want to assign a policy directly to a user. If you go down this path, you’ll create a lot of work for yourself in the future, when you have a large number of users that need to be administered separately. Instead, you want to apply policies to groups, and then assign users to those groups. Fortunately, it’s a pretty easy process, and we’re about to walk you through it.

The IAM dashboard provides a URL that your IAM users can use to log in to the web console (if you’ve assigned them a password and given them access to do so). You can also customize this IAM sign-in link if necessary. Don’t forget to give this URL to any IAM users that you create, so they know where to go to sign in.

It will look something like the following, until you customize it: https://<account-id>

Now, jump right in. There’s no excuse for not using IAM. Start today!

Getting ready

All you need to proceed is the CLI tool installed with a profile that can call the AWS IAM API. If you don’t have this, you can follow along with the recipe steps using the AWS web console instead, as the process is the same.

How to do it…

Follow these steps to use the CLI to create a new IAM user:

  1. Create a new group by running this CLI command:
      aws iam create-group --group-name <group-name>
  1. The output looks like this:
          "Group": { 
            "Path": "/", 
            "GroupId": "AGPAIHM2XJ2ELQTNYBFQQ", 
            "Arn": "arn:aws:iam::067180688831:group/PowerUsers", 
            "GroupName": "PowerUsers" 
  1. The group doesn’t have permissions to do anything yet, so you’ll need to attach a policy to it. You can do it with this command (which, unfortunately, doesn’t provide any feedback if it successfully runs):
      aws iam attach-group-policy \
        --group-name <group-name> \
        --policy-arn <policy-arn>
  1. You can find the Amazon Resource Name (ARN) for the policy that you’d like to attach to the AWS IAM web console. You can also run the following CLI command in order to get a list of policies:
      aws iam list-policies
  1. In this example, we’re dealing with PowerUsers, so we want to attach the following ARN, which maps to the AWS Managed Policy for power users:
  1. Now, we can go ahead and create a new user, by running this CLI command:
      aws iam create-user --user-name <new-username>
  1. You’ll get a response that looks like this:
        "User": { 
            "UserName": "lucille.bluth", 
            "Path": "/", 
            "CreateDate": "2017-02-19T06:16:50.558Z", 
            "UserId": "AIDAIU5P6ESCGYTVGACFE", 
            "Arn": "arn:aws:iam::07180688831:user/lucille.bluth" 
  1. If you wish to give this user access to the web console, you’ll need to create a login profile for them. You can do it like so:
      aws iam create-login-profile --user-name <username> \
        --password <password> \
  1. Forcing a password reset here is probably good practice. The API should respond to you like so:
         "LoginProfile": { 
              "UserName": "lucille.bluth", 
              "CreateDate": "2017-02-19T06:29:06.244Z", 
              "PasswordResetRequired": true 
  1. To give the API access to the user, they’ll need a set of API keys. Generate them with this command:
      aws iam create-access-key --user-name <username>

  1. The output will look something like this:
          "AccessKey": { 
            "UserName": "lucille.bluth", 
            "Status": "Active", 
            "CreateDate": "2017-02-19T06:59:45.273Z", 
            "SecretAccessKey": "abcdefghijklmnopqrstuvwxyz", 
            "AccessKeyId": "AAAAAAAAAAAAAAAAAAAA" 
  1. Access keys can only be retrieved once. There is no way to fetch them again after they’ve been generated and shown to you. If you lose your access keys, you’ll have to regenerate a new set of keys.
  2. This user still doesn’t have any permission to do anything; this is because they don’t yet belong to a group. Let’s add them to the group that we created in step 1:
      aws iam add-user-to-group \
        --group-name <group-name> \
        --user-name <username>
Unfortunately, this command doesn’t return any output, either. You can verify whether or not this worked by running this command:
aws iam list-groups-for-user --user-name <username>.
  1. You should see something like this:
          "Groups": [ 
                 "Path": "/", 
                 "CreateDate": "2017-02-19T07:24:46Z", 
                 "GroupId": "AGPAIHM2XJ2ELQTNYBFQQ", 
                 "Arn": "arn:aws:iam::067180688831:group/PowerUsers", 
                 "GroupName": "PowerUsers" 

Be sure to delete this user account if you no longer need it once you have completed the recipe.

There’s more…

This pretty much covers the basics of how to create IAM groups and users, and how to assign policies to them. Here are some of the IAM tips and gotchas that we’ve run into over the years:

  • Users can exist in more than one group. Use this to your advantage.
  • Groups, however, cannot exist within other groups.
  • Users can have more than one set of API keys. This is necessary when they need to perform key rotation.
  • You can (and should) define a strong password policy for your IAM users.
  • The PowerUserAccess policy is good, but it does not allow IAM access. At first, this might not seem to be a problem; however, if you are bound by this policy, you will encounter issues when running CloudFormation stacks that create IAM roles for EC2 instances, for example.
  • IAM is a global service, meaning that users and groups are global, not region-specific. By default, a user can use AWS services in any region.
  • EC2 key pairs are region-specific, and not specific to an IAM user. In other words, IAM users don’t have SSH keys associated with them.
  • Your IAM username and password (and access keys) won’t provide you with SSH or RDP (short for Remote Desktop Protocol) access to running instances. Credentials for these services are managed separately.
  • You can assign up to 10 policies to a group or user.
  • You should also enable multi-factor authentication (MFA) on IAM user accounts for added security. This is used primarily for accessing the web console, but you can also configure your policies so that MFA will be required for API calls, too. You can choose between hardware and software tokens. A good rule of thumb is to use software tokens for IAM users, and hardware tokens for root logins. 

See also

  • The Using cross-account roles recipe

Comments are closed.