User and Group administration
Soren Jensen edited this page Jan 13, 2018 · 10 revisions
One of the cornerstones of Amazon AWS is Identity and Access Management (IAM). This lesson covers:
- How to create 2 new groups and attach predefined (AWS managed) policies to them
- How to create a new user who can log on to the AWS Console
- How to create a new command-line-only user (programmatic access)
At the end of this lesson you should have 2 groups and 4 users, like this:
- Log on to the AWS Console and locate the IAM service. It's found under the "Security, Identity & Compliance" services.
- In the navigation pane in the top left corner choose "Groups", then choose "Create New Group".
- Type in the name of your group (I call mine admins) and click the "Next Step" button in the lower left corner.
- Attach a group policy to your new group. To make this easier, AWS provides a comprehensive list of predefined (managed) policies. In this tutorial we are creating an admin group for our admin accounts, so find and select the "AdministratorAccess" policy: tick the box next to it and click the "Next Step" button. Note that AdministratorAccess grants full access to every service and resource in the account, so keep the membership of this group small.
- On the review page check that the name and policy are as shown below, and click "Create Group" if they match.
Now try to create a 2nd group on your own. Name it developers and attach the following 2 predefined policies to it: "AmazonS3FullAccess" (full access to every S3 bucket in the account) and "IAMUserChangePassword" (lets members change their own console password, which they will need after the forced password reset described below). Check your group on the review page against the picture below, and if it matches click "Create Group".
- Log on to the AWS Console and locate the IAM service. It's found under the "Security, Identity & Compliance" services.
- In the navigation pane in the top left corner choose "Users", then choose "Create New User".
- Type in the name of your user (I call my first user admin). Access type should be "AWS Management Console access" so the user can log on to the AWS console with a password. Leave "Console password" as "Autogenerated password" and keep the "Require password reset" box ticked, so the generated password is only ever used once. Finally click the "Next: Permissions" button in the lower right corner.
- There are 3 options for setting the user's permissions. In this tutorial we add the user to one of the groups we created earlier: tick the box in front of the group "admins" to select it, then click the "Next: Review" button in the lower right corner.
- On the review page check that the username and permissions are as shown below, and click "Create user" if they match. Since this user inherits AdministratorAccess from the group, enable MFA for it as soon as the first login and password reset are done.
The process for creating a programmatic user is very much like creating a user with access to the AWS console.
- Log on to the AWS Console and locate the IAM service. It's found under the "Security, Identity & Compliance" services.
- In the navigation pane in the top left corner choose "Users", then choose "Create New User".
- Type in the name of your user. This time we are creating a user with programmatic access only; I call mine admin_cli, short for AWS CLI access. The access type should be "Programmatic access", which gives the user an access key for the AWS API, CLI, SDKs and other development tools, but no console password. Finally click the "Next: Permissions" button in the lower right corner.
- There are 3 options for setting the user's permissions. In this tutorial we add the user to one of the groups we created earlier: tick the box in front of the group "admins" to select it, then click the "Next: Review" button in the lower right corner.
- On the review page check that the username and permissions are as shown below, and click "Create user" if they match.
- Take note of the username and access key ID, and most importantly copy the secret access key to a secure location (a password manager or a credentials file with restricted permissions, never source control). This is the first and last time the console will show it; if you lose it you need to create a new access key and delete the old one. Remember that this key carries AdministratorAccess: anyone who obtains it has full control of the account.
Create the initial admin_cli user manually; the rest of the setup will be done by Terraform using that user's access key.
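As an added example (not code from the original wiki page or its repository), here is the same setup expressed as Terraform: the two groups with their managed policies, the console users with an autogenerated, reset-on-first-login password, and a programmatic user with an access key. It is meant to be applied with the access key of the manually created admin_cli user. The region, the admin_cli named profile, the user names dev and dev_cli, and the pgp_key variable are assumptions; the group names and policy names are the ones used in the steps above.

```hcl
# Added example; assumes a named profile "admin_cli" in ~/.aws/credentials
# holding the access key created by hand above, and a PGP key used to
# encrypt every generated secret so it never appears in plaintext.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region  = "eu-west-1" # IAM is global; region only affects the STS endpoint (assumption)
  profile = "admin_cli" # assumed profile with the manually created admin_cli key
}

# "keybase:<user>" or a base64-encoded PGP public key (assumption). Generated
# passwords and secret keys are returned encrypted to this key, so neither the
# Terraform state nor the terminal ever holds them in plaintext.
variable "pgp_key" {
  type = string
}

locals {
  aws_managed = {
    administrator_access     = "arn:aws:iam::aws:policy/AdministratorAccess"
    s3_full_access           = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    iam_user_change_password = "arn:aws:iam::aws:policy/IAMUserChangePassword"
  }
  # console user name => group it belongs to ("dev" is an assumed name)
  console_users = { admin = "admins", dev = "developers" }
}

# --- Groups and their AWS managed policies ---------------------------------
resource "aws_iam_group" "admins" {
  name = "admins"
}

resource "aws_iam_group_policy_attachment" "admins" {
  group      = aws_iam_group.admins.name
  policy_arn = local.aws_managed.administrator_access
}

resource "aws_iam_group" "developers" {
  name = "developers"
}

resource "aws_iam_group_policy_attachment" "developers" {
  for_each   = toset([local.aws_managed.s3_full_access, local.aws_managed.iam_user_change_password])
  group      = aws_iam_group.developers.name
  policy_arn = each.value
}

locals {
  groups = {
    admins     = aws_iam_group.admins.name
    developers = aws_iam_group.developers.name
  }
}

# --- Console users: autogenerated password, reset forced on first login -----
resource "aws_iam_user" "console" {
  for_each = local.console_users
  name     = each.key
}

resource "aws_iam_user_login_profile" "console" {
  for_each                = aws_iam_user.console
  user                    = each.value.name
  pgp_key                 = var.pgp_key
  password_reset_required = true
}

resource "aws_iam_user_group_membership" "console" {
  for_each = local.console_users
  user     = aws_iam_user.console[each.key].name
  groups   = [local.groups[each.value]]
}

# --- Programmatic user: access key only, no console password ----------------
resource "aws_iam_user" "dev_cli" {
  name = "dev_cli" # assumed name for the developers' CLI user
}

resource "aws_iam_user_group_membership" "dev_cli" {
  user   = aws_iam_user.dev_cli.name
  groups = [aws_iam_group.developers.name]
}

resource "aws_iam_access_key" "dev_cli" {
  user    = aws_iam_user.dev_cli.name
  pgp_key = var.pgp_key
}

output "dev_cli_access_key_id" {
  value = aws_iam_access_key.dev_cli.id
}

output "dev_cli_encrypted_secret" {
  description = "base64 PGP ciphertext; decrypt with the private key matching var.pgp_key"
  value       = aws_iam_access_key.dev_cli.encrypted_secret
}

output "console_encrypted_passwords" {
  value = { for k, p in aws_iam_user_login_profile.console : k => p.encrypted_password }
}
```

Run `terraform init` and `terraform apply -var pgp_key=keybase:<user>` with the admin_cli key in the named profile. Because `pgp_key` is set, the provider stores only ciphertext in the outputs and state; recover a secret with `terraform output -raw dev_cli_encrypted_secret | base64 -d | gpg --decrypt`. Leaving `pgp_key` out would put the generated password and secret key in plaintext in the state file, which is the same exposure as pasting the secret from the console into source control.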