Before you start hands-on exercises for AWS services, AWS strongly recommends that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. We will show you how to create an IAM user to do everyday tasks safely.
In this exercise, you will :
1. To create an IAM user, navigate to the search box and type IAM. Click IAM which will appear on the search results.
2. Now you are on the IAM dashboard page! At the left-hand side panel, you can see different features of AWS IAM. Under Access management, click Users
3. On the Users page, you will see the list of IAM users that you've created. Since this is your first time, it's empty. To create an IAM user, click Create user.
4. In Step 1, you will specify user details, and give the name of your IAM user. In this exercise, you will create 3 IAM users. Below are the needed details to enter.
User-<number>. For example, User-1
- Check the box of the Provide user access to the AWS Management Console - optional
- On the "Are you providing console access to a person?", choose I want to create an IAM user
An extra for the curious 💡AWS Identity Center lets users to log in to the Management Console without a username or password. In this exercise, you are not going to select that, you must understand first the fundamental concept of IAM before you deep dive into the AWS Identity Center.
5. Once you choose I want to create an IAM user, you will see additional settings to setup.
6. For the Console password, you have two options, either an Autogenerated password or Custom password. If you choose an Autogenerated password, AWS will provide the password for you. If you choose Custom password, ensure you follow the requirements for creation of a custom password such as at least 8 characters long, must include at least one uppercase letter (A-Z), and other requirements. For this exercise, choose Autogenerated password.
7. Still, on this page, AWS recommends checking the box next to the left of Users must create a new password at next sign-in - Recommended (users will automatically get the IAMUserChangePassword policy to allow them to change their own password for every sign-in to their IAM user account. For this exercise, you will not do that. Therefore, you will uncheck the box.
8. Once all done with this step, click Next.
9. This page lets you set permissions. Skip this for now as you're going to do this on a separate task. Click Next.
10. On the Review and create page, click Create user.
11. Make sure to click Download .csv file before returning to the Users dashboard (by clicking Users under Access management section in the left hand navigation panel). Inside the CSV file are your credentials (username, password, and AWS console URL) for you to sign in to the AWS Management console as an IAM user. We'll get to opening the CSV file later in this exercise!
Handy tip: If you forget to save it, you can simply create a new password by navigating to your newly created user (User-1) and clicking the Security credentials tab. Under Console sign-in, click Manage console access. Once you see the similar image below, you can now reset your password.
4. For the remaining users - User-2, and User-3 - follow Steps 1 to 7.
In this task, you will enable multifactor authentication (MFA) to User-1.
Why are we doing this?
MFA adds a new layer of security to your AWS Account. It helps prevent outsiders trying to get access to your account through stolen account logins. If you've ever been asked to enter a secure code sent your email/phone to complete your sign-in, that's MFA!
While this may not be a super big deal for our Free Tier account, it is for big companies like Netflix!
1. To enable MFA, return to the Users page, and click the User-1 link.
2. Click Security credentials tab, and find the section labeled Multi-factor authentication (MFA).
3. Once you locate MFA, click Assign MFA device.
4. On the Select MFA device, enter the needed information:
5. Device name: Give a name of your MFA device, for example, "MFAforAWSAccount"
6. MFA device: In this exercise, you will choose the Authenticator app (virtual MFA) which is commonly used when you are setting up MFA to other accounts.
7. Click Next.
8. On the Set up device, step 1, you will need to install an authenticator app on your mobile. No worries if you haven't downloaded these before - you can find them on the Google Play Store and iOS App Store super easily! Here's the list, you only need to pick one and download it:
9. Now back to your AWS account! Click Show QR code. Open your authenticator app and scan the QR code.
10. To finish this off, we'll need to fill in two codes that pop up from our MFA device.
11. Click Add MFA.
Congratulations! You've just added an extra layer of protection for User 1. The next time you need to log in to User 1, you will need to use your authentication app to verify that it's really you trying to log in (and not someone else that stole your password)
In this task, you will add the IAM users to the IAM group. Before you can add the users to the groups, you will first create the IAM groups.
1. You will create 3 IAM groups (EC2-Admin, EC2-Support, and S3-Support). To create an IAM group, ensure that you are still in the IAM Dashboard, on the left side, click User groups.
2. Similar to IAM users, you will see the list of IAM groups here. It's empty for now as we haven't created a group yet. Click Create group.
3. On the Create user group page, enter this information:
5. Create the other two IAM groups (EC2-Support and S3-Support). Follow step 3 again, and don't forget to assign the right user to the right group:
In this task, you will assign an IAM policy to the IAM group.
Your output should be similar to the image below. The EC2-Admin group now has the AmazonEC2FullAccess policy!! This means IAM user (User-3) will inherit this policy too, because you assigned User-3 to this group earlier.
6. Next, you will attach a policy to the EC2-Support. To do that, click on User groups from the side bar and repeat steps 1 to 5 from Task 4. The difference is that you will select EC2-Support in step. In step 4, you will select AmazonEC2ReadOnlyAccess.
The output should be similar to the image below:
7. Finally, you will attach a policy to the S3-Support. To do that, repeat steps 1 to 5 in this task. The difference is that you will select S3-Support in step one and AmazonS3ReadOnlyAccess in step four.
The output should be similar to the image below.
8. Next, you will test User-2. Repeat steps 1 and 2 from this task to sign in to AWS Management Console as User-2.
9. Once signed in, go to the EC2 console by typing in the search box EC2, and click the EC2 that will appear in the search results.
10.Try to create an EC2 instance by clicking Launch instance:
11. Finally, you will test User-3. Repeat steps 1 and 2 from this task to sign in to your Management Console as User-3.
12. Once signed in, go to the EC2 console and click Launch instance.
13. Try to create an EC2 instance:
14. You should see a successful launch of the EC2 instance. This means a successful test on User-3!
15. To prevent some cost on your EC2 instance you have to delete it. To delete an EC2 instance, select the EC2 instance (check the box), click Instance state, and choose Terminate instance.
Note: AWS IAM features are offered at no charge - so you won't be charged even if you decide to keep these users in your account.
16. If you do want to delete IAM users and IAM groups, here are the steps:
Congratulations! You successfully: