Exercise 1: Setting up IAM users

Natasha Ong

Exercise Overview:

Before you start hands-on exercises for AWS services, AWS strongly recommends that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. We will show you how to create an IAM user to do everyday tasks safely.

In this exercise, you will:

  • Create 3 IAM users
  • Create 3 IAM groups
  • Add IAM users to IAM groups.
  • Enable multifactor authentication (MFA) on one of the IAM users.
  • Assign a policy to an IAM user and an IAM group.
  • Test the access of each IAM user.
  • Bonus! Create an IAM user equivalent to the root user account

Task 0: Log in to the AWS Management Console with your root user details

Click here to log in to the AWS Management Console

Task 1: Create IAM users

1. To create an IAM user, navigate to the search box and type IAM. Click IAM in the search results.

2. Now you are on the IAM dashboard page! The left-hand side panel lists the different features of AWS IAM. Under Access management, click Users.

3. On the Users page, you will see the list of IAM users that you've created. Since this is your first time, it's empty. To create an IAM user, click Create user.

4. In Step 1, you will specify user details and give your IAM user a name. In this exercise, you will create 3 IAM users. Enter the following details:

- User name: User-<number>. For example, User-1

- Check the box Provide user access to the AWS Management Console - optional

- Under "Are you providing console access to a person?", choose I want to create an IAM user

An extra for the curious 💡 AWS Identity Center lets users log in to the Management Console without a username or password. In this exercise, you are not going to select that: you should first understand the fundamental concepts of IAM before you dive into AWS Identity Center.

5. Once you choose I want to create an IAM user, you will see additional settings to set up.

6. For the Console password, you have two options: Autogenerated password or Custom password. If you choose Autogenerated password, AWS will generate the password for you. If you choose Custom password, make sure it meets the password requirements, such as being at least 8 characters long and including at least one uppercase letter (A-Z). For this exercise, choose Autogenerated password.

7. Still on this page, AWS recommends checking the box next to Users must create a new password at next sign-in - Recommended (users automatically get the IAMUserChangePassword policy, which allows them to change their own password when they sign in to their IAM user account). For this exercise, you will not do that, so uncheck the box.

8. Once all done with this step, click Next.

9. This page lets you set permissions. Skip this for now as you're going to do this on a separate task. Click Next.

10. On the Review and create page, click Create user.

11. Make sure to click Download .csv file before returning to the Users dashboard (by clicking Users under the Access management section in the left-hand navigation panel). The CSV file contains your credentials (username, password, and AWS console URL) for signing in to the AWS Management Console as an IAM user. We'll get to opening the CSV file later in this exercise!

Handy tip: If you forget to save it, you can simply create a new password by navigating to your newly created user (User-1) and clicking the Security credentials tab. Under Console sign-in, click Manage console access. From there you can reset the password.

12. For the remaining users - User-2 and User-3 - repeat the steps above.

Task 2: Enable MFA for an IAM user

In this task, you will enable multifactor authentication (MFA) for User-1.

Why are we doing this?

MFA adds a new layer of security to your AWS account. It helps stop outsiders from getting into your account with stolen login details. If you've ever been asked to enter a code sent to your email or phone to complete your sign-in, that's MFA!
While this may not be a super big deal for our Free Tier account, it is for big companies like Netflix!

1. To enable MFA, return to the Users page, and click the User-1 link.

2. Click the Security credentials tab, and find the section labeled Multi-factor authentication (MFA).

3. Once you locate MFA, click Assign MFA device.

4. On the Select MFA device page, enter the following information:

5. Device name: give your MFA device a name, for example "MFAforAWSAccount".

6. MFA device: in this exercise, choose Authenticator app (virtual MFA), which is the option commonly used when setting up MFA for other accounts.

7. Click Next.

8. On the Set up device page, step 1, you will need to install an authenticator app on your phone. No worries if you haven't downloaded one before - you can find them on the Google Play Store and iOS App Store super easily! Here's the list; you only need to pick one and download it:

  • Authy Authenticator
  • Duo Mobile
  • Microsoft Authenticator
  • Google Authenticator
  • Symantec VIP

9. Now back to your AWS account! Click Show QR code. Open your authenticator app and scan the QR code.

  • Once you scan the QR code, you will see an OTP (one-time password) code in your authenticator app.
  • (Note: If you are using Cisco Duo Mobile or Authy, after you scan the QR code you have to click Save before you can see the OTP. You don't need to do this for other authenticator apps such as Microsoft Authenticator and Google Authenticator.)

10. To finish this off, you need to enter two consecutive codes from your MFA device. Codes rotate every 30 seconds.

  • MFA code 1: type the code currently shown in your authenticator app.
  • MFA code 2: wait for the app to show the next code (it changes after 30 seconds) and type that one. It must be different from the first.

11. Click Add MFA.

Congratulations! You've just added an extra layer of protection for User-1. The next time you log in as User-1, you will need your authenticator app to verify that it's really you trying to log in (and not someone else who stole your password).
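To see why the authenticator app's code changes every 30 seconds and why AWS asks for two consecutive codes, here is an added example (not part of the original exercise) that implements the TOTP algorithm these apps use (RFC 6238, built on HOTP, RFC 4226). The secret is the published RFC test vector, not a real AWS MFA seed; a real seed arrives base32-encoded inside the QR code. The `verify` function shows the server-side check with a small tolerance for clock drift, which is how a service like AWS can accept a code typed a few seconds late.

```python
"""TOTP as used by virtual MFA devices: HMAC-SHA1 over a 30-second time counter.
Added example; the secret below is the RFC 4226/6238 reference secret (constructed
test data), not a real MFA seed."""
import base64
import hashlib
import hmac
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret
STEP_SECONDS = 30  # virtual MFA devices rotate codes every 30 seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"   # keep the last `digits` decimal digits


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of whole steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_seed(seed: str) -> bytes:
    """Seeds are shown base32-encoded (as in the otpauth:// URI behind the QR code);
    authenticator apps accept lowercase, spaces and missing padding."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def two_consecutive_codes(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> tuple:
    """The two codes AWS asks for in step 10: the current window and the one after it.
    They differ because the counter has advanced by one."""
    return totp(secret, unix_time, step=step), totp(secret, unix_time + step, step=step)


def verify(secret: bytes, submitted: str, unix_time: int, step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current window or +/- `skew` neighbouring
    windows (clock drift), comparing in constant time so timing does not leak the digits."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step=step), submitted)
        for k in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    first, second = two_consecutive_codes(RFC_TEST_SECRET, now)
    print(f"code now: {first}, code in {STEP_SECONDS}s: {second}")
    print("accepted:", verify(RFC_TEST_SECRET, first, now))
```

The RFC 6238 vectors (time 59 gives 94287082 with 8 digits, for example) make a handy self-check that the truncation and counter arithmetic are right before trusting an implementation like this with a real seed.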

Task 3: Add the IAM users to IAM groups

In this task, you will add the IAM users to the IAM group. Before you can add the users to the groups, you will first create the IAM groups.

1. You will create 3 IAM groups (EC2-Admin, EC2-Support, and S3-Support). To create an IAM group, make sure you are still in the IAM dashboard, then click User groups on the left side.

2. Similar to IAM users, you will see the list of IAM groups here. It's empty for now as we haven't created a group yet. Click Create group.

3. On the Create user group page, enter this information:

  • User group name: give your IAM group a name. In this exercise, enter EC2-Admin.
  • Add users to the group - Optional: although this is optional, you can add an IAM user to the group you're setting up right now. Check the box next to User-3.
  • Attach permission policies - Optional: skip this for now, because you will set this up separately.
  • Once all is done, click Create group.

4. Create the other two IAM groups (EC2-Support and S3-Support). Follow step 3 again, and don't forget to assign the right user to the right group.

Task 4: Assign an IAM policy to the IAM group

In this task, you will assign an IAM policy to the IAM group.

  1. You will start with EC2-Admin. Users in this group will have full access to Amazon EC2. To assign an IAM policy, make sure you are on the User groups page and click EC2-Admin.
  2. Click the Permissions tab.
  3. Click Add permissions (on the right side) and choose Attach policies.
  4. Once you are on the Attach permission policies to EC2-Admin page, on the search box of Other permissions policies, type EC2Full. Select AmazonEC2FullAccess policy name.
  5. Click Attach policies.

Your output should be similar to the image below. The EC2-Admin group now has the AmazonEC2FullAccess policy!! This means User-3 inherits this policy too, because you added User-3 to this group earlier.

6. Next, you will attach a policy to EC2-Support. To do that, click User groups in the side bar and repeat steps 1 to 5 of this task. The difference is that you will select EC2-Support in step 1 and AmazonEC2ReadOnlyAccess in step 4.

The output should be similar to the image below:

7. Finally, you will attach a policy to S3-Support. To do that, repeat steps 1 to 5 of this task. The difference is that you will select S3-Support in step 1 and AmazonS3ReadOnlyAccess in step 4.

The output should be similar to the image below.

Task 5: Test the policy of each IAM user.

  1. Sign in as your IAM user User-1. To do so, open the .csv file that you saved in Task 1. It should be called User-1_credentials.csv. Once opened, copy the Console sign-in URL and paste it into your browser (Chrome, Safari, Firefox, whatever you use to load websites).
  2. Your .csv file tells you which username and password to use for User-1. Copy them over to the sign-in page!
  3. Once you enter your username and password, you will be prompted for MFA. This is the extra layer of security you set up in Task 2! Enter the MFA code shown in the authenticator app you downloaded.
  4. You have successfully accessed the AWS Management Console as User-1! You will now try to create a bucket on S3. We'll dive into S3 in depth later in this course - but for now, just know that a bucket = a storage folder. To navigate to S3 console, type S3 on the search box, and click S3.
  5. Try to create a bucket, click Create bucket
  6. Just give it a unique bucket name, for example, myfirstbucket31431. Leave the rest as default and click Create bucket
  7. You will see the error message "Failed to create bucket". That's because the S3-Support group only has read-only access. So the test on User-1 was a success - nice!

8. Next, you will test User-2. Repeat steps 1 and 2 from this task to sign in to AWS Management Console as User-2.

9. Once signed in, go to the EC2 console by typing in the search box EC2, and click the EC2 that will appear in the search results.

10. Try to create an EC2 instance by clicking Launch instance:

  • Give a name to your EC2 instance, for example, "MyEC2Instance"
  • Leave the rest as default, and click Launch instance.
  • Create key pair will prompt up, select Proceed without key pair.
  • Click Launch instance again.
  • You will notice that the instance does not launch; error messages appear instead.
  • Niceeee, this means you had a successful test on User-2! 

11. Finally, you will test User-3. Repeat steps 1 and 2 from this task to sign in to your Management Console as User-3.

12. Once signed in, go to the EC2 console and click Launch instance.

13. Try to create an EC2 instance:

  • Name and tags: Give a name of your EC2 instance, for example, "MyEC2Instance"
  • Leave the rest as default, and click Launch instance. Create key pair will prompt up, select Proceed without key pair.
  • Click Launch instance again.

14. You should see a successful launch of the EC2 instance. This means a successful test on User-3!
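The results of Task 5 follow directly from how IAM evaluates a request: statements from the user's own policies and from every group the user belongs to are pooled, an explicit Deny wins over everything, any matching Allow grants the action, and anything not mentioned is implicitly denied. The following added example (not part of the original exercise) models the users, groups and attachments from Tasks 3 and 4 and reproduces each test in Task 5. The policy documents are constructed, abbreviated stand-ins for the managed policies, containing only the statements relevant here; Resource and Condition matching is omitted. Open the real policies under IAM > Policies in the console to see the full documents.

```python
"""Simplified IAM request evaluation for the exercise's users and groups.
Added example with constructed policy stand-ins; only the evaluation order
(explicit Deny > Allow > implicit Deny) and action wildcard matching are real."""
from fnmatch import fnmatchcase

# Abbreviated stand-ins for the managed policies attached in Task 4 (constructed;
# the real documents cover more actions and services).
MANAGED_POLICIES = {
    "AmazonEC2FullAccess": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
    ],
    "AmazonEC2ReadOnlyAccess": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
    "AmazonS3ReadOnlyAccess": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}

# Group memberships (Task 3) and group policies (Task 4).
GROUPS = {
    "EC2-Admin":   {"members": {"User-3"}, "policies": ["AmazonEC2FullAccess"]},
    "EC2-Support": {"members": {"User-2"}, "policies": ["AmazonEC2ReadOnlyAccess"]},
    "S3-Support":  {"members": {"User-1"}, "policies": ["AmazonS3ReadOnlyAccess"]},
}

# Policies attached directly to a user. None in this exercise, but the overview
# mentions user-level attachments, so the evaluator pools them as IAM does.
USER_POLICIES: dict = {}


def statements_for(user: str) -> list:
    """Pool every statement that applies to `user`: direct attachments plus
    the policies of each group the user is a member of."""
    policy_names = list(USER_POLICIES.get(user, []))
    for group in GROUPS.values():
        if user in group["members"]:
            policy_names.extend(group["policies"])
    statements = []
    for name in policy_names:
        statements.extend(MANAGED_POLICIES[name])
    return statements


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive; '*' and '?' are the wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(user: str, action: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action."""
    decision = "ImplicitDeny"                      # nothing matched yet: denied by default
    for stmt in statements_for(user):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"              # an explicit Deny always wins
            decision = "Allow"                     # keep scanning in case a Deny follows
    return decision


def run_task5_tests() -> dict:
    """The actions each user attempts in Task 5 (plus the read-only action each
    group does allow, to show the policy is present, not missing)."""
    attempts = [
        ("User-1", "s3:CreateBucket"),      # Task 5 step 7: fails
        ("User-1", "s3:ListAllMyBuckets"),  # read-only access works
        ("User-2", "ec2:RunInstances"),     # Task 5 step 10: fails
        ("User-2", "ec2:DescribeInstances"),
        ("User-3", "ec2:RunInstances"),     # Task 5 step 14: succeeds
        ("User-3", "s3:CreateBucket"),      # EC2 admin, but no S3 policy at all
    ]
    return {f"{user} {action}": evaluate(user, action) for user, action in attempts}


if __name__ == "__main__":
    for request, decision in run_task5_tests().items():
        print(f"{request:32} -> {decision}")
```

A useful habit when a console test gives an unexpected result is to ask which of the three outcomes you are seeing: an implicit deny means no policy mentions the action at all (the case in Task 5), while an explicit deny means some attached statement forbids it and no Allow anywhere can override it.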

15. To avoid charges for your EC2 instance, you have to delete it. To delete an EC2 instance, select the instance (check the box), click Instance state, and choose Terminate instance.

Note: AWS IAM features are offered at no charge - so you won't be charged even if you decide to keep these users in your account.

16. If you do want to delete IAM users and IAM groups, here are the steps:

  • Head to the IAM console. In the left side panel, under the Access management section, choose Users.
  • Select (check the box) the IAM users that you created in the previous tasks and choose Delete.
  • You will see a pop-up screen for confirmation on deleting the 3 IAM users. To confirm, type delete, and click Delete users.
  • You will see a message saying Users deleted meaning you successfully deleted the IAM users.

Congratulations! You successfully:

  • Created IAM users and IAM groups
  • Enabled multifactor authentication (MFA) for an IAM user
  • Added IAM users to IAM groups
  • Assigned policies to IAM users and IAM groups