IAM stands for Identity and Access Management. It controls access to AWS resources; in other words, it defines “who can do what”. If you have been using AWS for a while and are not aware of IAM, here is how it can help you.
Consider a scenario where an organization has a single AWS account for all its needs, and several people use that account with the same access key and secret access key for the various CLI tools and SDKs that AWS provides.
This is an anti-pattern and is not recommended. If one of these people leaves the organization, they walk out with the shared access key and secret key, which give full control of the account. The only way to cut them off is to rotate those shared credentials, which breaks every tool and every other person using them at the same time. And because everyone acts under one identity, there is no way to tell afterwards who did what in the account.
Closing the account would also work, but that is not an option for most.
Of the options IAM offers, the one I use and always recommend to others is this: create an IAM user for every individual who works in your account, each with their own password and their own access keys for the same account.
Along with that, you can assign permissions per user: if user A should only access S3, that is as simple as selecting an option in the console. You can also create groups and assign permissions to the group; for example, define a group named admin, grant it administrator permissions, and add users to it.
The steps are listed below and shown in the following screencast:
Step-1) Go to IAM.
Step-2) Click on “Create new group of users”.
Step-3) Enter a group name in the popup and click continue.
Step-4) On the next tab, choose the permissions, for example “Admin Access”; the console then displays the policy document that AWS uses internally for that choice. Click continue to go to the next tab.
Step-5) On the following screen, click the “Create new user” tab and enter a username in one of the text boxes provided. While creating users, you can also choose whether to generate access keys for each of them. Select continue, which opens a popup.
Step-6) The popup shows the information you have entered; confirm it and select continue.
Step-7) The last screen confirms that the user has been created. Remember to download the credentials here: the secret access key is shown only this once and cannot be retrieved afterwards. Then click “Close window” to finish.
From now on, if one of the admins leaves your organization, you simply delete their IAM user (or, as a first step, their access keys), and they can no longer touch your account. Their credentials stop working immediately, and nobody else’s are affected.
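The same onboarding as the console steps above, plus the cleanup that deleting a departed admin’s user actually requires, as an added example in Python with boto3 (not code from the original post or from AWS). It assumes boto3 is installed and the caller’s credentials may administer IAM; `onboard`, `offboard`, `_is_code` and `FakeIAM` are names chosen here, and `FakeIAM` is a constructed in-memory stand-in for `boto3.client("iam")` so the block runs without an AWS account.

```python
"""Create and remove IAM users from code: the console steps above, plus the
cleanup that deleting a departed admin's IAM user actually requires.
Added example, not from the original post or from AWS. Assumes boto3 is
installed and the caller may administer IAM; pass boto3.client("iam") as
`iam`. FakeIAM below is a constructed in-memory stand-in for offline runs."""
import secrets

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # AWS managed policy

def _is_code(exc, code):
    """True if exc is a botocore-style ClientError carrying this error code."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code") == code

def onboard(iam, user_name, group_name="admin", policy_arn=ADMIN_POLICY_ARN):
    """Group (created if missing) + policy + user + membership + one access key
    and a console password that must be changed at first login. Returns the
    secrets: the API, like the console, never shows the secret key again."""
    try:
        iam.create_group(GroupName=group_name)
    except Exception as exc:
        if not _is_code(exc, "EntityAlreadyExists"):
            raise
    iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
    iam.create_user(UserName=user_name)
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    password = secrets.token_urlsafe(16) + "-Aa1"  # satisfies the default password policy
    iam.create_login_profile(UserName=user_name, Password=password, PasswordResetRequired=True)
    return {"AccessKeyId": key["AccessKeyId"], "SecretAccessKey": key["SecretAccessKey"],
            "Password": password}

def offboard(iam, user_name):
    """Revoke, then delete. DeleteUser fails with DeleteConflict while the user
    still has access keys, a console password or group memberships, so those
    go first; keys and password first of all, since they are what a departed
    person can still use. Returns what was revoked."""
    revoked = {"keys": [], "login_profile": False, "groups": []}
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
        revoked["keys"].append(k["AccessKeyId"])
    try:
        iam.delete_login_profile(UserName=user_name)
        revoked["login_profile"] = True
    except Exception as exc:
        if not _is_code(exc, "NoSuchEntity"):  # user never had console access
            raise
    for g in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=g["GroupName"], UserName=user_name)
        revoked["groups"].append(g["GroupName"])
    # MFA devices, policies attached directly to the user, signing certificates,
    # SSH keys and service-specific credentials also block deletion and are
    # removed the same way (list, then delete/deactivate each) when present.
    iam.delete_user(UserName=user_name)
    return revoked

class _Err(Exception):
    """Constructed error with the .response shape of botocore's ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeIAM:
    """Constructed offline stand-in for boto3.client("iam"); only the calls used above."""
    def __init__(self):
        self.users, self.groups, self.keys, self.profiles = set(), {}, {}, set()
    def create_group(self, GroupName):
        if GroupName in self.groups:
            raise _Err("EntityAlreadyExists")
        self.groups[GroupName] = {"policies": set(), "members": set()}
    def attach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]["policies"].add(PolicyArn)
    def create_user(self, UserName):
        self.users.add(UserName)
        self.keys[UserName] = []
    def add_user_to_group(self, GroupName, UserName):
        self.groups[GroupName]["members"].add(UserName)
    def remove_user_from_group(self, GroupName, UserName):
        self.groups[GroupName]["members"].discard(UserName)
    def create_access_key(self, UserName):
        key = {"AccessKeyId": "AKIA" + secrets.token_hex(8).upper(),
               "SecretAccessKey": secrets.token_urlsafe(30)}
        self.keys[UserName].append(key)
        return {"AccessKey": key}
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k["AccessKeyId"]} for k in self.keys[UserName]]}
    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]
    def create_login_profile(self, UserName, Password, PasswordResetRequired):
        self.profiles.add(UserName)
    def delete_login_profile(self, UserName):
        if UserName not in self.profiles:
            raise _Err("NoSuchEntity")
        self.profiles.discard(UserName)
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g, v in self.groups.items() if UserName in v["members"]]}
    def delete_user(self, UserName):
        if self.keys[UserName] or UserName in self.profiles or self.list_groups_for_user(UserName)["Groups"]:
            raise _Err("DeleteConflict")
        self.users.discard(UserName)
```

For the S3-only user from the earlier paragraph, call `onboard` with a different group name and `policy_arn="arn:aws:iam::aws:policy/AmazonS3FullAccess"`, which is the AWS managed policy for that case. Deleting an access key (or setting it Inactive with `update_access_key`) takes effect immediately, so a departing admin’s keys stop working the moment `offboard` runs; the rest of the function exists because IAM refuses to delete a user who still owns anything.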
Note: IAM users do not sign in through the normal AWS login screen (that screen is for the account’s own root credentials); they use the account-specific IAM sign-in link.
To find that link, go to the IAM dashboard, where you will see the “IAM users sign-in link”, which looks like “https://xxxxxxx.signin.aws.amazon.com/console”. IAM users use this link to sign in to the AWS console.