
Preparing AWS account

First, here is a glossary of terms that will be used throughout this guide:

Parent account - the organization's top-level AWS account (the AWS Organizations management
account), under which all other accounts are created. Its root user should only be used for the
initial setup described below.

Subaccount - a member account created under the parent account, used to group resources for
billing and permission management purposes (e.g. one subaccount per environment).

IAM user account - a user account inside the parent account, used for logging into the AWS
Management Console and performing daily operations.

Setting up IAM users and groups

The best practice is to use the parent account's root user only for the initial IAM user setup: give it
a strong password, enable multi-factor authentication (MFA) on it, store the credentials in a safe
place, and ideally never sign in as root again. Daily operations should be done with IAM user
accounts, which have the following benefits:

No need to maintain multiple credentials - a single IAM user can reach all of the organization's
AWS accounts by switching into a role in each subaccount.
Each IAM user is tied to one person, so access is easy to revoke when employees or contractors
leave the project.
IAM users can be placed in groups, so fine-grained access control is possible, e.g. giving certain
employees access to the development environment but not to production.

Below is a step by step process for creating IAM groups:

1. Go to Identity and Access Management (IAM) in the AWS console.


2. Select the "Groups" menu item.
3. Click the "Create New Group" button.
4. Provide a name for the group, e.g. "staging-developers". IAM group names cannot contain
spaces; only letters, digits and the characters +=,.@-_ are allowed.
5. Skip policies for now. We will add them later, after we set up subaccounts in AWS.
6. Create the group.

Below is a step by step process for creating IAM user accounts:

1. Go to Identity and Access Management (IAM) in the AWS console.


2. Select the "Users" menu item.
3. Click the "Add user" button and fill in the details:

Enter a username, e.g. "firstname.lastname", so that every account is attributable to one
person.
Enable "Programmatic access" only if API access is actually needed; this creates long-lived
access keys that have to be protected and rotated.
Enable "AWS Management Console access" if access via the web console is needed.
Select the option "Autogenerated password" to make sure a strong temporary password is
generated.
Select the option "Require password reset" to force the user to change the password upon first
login. This reduces the risk of the temporary password leaking while it is shared (e.g. via IM) and
improves traceability, since nobody but the user knows the final password.

4. Assign the new user to the groups for which access is needed.
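The same group and user setup, done with the AWS CLI instead of the console, as an added example (this is not the guide's own code). It assumes AWS CLI v2 is installed and that the shell already holds administrator credentials for the parent account; the user and group names are placeholders. Only the helper functions run when the file is loaded; nothing calls AWS until you invoke create_group or create_iam_user yourself.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): CLI equivalent of the console
# steps for creating an IAM group and a console user in the parent account.
# Assumes AWS CLI v2 and administrator credentials for the parent account in
# the current shell. Names used in the comments are placeholders.
set -eu

# Enforce the "firstname.lastname" naming convention so that every user maps
# to exactly one person (no shared "deploy" or "ops" users).
validate_username() {
  local name="$1"
  case "$name" in
    *[!a-z0-9.]*) echo "only lowercase letters, digits and dots allowed: '$name'" >&2; return 1 ;;
  esac
  case "$name" in
    [a-z]*.[a-z]*) ;;
    *) echo "expected firstname.lastname, got '$name'" >&2; return 1 ;;
  esac
  [ "${#name}" -le 64 ]   # IAM limit on user name length
}

# Random temporary password (18 random bytes, base64) plus a short suffix so it
# also passes account password policies that demand mixed case, a digit and a
# symbol. The user must change it at first login, so the admin never knows the
# final password.
temp_password() {
  printf '%s!Aa1' "$(head -c 18 /dev/urandom | base64)"
}

create_group() {          # usage: create_group staging-developers
  aws iam create-group --group-name "$1"
}

# usage: create_iam_user jane.doe staging-developers [--programmatic]
create_iam_user() {
  local user="$1" group="$2" pw
  validate_username "$user"
  aws iam create-user --user-name "$user"
  pw="$(temp_password)"
  # Console access with a one-time password that must be changed at first login.
  aws iam create-login-profile --user-name "$user" --password "$pw" --password-reset-required
  aws iam add-user-to-group --user-name "$user" --group-name "$group"
  echo "temporary password for $user (share it out of band, not over IM): $pw"
  # Long-lived API keys only when programmatic access is really needed.
  if [ "${3:-}" = "--programmatic" ]; then
    aws iam create-access-key --user-name "$user"
  fi
}
```

Run it as `create_group staging-developers` followed by `create_iam_user jane.doe staging-developers`; the printed temporary password is the only secret that ever leaves the script, and it stops working after the forced reset.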

Creating an AWS subaccount for hosting a group of resources (e.g. a staging environment)

It is recommended to have a separate subaccount for each project/environment, as this makes billing
and access control easier and limits the blast radius of a compromised credential to one environment.
Ideally, the parent account should contain only IAM users and nothing else.

Below are the steps for setting up a new subaccount in AWS:

1. Log in with an IAM user that has full administrator access to the AWS parent account.
2. Before creating a new subaccount, ensure that the "Enable Tax Settings Inheritance" checkbox is
enabled in the Tax settings of your parent account. Otherwise, AWS may send you incorrect
invoices at the end of the month.
3. Go to "My Organization" in the AWS Console.
4. Click the "Add account" button.
5. Click "Create account".
6. A form will open.

7. Fill in the form:

AWS account name - an easy to remember name for your subaccount, e.g. "Staging
environment".
Email - create a new email address for this subaccount, e.g. admin@staging.yourdomain.com
or similar. This address is used to recover the subaccount's root password, so it must be a
mailbox your organization controls, not a personal one.
IAM role name - you can leave it blank; AWS will use the default value,
"OrganizationAccountAccessRole". A role with this name will be created in the new
subaccount with administrator permissions, trusting the parent account, so that it can be
administered via IAM.

8. Click the "Create" button.
9. Account creation may take a few minutes; you will soon receive a welcome email.
10. The new account's root user will not have a password set, and you do not need one, since the
account will be managed through the role above. Anyone who can read the email address given in
the form can reset that root password, so protect the mailbox accordingly.

Giving IAM groups admin access to the new subaccount

1. Log in with an IAM user that has full administrator access to the AWS parent account.
2. In order to give access to a subaccount, you first need to know its ID. While still in your parent
account, go to the "My Organization" page and note the "Account ID" that has been assigned to the
subaccount to which you would like to give access.
3. Now follow the steps described in the AWS documentation on accessing member accounts to
grant the group permission to assume the subaccount's role (see the section "To grant permissions
to members of an IAM group in the master account to access the role (console)"). The permission
the group needs is sts:AssumeRole on the "OrganizationAccountAccessRole" role of that one
account ID, and nothing broader.

Gaining access to subaccounts via IAM user of a parent account

1. This step requires the user to be a member of an IAM group that has access to the subaccount,
so the steps described in the previous section must be performed first.
2. When you log in with your IAM credentials, you will be managing your parent AWS account by
default, since the IAM users are set up in it.
3. In order to gain access to a subaccount, you first need to know its ID. While still in your parent
account, go to the "My Organization" page and note the "Account ID" that has been assigned to the
subaccount that you would like to access.
4. Now follow the steps described in the AWS documentation on accessing member accounts to
switch into the subaccount's role (see the section "To switch to the role for the member account
(console)"). After switching, check that the account ID shown in the console is the subaccount's,
not the parent's, before changing anything.
