Lab 1: Introduction to AWS IAM

Version 3.1.2 (spl66)

AWS Identity and Access Management (IAM) is a web service that enables
Amazon Web Services (AWS) customers to manage users and user
permissions in AWS. With IAM, you can centrally manage users, security
credentials such as access keys, and permissions that control which AWS
resources users can access.

Topics covered
This lab will demonstrate:

• Exploring pre-created IAM Users and Groups

• Inspecting IAM policies as applied to the pre-created groups
• Following a real-world scenario, adding users to groups with specific
capabilities enabled
• Locating and using the IAM sign-in URL
• Experimenting with the effects of policies on service access

Learning Objectives

Upon completion of this lab you will be able to:

1. Create IAM groups

2. Create IAM users
3. Use IAM credentials to log in as created users

Other AWS Services

During this lab, you may receive error messages when performing actions
beyond the steps in this lab guide. These messages will not impact your ability
to complete the lab.
AWS Identity and Access Management
AWS Identity and Access Management (IAM) can be used to:
 Manage IAM Users and their access: You can create Users and assign
them individual security credentials (access keys, passwords, and multi-
factor authentication devices). You can manage permissions to control
which operations a User can perform.
 Manage IAM Roles and their permissions: An IAM Role is similar to a
User, in that it is an AWS identity with permission policies that determine
what the identity can and cannot do in AWS. However, instead of being
uniquely associated with one person, a Role is intended to be assumable
by anyone who needs it.
 Manage federated users and their permissions: You can
enable identity federation to allow existing users in your enterprise to
access the AWS Management Console, to call AWS APIs and to access
resources, without the need to create an IAM User for each identity.
Duration
This lab takes approximately 40 minutes to complete.

Accessing the AWS Management

Console
1. At the top of these instructions, click Start to launch your lab.
A Start Lab panel opens displaying the Lab lab status.
2. Wait until you see the message "Lab status: ready", then click the X to
close the Start Lab panel.
3. At the top of these instructions, click AW
This will open the AWS Management S Console in a new browser
tab. The system will automatically log you in.
Tip: If a new browser tab does not open, there will typically be a
banner or icon at the top of your browser indicating that your browser is
preventing the site from opening pop-up windows. Click on the banner or
icon and choose "Allow pop ups."
4. Arrange the AWS Management Console tab so that it displays along side
these instructions. Ideally, you will be able to see both browser tabs at the
same time, to make it easier to follow the lab steps.
Task 0: Set Users Password Policy
After adding a user into the group and applying policies, you have to set the
password for the users. There are two things that you can do in a password.
— First, you can set password policy, For example, you can give minimum
password length, requires one upper case letter etc. The creating policy is
necessary these days for better security. Password policies for better
understanding is shown in the image below:

Note: we will keep all passwords as 123456.

Task 1: Explore the Users and Groups

In this task, you will explore the Users and Groups that have already been
created for you in IAM.
5. In the AWS Management Console, on the Services menu, click IAM.
6. In the navigation pane on the left, click Users.
The following IAM Users have been created for you:
o user-1
o user-2
o user-3
7. Click user-1.
This will bring to a summary page for user-1. The Permissions tab will be
displayed.
8. Notice that user-1 does not have any permissions.
9. Click the Groups tab.
user-1 also is not a member of any groups.
10. Click the Security credentials tab. user-1 is assigned a Console
password
11. In the navigation pane on the left, click Groups.
The following groups have already been created for you:
ΟEC2-Admin
ΟEC2-Support
Ο S3-Support

12. Click the EC2-Support group.

This will bring you to the summary page for the EC2-Support group.
13. Click the Permissions tab.
This group has a Managed Policy associated with it,
called AmazonEC2ReadOnlyAccess. Managed Policies are pre-built
policies (built either by AWS or by your administrators) that can be
attached to IAM Users and Groups. When the policy is updated, the
changes to the policy are immediately apply against all Users and Groups
that are attached to the policy.
14. Under Actions, click the Show Policy link.
A policy defines what actions are allowed or denied for specific AWS
resources. This policy is granting permission to List and Describe
information about EC2, Elastic Load Balancing, CloudWatch and Auto
Scaling. This ability to view resources, but not modify them, is ideal for
assigning to a Support role.
The basic structure of the statements in an IAM Policy is:
Ο Effect says whether to Allow or Deny the permissions.
Ο Action specifies the API calls that can be made against an AWS Service
(eg cloudwatch:ListMetrics).
Ο Resource defines the scope of entities covered by the policy rule (eg a
specific Amazon S3 bucket or Amazon EC2 instance, or which means any
resource*).
15. Close the Show Policy window.
16. In the navigation pane on the left, click Groups.
17. Click the S3-Support group.
The S3-Support group has the AmazonS3ReadOnlyAccess policy
attached.
18. Below the Actions menu, click the Show Policy link.
This policy has permissions to Get and List resources in Amazon S3.
19. Close the Show Policy window.
20. In the navigation pane on the left, click Groups.
21. Click the EC2-Admin group.
 This Group is slightly different from the other two. Instead of a Managed
Policy, it has an Inline Policy, which is a policy assigned to just one User
or Group. Inline Policies are typically used to apply permissions for one-
off situations.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MyInlinePolicyLab1EC2AdminRights",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*"
}
]
}
22. Under Actions, click Show Policy to view the policy.
This policy grants permission to view (Describe) information about
Amazon EC2 and also the ability to Start and Stop instances.

23. At the bottom of the screen, click Cancel to close the policy.
Business Scenario
For the remainder of this lab, you will work with these Users and Groups to
enable permissions supporting the following business scenario:
Your company is growing its use of Amazon Web Services, and is using many
Amazon EC2 instances and a great deal of Amazon S3 storage. You wish to
give access to new staff depending upon their job function:

Task 2: Add Users to Groups

You have recently hired user-1 into a role where they will provide support for
Amazon S3. You will add them to the S3-Support group so that they inherit
the necessary permissions via the attached AmazonS3ReadOnlyAccess
policy.
You can ignore any "not authorized" errors that appear during this task. They
are caused by your lab account having limited permissions and will not impact
your ability to complete the lab.

Add user-1 to the S3-Support Group

24. In the left navigation pane, click Groups.
25. Click the S3-Support group.
26. Click the Users tab.
27. In the Users tab, click Add Users to Group.
28. In the Add Users to Group window, configure the following:
 Select user-1.
 At the bottom of the screen, click Add Users.
In the Users tab you will see that user-1 has been added to the group.

Add user-2 to the EC2-Support Group

You have hired user-2 into a role where they will provide support for Amazon
EC2.
29. Using similar steps to the ones above, add user-2 to the EC2Support
group.
user-2 should now be part of the EC2-Support group.

Add user-3 to the EC2-Admin Group

You have hired user-3 as your Amazon EC2 administrator, who manage your
EC2 instances.
30. Using similar steps to the ones above, add user-3 to the EC2Admin
group.
user-3 should now be part of the EC2-Admin group.
31. In the navigation pane on the left, click Groups.
Each Group should have a 1 in the Users column for the number of Users in
each Group.
If you do not have a 1 beside each group, revisit the above instructions above
to ensure that each user is assigned to a Group, as shown in the table in the
Business Scenario section.

Task 3: Sign-In and Test Users

You need to sign-in with the user, for that you have to copy the link that is
given in the dashboard. So If you think at the level of organization you can
clearly understand that being an Admin I will provide certain user this link,
their username, and password so that they can login and use the services that
I have allowed him/her under policy.

The image below will guide you where you can find that link:
In this task, you will test the permissions of each IAM User.
32. In the navigation pane on the left, click Dashboard.
An IAM users sign-in link is displayed It will look similar to:
https://123456789012.signin.aws.amazon.com/console
This link can be used to sign-in to the AWS Account you are currently using.
33. Copy the IAM users sign-in link to a text editor.
34. Open a private window.
 Mozilla Firefox

o Click the menu bars at the top-right of the

screen o Select New Private Window

 Google Chrome

o Click the ellipsis at the top-right of the screen

o Click New incognito window

 Microsoft Edge

o Click the ellipsis at the top-right of the screen

o Click New InPrivate window

 Microsoft Internet Explorer

o Click the Tools menu option o Click InPrivate

Browsing
35. Paste the IAM users sign-in link into your private window and press
Enter.
You will now sign-in as user-1, who has been hired as your Amazon S3
storage support staff.
36. Sign-in with:
 IAM user name: user-1  Password: 123456
o

37. In the Services menu, click S3.

38. Click the name of one of your buckets and browse the contents.
Since your user is part of the S3-Support Group in IAM, they have permission
to view a list of Amazon S3 buckets and their contents.
Now, test whether they have access to Amazon EC2.
39. In the Services menu, click EC2.
40. In the left navigation pane, click Instances.
You cannot see any instances! Instead, it says An error occurred fetching
instance data: You are not authorized to perform this operation.. This is
because your user has not been assigned any permissions to use Amazon
EC2.
You will now sign-in as user-2, who has been hired as your Amazon EC2
support person.
41. Sign user-1 out of the AWS Management Console by configuring the
following:
 At the top of the screen, click user-1
 Click Sign Out
42. Paste the IAM users sign-in link into your private window and press
Enter.
This links should be in your text editor.
43. Sign-in with:
 IAM user name: user-2
 Password: 123456
44. In the Services menu, click EC2.
45. In the navigation pane on the left, click Instances.
You are now able to see an Amazon EC2 instance because you have Read
Only permissions. However, you will not be able to make any changes to
Amazon EC2 resources.
If you cannot see an Amazon EC2 instance, then your Region may be
incorrect. In the top-right of the screen, pull-down the Region menu and select
the region that you noted at the start of the lab (eg Oregon).

Your EC2 instance should be selected . If it is not selected, select it.

46. In the Actions menu, click Instance State > Stop.
47. In the Stop Instances window, click Yes, Stop.
 You will receive an error stating You are not authorized to perform this
operation. This demonstrates that the policy only allows you to
information, without making changes.
48. At the Stop Instances window, click Cancel.
Next, check if user-2 can access Amazon S3.
49. In the Services, click S3.
You will receive an Error Access Denied because user-2 does not
permission to use Amazon S3.
You will now sign-in as user-3, who has been hired as your Amazon EC2
administrator.
50. Sign user-2 out of the AWS Management Console by configuring the
following:
 At the top of the screen, click user-2
 Click Sign Out
51. Paste the IAM users sign-in link into your private window and press
Enter.
52. Paste the sign-in link into your web browser address bar again. If it is not
in your clipboard, retrieve it from the text editor where you stored it earlier.
53. Sign-in with:

 IAM user name: user-3

 Password: 123456

54. In the Services menu, click EC2.

55. In the navigation pane on the left, click Instances.
As an EC2 Administrator, you should now have permissions to Stop the
Amazon EC2 instance.
Your EC2 instance should be selected . If it is not, please select it.
If you cannot see an Amazon EC2 instance, then your Region may be
incorrect. In the top-right of the screen, pull-down the Region menu and select
the region that you noted at the start of the lab (eg Oregon).
56. In the Actions menu, click Instance State > Stop.
57. In the Stop Instances window, click Yes, Stop.
The instance will enter the stopping state and will shutdown.
58. Close your private window.
Lab Complete
Congratulations! You have completed the lab.
59. Click End at the top of this page and then click Yes to confirm that you
want Lab to end the lab.
A panel will appear, indicating that "DELETE has been initiated... You may
close this message box now."
60. Click the X in the top right corner to close the panel.

Conclusion
Congratulations! You now have successfully:
 Explored pre-created IAM users and groups
 Inspected IAM policies as applied to the pre-created groups
 Followed a real-world scenario, adding users to groups with specific
capabilities enabled
 Located and used the IAM sign-in URL
 Experimented with the effects of policies on service access

Some Questions
Q1) What kinds of security credentials can IAM users have?
Ans- IAM users can have any combination of credentials that AWS
supports, such as an AWS access key, X.509 certificate, SSH key, password
for web app logins, or an MFA device. This allows users to interact with
AWS in any manner that makes sense for them.
Q2) What are the features of IAM roles for EC2 instances?
Ans- IAM roles for EC2 instances provides the following features:

– AWS temporary security credentials to use when making requests

from running EC2 instances to AWS services.

– Automatic rotation of the AWS temporary security credentials.

– Granular AWS service permissions for applications running on EC2

instances
Q3) Mention few IAM best Practises?
Ans- Some of the best practises to be followed during IAM are mentoned
below:

 Lock Away Your AWS Account Root User Access Keys

 Create Individual IAM Users

 Use AWS Defined Policies to Assign Permissions Whenever

Possible

 Use Groups to Assign Permissions to IAM Users

 Grant Least Privilege

 Use Access Levels to Review IAM Permissions

 Configure a Strong Password Policy for Your Users

 Enable MFA for Privileged Users

 Use Roles for Applications That Run on Amazon EC2 Instances

 Delegate by Using Roles Instead of by Sharing Credentials

 Rotate Credentials Regularly

 Remove Unnecessary Credentials

 Use Policy Conditions for Extra Security

 Monitor Activity in Your AWS Account

Part 2:

Best practices for permissions image

This hands-on lab is broken into the following parts:

 Launch EC2 Instances with Tags

 Create AWS IAM Identities
 Test the access for resources

Assign IAM Role for EC2 Instance and Test the access

This hands on lab is broken into the following parts:

1. Launch EC2 Instances with Tags

2. Create AWS IAM Identities
3. Test the access for resources
4. Assign IAM Role for EC2 Instance and Test the access

Launch EC2 Instances with Tags

Todo: deployed two instances(servers) with different resource tags (DEV
and PROD)

Launch EC2 Instances with Tags

In this lab, we will launch two Amazon Linux 2 instances. Suppose one is an EC2
instance used in a development environment and the other one used in a production
environment. We will use tags to distinguish these two instances.

1. Enter into EC2 Console in AWS Management

Console.

Click on EC2 Dashboard near the top of the leftmost menu. And Click on Launch
instances.
2. In Name, enter the value prod-instance. And click on Add additional
tags.

3. Click Add tag then in Key enter Env,

and Value enter prod.

4. Check the default settings for Amazon Machine Image and select t2.micro in
Instance
 Type.

5. In Key pair (login) select Proceed without a key pair. Then click Launch
instance.

We launched the instance(s) with a default security group setting only for workshop purposes.
Rules with source of 0.0.0.0/0 allow all IP addresses to access your instance. We recommend
setting security group rules to allow access from known IP addresses only.
6. You have launched an EC2 instance for production environment. Now you
have to create one more EC2 instance for development
environment. Repeat the above instructions(start with no.1 to no.5), but with
a different Name and Env tag in step no.2 and step no.3 as follows.

KEY VALUE

Name dev-instance

Env dev

7. After you launched two instances, you can find them in the instances menu in
the sidebar. Click the prod-instance checkbox and click the Tags tab in the
bottom of the page. You can see details about this EC2 instance's tag
 information.

Great Job! You have deployed two instances(servers) with different resource tags.

Create AWS IAM Identities

ToDo: To create AWS Identities
Create AWS IAM Identities

In this chapter, we will work on creating AWS IAM Identities. AWS IAM Identity
includes IAM Users, IAM User groups, and IAM Roles. Also, we will work on
creating IAM Policy an object in AWS that, when associated with an identity or
resource, defines their permissions.
This chapter consists of the following steps.

 Create IAM Policy to attach to IAM User group

 Create IAM User group named dev-group
 Create IAM User which name is dev-user placed in dev-group

1. Log in to IAM console . To generate a console login Sign-in URL, click

the customize button as shown
below.
 2. Input account alias. For this lab, type aws-login-user_name and click create
alias button.

3. Click Policies on the left side of the IAM console, and then click the Create
Policy button placed at the top of the right
corner.

4. When defining policy for the AWS permissions, you can create and edit in
visual editor or JSON. In this lab, we will use JSON method. Briefly describe
the permission below, this policy allows all actions for EC2 tagged as Env-
dev. Also, it allows describe-related actions for all EC2 instances. But
it denies create and delete tags action to prevent users from modifying tags
arbitrarily. Note that deny effect takes precedence over allow effect.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
 "StringEquals": {
"ec2:ResourceTag/Env": "dev"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Resource": "*"
}
]
}
Click the JSON tab and paste the above policy and click Next:
Tags button.

JSON policy structure

 Version: use the latest 2012-10-17 version

 Statement: can include more than one statement in a policy
 Sid(optional): an optional statement ID
 Effect: use Allow or Deny to indicate the policy allows or denies
access. Deny has priority
 Principal: If you create a resource-based policy, you must indicate the
account, user, role, or federated user to which you would like to allow
or deny access. If you are creating an IAM permissions policy to attach
to a user or role, you cannot include this element. The principal is
implied as that user or role.
 Action: a list of actions that the policy allows or denies
 Resource: If you create an IAM permissions policy, you must specify a
list of resources to which the actions apply. If you create a resource-
based policy, this element is optional. If you do not include this
element, then the resource to which the action applies is the resource
to which the policy is attached.
 Condition Block(optional): Specify the circumstances under which
the policy grants permission

5. Keep default settings on next step, click Next: Review button. Write
down DevPolicy in the name section, and write down description for
this policy. Next click the Create policy
button.

KEY VALUE

Name DevPolicy

Description IAM Policy for Dev Group

6. Click User groups on the left side of the IAM console, and then click
the Create group button placed at the top of the right
corner.
7. Type dev-group for User group name and select DevPolicy in Attach
permissions policies -
Optional section.

KEY VALUE

User group name dev-group

8. Click Users on the left side of the page, and then click the Add
users button.
9. Type dev-user on User name and allow two access type both Programmatic
access and AWS Management console access. And then, select Custom
password and type password that you want. Finally, uncheck Require
password reset function for quick action. In real world, it is recommended to
activate the password reset. Click Next:
Permissions button.

10. Select dev-group that we created right before and click Next: Tags button.
Skip Add user page and move on to next
step.
Click Create user button for adding dev-
user.

Download csv file to attain Access key ID and Secret access key. Also, you can send
instructions for login.

11. Click Sign-in URL to log in as dev-

user.
 12. Type IAM user name and Password for log in and sign in for entering into
AWS management
console.

Great Job! You have created AWS Identities. Next chapter, we will check whether the

permission we set works properly.

Test the access for resources

Test the access for EC2 instance

1. Log in AWS console and check IAM User and account alias. Also,
check AWS region that launched EC2 instances are
located.
2. Move on to the EC2 console and click Instances menu. Select the instance
named prod-instance and click Instance state button and Stop
instance button. And click Stop button in the pop-up
window.

3. A warning sign appears that dev-user doesn't have permissions to perform

the stop EC2 instance operation. This is because the previous hands on lab
only allowed dev-user to perform the stop action on the ec2 instances with the
resource tag Env(key)-
dev(value).

4. Select the instance named dev-instance and click Instance state button
and Stop instance button. And click Stop button in the pop-up
window.
 5. After a few seconds, you can see the dev instance has been
stopped.

Great Job! You tested the permission for each EC2 instance. Next chapter, we will
learn about AWS IAM Role for AWS resources!

Tip - IAM Policy Simulator (Optional)

In the real world, you may not want to actually shut down your EC2 instance to test your
custom IAM policy. The policy simulator is a tool that lets you examine and validate the
permissions your policies set. In this step, we will test dev-group's permission by
simulating DeleteTags and StopInstances actions using IAM policy simulator. Skipping
this step does not affect to your next hands-on labs.
The dev-user you were using does not have IAM Policy Simulator access. Please login
as Administrator.

1. Move to IAM Policy simulator.

2. Select dev-group

3. Select DeleteTags and StopInstances actions to

test.

4. You can see both actions are denied but with different
reasons. DeleteTags was denied because of 1 matching
statements and StopInstances was Implicitly denied (no matching
 statements).

5. Expand DeleteTags and click Show statement in DevPolicy (IAM Policy). It

automatically highlights which statement exactly matched with your simulated
action.

6. Expand StopInstances. The action was denied because the simulation

resource is "*". Please note that dev-group can only stop EC2 instances
having dev tags.

7. Now we will test the policy after adding dev tag to validate the policy
correctly.

Great Job! You just tested the your custom IAM policy without affecting your

environment.
Assign IAM Role for EC2 Instance and
Test the access
Re-login to the AWS account with administrator role at the beginning of the hands on
lab, not dev-user before proceeding with this chapter.

1. To create S3 Bucket, enter into the S3 console . And then, click Create
bucket button. For more detail information on Amazon S3, please refer to
the Storage on
AWS chapter.

2. Enter a unique bucket name in the Bucket name field. In this lab, type iam-
test-user_name. All bucket names in Amazon S3 have to be unique and
cannot be duplicated. Click Create bucket button, leaving the remaining
settings
intact.
3. Upload any file(sample: aws-logo-picture ) in the S3
bucket.

4. Create one more bucket named iam-test-other-user_name. Upload any file

in the S3 bucket.
5. Move on to the IAM console to create IAM role for EC2 instance.
Click Roles on the left side of the IAM console and click Create role button.
On first step, choose EC2 for trusted entity and click Next: Permissions. IAM
Role can be applied to many AWS services including EC2 and Lambda, as
well as other AWS accounts, Web identity, and SAML 2.0
 federation.

6. In step 2, click Create policy to create a policy to attach to the EC2 instance's
role. On the JSON tab, paste the policy below and click Next: Tags.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
 "Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::iam-test-user_name/*",
"arn:aws:s3:::iam-test-user_name"
]
}
]
}

In the json file above, make sure to change the value in the Resource to the name of
the S3 bucket you created.

7. To skip adding tags operation, click Next:Review and

type IAMBucketTestPolicy in the Name input box. Click Create policy to
attach to IAM
 role.

8. Back to the page where you were creating IAM Role, press the refresh button
on the right corner and type IAMBucketTestPolicy. If you see the policy you
just created in the list below, select it and go to the next
step.

9. In step 4, type IAMBucketTestRole and create

role.
10. Move on to the EC2 console to attach IAM role on the EC2 instance. At this
time, if you don't have EC2 instances created in the previous lab, check the top
right to see whether AWS Region is properly set up. Select prod-instance,
then click
the Connect button.

11. Connect to instance by using EC2 Instance Connect option, and

click Connect button. Then the terminal will come out as below. Type aws s3
ls and you cannot get S3 bucket
lists.

12. Back to the Instances page and select prod-instance. Click Actions button

and select Security and click Modify IAM role.

13. In IAM role, select IAMBucketTestRole and click Save button to attach IAM
role to EC2
 instance.

14. Again, connect to the EC2 instance and type aws s3 ls again. Now you can
see S3 bucket lists. Also, you can see object list placed in iam-test-
user_name but not in iam-test-other-user_name because you don't have
IAM policy for this
bucket.

1
2
3
4
5
aws s3 ls

aws s3 ls iam-test-user_name

aws s3 ls iam-test-other-user_name
Great Job! You finished all hands on lab about IAM

Clean Up Resources
Cleaning up Your Resources

In EC2 console , delete dev-instance and prod-

instance.

In IAM console , delete all IAM Identities that you created.

 User groups: dev-

group

 Users: dev-user
  Roles: IAMBucketTestRole

 Policies: DevPolicy, IAMBucketTestPolicy

In S3 console , delete iam-test-user_name and iam-test-other-

user_name bucket. Before deleting iam-test-user_name, you have to Empty bucket
first.