AWS IAM For Dummies - A Quickstart Accountant Access Guide
Identity and Access Management (IAM) is the AWS service that lets you control who can access which resources in your AWS account.
I believe in keeping things simple, and way back ages ago when I wanted to learn about IAM, I found that most of the guides online were overcomplicated. So I promised myself that I’d create a guide to getting up-to-speed with IAM quickly. This is that guide.
Why We Use IAM
In a real-world scenario, you don’t want every user to have unlimited access to your AWS account. Maybe Bob the junior developer should only have the ability to restart test EC2 instances, while managers have access to everything and the accounting team just has access to billing.
AWS IAM is the service that lets you create users & groups. You’ll then normally associate particular groups or users with permissions which dictate how much control they have within the API and console.
The convoluted guides I used to learn IAM gave me the impression that IAM was complex. This couldn’t be further from the truth. In fact, you just need to get your head around the four main aspects, those being:
A user represents either a person or application that will interact with the AWS Console or API in some way.
IAM groups are collections of users.
If you have a bunch of users who need the same permissions, stick them in the same group and benefit from the ability to update the privileges of all members in the group, in one go.
Roles are like users, in the sense that they are identities with permission policies. The key difference is that roles do not have an access key or password; instead, a trusted principal (such as an EC2 instance or another AWS account) assumes the role and receives temporary credentials.
You’ll typically want to use a role when you wish to deploy an instance without storing any long-lived keys within the instance.
Policies are JSON documents which list permissions: which actions are allowed (or denied) on which resources. You may attach policies to individual users, to groups, and to roles.
We’re going to create a user that only has access to the billing area of our account.
Restrictions are commonly required for the accounting team in your business since we don’t want Susan in accounting to go messing about with load balancers and lambdas by mistake.
In tech, it’s best to follow the Principle of least privilege which means that we should only give users permission to view and change things that they have an actual business need for.
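To make the user/group/policy relationship and least privilege concrete, here is an added example (not code from the original article) that models how IAM decides whether a user may perform an action. It collects every policy that applies to a user, directly attached or inherited through group membership, and applies the core IAM rule: an explicit Deny always wins, otherwise some matching Allow is required, otherwise the request is implicitly denied. Real IAM evaluates many more elements (conditions, resource policies, permission boundaries, SCPs) and the policy documents, user names and resource ARNs below are constructed for illustration, not the contents of the AWS-managed Billing policy.

```python
"""Simplified IAM evaluation model (added example; all names constructed)."""
from fnmatch import fnmatchcase

# Constructed policy documents in the IAM JSON shape.
# Susan in accounting: view-only billing actions, nothing else.
BILLING_VIEW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"],
         "Resource": "*"},
    ],
}
# Bob the junior developer: may look at and reboot instances...
TEST_EC2_RESTART = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RebootInstances", "ec2:DescribeInstances"],
         "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/*"},
    ],
}
# ...but an explicit Deny fences off anything tagged as production (constructed IDs).
DENY_PROD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "ec2:*",
         "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/i-prod*"},
    ],
}

# Group -> attached policies, user -> group memberships, user -> directly attached policies.
GROUP_POLICIES = {
    "AccountsBilling": [BILLING_VIEW],
    "JuniorDevs": [TEST_EC2_RESTART, DENY_PROD],
}
USER_GROUPS = {"susan": ["AccountsBilling"], "bob": ["JuniorDevs"]}
USER_POLICIES = {}  # nobody has a policy attached directly; groups do the heavy lifting


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def policies_for(user):
    """Every policy that applies to a user: directly attached plus one per group membership."""
    docs = list(USER_POLICIES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        docs.extend(GROUP_POLICIES.get(group, []))
    return docs


def _statement_matches(stmt, action, resource):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def is_allowed(user, action, resource="*"):
    """Explicit Deny > Allow > implicit Deny, across all of the user's policies."""
    allowed = False
    for doc in policies_for(user):
        for stmt in doc["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False          # one matching Deny ends the evaluation
            allowed = True            # keep looking in case a Deny follows
    return allowed


if __name__ == "__main__":
    test_box = "arn:aws:ec2:eu-west-1:111122223333:instance/i-test1"
    prod_box = "arn:aws:ec2:eu-west-1:111122223333:instance/i-prod1"
    print("susan views billing:", is_allowed("susan", "aws-portal:ViewBilling"))
    print("susan reboots test box:", is_allowed("susan", "ec2:RebootInstances", test_box))
    print("bob reboots test box:", is_allowed("bob", "ec2:RebootInstances", test_box))
    print("bob reboots prod box:", is_allowed("bob", "ec2:RebootInstances", prod_box))
```

The useful check for least privilege is the second line of output: Susan's billing group grants nothing in the ec2 namespace, so the request is implicitly denied without any Deny statement being written. Bob's case shows why explicit Deny statements are worth adding anyway: even if someone later attaches a broader Allow to his group, the production instances stay off limits.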
Let’s get started by creating a group.
- Navigate to the IAM console and select the groups page from the sidebar
- Click on the “Create New Group” button
Name Your Group
Give your group a meaningful name. I’m calling mine “AccountsBilling”. Then click the next button.
Assign A Policy
This next step is where things get a little more interesting. Remember that the policy is the set of permissions that the users in this group are going to be granted.
You can create your own policies, or use the existing policies already created by AWS. The number of pre-existing policies is probably quite intimidating at this stage.
But we’re in luck, since all of the existing policies follow a nice naming convention. For example, the existing policy named AWSLambdaFullAccess will grant the group full access to AWS Lambda. Most existing policies follow the naming convention “product name” + “access level”.
AWS happens to supply us with a nice premade policy called Billing. I’m going to select that policy and then click on the Next button to continue to the next step.
At the review screen, hit the Create button.
If everything went well, you should now see your new group in the list.
We’re now ready to create our first user.
- Navigate to the IAM console and select the Users option from the sidebar.
- Select Add user
We’re now going to name our user and for the purpose of this tutorial we’re going to set a password for the user ourselves.
Because this user is going to be a real-world person, we’re ticking the box for “AWS Management Console access”. If the user were a program connecting to AWS via the API, we would select “Programmatic access” instead.
When you’re ready, click Next.
You can now directly set permissions to the user, or assign the user to a group.
Since we already created a group (AccountsBilling) to do all of the heavy lifting, select the group you just created and then click on the next button.
Tags are optional elements used to keep track of resources on your AWS account.
For the purposes of this tutorial we’re not going to assign the user any tags. Click Next.
When you’re ready at the review screen, click Create User.
You’ll then be presented with a screen where you can click on the “email login instructions”. You’ll typically want to email the instructions to the user in question so that they can access the AWS console from the link provided.
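The same group-then-user procedure, expressed as AWS CLI calls rather than console clicks, as an added example that is not part of the original article. It assumes the AWS CLI is installed and configured with administrator credentials, and that the managed Billing policy lives at the ARN shown (an assumption; confirm it with `aws iam list-policies --scope AWS`). The `aws_cli` wrapper exists only so the functions can be exercised without touching a real account; the group name, user name and initial password are constructed sample values.

```shell
#!/bin/sh
# Added example: console steps from the article as AWS CLI commands.
# Assumes: AWS CLI installed and configured with admin credentials.
set -eu

aws_cli() { aws "$@"; }   # thin wrapper so the calls can be stubbed

GROUP_NAME="${GROUP_NAME:-AccountsBilling}"
# Assumed ARN of the AWS-managed Billing policy; verify in your account.
BILLING_POLICY_ARN="arn:aws:iam::aws:policy/job-function/Billing"

# Steps 1-3 from the article: create the group and attach the Billing policy.
create_billing_group() {
    aws_cli iam create-group --group-name "$GROUP_NAME"
    aws_cli iam attach-group-policy \
        --group-name "$GROUP_NAME" \
        --policy-arn "$BILLING_POLICY_ARN"
}

# Steps 4-6: create a console user and put them in the group.
# A login profile is what "AWS Management Console access" means; no access
# key is created, so the user has no programmatic access at all.
# The initial password should be generated by a password manager; it is
# forced to change at first sign-in so the value you hand over is short-lived.
create_billing_user() {
    user="$1"
    initial_password="$2"
    aws_cli iam create-user --user-name "$user"
    aws_cli iam create-login-profile \
        --user-name "$user" \
        --password "$initial_password" \
        --password-reset-required
    aws_cli iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$user"
}

# Least-privilege check: list every managed policy a user inherits via groups.
effective_group_policies() {
    user="$1"
    for g in $(aws_cli iam list-groups-for-user --user-name "$user" \
                 --query 'Groups[].GroupName' --output text); do
        aws_cli iam list-attached-group-policies --group-name "$g" \
            --query 'AttachedPolicies[].PolicyArn' --output text
    done
}

# Usage: sh iam-billing.sh setup <user-name> <initial-password>
#        sh iam-billing.sh check <user-name>
case "${1:-}" in
    setup) create_billing_group; create_billing_user "$2" "$3" ;;
    check) effective_group_policies "$2" ;;
esac
```

Run `check` after `setup`: the only ARN it should print for the new user is the Billing policy. Anything else means the user was added to another group somewhere along the way, which is exactly the kind of drift least privilege is meant to catch.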
Final Possible Change
The knowledge in this article should be useful for creating any set of users/groups. However, it’s worth noting that you must enable billing access for IAM users from the administrator account: select My Account, scroll down to IAM User and Role Access to Billing Information, click Edit, tick the Activate IAM Access checkbox and finally click Update. Until that is done, the Billing policy alone is not enough for the user to see the billing pages.
I hope you now have an understanding of how to create IAM users & groups. You should also know how to assign roles & policies to your user groups.