IAM with AWS

March 2016 · 4 minute read

The following is a step by step tutorial on how to set up Identity and Access Management (IAM) with AWS on your first login. It runs through multifactor authentication on the root account as well as setting up new users and assigning them to groups. There are also two examples of assigning policies, either to individual users or to whole groups.

1. Log into your console

2. Select a region (set by default to US West (Oregon)) close to your geographic location if you haven’t previously done so. This will help reduce latency.

3. Open IAM and customise the login link. You can see a sign-in link at the top which is formatted as randomnumber.signin.aws.com/console. You can change this to a name more suited to you or your company; keep in mind that IAM is not region specific and uses a global DNS name, so the alias must be unique. Once you have chosen a unique name, it will be updated on the console. This will be the link that all users you specify can follow to log in.

4. Next, you’ll need to complete the security status checks to ensure your account is secure and that users have appropriate policies assigned to them.

a) Activate Multifactor Authentication (MFA) on your root account. Best practice is to set up MFA on the root account and never log in using the root account once users are set up. When managing the MFA, you can opt to set up either a virtual device such as Google Authenticator or a hardware device such as an RSA token. The instructions will provide you with a QR code to scan once you have installed the MFA app of your choosing on your mobile phone. Simply enter the unique codes provided and you’re good to go!

b) Create Individual IAM Users. Upon creating an account, you’re automatically logged in as the root user but, as mentioned before, it is best practice to set up users even if you control the root account too. When creating new users, be sure to generate an access key for each user. For each user, you are provided with a KeyID (which acts like a username) and a SecretKey (which acts like a password), which together act as a way of interacting with the AWS platform using APIs or the command line. You are only given this information once, so it is important to download the credentials (over HTTPS) before leaving this screen. To give users a password, simply:

  • Select the user
  • Under “User Actions” select “Manage Passwords”
  • Assign an auto-generated password and allow users to change their password on first login. Again, the generated password is shown only once and can be downloaded.

c) Use groups to assign permissions. By default, all users have no permissions so it is vital to ensure new users, even admins, are assigned to groups with permissions by the root user before trying to use the platform as one of those new users.

  • Under ‘Groups’, create a new group, e.g. “Admin”
  • Attach a policy to that group by selecting one of the predefined policy documents, such as “AdminPolicy”, and select “Create”
  • Now that the group exists, you can add users to it. Under “Groups”, select the Admin group that was just created
  • Under “Group Actions” select “Add users to group”
  • Add the users you want to have admin rights and select “Add users”.

d) Apply an IAM password policy. This allows you to decide what is required for the password and set a custom policy, e.g. character types allowed/required, minimum password length, whether users can change their own password, password expiry, etc. Once your policy is determined, select “Apply password policy” and this will apply the password policy to all users with access to your account.
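As an added example that is not part of this tutorial: the four security-status checks above (root MFA, individual users, group-based permissions, password policy) expressed as an offline audit. The sample data is constructed here and only mirrors the shape of the `aws iam get-account-summary`, `get-account-password-policy` and `get-account-authorization-details` responses; the minimum-length threshold is an assumption.

```python
# Offline audit of the IAM security-status items; the data below is constructed
# sample input shaped like the AWS CLI responses, not real account output.
SUMMARY = {"AccountMFAEnabled": 0, "Users": 2}   # root MFA status lives here

PASSWORD_POLICY = {                              # the "PasswordPolicy" object
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 0,                         # 0 / absent: passwords never expire
}

USERS = [                                        # subset of "UserDetailList"
    {"UserName": "alice", "GroupList": ["Admin"], "AttachedManagedPolicies": []},
    {"UserName": "bob", "GroupList": [],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess"}]},
]


def audit(summary, password_policy, users, min_length=14):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # a) MFA on the root account
    if summary.get("AccountMFAEnabled") != 1:
        findings.append("root account has no MFA device")
    # d) password policy strength (min_length is an assumed threshold)
    if password_policy.get("MinimumPasswordLength", 0) < min_length:
        findings.append(f"password policy minimum length below {min_length}")
    for flag in ("RequireSymbols", "RequireNumbers",
                 "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not password_policy.get(flag):
            findings.append(f"password policy does not set {flag}")
    if not password_policy.get("MaxPasswordAge"):
        findings.append("password policy never expires passwords")
    # b) and c) every user gets permissions through a group, not directly
    for user in users:
        if user.get("AttachedManagedPolicies"):
            findings.append(f"user {user['UserName']} has policies attached directly")
        if not user.get("GroupList"):
            findings.append(f"user {user['UserName']} belongs to no group")
    return findings


if __name__ == "__main__":
    for finding in audit(SUMMARY, PASSWORD_POLICY, USERS):
        print("FINDING:", finding)
```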

Assign Policies to a single User

You can use policies to grant full access to the AWS console to one user; however, assigning policies to individual users can become quite difficult to manage, and it is best practice to assign policies to groups of users who share the same permissions. If you still want to do this then:

  • Under ‘Policies’, select the policy you want to assign
  • Under ‘Policy actions’, select “Attach”
  • Select the user you want to attach the policy to and click “Attach” at the bottom of the screen.