Followers

AWS - IAM ( Identity Access Management)

Create users and Groups Access to users Programmatic :- If a user connects to AWS using a program or Aws CLI then you need to provide the pr...


Create users and Groups

Access to users

Programmatic:- If a user connects to AWS using a program or Aws CLI then you need to provide the programmatic access. It is has confidential inforation like 

  • Secret key
  • AccessKey
  • Username
  • Password

Console:- If a user connects to AWS using console then you need to provide userid and initial password to connect a user to AWS console.

Step 1: Select IAM service

Step 2: Click on Users Link on the left panel

Step 3 Add users by providing user name(s), Max 10 users at a time you can create using IAM.

Step 4: Select Access Type: Check both Programmatic Access and Console Access

Step 5: Console password:- select the option Autogenerated Password.

Step 6: Select Required Password reset.

Step 7: Click on Next Button

Step 8: Create a Group here by clicking on Create Group (You can also create the group before user creation ).

        Group name: DevGrp

        Attach a policy: AmazonEC2FullAccess

  Click on Create Group button.

Step 9: Click on Next Add Tags button

              you can add max 50 tags

              Name: devusers

Click on Next button

Step 10: Review and Click on Create Users button.

Step 11: Download user details in csv files and you can share this information to the respective users.

Experiment

  • You can try by yourself to connect to AWS Console using the "Console Login Link" and check out that you have only access to EC2 services.
  • Add S3full access permission to Group DevGrp and again check that users have S3 access as well.
  • Delete the user and Group.
  • Create a user (providing programmatic and console access)  without assigning to a group and check whether you are able to assign permission to that user.
  • Add a user to multiple groups and provide permission for the first Group as EC2FullAccess and SecGroup S3 full access and log in with console access and check whether the user can have both s3 and Ec2 full access.
  • Delete a Group and check the users also get deleted or not.

How to access AWS services using AWS CLI

To access the AWS services using AWS CLI then first the user should have the Access key and Secret key means programmatic access.

Step 1: Install AWS CLI on your host system.

Step 2: Verify AWS is installed or not by running aws --version command.

Step 3: Configure AWS on your system using aws configure command, it will ask for Access key,Secret key,region

Step 4: If user has S3 full access then run below command to check that with aws cli you can access the S3 buckets

     aws s3 ls

How to access AWS services using Console

Step 1: A user id, password, and a console link is shared with you so use the console link to connect to the AWS Console.

Step 2: If a user has only EC2 Access then check if are you able to create the EC2 instances or not.

Step 3: Verify that you don't have any other service access like s3,RDS etc.

MFA(Multi-Factor Authentication)

  1. First Install Google Authenticator software on your mobile from Google play store.
  2. Select the user for whom you want to enable MFA
  3. Select Security credentials Tab
  4. Select Assigned MFA device and Click on Manage
  5. Select Virtual MFA device and click on continue
  6. Then Click on Show QR Code
  7. Use Google Authenticator App Scan this QR Code
  8. Type 2 consective MFA code from App
  9. Then assign MFA.
  10. Signout and connect with user on console
  11. After entering correct credential it will ask you to enter the MFA code to Sign in to the app.

Roles:

An IAM role is an identity you can create that has specific permissions with credentials that are valid for short durations. Roles can be assumed by entities that you trust.

Step 1: Create an EC2 instance.

Step 2: Connect to the above Ec2 instance and make sure AWS CLI is already configured on this machine.

Step 3: Goto IAM Service and Select Roles and Click on Create Roles button

Step 4: Select Trusted Entity as AWS Service and Use Case EC2 instance and then click on Next Button

Step 5: Add the permissions to the Role add policy s3FullAccess and click on Next

Step 6: Provide the role name and click on Create Role button

Step 7: Goto EC2 instances and Select the Ec2 instance which you have create on Step1

Step 8: Goto Action ---> Security---> ModifyIAM Role and Choose the role as the one which you have created in step 6 and click on save

Step 9: Connect EC2 instances and run the command 

          aws s3 ls

you will be able to see all the buckets even though you did not configure any profile on this system, it is because of the role.






COMMENTS

BLOGGER: 6
  1. Experiment

    You can try by yourself to connect to AWS Console using the "Console Login Link" and check out that you have only access to EC2 services.

    Ans: Yes

    Add S3full access permission to Group DevGrp and again check that users have S3 access as well.

    Ans: Yes

    Delete the user and Group.

    Ans: Ok

    Create a user (providing programmatic and console access) without assigning to a group and check whether you are able to assign permission to that user.

    Ans: Yes able to assign permission (Attach existing policies directly)

    Add a user to multiple groups and provide permission for the first Group as EC2FullAccess and SecGroup S3 full access and log in with console access and check whether the user can have both s3 and Ec2 full access.

    Ans: Yes (permissions attached from group)

    Delete a Group and check the users also get deleted or not.

    Ans: Groups that the user were in are deleted but the user is not deleted.

    ReplyDelete
  2. Create a user (providing programmatic and console access) without assigning to a group and check whether you are able to assign permission to that user.
    - YES

    Add a user to multiple groups and provide permission for the first Group as EC2FullAccess and SecGroup S3 full access and log in with console access and check whether the user can have both s3 and Ec2 full access.
    - YES

    Delete a Group and check the users also get deleted or not.
    - NO

    ReplyDelete
  3. Experiment:

    Yes, user can be assigned permission without group.
    Same user can will have all permissions created from different groups it is attached in.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
  4. Tested if only able to access EC2, tested ok. Added S3fullaccess to user group, able to access S3 as well. Able to assign permission without user group. Added user to multiple user groups, deleting a group did not delete user, even deleting both groups did not delete user, however, the permissions granted by that group were removed

    ReplyDelete
  5. Mikraj:

    1.You can try by yourself to connect to AWS Console using the "Console Login Link" and check out that you have only access to EC2 services.

    ans: yes, all users in grp only have access to EC2, if try S3, it shows not authorized.


    2. Add S3full access permission to Group DevGrp and again check that users have S3 access as well.

    ans: yes all users have access to both EC2 and S3, but no other access to other services


    3. Delete the user and Group.
    When delete group, the users are still existing under users.
    need to go to users directory choose the specific users you want to delete.


    4. Create a user (providing programmatic and console access) without assigning to a group and check whether you are able to assign permission to that user.

    ans: go to user directory >> add users >> attach existing policies directly to create user without creating grp.


    5. Add a user to multiple groups and provide permission for the first Group
    as EC2FullAccess and SecGroup S3 full access and log in with console access and check whether the user can have both s3 and Ec2 full access.

    ans: create grp e.g. mikgrp1 and assign existing user(with no exisiting access or grp) and add EC2 permission >> create grp
    similarly, create grp e.g. mikgrp2 and assign the same user and add S3 permission >> create grp
    the user has access to both EC2 and S3 but other services have error msg not authorized.


    6. Delete a Group and check the users also get deleted or not.

    ans: When delete group, the users are still existing under users directory.
    need to go to users directory choose the specific users you want to delete.

    ReplyDelete

Name

Ansible,6,AWS,1,Azure DevOps,1,Containerization with docker,2,DevOps,2,Docker Quiz,1,Docker Swarm,1,DockerCompose,1,ELK,2,git,2,Jira,1,Kubernetes,1,Kubernetes Quiz,5,SAST DAST Security Testing,1,SonarQube,3,Splunk,2,vagrant kubernetes,1,YAML Basics,1,
ltr
item
DevOpsWorld: AWS - IAM ( Identity Access Management)
AWS - IAM ( Identity Access Management)
DevOpsWorld
https://www.devopsworld.co.in/2022/03/aws-iam-identity-access-management.html
https://www.devopsworld.co.in/
https://www.devopsworld.co.in/
https://www.devopsworld.co.in/2022/03/aws-iam-identity-access-management.html
true
5997357714110665304
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share to a social network STEP 2: Click the link on your social network Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy Table of Content