Create users and Groups
Access to users
Programmatic access:- If a user connects to AWS using a program, an SDK or the AWS CLI, you need to provide programmatic access. This consists of a long-lived credential pair that must be kept confidential:
- Access key ID
- Secret access key
Console access:- If a user signs in through the AWS Management Console, you need to provide a user name and an initial password, together with the account's console sign-in link. These are confidential as well:
- Username
- Password
Step 1: Select the IAM service.
Step 2: Click the Users link in the left panel.
Step 3: Click Add users and provide the user name(s); you can create a maximum of 10 users at a time from the IAM console.
Step 4: Select the access type: check both Programmatic access and AWS Management Console access.
Step 5: Console password: select Autogenerated password.
Step 6: Tick Require password reset so the user must choose a new password at first sign-in.
Step 7: Click Next.
Step 8: Create a group here by clicking Create group (you can also create the group before creating the users).
Group name: DevGrp
Attach a policy: AmazonEC2FullAccess
Click the Create group button.
Step 9: Click Next: Tags.
You can add a maximum of 50 tags per user, for example:
Name: devusers
Click Next.
Step 10: Review the settings and click Create users.
Step 11: Download the user details as a .csv file and share the credentials with the respective users over a secure channel. The secret access key is shown only on this screen and cannot be retrieved later; if it is lost, a new access key has to be created. Do not leave the downloaded file in a shared location.
Experiment
- Try it yourself: sign in to the AWS Console using the console sign-in link from the downloaded .csv and check that you have access only to EC2.
- Attach the AmazonS3FullAccess policy to the group DevGrp and check that the users now have S3 access as well.
- Delete the user and the group.
- Create a user (with programmatic and console access) without assigning it to a group and check whether you can attach permissions directly to that user.
- Add a user to two groups, giving the first group (DevGrp) EC2 full access and a second group (SecGroup) S3 full access; sign in with console access and check whether the user has both S3 and EC2 full access.
- Delete a group and check whether its users are deleted too.
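To make the rules behind these experiments concrete, here is an added Python model of how IAM combines identity-based policies; it is example code written for this page, not AWS's code and not from the original post. The group names DevGrp and SecGroup come from the experiments above; the user names alice and bob and the policy documents are constructed for the demo and are simplified stand-ins, not the exact JSON of the AmazonEC2FullAccess and AmazonS3FullAccess managed policies. It models identity-based policies only (no SCPs, permission boundaries, resource or session policies).

```python
"""Toy model of how IAM combines identity-based policies.

Added example, not code from the original post or from AWS. The policy
documents below are simplified stand-ins constructed for this demo; they are
NOT the exact JSON of the AWS managed policies. Three rules explain every
experiment on the page: everything is implicitly denied, any matching Allow
grants, and an explicit Deny always wins.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# Constructed, simplified policy documents (same shape as real IAM JSON).
POLICIES: Dict[str, dict] = {
    "AmazonEC2FullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    "AmazonS3FullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]},
    # Hypothetical guardrail a security team might attach to a group.
    "DenyBucketDeletion": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]},
}


@dataclass
class Group:
    name: str
    policies: List[str] = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: List[Group] = field(default_factory=list)
    policies: List[str] = field(default_factory=list)   # attached directly


def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]


def _matches(pattern: str, value: str) -> bool:
    # IAM matches action names case-insensitively, with * and ? wildcards.
    return fnmatchcase(value.lower(), pattern.lower())


def effective_policies(user: User) -> Set[str]:
    """Union of directly attached policies and every group's policies."""
    names = set(user.policies)
    for g in user.groups:
        names.update(g.policies)
    return names


def is_allowed(user: User, action: str, resource: str = "*") -> bool:
    """Evaluate one request against all policies that apply to the user."""
    allowed = False
    for name in effective_policies(user):
        for stmt in POLICIES[name]["Statement"]:
            act_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            res_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
            if not (act_hit and res_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit Deny overrides any Allow
            allowed = True
    return allowed                    # nothing matched: implicit deny


def demo() -> dict:
    """Replays the page's experiments with hypothetical users alice and bob."""
    dev_grp = Group("DevGrp", ["AmazonEC2FullAccess"])
    sec_grp = Group("SecGroup", ["AmazonS3FullAccess", "DenyBucketDeletion"])
    alice = User("alice", groups=[dev_grp])
    results = {}
    # Experiment 1: a DevGrp member can use EC2 but not S3.
    results["ec2_only"] = (is_allowed(alice, "ec2:RunInstances"),
                           is_allowed(alice, "s3:ListAllMyBuckets"))
    # Experiments 2 and 5: a second group adds its grants (union of all groups).
    alice.groups.append(sec_grp)
    results["both_groups"] = (is_allowed(alice, "ec2:RunInstances"),
                              is_allowed(alice, "s3:ListAllMyBuckets"))
    # A Deny in one group beats the Allow in another.
    results["deny_wins"] = is_allowed(alice, "s3:DeleteBucket")
    # Experiment 4: a user with no group can have a policy attached directly.
    bob = User("bob", policies=["AmazonS3FullAccess"])
    results["direct_attach"] = is_allowed(bob, "s3:GetObject", "arn:aws:s3:::bucket/key")
    # Experiment 6: deleting a group removes its grants; the user remains.
    alice.groups.remove(dev_grp)
    results["after_group_delete"] = (alice.name, is_allowed(alice, "ec2:RunInstances"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare with what you see in the console: a member of DevGrp alone passes only the EC2 check, adding the second group gives the union of both groups' grants, a Deny in any attached policy overrides an Allow elsewhere, and removing a group strips its grants while the user object remains.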
How to access AWS services using AWS CLI
To access AWS services with the AWS CLI the user needs programmatic access, i.e. an access key ID and a secret access key.
Step 1: Install the AWS CLI on your host system.
Step 2: Verify the installation by running the aws --version command.
Step 3: Configure the CLI with the aws configure command; it prompts for the access key ID, the secret access key, the default region and the output format. The keys are stored in plain text in ~/.aws/credentials, so protect that file like a password. You can confirm which identity the CLI is using with aws sts get-caller-identity.
Step 4: If the user has S3 full access, run the command below to check that you can list the S3 buckets with the CLI:
aws s3 ls
How to access AWS services using Console
Step 1: A user name, an initial password and the account's console sign-in link are shared with you; use that link to sign in to the AWS Management Console and set a new password when prompted.
Step 2: If the user has only EC2 access, check whether you are able to create EC2 instances.
Step 3: Verify that you do not have access to any other service, such as S3 or RDS (the console reports that you are not authorized).
MFA (Multi-Factor Authentication)
- First install a virtual MFA app such as Google Authenticator on your mobile from the Google Play Store (or the App Store).
- In IAM, select the user for whom you want to enable MFA.
- Select the Security credentials tab.
- Under Assigned MFA device, click Manage.
- Select Virtual MFA device and click Continue.
- Click Show QR code.
- Scan the QR code with the authenticator app. The QR code carries the shared secret seed; anyone who captures it can generate valid codes, so do not screenshot or share it.
- Type two consecutive MFA codes from the app (the current code and the next one, which appears after the 30-second window rolls over).
- Click Assign MFA.
- Sign out and sign in to the console as that user.
- After you enter the correct user name and password, the console asks for the MFA code before completing the sign-in.
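The virtual MFA device is a TOTP generator (RFC 6238): the app and AWS share a secret seed (the payload of the QR code) and both derive a 6-digit code from it and the current 30-second time window. The following added Python example, which is not code from the original post or from AWS, implements that algorithm to show what the two consecutive codes are and how a verifier tolerates clock drift. The seed used is the RFC 6238 test key so the output can be checked against the published vectors; the step and digit count are set to what AWS virtual MFA devices use.

```python
"""TOTP (RFC 6238) as used by virtual MFA devices such as Google Authenticator.

Added example, not code from the original post or from AWS. It shows what the
"two consecutive MFA codes" step asks for: the 6-digit codes for two adjacent
30-second windows derived from the same shared secret. The seed is the
RFC 6238 Appendix B test secret so results match the published vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per TOTP window (AWS virtual MFA: 30 s, 6 digits, SHA-1)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return hotp(secret, at // step, digits)


def two_consecutive_codes(secret_b32: str, at: int) -> tuple:
    """What the IAM console's 'MFA code 1' and 'MFA code 2' fields expect:
    the code for the current window and the code for the following one.
    Two codes let AWS confirm the device is in sync, not just that one code matched."""
    return totp(secret_b32, at), totp(secret_b32, at + STEP)


def verify(secret_b32: str, submitted: str, at: int, skew: int = 1) -> bool:
    """Constant-time check accepting +/- `skew` windows of clock drift.
    Accepting neighbouring windows is why a code typed just after it rolled
    over still works; a larger skew widens the window in which a stolen code
    can be replayed, so keep it small."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * STEP), submitted)
        for k in range(-skew, skew + 1)
    )


# RFC 6238 Appendix B test secret ("12345678901234567890" as ASCII), base32-encoded
# the same way a QR-code seed is. Constructed test data, not a real device seed.
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = int(time.time())
    print("codes to type into the console:", two_consecutive_codes(RFC_SEED_B32, now))
```

Because the code depends only on the seed and the clock, whoever holds the seed (the QR image, a backup of the app, a phished enrolment) can produce codes indefinitely; the seed, not the 6-digit code, is the secret to protect.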
Roles:
An IAM role is an identity you can create that has specific permissions, with credentials that are valid for short durations. Roles can be assumed by entities that you trust (an AWS service, a user in this or another account, or a federated identity).
Step 1: Create an EC2 instance.
Step 2: Connect to the instance and make sure the AWS CLI is installed; do not run aws configure or store any access keys on it.
Step 3: Go to the IAM service, select Roles and click the Create role button.
Step 4: Select the trusted entity type AWS service and the use case EC2, then click Next. (This writes a trust policy that lets ec2.amazonaws.com call sts:AssumeRole on the role.)
Step 5: Add permissions to the role by attaching the AmazonS3FullAccess policy and click Next.
Step 6: Provide a role name and click Create role.
Step 7: Go to EC2 instances and select the instance you created in Step 1.
Step 8: Go to Actions ---> Security ---> Modify IAM role, choose the role you created in Step 6 and click Save.
Step 9: Connect to the EC2 instance and run the command
aws s3 ls
You will be able to see all the buckets even though you did not configure any profile on this system. This works because the instance profile makes the role's temporary credentials available through the instance metadata service and the CLI picks them up automatically; AWS rotates them, so no long-lived key has to live on the instance. Any process running on the instance can read those credentials, so keep the role's permissions to what the workload actually needs (S3 full access here is only for the demo).
Experiment
You can try by yourself to connect to AWS Console using the "Console Login Link" and check out that you have only access to EC2 services.
Ans: Yes
Add S3full access permission to Group DevGrp and again check that users have S3 access as well.
Ans: Yes
Delete the user and Group.
Ans: Ok
Create a user (providing programmatic and console access) without assigning to a group and check whether you are able to assign permission to that user.
Ans: Yes able to assign permission (Attach existing policies directly)
Add a user to multiple groups and provide permission for the first Group as EC2FullAccess and SecGroup S3 full access and log in with console access and check whether the user can have both s3 and Ec2 full access.
Ans: Yes (permissions attached from group)
Delete a Group and check the users also get deleted or not.
Ans: Groups that the user was in are deleted but the user is not deleted.
Create a user (providing programmatic and console access) without assigning to a group and check whether you are able to assign permission to that user.
- YES
Add a user to multiple groups and provide permission for the first Group as EC2FullAccess and SecGroup S3 full access and log in with console access and check whether the user can have both s3 and Ec2 full access.
- YES
Delete a Group and check the users also get deleted or not.
- NO
Experiment:
Yes, user can be assigned permission without group.
The same user will have all permissions from the different groups it is attached to.
Tested if only able to access EC2, tested ok. Added S3fullaccess to user group, able to access S3 as well. Able to assign permission without user group. Added user to multiple user groups; deleting a group did not delete user, even deleting both groups did not delete user, however the permissions granted by that group were removed.
Mikraj:
1. You can try by yourself to connect to AWS Console using the "Console Login Link" and check out that you have only access to EC2 services.
ans: yes, all users in grp only have access to EC2; if they try S3, it shows not authorized.
2. Add S3full access permission to Group DevGrp and again check that users have S3 access as well.
ans: yes, all users have access to both EC2 and S3, but no access to other services
3. Delete the user and Group.
When you delete the group, the users still exist under Users.
You need to go to the Users directory and choose the specific users you want to delete.
4. Create a user (providing programmatic and console access) without assigning to a group and check whether you are able to assign permission to that user.
ans: go to Users directory >> Add users >> Attach existing policies directly to create a user without creating a grp.
5. Add a user to multiple groups and provide permission for the first Group as EC2FullAccess and SecGroup S3 full access and log in with console access and check whether the user can have both s3 and Ec2 full access.
ans: create grp e.g. mikgrp1 and assign existing user (with no existing access or grp) and add EC2 permission >> create grp
similarly, create grp e.g. mikgrp2 and assign the same user and add S3 permission >> create grp
the user has access to both EC2 and S3 but other services give the error msg not authorized.
6. Delete a Group and check the users also get deleted or not.
ans: When you delete the group, the users still exist under the Users directory.
You need to go to the Users directory and choose the specific users you want to delete.