How to configure AWS Identity and Access Management

How to configure AWS Identity and Access Management (IAM)

On this post we will continue with the preparation for the AWS CERTIFIED SOLUTIONS ARCHITECT EXAM. Remember the exercises we are solving here are from AWS Certified Solutions Architect Official Study Guide: Associate Exam by Joe Baron and others. We are going to resolve the exercises from Chapter 6, Identity and Access Management (IAM)

EXERCISE 6.1: Create an IAM Group

In this exercise, you will create a group for all IAM administrator users and assign the proper permissions to the new group. This will allow you to avoid assigning policies directly to a user later in these exercises.

Create an IAM group called Administrators

aws iam create-group --group-name Administrators

We will see an output like the one below:

{
     "Group": {
         "Path": "/", 
         "CreateDate": "2019-04-05T15:40:29Z", 
         "GroupId": "AGPA3HVKSB5MWDP5COMQ2", 
         "Arn": "arn:aws:iam::772378070873:group/Administrators", 
         "GroupName": "Administrators"
     }
 }

Attach the managed policy, IAMFullAccess , to the Administrators group

aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/IAMFullAccess --group-name Administrators

EXERCISE 6.2: Create a Customized Sign-In Link and Password Policy

In this exercise, you will set up your account with some basic IAM safeguards. The password policy is a recommended security practice, and the sign-in link makes it easier for your users to log in to the AWS Management Console.

Customize a sign-in link, and write down the new link name in full.

For this step we will use the AWS Management Console as I couldn’t find a way to do this on the AWS CLI. To create the AWS Sign-in Link Go to the Identity and Access Management Dashboard and click Customize at the top. A pop-up like the one below will appear, just type something descriptive for your link:

aws iam configure

If completed successfully you have a sign-in link that can provide to your users to log-in to AWS as shown below:

sign-in link URL

Create a password policy for your account.

A password policy can also be set from the AWS Management Console. Go to Identity and Access Management and then select the Account Settings menu, you will find the option to set your own password policy as shown below:

aws iam password policy

EXERCISE 6.3: Create an IAM User

In this exercise, you will create an IAM user who can perform all administrative IAM functions. Then you will log in as that user so that you no longer need to use the root user login. Using the root user login only when explicitly required is a recommended security practice (along with adding MFA to your root user).

While logged in as the root user, create a new IAM user called Administrator.

We will perform using the AWS CLI command below:

aws iam create-user --user-name Administrator

and we will get an output like this one:

{
     "User": {
         "UserName": "Administrator", 
         "Path": "/", 
         "CreateDate": "2019-04-05T15:49:01Z", 
         "UserId": "AIDA3HVKSB5MWGAKAOIRF", 
         "Arn": "arn:aws:iam::772378070873:user/Administrator"
     }
 }


Add your new user to the Administrators group.

aws iam add-user-to-group --group-name Administrators --user-name Administrator


On the Details page for the administrator user, create a password.

We will have to do this using the AWS Management Console, as AWS CLI requires passing the old password as parameter, which we don’t have as this is a new user.

So to change the password for the Administrator user go to Identity and Access Management, select Users and the Administrator User. Go to Security Credentials and Click Manage on ‘Console Password’. A screen like the one below will appear.

aws iam admin password

Log out as the root user and Use the customized sign-in link to sign in as Administrator

So we will use our sign-in link and new Administrator user to test the access. Open your favourite browser and type the link, in our example it was:

https://australtech.signin.aws.amazon.com/console´╗┐

And then just Log-in with the Administrator user and the auto-generated password

EXERCISE 6.4: Create and Use an IAM Role


In this exercise, you will create an IAM role, associate it with a new instance, and verify that applications running on the instance assume the permissions of the role.
IAM roles allow you to avoid storing access keys on your Amazon EC2 instances.

While signed in as administrator, create an Amazon EC2-type role named S3Client.

aws-iam-role-1

Attach the managed policy, AmazonS3ReadOnlyAccess to S3Client


aws-iam-role-2
aws-iam-role-4

Launch an Amazon Linux EC2 instance with the new role attached

Now lets back to some of the AWS Linux instances you created on the previous posts and lets assign the IAM role as shown below:

aws iam role 5
aws iam role 6

SSH into the new instance, and use the AWS CLI to get a file from an Amazon S3 bucket.

First, lets make sure the S3 Bucket we will use has a bucket policy which will allow the instance with the Role assigned to access the file. To do so, go to Services->S3 and select your Bucket, then go to Permissions and Bucket Policy. Make sure you have a bucket policy like the one below, where we specify the Principal (Role) S3Client has access to Get Operations on your bucket (australtechbucket in this example).

aws iam bucket policy

Feel free to copy the bucket policy from the code below and modify to match your environment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::772378070873:role/S3Client"
            },
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::australtechbucket/*"
        }
    ]
}

You need to use the AWS CLI within the linux instance, if you use another tool like curl to get the file it won’t work as curl wont’t pass the Instance role information on the request, however AWS CLI or AWS SDK will do. So the command to run on our example is (Assuming you still have foo.txt in the bucket from previous exercises):

aws s3 cp s3://australtechbucket/foo.txt .

This command will copy the foo.txt file locally.
If we run the command before the Role is assigned to the Instance, we will the following error:

aws s3 cp s3://australtechbucket/foo.txt .
fatal error: Unable to locate credentials

However, after we assign the IAM Role to the instance and we run the command again we get:

$aws s3 cp s3://australtechbucket/foo.txt .
download: s3://australtechbucket/foo.txt to ./foo.txt         
$cat foo.txt 
red
$ 


We see we could retrieve the file successfully. This concludes this post and the exercises for AWS Identity and Access Management (IAM) for the AWS Certification. See you on the next one!