In this part of the IAM tutorial series, I will continue with IAM users. I will explain how to create a user, add the user to a group, and attach a policy to the user. By default, a newly created user has no permissions. We can create two types of credentials for a user: access keys and sign-in credentials. If the user will be working with the CLI, API or SDK, we should create an "access key". If the user will work with the AWS console, we should create sign-in credentials.
So we can start by creating our users.
As you can see, the "Create User" wizard lets us create up to 5 users at a time, and by default the "Generate an access key for each User" check box is checked. I unchecked it because we will generate the keys manually. After clicking "Create", our users are ready (of course, they have no permissions, no access keys and no sign-in credentials).
By default, users don't belong to any group.
No policy is attached to the user.
The user also has no access credentials or sign-in credentials.
Now, step by step, we will configure our user. First, let's add the user to a group. In the first tab, we can add the user to groups by clicking the "Add user to Groups" button. Also remember that you can add a user to a group from the group tab, as I explained in my previous post.
Once we have added our user to First_group, the policy attached to the group automatically applies to the user, and our "User_admin" user has EC2Fullaccess permissions. You can see the policy details by clicking the "Show" link.
What happens if we attach a user policy that has a Deny effect on the action ec2:StartInstances? The action will be explicitly denied, even though the group policy allows it. We can create the policy and simulate it. First I will add an ec2:StartInstances deny policy and attach it to the User_admin user.
In the policy simulator, we can test whether it is configured as it should be.
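The same evaluation can be reproduced offline. The following is an added example, not part of the original post and not AWS code: a simplified model of how identity-based policies combine, using constructed policy documents for the First_group allow and the User_admin deny. It assumes a plain `ec2:*` statement stands in for the EC2 full access policy, and it ignores conditions, permission boundaries and SCPs.

```python
import fnmatch

# Constructed policy documents modelled on the walkthrough (simplified).
GROUP_POLICY = {  # applies through First_group: EC2 full access
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
USER_DENY_POLICY = {  # attached directly to User_admin
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:StartInstances", "Resource": "*"}
    ],
}


def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    # '*' and '?' act as wildcards; action names are matched case-insensitively.
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, ignore_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # any matching Deny wins immediately
            allowed = True  # remember the Allow, keep looking for a Deny
    return "allowed" if allowed else "implicitDeny"


if __name__ == "__main__":
    effective = [GROUP_POLICY, USER_DENY_POLICY]  # group + user policies
    for act in ("ec2:StartInstances", "ec2:StopInstances", "s3:GetObject"):
        print(act, "->", evaluate(effective, act))
```

A user with no policies gets `implicitDeny` for everything, which is the "no permissions" state of a freshly created user.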
In my next post, I will explain access and sign-in credentials. We will create access keys, signing certificates and sign-in credentials, and also configure MFA.
If you have any questions or comments, please feel free to write, and please don't forget to share.