Let IT Block show you the easy way to use IAM in the AWS console for granting access to your colleagues or teammates.
Before we begin, we assume you have root access to your AWS Management Console and can view all the services in the dashboard.
As the administrator of your organization, only you should hold the root credentials of your AWS (Amazon Web Services) console before you grant access using IAM. Even then, you should only access your console through an administrator-enabled user created within IAM (Identity and Access Management) in your AWS Management Console.
Step 1: Log in to AWS console and locate the IAM service
[Image: Easy way to use IAM (grant access) in AWS console]
The image above is where you should be for us to proceed on to the next steps. If you don't see it, click on 'Services' on the top left of the AWS management console.
The services are organized into categories. Look under the category 'Security, Identity, & Compliance'; there you find the IAM (Identity and Access Management) service.
WARNING: Under no circumstances should you let your developer or integrator have in their possession the root credentials of your AWS console.
Another way to quickly locate the IAM service is to type 'IAM' in the search bar.
The service is highlighted under the search bar, as shown in the image here.
To proceed, click on 'IAM' to start.
Step 2: Add a user
We are not here to teach you how to use IAM at a high level, only what is needed to create a user and grant the access that is actually required. We also advise that before you create an IAM user account for staff or a third-party developer/integrator, you start by granting administrator access to yourself and use that admin account to log in to the AWS console. In the case of a security compromise, you can quickly regain control of your AWS console through your root credentials, which is why root credentials are best left for emergency use only.
What we are trying to accomplish here is an easy and straightforward technique to grant access via IAM. To illustrate, we imagine a scenario where we have to give a third-party vendor access to the 'Elastic Beanstalk' service within your AWS environment.
On the left-hand side panel, click on Users. And proceed to 'Add user' to see the window below.
Choose a username. Below, we see 'Programmatic access' and 'AWS Management Console access'. If you are unsure, tick both, which allows your third-party vendor either programmatic access (via SSH) or console access, similar to the interface access you have now, with fewer rights of course.
Choose between an autogenerated password or a custom password at your discretion. You can also require your vendor to change their password after their first successful login to your AWS console. Again, all of this is up to you. Choose what access you wish to grant from IAM in accordance with your organization's procedures. Click 'Next: Permissions'.
Step 3: Set user permissions and attach policies
We are now on the permissions page of IAM. Here we grant the user the right to access only the services they need. Nothing more and nothing less is the best way to go about it. Rights are assigned with a purpose; try not to give anyone more rights than they need, to limit errors and security risks to your AWS environment. Ignore 'Add user to group' and 'Copy permissions from existing user'.
Click on 'Attach existing policies directly'.
So in our scenario, our third-party vendor requires permission to access Elastic Beanstalk. Search 'beanstalk', and you see a list of preset policies ready for you to assign. If you are not precisely sure of the extent of the permissions they require within Elastic Beanstalk, it is still acceptable to grant them full access to the service, especially if they are the only vendor using that particular service. Therefore we tick the box next to 'AWSElasticBeanstalkFullAccess', which, as the name says, grants them full access to the service. Once that is done, click 'Next: Tags'.
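Managed "FullAccess" policies often bundle permissions on supporting services (roles, storage, stacks) beyond the one named in their title, so it is worth reading the policy document before attaching it, whether you are scoping to Elastic Beanstalk as in the scenario here or to any other single service. The following is an added example, not code from the original post or from AWS: it parses an IAM policy document (the JSON you get from the console's policy view or from `aws iam get-policy-version`) and lists every allowed action that falls outside the intended service. The sample policy embedded below is constructed for the example and is not a copy of AWSElasticBeanstalkFullAccess.

```python
"""Flag Allow actions in an IAM policy document that reach outside one service.

Added example (not from the original post). Runs offline: it only inspects a
policy JSON document. Usage on a saved document:
    python check_policy_scope.py elasticbeanstalk < policy.json
"""
import json
import sys


def statements(policy: dict) -> list:
    """Normalise the Statement field, which AWS allows to be a dict or a list."""
    stmt = policy.get("Statement", [])
    return [stmt] if isinstance(stmt, dict) else list(stmt)


def as_list(value) -> list:
    """Action/Resource fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def out_of_scope_actions(policy: dict, service: str) -> list:
    """Return every Allow action whose service prefix is not `service`.

    A bare "*" is always out of scope. A wildcard inside the intended service
    (e.g. "elasticbeanstalk:*") is accepted, since that is what "full access
    to the service" means. An Allow statement written with NotAction grants
    everything except the listed actions, so it is reported as a finding too.
    """
    findings = []
    for stmt in statements(policy):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a scope problem
        if "NotAction" in stmt:
            findings.append("NotAction (allows everything not listed)")
        for action in as_list(stmt.get("Action")):
            prefix, _, _ = action.partition(":")
            if action == "*" or prefix.lower() != service.lower():
                findings.append(action)
    return findings


def check_policy(policy: dict, service: str) -> dict:
    """Summarise the check: ok=True only if nothing escapes the service."""
    extra = out_of_scope_actions(policy, service)
    return {"service": service, "ok": not extra, "out_of_scope": extra}


# Constructed sample resembling a "full access" managed policy that also
# reaches into other services; NOT the real AWSElasticBeanstalkFullAccess.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "iam:PassRole", "cloudformation:*"],
         "Resource": "*"},
    ],
}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "elasticbeanstalk"
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    print(json.dumps(check_policy(doc, target), indent=2))
```

If the report lists actions you did not expect the vendor to need, a customer-managed policy scoped to the one service, or a narrower AWS-managed policy for that service, is the safer choice than the FullAccess policy.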
Tags serve higher-level purposes in an AWS console where you have a large number of services, users and resources in use. One of their uses is to let administrators quickly search for everything tagged with a particular keyword or email address, for example. In any case, you can skip this part in IAM. Click 'Next: Review'.
On the review page, you see the policies you have attached in IAM. In our illustration, you can see the new user has full access to Elastic Beanstalk and has to change their password after a successful login. Once you have checked that the policies are what they should be, click 'Create user'.
Success! But it's not over yet. In the green 'Success' box, save the AWS Management Console access URL. Click 'Download .csv' to download the Access key ID and Secret access key; these are used for programmatic access. The username and password are used to log in to the AWS Management Console via the URL copied above. Save these details somewhere safe.
Finally, click 'Send email' and enter either your own email address or that of the third-party vendor. We prefer to email the details to the vendor ourselves, which honestly reduces complications; alternatively, enter the vendor's address and the login details are sent to them directly.
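The same user creation, policy attachment and credential issuance that Steps 2 and 3 perform in the console can be done with the AWS SDK, which is handy when you provision vendor users regularly and want the steps to be repeatable and reviewable. The script below is an added example, not code from the original post or from AWS. It assumes boto3 is installed, that it is run under an administrator IAM user rather than the root credentials (as the post advises), and that the user name `vendor-beanstalk` and the dry-run account ID are placeholders for the scenario; the policy ARN is the AWSElasticBeanstalkFullAccess policy chosen in Step 3. Programmatic access here means an access key ID and secret, the same pair the post has you download as a CSV. The `--dry-run` flag substitutes a recorder for the real client so the call sequence can be checked without touching an account.

```python
"""Provision a vendor IAM user (console login + optional access key) with boto3.

Added example, not the post's own code. Live run requires boto3 and admin
credentials; `python provision_vendor.py --dry-run` records the calls instead.
"""
import secrets
import string
import sys

# The managed policy chosen in Step 3 of the post.
POLICY_ARN = "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"
SYMBOLS = "!@#$%^&*"


def random_password(length: int = 20) -> str:
    """Temporary password with upper, lower, digit and symbol characters."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class DryRunIAM:
    """Stand-in for a boto3 IAM client: records each call instead of making it."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_access_key":  # mimic the shape boto3 returns
                return {"AccessKey": {"AccessKeyId": "AKIA-DRYRUN-PLACEHOLDER",
                                      "SecretAccessKey": "dry-run-secret-placeholder"}}
            return {}
        return record


def provision_user(iam, account_id, user_name, policy_arn,
                   console=True, programmatic=False) -> dict:
    """Create the user, attach exactly one policy, issue the requested credentials.

    Mirrors the console flow: user -> attach existing policy directly ->
    console password that must be changed at first sign-in -> access key.
    """
    iam.create_user(UserName=user_name)
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    result = {"UserName": user_name, "PolicyArn": policy_arn}
    if console:
        password = random_password()
        # PasswordResetRequired is the "must change password at next sign-in" box.
        iam.create_login_profile(UserName=user_name, Password=password,
                                 PasswordResetRequired=True)
        # Account-ID sign-in URL, the "Management Console access URL" from the post.
        result["ConsoleURL"] = f"https://{account_id}.signin.aws.amazon.com/console"
        result["TemporaryPassword"] = password
    if programmatic:
        key = iam.create_access_key(UserName=user_name)["AccessKey"]
        result["AccessKeyId"] = key["AccessKeyId"]
        result["SecretAccessKey"] = key["SecretAccessKey"]
    return result


if __name__ == "__main__":
    if "--dry-run" in sys.argv:
        iam, account_id = DryRunIAM(), "123456789012"  # placeholder account id
    else:
        import boto3  # imported here so the dry run works without boto3 installed
        iam = boto3.client("iam")
        account_id = boto3.client("sts").get_caller_identity()["Account"]
    out = provision_user(iam, account_id, "vendor-beanstalk", POLICY_ARN,
                         console=True, programmatic=True)
    # Hand these to the vendor the way the post describes; the secret is shown once.
    for k, v in out.items():
        print(f"{k}: {v}")
    if isinstance(iam, DryRunIAM):
        print("dry-run calls:", [name for name, _ in iam.calls])
```

Keeping `programmatic=False` unless the vendor actually needs CLI or SDK access avoids issuing a long-lived key that then has to be rotated and revoked; the function only calls `create_access_key` when asked.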
Great job, and thank you for reading our easy way to use IAM to grant access in the AWS console.