AWS

How to set up IAM on AWS account? (Complete Step by Step Guide)

Today, we are going to set up IAM on AWS, also known as “Identity and Access Management“. We require this when we do not want to share the “root credentials” of aws account to others or clients, instead we create users and groups and assign specific roles and permissions to them, which leads to a secure and restricted way to provide services.

First of all, we need to select the “IAM” service from the dashboard by searching it from the “AWS Management Console“.

Select IAM service from AWS dashboard
Select IAM service from AWS dashboard

After that, you are going to see something like shown in the picture below, we are going to “set up IAM on AWS” in a way that “Security Status” steps should all be showing “Green Ticks“, but right now we only have “Delete your root access keys” and following steps are going to get the “Green Ticks” on other as well.

Default look of IAM dashboard
Default look of IAM dashboard

Before going further, we need to set an “Easy to Remember” link name for the “IAM sign-in link“.

By default, it will be having something like shown in the picture below, where the number is shown as “515417528789” is the “AWS account number“.

Change the IAM user sign-in link in IAM dashboard on AWS
Change the IAM user sign-in link in IAM dashboard on AWS

So, we have to set up an “Alias” to this, choose a good name as we have chosen “practicetestingone“, as shown below.

Give an alias name to the IAM users sign-in link on aws
Give an alias name to the IAM users sign-in link on aws

Our “Account Alias” is changed from “Account Number” to “Account Alias“. This is our new sign-in link which are going to be used by our clients and users for sign-in.

The IAM users sign-in link has been changed
The IAM users sign-in link has been changed

Now, copy the link from the “Copy Icon” shown in the image below.

Copy the link from the copy icon
Copy the link from the copy icon

After that, paste the link in the browser URL tab.

Paste the copied IAM users sign-in link into the URL bar
Paste the copied IAM users sign-in link into the URL bar

Step 0: Current Status

Make all the things in the security status green on IAM aws
Make all the things in the security status green on IAM aws

We have already deleted our root keys, that is why it showing the “Green Tick“.

Question: Why we need to delete the “Root Access Keys“?

Answer: Because they provide unrestricted access to your AWS resources, and we do not want that.

Delete your root access keys on IAM aws
Delete your root access keys on IAM aws

Step 1: Activate MFA on your root account

Question: What is MFA on AWS?

Answer: It is known as “multi-factor authentication“, is nothing but a second way of authenticating your “AWS account login” using a device or via another medium.

Note: In our case, we are going to use an “Android” device to setup MFA for IAM on aws.

From the picture below, click on the “Manage MFA” for the set up.

Activate multi-factor authentication on IAM aws
Activate multi-factor authentication on IAM aws

Now, from the pop-up window, select the “Continue to Security Credentials” option.

Click on continue to security credentials on IAM aws
Click on continue to security credentials on IAM aws

Click on “Activate MFA

Click on Activate MFA
Click on Activate MFA

From the options below, select the “Virtual MFA device” option.

Out of 3 options availabel select Virtual MFA device
Out of 3 options availabel select Virtual MFA device

We have the following options available for the “type of application” on the “mobile device”.

Out of these, we are going to use the “Google Authenticator” application on android phone.

Options for virtual MFA aaplications on mobile devices
Options for virtual MFA aaplications on mobile devices

Go to “Play Store” on your android device and download/install the following.

Download google authenticator on android
Download google authenticator on android

You will be seeing a screen like this, after you open the application on your phone.

Click on “BEGIN“.

Start screen on google authenticator
Start screen on google authenticator

After installing the application on your android device.

Click on “show QR code” as shown in the screenshot below.

Set up a virtual MFA on IAM aws
Set up a virtual MFA on IAM aws

You will a QR code, one example is shown below, now scan this QR code the “Google Authenticator” application installed on your android device.

Scan bar code for MFA set up on IAM aws
Scan bar code for MFA set up on IAM aws

Click on the “scan a barcode” from the “google authenticator” application, and scan the QR code shown on the MFA set up screen.

Add an account on google authenticator
Add an account on google authenticator

After that, you will be seeing a code generated on your “Android Phone” inside the “Google Authenticator” application, like below.

Google authenticator first code
Google authenticator first code

After a few seconds of entering the first code in the “Google Authenticator” application, a new code will be generated on your “Android Phone“, as shown below.

Use this code and enter it in the place of second code.

Google authenticator second code
Google authenticator second code

After doing the things mentioned above, you will be seeing something like “You have successfully assigned virtual MFA” on our dashboard.

MFA is successfully setup on IAM aws
MFA is successfully setup on IAM aws

You MFA has bee set up for IAM on aws

Android device is registered as MFA device
Android device is registered as MFA device

“Security Status” has been updated

Security status is updated
Security status is updated

Step 2: Create individual IAM users

In order to control the permissions on “user level“, we need to create new “IAM users“.

So, we need to click on the “Manage Users“.

Click on manager users to create an IAM user
Click on manager users to create an IAM user

After that, you will be seeing a screen as shown below. Select the “Add user” icon from the screen.

Click on Add User
Click on Add User

A screen like below, is going to be prompted to you.

Set user details:

  • User name* = Practice-test-user
  • Access type* = “Programmatic access” and “AWS Management console access”
  • Console password* = “Autogenerated password” or “custom password”
  • Require password reset = “tick” or “leave blank”
Set user details for a IAM user on aws
Set user details for a IAM user on aws

Set as following on the screen shown below.

Note: We are giving this user “Practice-test-user” the “AdministratorAccess” policy.

Set permissions for an IAM user
Set permissions for an IAM user

Add some “tags” to your IAM set up.

Adding tags to IAM user
Adding tags to IAM user

Before going for the final step, crosscheck the information from the “Review” screen as shown below.

Review the IAM user settings on aws
Review the IAM user settings on aws

After doing the steps, you will see a screen with a “Success” message as shown below.

IAM user is successfully added
IAM user is successfully added

From the screenshot shown below, we can confirm that our user has been created successfully.

Verify the user creation from dashboard
Verify the user creation from dashboard

Step 3: Use groups to assign permissions

Question: What is the purpose of groups here?

Answer: We can understand this with an example, say if we have “user1“, “user2” and “user3” for “EC2 full Access” and “user4“, “user5” for “S3 Administrator Access“.

IAM groups diagram
IAM groups diagram
Use groups to assign permissions to IAM users
Use groups to assign permissions to IAM users

Click on “Create New Group” icon as shown in the picture below.

Create a new group for IAM users
Create a new group for IAM users

Now, “Set Group Name” and we have chosen “Admin-access-s3” as the name for our group.

Set group name for IAM users
Set group name for IAM users

Now, it is time to attach the “AmazonS3FullAccess” policy to “Admin-access-s3” group. Because we want to create this group and its users to have only “AmazonS3FullAccess“.

Attach a policy to IAM group
Attach a policy to IAM group

Again, before saving the changes, “Review” all the things.

Review group name for IAM users
Review group name for IAM users

From the screen below, we can confirm that the “Admin-access-s3” is created successfully.

IAM group with s3 full access policy has been created
IAM group with s3 full access policy has been created

“Security Status” has been updated

Security status is updated
Security status is updated

Step 4: Apply an IAM password policy

Question: What is IAM password policy?

Answer: It is nothing but providing a way for users to create strong passwords and rotate their passwords regularly.

As shown in the screenshot below, click on “Manage Password Policy“.

Apply an IAM password policy
Apply an IAM password policy

Specify the things in the screen as shown below, as per your requirements.

Create a password policy for IAM users
Create a password policy for IAM users

“Security Status” has been updated

All the things under the “Security Status” now have “Green Ticks“.

Security is completely set up and updated
Security is completely set up and updated

At last, From the IAM dashboard, we can see that it shows “Users: 1” and “Groups: 1” and “Roles: 2“.

IAM resources is also update now
IAM resources is also update now

Step 5: Login with the IAM user just created

Make sure that you have download the “credentials.csv” file at the end of “Step 2“.

Credentials File Downloaded
Credentials File Downloaded

Open the “credentials.csv” file and you will see something like shown in the picture below, copy the “user name” and “password” from the file.

Copy password from the crendentials file
Copy password from the crendentials file

After copying the file, go the custom “sign in URL link” we have created at the start of this post.

Note: The link will be different in your case, so use your URL and not ours.

After copying the “URL“, paste it into a brower’s URL tab and hit “Enter“.

Now you will be seeing something as shown below, simply provide your IAM user’s “username” and “password” and click on “sign in“. If your credential information is correct, you will be dropped down in your AWS console.

Login with the new user to AWS console
Login with the new user to AWS console

Conclusion

  • IAM provides “granular permissions” means one can specify a particular type of permissions for a particular user or a group.
  • It provides “shared access” to administer your AWS account with sharing your actual root’s password and keys.
  • One can set up an MFA type authentication for your AWS account.
  • Any many more features are being provided by “IAM aws“, they are going to update and added in the future.

More on AWS:

Comment here