Configuring users and groups with IAM


Introduction to the AWS Command Line Interface

Although most AWS services can be managed through the console in Amazon's browser interface or via the APIs commonly used for programmatic access, there is a third way that, in many cases, can be very useful: the Command Line Interface (CLI). AWS has made software packages available for Linux, macOS, and Windows that allow you to manage the main AWS services from the command line of a local terminal session.

In this course, the Cloud Expert and Linux System Administrator David Clinton will tell you everything you need to know to get started with the AWS Command Line Interface and to use it proficiently in your daily operations. He will also provide many examples to clearly explain how command line connectivity really works.

Who should take this course

This is an intermediate course, so you should already know the basic AWS concepts, and in particular the services described in this tutorial. Some experience with the Linux command line is not strictly necessary, but still quite useful.

If you want to boost your knowledge of AWS, EC2, S3, and RDS, we strongly suggest you take our other AWS courses. Self-test questions are also available if you'd like to test and extend your knowledge.

If you have thoughts or suggestions for this course, please contact Cloud Academy at


Hi and welcome to Cloud Academy's video series on the AWS CLI, the Amazon Web Services Command Line Interface. In this video we're going to explore IAM, Identity and Access Management, a service Amazon provides that lets you manage users and user permissions under your AWS account. But we're going to explore IAM specifically through the CLI, the Command Line Interface. So first let's just see where we are and what we have: aws iam list-users.

The command starts with aws to tell our system that we're working in the AWS environment; iam tells AWS that we're going to be focusing on IAM; and list-users is a command that will, you guessed it, list users. There are currently four users associated with this account: Dan, Mark, Susan, and Tony. None of them really exist; they're just there for demonstration.

It is particularly convenient, though, to group your users into specific groups, because you may want to give a subset of your users certain permissions and privileges that others may not need or warrant. So we could also list groups: aws iam list-groups. There's currently only one group, called developers. It is populated by the users we consider to be developers, who need a certain profile of permissions on our system. But perhaps our company is growing and we're going to hire a couple of sysadmins who will need a higher level of access to system resources. Therefore let's create a new user: aws iam create-user --user-name Robert.

Robert now exists. Now let's create a new group: aws iam create-group, followed, as you could probably imagine, by two dashes and the argument we're going to give the program, --group-name, which is where we'll specify the group name: sysadmin. Spell it right.

The sysadmin group now exists. Let's add Robert to our new group: aws iam add-user-to-group. You can see how intuitive the commands are. Which group do we want to add him to? The --group-name will be sysadmin. And which user are we going to add to sysadmin? --user-name Robert. So let's confirm that Robert is now actually a member of this group with aws iam list-groups-for-user, which lists all the groups of which a particular user is a member; the --user-name will be Robert. Robert is a member of the sysadmin group, which is exactly where we placed him. There is one more detail which is critically important.

It's all very well to have groups and to have users who are members of those groups, but if there is no permissions policy associated with the group, then it's either wide open or shut tight, and the division into groups is useless.

We therefore have to create a policy which we'll associate with the group. So let's first create a policy document: nano sysadmindoc.json. The name and extension of this file are not particularly important; they're just descriptive. This is a document which will describe the sysadmin policy, and it happens to be in JSON format. We will paste into the document some JSON-formatted text. Its Action element is an asterisk in brackets, meaning any action at all; its Resource element is also an asterisk, meaning any resource at all, anywhere on this Amazon account; and its Effect is Allow, which is the effect these actions will have on these resources. This is as wide open a permission as is possible on the Amazon system. It is something that you should not apply to just anybody or just any group, because of course you're leaving yourself open to the whim and fancy of any user associated with it. However, some people, especially administrators, have to have these permissions. We'll hit Ctrl-X, then Y, to save the file. We now have a sysadmindoc.json file in the current directory. Now let's apply this policy to our group, starting with the long command aws iam put-group-policy.

There is a group policy we will now put to this group. Which group? --group-name sysadmin. Policy name? We'll just call it admin-policy (--policy-name admin-policy); that's just a descriptive name we give it to remind us what it was all about. And, all important, the policy document will be found in a file on our local system: --policy-document file://sysadmindoc.json.

Let's see if this works. It seems to have worked. Let's now test with aws iam list-group-policies, and which group? --group-name sysadmin. So we're going to list all the group policies associated with the group sysadmin, and there is a policy called admin-policy, which is what we called it. So it would seem that the wide-open permissions we assigned to the sysadmin group have now been successfully attached. If we want to remove a user from the group or remove a group completely, we have to do that in reverse order. First, we delete the policy with aws iam delete-group-policy --group-name sysadmin --policy-name admin-policy; that is, we'll delete the policy called admin-policy from the group sysadmin. Then we would remove the user, Robert, from the group.

aws iam remove-user-from-group will remove a user from the group. Which group? --group-name sysadmin. Which user? --user-name Robert. And finally we can run aws iam delete-group --group-name sysadmin, and that group no longer exists.
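The whole sequence from this video, with the teardown in reverse order, as an added shell example that is not from the course. It assumes a configured aws CLI and the names used above, and adds a small textual check that refuses to attach the Action "*" / Resource "*" document unless ALLOW_WIDE_OPEN=1 is set, so the wide-open grant is a deliberate decision rather than an accident.

```shell
#!/usr/bin/env bash
# Added example, not part of the course: the transcript's IAM workflow as shell
# functions, plus a coarse textual check that flags the wide-open Action "*" /
# Resource "*" document before it is attached. Assumes a configured aws CLI.
set -eu
GROUP_NAME=sysadmin
USER_NAME=Robert
POLICY_NAME=admin-policy
POLICY_FILE=sysadmindoc.json

# Write the same document the course pastes into nano.
write_policy_doc() {
  cat > "$1" <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
EOF
}

# Succeeds when the file allows Action "*" on Resource "*". Whitespace is
# stripped first; this is a grep over the text, not a policy parser.
policy_is_wide_open() {
  flat=$(tr -d ' \n\t' < "$1")
  printf '%s' "$flat" | grep -q '"Effect":"Allow"' &&
    printf '%s' "$flat" | grep -q '"Action":"\*"' &&
    printf '%s' "$flat" | grep -q '"Resource":"\*"'
}

# Create user, group, membership and inline policy in the transcript's order.
# The wide-open document is only attached when ALLOW_WIDE_OPEN=1 is set.
setup() {
  write_policy_doc "$POLICY_FILE"
  if policy_is_wide_open "$POLICY_FILE" && [ "${ALLOW_WIDE_OPEN:-0}" != 1 ]; then
    echo "refusing to attach Action * / Resource * policy (set ALLOW_WIDE_OPEN=1)" >&2
    return 1
  fi
  aws iam create-user --user-name "$USER_NAME"
  aws iam create-group --group-name "$GROUP_NAME"
  aws iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"
  aws iam put-group-policy --group-name "$GROUP_NAME" \
    --policy-name "$POLICY_NAME" --policy-document "file://$POLICY_FILE"
  aws iam list-groups-for-user --user-name "$USER_NAME"
}

# Tear down in reverse: inline policy, then membership, then the group itself.
teardown() {
  aws iam delete-group-policy --group-name "$GROUP_NAME" --policy-name "$POLICY_NAME"
  aws iam remove-user-from-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"
  aws iam delete-group --group-name "$GROUP_NAME"
}
case "${1:-}" in setup) setup ;; teardown) teardown ;; esac
```

Run it as `./iam-sysadmin.sh setup` or `./iam-sysadmin.sh teardown`; with no argument it only defines the functions, which is what lets the policy check be exercised offline.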

About the Author

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.