Managing IAM Users

This section of the AWS Certified Solutions Architect - Professional learning path introduces the key identity management, security, and encryption services within AWS relevant to the AWS Certified Solutions Architect - Professional exam. Core to security is AWS Identity & Access Management, commonly referred to as IAM. This service manages the identities that can access your AWS resources and their permissions, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.


Learning Objectives

  • Learn about identity and access management on AWS, including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF), including what it is, when to use it, how it works, and why use it
  • Understand how to configure and monitor AWS WAF
  • Learn about AWS Firewall Manager and its components
  • Learn how to configure AWS Shield
  • Learn the fundamentals of AWS Cognito

Once you have created IAM users, you can view their details to configure additional security options or review permissions and change access. In this lecture, I want to cover these additional features. This will be easiest to explain via a demonstration, and I can explain each point as we go through, so let's take a look. So in this demonstration, I just want to select a user and show you some of the different elements of that user that you can change once it has been created, so let's take a look.

So I'm in the Identity and Access Management Dashboard at the moment and you can see I'm in the Users section. So let's take a look at this user, Patricia. So if I select the user, we can have a look at some of the options that we can see about this user and some of the things that we can change, et cetera. So this is a summary screen of the user. We have the user's ARN at the top here, and we can also see the creation time of that user. And then we have a number of different tabs.

So let's start with the Permissions tab. We can see that this user is getting permissions from two policies at the moment here, the Amazon S3 Full Access policy, and also the Amazon RDS Full Access. And if we wanted to, we can just take a quick look at these. We can have a look at the policy summary, or we can take a look at the JSON as well. So that's the policy in JSON format. And then if we look at the policy summary, we can see here that this allows full access to S3 and S3 Object Lambda. Here we can set her permissions boundary. Currently there's not one set, but if we wanted to, we can set one to control the maximum permissions that this user can have. And also there's a feature here to generate a policy based on CloudTrail events.

So what this will do is generate a policy by looking at the user's activity. Based on what the user has been accessing, it can generate a policy covering the services this user has actually been using. Also at the top here, we can add an inline policy for this user. So if we did that, then that would be a policy that is embedded within the user object itself. So it's not taken from a role, it's not taken from a group. The policy is attached within the user.
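To make the relationship between managed policies, an inline policy and a permissions boundary concrete, here is an added worked example (it is not part of the lecture and not AWS's own policy evaluator). It uses a deliberately simplified evaluator: the policy documents are constructed, trimmed stand-ins for the Amazon S3 Full Access and Amazon RDS Full Access policies named above, the inline deny and the S3-only boundary are made up for the illustration, and conditions, NotAction and resource-based policies are ignored. The point it shows is that the boundary never grants anything; it only caps what the identity policies already allow.

```python
"""Simplified IAM permission evaluation for a single user.

Added illustration, not AWS's evaluator. The policy documents are constructed
stand-ins for the policies discussed in the lecture, not copies of them.
"""
import fnmatch

# Constructed stand-ins for the two managed policies attached to the user.
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "s3-object-lambda:*"],
                   "Resource": "*"}],
}
AMAZON_RDS_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["rds:*", "ec2:Describe*", "iam:ListRoles"],
                   "Resource": "*"}],
}
# A hypothetical inline policy embedded in the user object itself.
INLINE_DENY_DELETE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket",
                   "Resource": "*"}],
}
# A hypothetical permissions boundary: the most this user may ever do.
BOUNDARY_S3_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """Wildcard match of one action/resource pair against a statement.
    Actions are case-insensitive; NotAction, NotResource and Condition
    are out of scope for this illustration."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def _decision(policies, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows,
    otherwise 'ImplicitDeny' (the IAM default)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None):
    """Effective permission: the identity policies (managed + inline) must
    allow the call, AND, if a boundary is set, the boundary must allow it too."""
    if _decision(identity_policies, action, resource) != "Allow":
        return False
    if boundary is not None and _decision([boundary], action, resource) != "Allow":
        return False
    return True


if __name__ == "__main__":
    attached = [AMAZON_S3_FULL_ACCESS, AMAZON_RDS_FULL_ACCESS,
                INLINE_DENY_DELETE_BUCKET]
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/key"),
                     ("s3:DeleteBucket", "arn:aws:s3:::example-bucket"),
                     ("rds:DescribeDBInstances", "*"),
                     ("ec2:DescribeInstances", "*"),
                     ("ec2:RunInstances", "*")]:
        print(f"{act:28} no boundary: {is_allowed(act, res, attached)!s:5} "
              f"S3-only boundary: {is_allowed(act, res, attached, BOUNDARY_S3_ONLY)}")
```

Running it shows the three outcomes the console summary hides: `rds:*` and `ec2:Describe*` are allowed by the attached policies but disappear once the S3-only boundary is applied, `s3:DeleteBucket` stays denied everywhere because the inline explicit deny wins over the managed allow, and `ec2:RunInstances` is never allowed because nothing grants it.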

Okay, if we take a look at the Groups tab, we can just see a quick breakdown of any groups that the user belongs to, and the policies that are attached to them, which we covered just a moment ago in the summary. The Tags tab is what you'd expect. If there are any tags here for the user, then they would be listed, or if you wanted to add any tags, then you can do so here. So for example, we can add a key of location and say, UK, Save Changes. And then we can see this tag for this user. Under Security credentials, we can see the console sign-in link that this user can use and we can manage the user's password. And if we want to change the password, we can simply click on Manage, and we can either disable the console access or generate a new password, or ask the user to create a new password at the next sign-in. We also have here the assigned MFA device, for multi-factor authentication.

At the moment, it's not assigned, but we can go ahead and set up MFA for this user. So let's go ahead and do that quickly. So if we click on Manage, we have a couple of options here: virtual MFA device, U2F security key, or another hardware MFA device. For this, I'm just going to use a virtual MFA device and I'll use the Google Authenticator app on my phone to do this. If I click on Continue, first of all, you need to make sure you have an app on your mobile phone or your computer. Like I say, I'm going to use the Google Authenticator app on my phone.

So what I need to do is to show the QR code, and now on my phone, I'm going to add this as a new entry in my Google Authenticator app, so I'm going to click on Scan QR code. And then we can see at the bottom that it has added the user, Patricia. And then we add in that code, so 074720. And then what we need to do is to add the second code that comes in when it appears on the Google Authenticator app. So we're just waiting for that to come around and then I can add in the second code and then it'll be synchronized and configured. So, we can see it's about to change, and now I can add in the next code 185887, and then I click on Assign MFA. And that's it, so you have successfully assigned a virtual MFA device to that user. Click on Close, and there we can see here that there's an assigned MFA device. We can see that this user also had programmatic access because there are access keys that have been generated.
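The two-code step above is worth understanding rather than just clicking through, so here is an added example (not part of the lecture and not AWS's implementation) of what a virtual MFA device and the enrolling side are doing. A virtual MFA device is a TOTP generator (RFC 6238 on top of RFC 4226 HOTP): the QR code carries a base32 secret, and each 30-second window produces a six-digit code. Asking for two consecutive codes lets the enrolling side confirm both that the device holds the right secret and that its clock is in step with the server's, which one code alone cannot prove. The secret below is the published RFC 6238 test key, and the server clock values are constructed for the illustration.

```python
"""Virtual MFA (TOTP) enrollment with two consecutive codes.

Added illustration of RFC 4226 / RFC 6238, not AWS's code. The secret is the
RFC 6238 test key in the base32 form a QR code carries; times are constructed.
"""
import base64
import hashlib
import hmac
import struct

# base32("12345678901234567890"), the RFC 6238 reference secret.
QR_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Time-based code: the HOTP counter is the number of 30 s steps elapsed."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_enrollment(secret_b32: str, code1: str, code2: str,
                      server_time: int, drift_steps: int = 2) -> bool:
    """Accept a new device only if code1 and code2 come from two consecutive
    time steps within a small window around the server's clock.
    A reused code, two codes in the wrong order, or a device whose clock is
    far off all fail here. Comparisons are constant-time."""
    secret = base64.b32decode(secret_b32)
    now_step = server_time // STEP_SECONDS
    for step in range(now_step - drift_steps, now_step + drift_steps + 1):
        if (hmac.compare_digest(hotp(secret, step), code1)
                and hmac.compare_digest(hotp(secret, step + 1), code2)):
            return True
    return False


if __name__ == "__main__":
    secret = base64.b32decode(QR_SECRET_B32)
    # What the authenticator app shows during two consecutive windows.
    first, second = totp(secret, 30), totp(secret, 60)
    print("codes shown by the app:", first, second)
    print("enrolment accepted:", verify_enrollment(QR_SECRET_B32, first, second, 61))
    print("same code twice:", verify_enrollment(QR_SECRET_B32, first, first, 61))
    print("codes reversed:", verify_enrollment(QR_SECRET_B32, second, first, 61))
```

The codes for the reference secret at 30 s and 60 s are the RFC 4226 HOTP test values for counters 1 and 2, which is a convenient way to check that an implementation is right before trusting it.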

Now, if we wanted to, we can make this access key ID inactive. So if we wanted to do that, simply click on Make inactive. And it'll explain that once you've done this, you can't then use these keys to perform any programmatic access. Click on Deactivate. And you can see here, the status is now inactive. So any access keys that were used before for this user will no longer be allowed to make any kind of requests. If we wanted to generate new access keys, simply click on Create access key. And again, you'll have a new access key ID and a new secret access key. And if you wanted to, you can download the CSV file, so you don't forget those keys. Click on Close.

Now, if we go back up to the top to Access Advisor, I just wanted to show you this quickly. So what this does is basically show you which services this user can access based on their current permissions, and also the last time that these services were accessed. So if you scroll down here, we can see that this user has access to a whole range of different services. And it'll show you which policies are actually granting these permissions.

So this access to EC2 and IAM is being granted through the RDS Full Access policy, and access to S3 is being granted through the Amazon S3 Full Access. So this is great to review to identify if there are any users there that do have access to services that they probably shouldn't have. So you can then modify the policies accordingly just to make sure that the users are only accessing what they are supposed to access. So that was a very quick demonstration of some of the key points that you can change within a user's properties once you have created an IAM user.
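The Access Advisor review just described is easy to automate once you have the two inputs it combines: the services the attached policies grant, and the last time each service was used. The following is an added example (not part of the lecture, and not using the IAM API) that does that join over constructed data shaped like the console's last-accessed view. The policy contents are trimmed stand-ins for the two managed policies named above, the timestamps are made up, and the 90-day threshold is an assumption you would set to your own review cadence. It generalises the one user in the lecture to any set of policies: every granted service that has never been used, or not used recently, is reported along with the policy that grants it, which is exactly the list you would take to the policy owner.

```python
"""Access-Advisor-style review: granted services the user is not using.

Added illustration. The policy contents and last-accessed records below are
constructed, shaped like IAM's Access Advisor data, not taken from a real account.
"""
from datetime import datetime, timedelta, timezone

# Constructed, trimmed stand-ins for the policies attached to the user
# (policy name -> actions it allows).
USER_POLICIES = {
    "AmazonS3FullAccess": ["s3:*", "s3-object-lambda:*"],
    "AmazonRDSFullAccess": ["rds:*", "ec2:Describe*", "iam:ListRoles"],
}

# Constructed last-accessed records: service namespace -> last use (None = never).
REVIEW_TIME = datetime(2023, 6, 1, tzinfo=timezone.utc)
LAST_ACCESSED = {
    "s3": REVIEW_TIME - timedelta(days=3),
    "rds": REVIEW_TIME - timedelta(days=200),
    "ec2": None,
    "iam": None,
    "s3-object-lambda": None,
}


def granted_services(policies):
    """Map each service namespace (the part before ':') to the set of
    policy names that grant at least one action in it."""
    out = {}
    for name, actions in policies.items():
        for action in actions:
            namespace = action.split(":", 1)[0].lower()
            out.setdefault(namespace, set()).add(name)
    return out


def unused_services(policies, last_accessed, now, max_age_days=90):
    """Return [(service, sorted granting policies, days since last use or None)]
    for every granted service that was never used or not used within
    max_age_days. These are the candidates for tightening the policies."""
    findings = []
    for namespace, names in sorted(granted_services(policies).items()):
        last = last_accessed.get(namespace)
        if last is None:
            findings.append((namespace, sorted(names), None))
        else:
            age = (now - last).days
            if age > max_age_days:
                findings.append((namespace, sorted(names), age))
    return findings


if __name__ == "__main__":
    for service, policies, age in unused_services(USER_POLICIES, LAST_ACCESSED,
                                                  REVIEW_TIME):
        when = "never used" if age is None else f"last used {age} days ago"
        print(f"{service:18} {when:22} granted by {', '.join(policies)}")
```

For the constructed data this reports EC2, IAM and S3 Object Lambda as never used and RDS as unused for 200 days, all granted through the two full-access policies, while S3 (used three days ago) is left alone. In a real review the `LAST_ACCESSED` dictionary would be filled from the same last-accessed data the console shows.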

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.