Managing Access with IAM User Groups & Roles
This course explores some of the security best practices when using user groups and roles and how these can help you secure access to your resources more effectively. It also includes guided demos from the AWS platform to give you a practical understanding of the topics covered throughout the course.
- Learn how to manage multiple users with IAM User Groups
- Get a foundational understanding of IAM roles
- Understand how to use AWS service roles to access AWS resources on your behalf
- Learn how to use IAM user roles to grant temporary access for users
- Understand how to use roles for federated access
- AWS administrator
- Security engineer
- Security architect
- Anyone who's looking to increase their knowledge of the IAM service in preparation for an AWS certification
To get the most out of this course, you should already have a basic understanding of AWS IAM and what the service is used for, as well as knowledge of policy types such as managed, customer, and in-line. It would also be advantageous if you had some basic hands-on experience of AWS and some of its core services, but it is not essential.
In this lecture, I want to talk about how IAM User Groups can be used to manage multiple users. IAM User Groups do not signify a single user and they can't be referenced as a principal in any AWS access policy like a User or a Role can. However, they are used to authorize access for members of the group to AWS resources through the use of AWS Policies attached to the User Groups. So User Groups are objects that contain IAM Users, and these User Groups will have IAM policies associated that will allow or explicitly deny access to AWS resources.
These policies can be AWS Managed policies that can be selected from within IAM, customer-managed policies that are created by you, or in-line policies, which are written and embedded directly into the group. User Groups are a great user management feature and they are normally created to directly relate to a specific requirement or job role. For example, you could have a group called Developers, and then attach policies to that group that allow access to AWS resources required by your development team.
Any users that are then a member of that group will automatically inherit the permissions applied to the group. By applying permissions to a group instead of individual users, it makes it easy to modify permissions for multiple users at once, simplifying access management at scale. It's a security best practice to apply permissions to User Groups and then associate users to that group than to associate policies to individual Users. This prevents you having to update permissions for each and every user.
For example, if you needed to change access for all the individual developers that had policies assigned to them directly, and this can be very time intensive and prone to human error, especially in an enterprise environment. If using groups and additional access is required for your Developer User Group, all you would need to do is to modify the permissions of the Developer Group and all your associated developers would inherit the new access.
Creating a group is very simple and is essentially a three-step process. You must give your group a meaningful name, add users to the group, attach permissions via the policies. Once you have created a user group, you can then review its configuration, edit the permissions and see other details such as the ARN of the user group. Let me show you via a quick demonstration on how to create an IAM group and then how to modify the permissions of the group once it's been created.
Okay, so I've logged into my AWS Management Console and I've gone to the IAM dashboard. Now, from here, to access and create groups, under access management on the left, you can see user groups. So if you select that, and then will show you any groups that you currently have. And I only have one group, which is Admin. So to create a new group, you've gotta cross to the right-hand side here, click on create group. And the first thing you need to do is to give the group a name. So I'm going to call this MyS3andEC2Group. And then after that, you need to select the users that you want to be a part of the group.
So if you already have the IAM users there, you can add them at this stage. So let's just go ahead and add in Stuart. And then at the bottom, you can then attach any policies that you want to be associated with the group. So if I type in S3, and it'll pick up any policies that we have associated with S3. And I'm going to select this one here, this AmazonS3andEC2FullAccess policy. And if I click on the little plus sign here, it'll give you a JSON view of the actual policy itself. So you can see exactly what's happening.
So now I've selected that policy. If we just go down to create group at the bottom, and it's as simple as that. So it's very easy to create a group. You simple give it a name, specify the users if you need to at that stage and also add any permissions if you want to at that stage as well.
Now, once we've created our group, if we select it, we can see the user list here. Now, if you need to add any additional users, simply click on add users, select the users that you'd like and click on add users. And then they'll be immediately added to the group. You can also look at the permissions. So here's the policy that we added. Now, we can if we want to, add additional permissions by clicking on this button here. And you can either attach an existing policy or create an inline policy that's directly embedded into the group.
So for example, if we go to attach policies, and we want RDS access as well for the people in this group, have a quick search and we'll select this AWS managed policy for RDSFullAccess. Click on add permissions. And we can now see that this group has two permissions policies. And again, we can view the JSON details of those policies if we want to. And then we have the Amazon RDS policy here. So it's very easy to set up groups and only literally takes just a few clicks.
So that's how you create a new group, add users and also change the permissions as well. And also, just before we finish, if you want to delete the group, you can click on delete here. And we just need to type in the name of the group to confirm the deletion. So I'll just go ahead and do that. Then click on delete. And that deletes the group. Finally, from a limitation perspective, your AWS account has a default maximum limit of 300 groups. To increase this you'll need to contact AWS using the appropriate limit increase forms. Also, a user can only be associated with 10 groups, so bear this in mind when assigning permissions and each group can contain 10 different policies attached at once. Limitations on AWS services is fluctuating all of the time, so for the latest information on Group limitations, please see the following URL here.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.