IDENTITY AND ACCESS MANAGEMENT 

Root User

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.

  • The "root account" is simply the account created when you first set up your AWS account. It has complete admin access to your account.

AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead of using the root user, create an IAM user and allocate the appropriate permissions to that IAM user.

IAM

IAM stands for Identity and Access Management. IAM is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources and how they can use them.

IAM Features

  • You can provide shared access to your AWS account.
  • You can grant different permissions to different people for different resources.
  • IAM allows you to manage users and their level of access to the AWS console.
  • IAM is universal; it is a global service and is not tied to a region.
  • You can enable multi-factor authentication (MFA) for your AWS account.
  • IAM allows you to set up your own password rotation policy.
  • IAM integrates with many different AWS services.

Steps to Create an IAM user:

1. Log in with the root account credentials and find "IAM" under "Security, Identity & Compliance".
2. IAM users have to sign in using a dedicated sign-in link. Every AWS account gets a 12-digit account number, and that number is shown in the sign-in link. If you do not want to expose the account number, you can give the account an alias instead: select "Customize" next to the link.
  • The alias must be globally unique across all AWS accounts.

3. To create a new IAM user, select the "Users" option under IAM Resources and then select "Add User".

  • Provide a "user name" for the new IAM user. This username must be unique within your AWS account.
  • There are two access types:

Programmatic access

This enables access to your AWS account through the AWS API, CLI, SDKs and other development tools. If you select this access type you will get an access key ID and a secret access key.

AWS Management Console access

This enables the user to sign in to the AWS Management Console, i.e. through a web browser. You will get a username and password to log in.

  • If you select "AWS Management Console access" you have to set a password with either the "Autogenerated password" or the "Custom password" option.
  • Tick the "Require password reset" box if you want the IAM user to create a new password at their next sign-in.

4. By default, IAM users are created with NO permissions. If you want to grant a certain level of permission on any AWS resource, you have to attach a policy to the user.

  • You can attach one or more existing policies directly to the user, or create a new policy.
  • If an existing user already has the policies you need, you can select that user and copy the same permissions.
  • Or you can create a group, attach the policy to the group, and then add the IAM user to that group. Using groups eases administration.

5. To create a group, select the "Create a Group" option and you will get a pop-up to select the policy. You can filter the policies based on your requirement and select one.

Here are some key policies you have to remember:

Administrator Access

Provides full access to AWS services and resources, except billing and account management. An administrator can create and delete IAM users and groups.

Power User Access

Provides full access to AWS services and resources, but not to user and group management: a power user can launch any resource but has no permission to create a new user or group or to delete an existing user.

Read Only Access

Provides read-only access to all AWS services and resources.
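As an added example that is not part of the original page, the following Python models how IAM decides whether a requested action is allowed under these three policies. The policy documents are hand-written approximations of the AWS-managed ones (which are longer), and Resource ARNs and Conditions are ignored.

```python
"""Simplified IAM evaluation: default deny, explicit Deny wins, otherwise
allowed if any statement allows. The three documents below are constructed
approximations of AdministratorAccess, PowerUserAccess and ReadOnlyAccess,
not the exact AWS-managed policies."""
from fnmatch import fnmatchcase

# Constructed policy documents (approximations, see above).
ADMINISTRATOR_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}
POWER_USER_ACCESS = {"Statement": [
    # Everything except the identity-management namespaces.
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"],
     "Resource": "*"}]}
READ_ONLY_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": ["*:Describe*", "*:Get*", "*:List*"],
     "Resource": "*"}]}


def _matches(patterns, action):
    """IAM action names are case-insensitive and '*' is a wildcard."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    # NotAction: the statement covers every action that is NOT listed.
    return not _matches(stmt["NotAction"], action)


def is_allowed(policies, action):
    """Default deny; an explicit Deny beats every Allow; otherwise the
    action is allowed if any statement in any attached policy allows it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # A brand-new IAM user has no policy attached, so everything is denied.
    print(is_allowed([], "ec2:RunInstances"))                        # False
    print(is_allowed([POWER_USER_ACCESS], "ec2:RunInstances"))       # True
    print(is_allowed([POWER_USER_ACCESS], "iam:CreateUser"))         # False
    print(is_allowed([ADMINISTRATOR_ACCESS], "iam:CreateUser"))      # True
    print(is_allowed([READ_ONLY_ACCESS], "ec2:TerminateInstances"))  # False
```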

6. Review the screen and click the "Create User" option. The new IAM user is created, and you can send the credentials directly to the user using the "Send Email" option.

7. You can download the credentials.csv file; keep it in a secure location.

8. Using the IAM sign-in URL shown, the newly created IAM user can log in to the AWS console.

Set up your own password policy:

A password policy is a set of rules that define the type of password an IAM user can set. You can set the password complexity requirements to protect your AWS account from easily guessable passwords, and you can modify the password policy as your requirements change.
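The following Python, added here and not part of the original page, mirrors an account password policy locally so you can see which rule a candidate password breaks, and builds the AWS CLI command that applies the same settings account-wide. The threshold values (14 characters, 90-day maximum age, 24 remembered passwords) are assumptions chosen for illustration.

```python
"""Local mirror of an IAM account password policy (constructed values)
and the matching `aws iam update-account-password-policy` call."""
import string

# Constructed policy using the option names IAM exposes.
POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "AllowUsersToChangePassword": True,
}
# Non-alphanumeric characters the IAM password policy counts as symbols.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Each character-class rule with the set of characters that satisfies it.
_CLASS_RULES = (
    ("RequireUppercaseCharacters", set(string.ascii_uppercase)),
    ("RequireLowercaseCharacters", set(string.ascii_lowercase)),
    ("RequireNumbers", set(string.digits)),
    ("RequireSymbols", IAM_SYMBOLS),
)


def violations(password, policy=POLICY):
    """Return the names of the policy rules a candidate password breaks
    (an empty list means IAM would accept it under this policy)."""
    broken = []
    if len(password) < policy["MinimumPasswordLength"]:
        broken.append("MinimumPasswordLength")
    for rule, charset in _CLASS_RULES:
        if policy[rule] and not any(c in charset for c in password):
            broken.append(rule)
    return broken


def cli_command(policy=POLICY):
    """Build the aws-cli call that applies this policy to the account."""
    flags = {"RequireUppercaseCharacters": "--require-uppercase-characters",
             "RequireLowercaseCharacters": "--require-lowercase-characters",
             "RequireNumbers": "--require-numbers",
             "RequireSymbols": "--require-symbols",
             "AllowUsersToChangePassword": "--allow-users-to-change-password"}
    parts = ["aws iam update-account-password-policy",
             f"--minimum-password-length {policy['MinimumPasswordLength']}",
             f"--max-password-age {policy['MaxPasswordAge']}",
             f"--password-reuse-prevention {policy['PasswordReusePrevention']}"]
    parts += [flag for key, flag in flags.items() if policy[key]]
    return " ".join(parts)
```

Run `violations("password")` to see every rule a weak password fails, and print `cli_command()` to get the one-line CLI equivalent of the console's password policy screen.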

9. Once every item on the IAM dashboard shows a tick mark, you can consider yourself good to go with other services.

Create an IAM Group

Create a group for all IAM administrator users and assign the proper permissions to the new group. This lets you avoid assigning policies directly to a user later in these exercises.

  • Log in as the root user.
  • Create an IAM group called Administrators.
  • Attach the managed policy IAM Full Access to the Administrators group.

Create a Customized Sign-In Link and Password Policy

In this exercise, you will set up your account with some basic IAM safeguards. The password policy is a recommended security practice, and the sign-in link makes it easier for your users to log in to the AWS Management Console.

  • Customize a sign-in link, and write down the new link name in full.
  • Create a password policy for your account.

Create an IAM User

In this exercise, you will create an IAM user who can perform all administrative IAM functions. Then you will log in as that user so that you no longer need to use the root user login. Using the root user login only when explicitly required is a recommended security practice (along with adding MFA to your root user).

  • While logged in as the root user, create a new IAM user called Administrator.
  • Add your new user to the Administrators group.
  • On the Details page for the Administrator user, create a password.
  • Log out as the root user.
  • Use the customized sign-in link to sign in as Administrator.

Set Up MFA

In this exercise, you will add MFA to your IAM administrator. You will use a virtual MFA application on your phone. MFA is a security recommendation for powerful accounts such as IAM administrators.

  • Download the AWS Virtual MFA app to your phone.
  • Select the Administrator user, and manage the MFA device.
  • Go through the steps to activate a virtual MFA device.
  • Log off as Administrator.
  • Log in as Administrator, and enter the MFA value to complete the authentication process.
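As an added example (not from the original page), the following Python shows what the virtual MFA app computes: AWS virtual MFA devices use TOTP (RFC 6238), a six-digit HMAC-SHA1 code over a 30-second time step, and the activation screen asks for two consecutive codes so the console can confirm the seed was copied correctly. The seed used here is the RFC 6238 test secret, not a real one.

```python
"""TOTP as used by a virtual MFA device (RFC 6238 over RFC 4226 HOTP),
with the two-consecutive-code step the IAM console performs at activation
and the skew-tolerant check a verifier applies afterwards."""
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"  # RFC 6238 test vector secret, not a real seed
STEP = 30   # seconds per time step
DIGITS = 6  # AWS virtual MFA codes are six digits


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP):
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(unix_time) // step)


def two_consecutive_codes(secret, unix_time):
    """Codes for the current step and the next one, which is what the IAM
    console asks for when activating a virtual MFA device."""
    step = int(unix_time) // STEP
    return hotp(secret, step), hotp(secret, step + 1)


def verify(secret, code, unix_time, skew=1):
    """Verifier side: accept the code if it matches the current step or one
    step either side, tolerating a little phone clock drift."""
    step = int(unix_time) // STEP
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    now = time.time()
    first, second = two_consecutive_codes(SEED, now)
    print(first, second, verify(SEED, first, now))  # two codes, then True
```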

More information: https://www.fgrade.com/aws/