Setting up a Group and Users in Identity and Access Management in AWS and Best Practices

It is important to consider that managing a server online comes in a few security risks that is quite too common like “who can access the server?”. Restriction is the most basic form of security online the ability to allow access to certain individual. AWS is no exception to these kinds of risks. Manageability is one aspects of AWS, so it comes with a handy way of managing Identity and access. With AWS’ IAM or Identity and Access Management Console it is a great way to manage these aspects like users, groups, roles, policies. In this article we will discover how to create a Group and adding a new User to Group.

Creating a Groups

First things first is creating a IAM Group, in this article we will create a default Administrator Group.

  1. Go to IAM Dashboard by navigating to “Services” dropdown then navigate to “Security, Identity & Compliance” > IAM.
  2. Click on the Groups on the left sidebar, this will forward you to the main page, where you can see the lists of group that active, then click Next Step button on the lower right corner.
  3. Set a Group Name it is important to designate a distinct name for these group, which is this case we will name it as “Administrator”. Click Next Step.
  4. In this page you will be ask about the Policy Type of this particular Group, for now we can set it as Administrator Access so select the checkbox. Take not that you can attach up to 10 more policies into a Group. After clicking Next Step then you should be forwarded into a Review Page.
  5. Click Create Group.

Creating Users

Once we had the Group created we can assign a user to it.

  1. On the IAM Console Dashboard, navigate to Users on the left sidebar, and on the Users Main page, click Add user.
  2. On the Add User page, there are 2 panels, Set User details and Select AWS access type. Provide a appropriate name under User name. For the Access Type it is clearly stated on AWS:
  3. Programmatic Access - A user that can do API calls, use AWS CLI or tools for Windows Powershell.
  4. AWS Management Console Access - A user that can access AWS management Console. For now we will give them all the access since this is the main Administrator user that we will give access to everything, so let us check both checkboxes.
  5. Now lets select the Group Administrator we created earlier to this newly added user.
  6. Once you added this user you can now download the users credentials to be used as a access to the server. And also a link to the sign-in page.

Best Practices

Amazon provides a lists of topics to cover the best practices to consider when managing Identity and Access, you can follow a more details lists and information here. It is targeted to certain types of usage that may involve multiple users to a particular set of activities or access on the AWS Services. In this article however I will narrow it down to what I found is the most important that would work when you are starting your minimal requirement server.

  1. Secure your AWS Account Root User Access Keys - I think it’s a no brainer to keep these root keys safe and secure, be mindful that these keys should not be used to do a programmatic request to AWS, for a reason that this key can access restricted information on your AWS Account such as Billing Information. 
  2. Create Individual IAM Users - It is always a bad decision to share your root user access keys, as explained in first point. So it a good practice to create different user for a specific type of access to AWS. By doing this you have control on these individual and you can keep track of their activity on the server.
  3. Use Groups to Assign Permission to IAM Users - To add another layer of security and manageability, creating Groups offers a different approach when dealing with Permissions. Assigning a User to a Group will give it a bit of scope and ease.
  4. Configure a Strong Password Policy for your Users - It goes without saying that having a secure password is the first line of defense, this is the most common mistake in the internet. Advice to users to rotate their password periodically. AWS provide an easy way to implement such policies in creates these types of password.
  5. Use Roles for Applications That Run on Amazon EC2 Instances - As your business Applications becomes more and more complicated, there is a growing demand to add a secure identity so it would access different types of services in AWS. Using IAM Roles is the best solution. Role is a type of entity with its own credential, completely different from IAM Users/Groups.
  6. Delegate by Using Roles Instead of Sharing Credentials - Since Roles is not of User/Group type credential, you are prevented to share Keys when using a Roles to access AWS service this will keep a minimal and controlled access given to a particular user.
  7. Rotate Credentials Regularly - This may not be very friendly in some case, but this is always been true in practice. That it is always safe to regularly change the credentials.
  8. Monitor Activity of your AWS Account - As an administrator, this is a responsibility that you are going to take, given that AWS already provided so much to manage these transactions.

What now?

Having these level of control on your server is crucial, given the nature of business that it will always evolve overtime. Introducing an access control will give a sense of managed risks, based on accountability of a certain personnel.

Social Links