AWS provides very powerful constructs for managing permissions across resources. Granular permissions can be assigned to users and groups, with the ability to create accounts for console access and API access. Additionally, specific roles can be created and assigned to resources, which provides the flexibility to manage permissions at the resource level.
Estimated time to complete: 10 minutes
Cost: No cost is associated with this lab
Perform the following from the IAM console.
- Create a new group with a descriptive name, such as "labgroup"
- Attach full access policies for the following services:
  - VPC
  - EC2
  - Elastic File System
  - RDS
Perform the following from the IAM console.
- Add a new user
- Specify a desired user name
  - This user should only be used for this series of labs, so use something descriptive like "labuser"
- Specify the Access Type as "AWS Management Console access"
- Use a custom password of your choice
- Uncheck the setting for "Require password reset"
- Assign the user to the group created in Step 1
- Navigate to the IAM users sign-in link
  - This can be found on the front page of the IAM console
- Ensure that you can log in as your newly created IAM user
- Perform subsequent lab activities using this user
Document the information below about your environment. This documentation will be useful during later labs.
Be sure to keep the created username and password private.

| Username | Password | Group |
|---|---|---|
| labuser | | labgroup |

| Group Name | Policies |
|---|---|
| labgroup | |
None of the resources provisioned during this lab will incur any costs. The teardown process is nonetheless provided below.
- Delete the user that was created in the IAM console
- Delete the group that was created in the IAM console
- What is the difference between programmatic access and AWS management console access? When would each type of access be appropriate?
- Review the Policies page on the IAM console. What data format are policies written in?
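As an added example (not part of the lab itself), the following Python script shows the check worth running while filling in the "Group Name | Policies" table above and answering the last review question: IAM policy documents are JSON, and each "full access" policy the lab attaches grants `<service>:*`. The embedded policy documents are constructed, simplified stand-ins rather than the real AWS managed policies, and the policy names are an assumption about which managed policies the lab intends.

```python
import json

# Constructed, simplified documents standing in for the four full-access policies
# the lab attaches to "labgroup". They are NOT the real AWS managed policies (those
# are longer); only the shape of the Action field matters here. VPC actions live in
# the "ec2" namespace, so that policy names individual actions instead of "ec2:*".
LAB_POLICIES = {
    "AmazonVPCFullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateVpc", "ec2:DeleteVpc", "ec2:CreateSubnet"]}]},
    "AmazonEC2FullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    # IAM permits a single Statement object in place of a list
    "AmazonElasticFileSystemFullAccess": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"}},
    "AmazonRDSFullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["rds:*", "cloudwatch:GetMetricStatistics"]}]},
}

def full_access_services(policy_json):
    """Return the services a policy grants unrestricted ("<service>:*" or "*") access to.
    Deny statements are ignored, so the result is an upper bound on what is allowed.
    """
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    services = set()
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):  # Action may likewise be a string or a list
            actions = [actions]
        for action in actions:
            if action == "*":
                services.add("*")
            elif action.endswith(":*"):
                services.add(action.split(":", 1)[0])
    return services

def group_inventory(group_name, policies):
    """Fill the lab's 'Group Name | Policies' row and list services with full access."""
    full_access = set()
    for body in policies.values():
        full_access |= full_access_services(json.dumps(body))
    return {"group": group_name, "policies": sorted(policies),
            "full_access": sorted(full_access)}
```

Run against a real account, the same function can be fed the output of `aws iam get-policy-version` for each policy attached to the group, which is how the "Policies" column is verified rather than copied from memory.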