
Title:

Introduction to AWS Identity and Access Management (IAM).

Objective:
- Exploring pre-created IAM Users and Groups
- Inspecting IAM policies as applied to the pre-created groups
- Following a real-world scenario, adding users to groups with specific capabilities enabled
- Locating and using the IAM sign-in URL
- Experimenting with the effects of policies on service access

Introduction:

AWS Identity and Access Management (IAM) is a web service that enables Amazon Web
Services (AWS) customers to manage users and user permissions in AWS.
AWS IAM can be used to:

- Manage IAM Users and their access: We can create Users and assign them individual
security credentials (access keys, passwords, and multi-factor authentication devices). We
can manage permissions to control which operations a User can perform.
- Manage IAM Roles and their permissions: An IAM Role is similar to a User, in that it
is an AWS identity with permission policies that determine what the identity can and cannot
do in AWS. However, instead of being uniquely associated with one person, a Role is
intended to be assumable by anyone who needs it.
- Manage federated users and their permissions: We can enable identity federation to
allow existing users in our enterprise to access the AWS Management Console, to call AWS
APIs and to access resources, without the need to create an IAM User for each identity.

Working Methodology:

1. Access the AWS Management Console: To access the AWS Management Console we
have to choose . When the panel shows the message "Lab status: ready" we have
to close the panel and choose . This will open the AWS Management Console in a new
browser tab.
2. Explore the Users and Groups: Now we can explore the Users and Groups that have
already been created for us in IAM. To do this we have to select "IAM" from the "Services"
menu. Three IAM users (user-1, user-2, and user-3) and three groups (EC2-Admin, EC2-
Support and S3-Support) have been created for us.
By clicking on a user or group name we can see its summary page.
From the "Permissions" tab of a group we can see the policy associated with it. Currently, no
user is associated with any group. We have to give access to the users depending on their job
function, as in the table below.

User    In Group     Permissions
user-1  S3-Support   Read-Only access to Amazon S3
user-2  EC2-Support  Read-Only access to Amazon EC2
user-3  EC2-Admin    View, Start and Stop Amazon EC2 instances

3. Add Users to Groups: We can now add users to groups according to the table above. Each
Group should now show 1 in the Users column, i.e. the number of Users in that Group.
4. Sign-In and Test Users: To test the users we have to sign in using the IAM sign-in link
from the Dashboard. To sign in we have to use the username and password as below:
For user-1, User name: user-1 & Password: Lab-Password1
For user-2, User name: user-2 & Password: Lab-Password2
For user-3, User name: user-3 & Password: Lab-Password3
User-1: Since this user is part of the S3-Support Group in IAM, it has permission to view the
list of Amazon S3 buckets and their contents, but it does not have write access.
User-2: Since this user is part of the EC2-Support Group in IAM, it has permission to view an
Amazon EC2 instance. If we try to stop the instance "LabHost" we will receive an error
message. This demonstrates that the policy only allows us to view information, not to make
changes.
User-3: Since this user is part of the EC2-Admin Group in IAM, it has permission to stop the
Amazon EC2 instance. We can now stop and also restart the instance.
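The step 4 results follow from how IAM evaluates policies: a request is implicitly denied unless some attached policy allows the action, and an explicit Deny always wins. The script below is an added example, not part of the lab; the three policy documents and the evaluator are constructed, simplified stand-ins for the real group policies (which are not reproduced on this page), with Resource taken to be "*" throughout.

```python
import fnmatch

# Constructed, simplified policy documents standing in for the lab's pre-created
# group policies (assumption: the real lab attaches fuller AWS-managed policies).
GROUP_POLICIES = {
    "S3-Support": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "EC2-Support": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
    "EC2-Admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]}]},
}

# Group membership as set up in step 3 of the lab.
USER_GROUPS = {"user-1": ["S3-Support"], "user-2": ["EC2-Support"], "user-3": ["EC2-Admin"]}


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' is the wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(user, action):
    """Simplified IAM evaluation for identity-based policies on Resource '*':
    an explicit Deny always wins, any matching Allow grants, and with no match
    the request is implicitly denied (which is why user-2 cannot stop LabHost)."""
    allowed = False
    for group in USER_GROUPS.get(user, []):
        for stmt in GROUP_POLICIES[group]["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(_action_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def lab_test_matrix():
    """Replays the checks from step 4 and returns {'user action': allowed?}."""
    checks = [("user-1", "s3:ListAllMyBuckets"), ("user-1", "s3:PutObject"),
              ("user-2", "ec2:DescribeInstances"), ("user-2", "ec2:StopInstances"),
              ("user-3", "ec2:StopInstances"), ("user-3", "ec2:StartInstances")]
    return {f"{u} {a}": is_allowed(u, a) for u, a in checks}


if __name__ == "__main__":
    for check, ok in lab_test_matrix().items():
        print(f"{check:32} {'allowed' if ok else 'denied'}")
```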

Discussion:

AWS Identity and Access Management (IAM) is a web service that lets us securely control
access to AWS resources for users. In this lab, we have added users to groups with specific
capabilities enabled, following a real-world scenario. We have been introduced to the effects
of policies on service access. During sign-in of the users, we faced problems related to the
region. We solved this by changing the region. We also faced a problem during user sign-in,
which we solved by using incognito mode. We can now design access permissions for
Amazon Web Services with a number of users and groups according to a business scenario. With
the help of IAM we can share access to the AWS account, grant granular permissions, secure
access to AWS resources for applications running on Amazon EC2, manage how credentials
work, use credentials for assurance, and rely on eventual consistency.
