
AWS - IAM (Identity and Access Management)

Create users and Groups

Access to users

Programmatic:- If a user connects to AWS using a program or the AWS CLI, you need to provide programmatic access. It involves confidential information such as:

  • Secret key
  • AccessKey
  • Username
  • Password

Console:- If a user connects to AWS using the console, you need to provide a user ID and an initial password so the user can sign in to the AWS console.

Step 1: Select IAM service

Step 2: Click on Users Link on the left panel

Step 3: Add users by providing user name(s); you can create a maximum of 10 users at a time using IAM.

Step 4: Select Access Type: Check both Programmatic Access and Console Access

Step 5: Console password:- select the option Autogenerated Password.

Step 6: Select Require password reset.

Step 7: Click on Next Button

Step 8: Create a group here by clicking on Create Group (you can also create the group before user creation).

        Group name: DevGrp

        Attach a policy: AmazonEC2FullAccess

        Click on the Create Group button.

Step 9: Click on the Next: Add Tags button.

        You can add a maximum of 50 tags.

        Name: devusers

        Click on the Next button.

Step 10: Review and Click on Create Users button.

Step 11: Download the user details as a CSV file; you can share this information with the respective users.

Experiment

  • You can try it yourself: connect to the AWS Console using the "Console Login Link" and check that you only have access to EC2 services.
  • Add S3 full access permission to the group DevGrp and check again that the users have S3 access as well.
  • Delete the user and the group.
  • Create a user (with programmatic and console access) without assigning it to a group and check whether you are able to assign permissions directly to that user.
  • Add a user to multiple groups, give the first group EC2FullAccess and the second group (SecGroup) S3 full access, log in with console access, and check whether the user has both S3 and EC2 full access.
  • Delete a group and check whether the users also get deleted or not.

How to access AWS services using AWS CLI

To access AWS services using the AWS CLI, the user must first have an access key and a secret key, i.e. programmatic access.

Step 1: Install AWS CLI on your host system.

Step 2: Verify whether the AWS CLI is installed by running the aws --version command.

Step 3: Configure the AWS CLI on your system using the aws configure command; it will ask for the access key, secret key, and region.

Step 4: If the user has S3 full access, run the command below to check that you can list the S3 buckets with the AWS CLI.

     aws s3 ls

How to access AWS services using Console

Step 1: A user ID, password, and console link are shared with you; use the console link to sign in to the AWS Console.

Step 2: If the user has only EC2 access, check whether you are able to create EC2 instances.

Step 3: Verify that you don't have access to any other service such as S3, RDS, etc.

MFA (Multi-Factor Authentication)

  1. First install the Google Authenticator app on your mobile from the Google Play Store.
  2. Select the user for whom you want to enable MFA.
  3. Select the Security credentials tab.
  4. Select Assigned MFA device and click on Manage.
  5. Select Virtual MFA device and click on Continue.
  6. Then click on Show QR code.
  7. Scan this QR code with the Google Authenticator app.
  8. Type 2 consecutive MFA codes from the app.
  9. Then assign the MFA device.
  10. Sign out and sign in to the console as that user.
  11. After entering the correct credentials it will ask you to enter the MFA code to complete the sign-in.
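The codes typed in step 8 are time-based one-time passwords (RFC 6238) derived from the seed in the QR code and the current 30-second time step. The following is an added example, not code from the original page, that generates them the way a virtual MFA app does and shows why two consecutive codes are requested at enrolment: they prove the seed was scanned correctly and the phone clock is in sync. The seed and timestamps are the RFC 4226/6238 test values; the base32 sample secret and the skew window are assumptions, not AWS's actual values.

```python
"""TOTP (RFC 6238) as generated by virtual MFA apps such as Google Authenticator.
Added example; the seed and timestamps used are RFC 4226/6238 test values."""
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (Google Authenticator default)
DIGITS = 6   # code length shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def consecutive_codes(secret: bytes, unix_time: int) -> tuple:
    """The two codes the app shows one after the other (this step, next step)."""
    t = unix_time // STEP
    return hotp(secret, t), hotp(secret, t + 1)


def verify_enrolment(secret_b32: str, code1: str, code2: str, unix_time: int,
                     skew_steps: int = 1) -> bool:
    """Enrolment check: the two codes must match adjacent time steps close to
    the server clock. Two codes prove the seed was scanned correctly and the
    phone clock is in sync; skew_steps is an assumption, not AWS's value."""
    secret = base64.b32decode(secret_b32, casefold=True)
    now = unix_time // STEP
    for t in range(now - skew_steps, now + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, t), code1) and \
           hmac.compare_digest(hotp(secret, t + 1), code2):
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 4226 test secret
    print(totp(seed, 59, digits=8))       # 94287082 (RFC 6238 vector)
    print(consecutive_codes(seed, 59))    # ('287082', '359152')
```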

Roles:

An IAM role is an identity you can create that has specific permissions with credentials that are valid for short durations. Roles can be assumed by entities that you trust.

Step 1: Create an EC2 instance.

Step 2: Connect to the above EC2 instance and make sure the AWS CLI is already available on this machine.

Step 3: Go to the IAM service, select Roles, and click on the Create Role button.

Step 4: Select the trusted entity as AWS service and the use case as EC2, then click on the Next button.

Step 5: Add permissions to the role: attach the AmazonS3FullAccess policy and click on Next.

Step 6: Provide the role name and click on the Create Role button.

Step 7: Go to EC2 instances and select the EC2 instance you created in Step 1.

Step 8: Go to Actions -> Security -> Modify IAM role, choose the role you created in step 6, and click on Save.

Step 9: Connect to the EC2 instance and run the command

          aws s3 ls

You will be able to see all the buckets even though you did not configure any profile (access key and secret key) on this system; this is because the instance role supplies the short-lived credentials.
