Managing cloud access securely is critical in AWS environments. In this tutorial, we will walk you through the basics of AWS Identity and Access Management (IAM) and show you how to set up secure access for your AWS resources.
Prerequisites
Before you begin, ensure that you have:
- An active AWS account.
- AWS CLI installed and configured with admin credentials.
Step 1: Create an IAM User with AWS CLI
IAM users represent individual people or applications that interact with your AWS account.
# Create an IAM user with programmatic access
aws iam create-user --user-name MyNewUser
# Generate access keys for the new user
aws iam create-access-key --user-name MyNewUser
This creates an IAM user named `MyNewUser` and generates access keys for API or CLI access. **Store the access keys securely**.
---
## Step 2: Attach a Policy to the IAM User
IAM policies define permissions for the user. Let's attach the `AmazonS3ReadOnlyAccess` policy to allow the user to read data from Amazon S3.
bash
Attach a predefined policy to the user
aws iam attach-user-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--user-name MyNewUser
This command grants the user read-only access to all S3 buckets.
---
## Step 3: Create a Custom Policy
If predefined policies don't meet your needs, you can create a custom policy.
### Example Custom Policy: Restrict S3 Access to a Specific Bucket
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-secure-bucket/*"
}
]
}
Save the policy to a file (e.g., `s3-read-policy.json`) and apply it:
bash
Create a custom policy
aws iam create-policy \
--policy-name MyCustomS3Policy \
--policy-document file://s3-read-policy.json
Attach the custom policy to the user
aws iam attach-user-policy \
--policy-arn arn:aws:iam:::policy/MyCustomS3Policy \
--user-name MyNewUser
Replace `<account-id>` with your AWS account ID and `my-secure-bucket` with your bucket name.
---
## Step 4: Test the Permissions
To test the permissions of the new user, configure AWS CLI with the access keys and try accessing the S3 bucket:
bash
List objects in the allowed bucket
aws s3 ls s3://my-secure-bucket/
Attempt to access a restricted bucket (should fail)
aws s3 ls s3://restricted-bucket/
---
## Conclusion
In this tutorial, you learned how to:
1. Create an IAM user with AWS CLI.
2. Attach predefined and custom policies.
3. Test user permissions for secure access.
Properly managing IAM users and policies is essential for maintaining a secure AWS environment. Always follow the principle of least privilege and regularly review access permissions.
Feel free to ask questions or share your thoughts in the comments!
---
**Further Reading:**
- [AWS IAM Documentation](https://docs.aws.amazon.com/iam/)
- [AWS CLI Reference for IAM](https://docs.aws.amazon.com/cli/latest/reference/iam/)
Top comments (0)