Creating your first IAM delegated user and user group

By Ashwin Venugopal -

 













Creating a Delegated IAM User & User Group (Console)

AWS Management Console can be used to create an IAM user group with delegated permissions followed by an IAM user for another person with the help of following steps:
  • First of all, you have to sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  • Select Policies present in the navigation pane on the left.
  • Now, Create Policy.
  • After that, the JSON tab and Import managed policy will be chosen.
  • In order to minimize the list of policies, you can type Power within the Import managed policies window, and then select the PowerUserAccess row.
  • Now, choose Import, that will show the policy in the JSON tab.
  • Choose Next: Tags and then Next: Review.
  • Next, you have to type - PoweruserExampleCorp for Name and Allows full access to all services except those for user management for Description, on the Review policy page, and then pick Create policy to save your work. 
  • After successfully completing the above steps, choose User group and then Create group in the navigation pane.
  • Type PowerUsers in the User group name box.
  • Now select PowerUserExampleCorp in the list of policies.
  • Select Create group.
  • Select Users and Add users from the navigation pane.
  • At this point, you have to type maxy.major@examplecorp.com for User name.
  • Select Add another user and for the second one type diego.ramirez@examplecorp.com .
  • Now choose AWS Management Console access and an Autogenerated password along with the checkbox of the User must create a new password at next sign-in.
  • Select Next: Permissions.
  • After that, don't try to add any permissions to the users on Set permissions page. as it can only be done after the confirmation of the user's changed password after signing-in.
  • Choose Next: Tags.
  • You can also add metadata to the user by attaching tags as key-value pairs. (optional)
  • If you want to look at the list of the user group memberships that can added to the new user, you have to choose Next: Review and then Create users in order to proceed further.
  • Now you can easily download or copy the passwords for your new user and send them securely along with a link o your IAM console page and their user names.
  • After the confirmation of the user's successful sign-in, you can select Users in the navigation pane (if needed) and then the user's names.
  • Now you can also Add permissions in the permission tab and after that select Add user to group as well as the PowerUsers.

Reducing User Group Permissions

The members of the PowerUser user group have complete access to all the service except those who offers user management actions like IAM and Organizations, hence, you can easily review the services accessed by your group members after passing a predetermined period of inactivity (like 90 days) and minimize the permissions of the PowerUserExampleCorp policy so that only the permissions required by your team can be remained. 

Review Last Access Information

After passing the predefined period of inactivity, you can easily review the last accessed information for user or user groups in following ways:
  1. Firstly, Sign-in to your AWS Management Console and open the IAM Console. 
  2. Now, you can choose User groups and then the PowerUser group name in the navigation pane.
  3. Select the Access Advisor tab on the user group summary page.
  4. After that, you can easily review the table shown and prepare a list of the services that your user group members have recently accessed.

Editing a Policy to Reduce Permissions

After reviewing the last accessed information, you can also edit your policy (so that only the required services can be accessed by the users) in following ways:
  1. Choose Policies and then the PowerUserExampleCorp policy name in the navigation pane.
  2. Choose Edit policy, and then JSON tab.
  3. Now you can edit the JSON policy to allow only the required services.
  4. You can also see your events in CloudTrail Event history in order to reduce your policies' permissions to particular actions and resources which also shows the detailed information about the particular actions and resources accessed by your user.





































































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more