Creating your first IAM delegated user and user group

 













Creating a Delegated IAM User & User Group (Console)

AWS Management Console can be used to create an IAM user group with delegated permissions followed by an IAM user for another person with the help of following steps:
  • First of all, you have to sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  • Select Policies present in the navigation pane on the left.
  • Now, Create Policy.
  • After that, the JSON tab and Import managed policy will be chosen.
  • In order to minimize the list of policies, you can type Power within the Import managed policies window, and then select the PowerUserAccess row.
  • Now, choose Import, that will show the policy in the JSON tab.
  • Choose Next: Tags and then Next: Review.
  • Next, you have to type - PoweruserExampleCorp for Name and Allows full access to all services except those for user management for Description, on the Review policy page, and then pick Create policy to save your work. 
  • After successfully completing the above steps, choose User group and then Create group in the navigation pane.
  • Type PowerUsers in the User group name box.
  • Now select PowerUserExampleCorp in the list of policies.
  • Select Create group.
  • Select Users and Add users from the navigation pane.
  • At this point, you have to type maxy.major@examplecorp.com for User name.
  • Select Add another user and for the second one type diego.ramirez@examplecorp.com .
  • Now choose AWS Management Console access and an Autogenerated password along with the checkbox of the User must create a new password at next sign-in.
  • Select Next: Permissions.
  • After that, don't try to add any permissions to the users on Set permissions page. as it can only be done after the confirmation of the user's changed password after signing-in.
  • Choose Next: Tags.
  • You can also add metadata to the user by attaching tags as key-value pairs. (optional)
  • If you want to look at the list of the user group memberships that can added to the new user, you have to choose Next: Review and then Create users in order to proceed further.
  • Now you can easily download or copy the passwords for your new user and send them securely along with a link o your IAM console page and their user names.
  • After the confirmation of the user's successful sign-in, you can select Users in the navigation pane (if needed) and then the user's names.
  • Now you can also Add permissions in the permission tab and after that select Add user to group as well as the PowerUsers.

Reducing User Group Permissions

The members of the PowerUser user group have complete access to all the service except those who offers user management actions like IAM and Organizations, hence, you can easily review the services accessed by your group members after passing a predetermined period of inactivity (like 90 days) and minimize the permissions of the PowerUserExampleCorp policy so that only the permissions required by your team can be remained. 

Review Last Access Information

After passing the predefined period of inactivity, you can easily review the last accessed information for user or user groups in following ways:
  1. Firstly, Sign-in to your AWS Management Console and open the IAM Console. 
  2. Now, you can choose User groups and then the PowerUser group name in the navigation pane.
  3. Select the Access Advisor tab on the user group summary page.
  4. After that, you can easily review the table shown and prepare a list of the services that your user group members have recently accessed.

Editing a Policy to Reduce Permissions

After reviewing the last accessed information, you can also edit your policy (so that only the required services can be accessed by the users) in following ways:
  1. Choose Policies and then the PowerUserExampleCorp policy name in the navigation pane.
  2. Choose Edit policy, and then JSON tab.
  3. Now you can edit the JSON policy to allow only the required services.
  4. You can also see your events in CloudTrail Event history in order to reduce your policies' permissions to particular actions and resources which also shows the detailed information about the particular actions and resources accessed by your user.





































































Comments

Popular posts from this blog

Deployment (Part 3)

Project Resourcing (Part 2)

Design Planning (Part 3)