Posts

Showing posts from December, 2022

Managing Access Keys for IAM Users

Resetting Lost or Forgotten Passwords or Access Keys for AWS. Lost or forgotten passwords and access keys cannot be retrieved from IAM (a secret access key is shown only once, when it is created), but they can be replaced by the following methods: AWS account root user password: the root user password can be reset from the AWS Management Console. AWS account access keys: new root user access keys can be created without disabling the existing ones, and old keys can be deleted once nothing uses them (AWS recommends not having root user access keys at all). IAM user password: ask your administrator to reset your IAM password if you have forgotten it. IAM user access keys: if you have permission, you can create your own access keys when you lose them; the instructions are given under Managing access keys (console). If you do not have that permission, ask your administrator to create new keys, and not to delete the old ones while they are still in use. Resetting a Lost or Forgotten Root User Password. If you forget your root user password, you can reset it fr

Rotating Access Keys

Rotating IAM User Access Keys (Console). Access keys can be rotated from the AWS Management Console. To rotate access keys for an IAM user without interrupting your applications (console): create a second access key while the first one is still active, so that the user temporarily has two active access keys (two is the per-user limit). Update all applications and tools to use the new access key. Check whether the first access key is still in use by looking at the Last used column for the older key. Once it has not been used recently, choose Make inactive to deactivate the first access key rather than deleting it outright. Confirm that your applications work with only the new access key; if they do not, choose Make active to re-enable the first key, then go back to the step where you update the applications to use the new key. You can safely delete the first access key after waiting a sufficient period to
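
The rotation procedure above, written out as a state machine so the ordering is explicit: a second key is created only when the first is due for rotation, the old key is deactivated only after the new key has been seen in use and the old one has gone idle, and deletion happens only after a further idle period. This is an added example, not code from the original post. FakeIAM is a constructed in-memory stand-in for boto3's IAM client (same method names, parameters and response shapes for the five calls used); the rotation interval and the two grace periods are assumed values, not AWS defaults, and NOW and the sample key are constructed.

```python
"""Safe IAM access-key rotation as a state machine (added example)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 12, 15, tzinfo=timezone.utc)      # constructed "current time"
MAX_KEYS_PER_USER = 2                                  # IAM limit: two access keys per user
ROTATE_AFTER = timedelta(days=90)                      # assumed rotation interval
UNUSED_BEFORE_DEACTIVATE = timedelta(days=7)           # assumed grace period
UNUSED_BEFORE_DELETE = timedelta(days=30)              # assumed grace period


def days_ago(n, now=NOW):
    return now - timedelta(days=n)


class FakeIAM:
    """Constructed stand-in for boto3.client("iam"); only the calls used below."""

    def __init__(self, keys):
        self.keys = keys   # AccessKeyId -> {UserName, Status, CreateDate, LastUsedDate}
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": kid, "Status": k["Status"],
             "CreateDate": k["CreateDate"]}
            for kid, k in self.keys.items() if k["UserName"] == UserName]}

    def get_access_key_last_used(self, AccessKeyId):
        k = self.keys[AccessKeyId]
        used = {"ServiceName": "s3", "Region": "us-east-1"}
        if k["LastUsedDate"] is not None:   # real API omits LastUsedDate for never-used keys
            used["LastUsedDate"] = k["LastUsedDate"]
        return {"UserName": k["UserName"], "AccessKeyLastUsed": used}

    def create_access_key(self, UserName):
        if len(self.list_access_keys(UserName)["AccessKeyMetadata"]) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: AccessKeysPerUser")
        self._n += 1
        kid = "AKIAFAKE%012d" % self._n
        self.keys[kid] = {"UserName": UserName, "Status": "Active",
                          "CreateDate": NOW, "LastUsedDate": None}
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": "(shown once)"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def last_used(iam, key_id):
    """LastUsedDate of a key, or None if IAM has never seen it used."""
    return iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"].get("LastUsedDate")


def rotate(iam, user, now):
    """Advance one rotation step for `user`; returns (action, key_id)."""
    keys = sorted(iam.list_access_keys(UserName=user)["AccessKeyMetadata"],
                  key=lambda k: k["CreateDate"])
    if len(keys) == 1:
        only = keys[0]
        if now - only["CreateDate"] < ROTATE_AFTER:
            return ("ok", only["AccessKeyId"])            # nothing due yet
        new = iam.create_access_key(UserName=user)["AccessKey"]
        # SecretAccessKey is returned only here; hand it to the application now.
        return ("created", new["AccessKeyId"])

    old, new = keys[0], keys[-1]
    old_id, new_id = old["AccessKeyId"], new["AccessKeyId"]
    old_used = last_used(iam, old_id)
    old_idle = old_used is None or now - old_used >= UNUSED_BEFORE_DEACTIVATE

    if old["Status"] == "Active":
        # Deactivate, never delete, first: require evidence the new key is in use
        # and that the old key has gone idle, or callers still holding the old key fail.
        if last_used(iam, new_id) is None or not old_idle:
            return ("wait", old_id)
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
        return ("deactivated", old_id)

    # Old key already inactive. IAM does not record when a key was deactivated,
    # so the delete decision keys off the last use IAM observed.
    if old_used is not None and now - old_used < UNUSED_BEFORE_DELETE:
        return ("wait", old_id)
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    return ("deleted", old_id)


def demo():
    """Walk one constructed user through a full rotation; returns the action sequence."""
    iam = FakeIAM({"AKIAFAKEOLD000000000": {"UserName": "alice", "Status": "Active",
                                             "CreateDate": days_ago(120), "LastUsedDate": days_ago(1)}})
    steps = [rotate(iam, "alice", NOW)]                            # created
    steps.append(rotate(iam, "alice", NOW))                        # wait: new key never used
    iam.keys[steps[0][1]]["LastUsedDate"] = days_ago(-2)           # application switched over
    steps.append(rotate(iam, "alice", days_ago(-2)))               # wait: old key used 3 days ago
    steps.append(rotate(iam, "alice", days_ago(-10)))              # deactivated
    steps.append(rotate(iam, "alice", days_ago(-20)))              # wait: idle < 30 days
    steps.append(rotate(iam, "alice", days_ago(-40)))              # deleted
    steps.append(rotate(iam, "alice", days_ago(-40)))              # ok: one fresh key
    return [s[0] for s in steps]


if __name__ == "__main__":
    print(demo())
```

Run it periodically (one call per user per run) rather than as a single blocking script; each call is idempotent and only moves a user one step when the evidence supports it.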

Managing Access Keys for IAM Users

Managing Access Keys (Console). An IAM user's access keys can be managed via the AWS Management Console. To create, modify, or delete your own IAM user access keys (console): sign in to the IAM console with your AWS account ID or account alias, your IAM user name, and your password. In the navigation bar on the upper right, choose your user name and then My Security Credentials. Expand the Access keys (access key ID and secret access key) section. You can then perform any of the following tasks: choose Create New Access Key to create an access key, and Show Access Key to view the secret so that you can copy it and store it somewhere secure (it cannot be retrieved again later). To disable an active access key, choose Make Inactive. To re-enable an inactive access key, choose Make Active. To delete an access key, choose Delete. To create, modify, or delete another IAM user's access keys (console): first, sign in to the AWS Management Console and open the IAM console at https://console.aws

Permitting IAM Users to Change their Own Passwords

To Allow All IAM Users to Change Their Own Passwords. First, sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Choose Account Settings in the navigation pane. If your account uses the default password policy, select Change Password policy in the Password policy section; if you use a custom password policy, choose Change instead. Select Allow users to change their own password and then Save changes. This grants every user in the account the iam:ChangePassword action on their own user only, plus the iam:GetAccountPasswordPolicy action. Then give the users instructions for changing their passwords. To Allow Selected IAM Users to Change Their Own Passwords. First, sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Choose Account Settings in the navigation pane. Do not select Change Password policy in the Password policy section, as it will a
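
What "only their own user" means in policy terms, for both the self-service password permission described above and the self-managed access keys mentioned in the Resetting Lost or Forgotten Passwords post: the resource is scoped with the ${aws:username} policy variable rather than "*". This is an added example, not code from the original post. ALLOW_CHANGE_OWN_PASSWORD and ALLOW_MANAGE_OWN_ACCESS_KEYS are the standard IAM identity-policy patterns for this; TOO_BROAD is a constructed counter-example; is_allowed() is a deliberately small evaluator written for this example (Allow statements, * and ? wildcards and ${aws:username} only; no Deny, Condition, permission boundaries or the rest of the real IAM evaluation logic); the account ID and user names are made up.

```python
"""Self-service IAM permissions, evaluated offline (added example)."""
import fnmatch
import json

ALLOW_CHANGE_OWN_PASSWORD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
    ],
}

ALLOW_MANAGE_OWN_ACCESS_KEYS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys",
                   "iam:UpdateAccessKey", "iam:GetAccessKeyLastUsed"],
        "Resource": "arn:aws:iam::*:user/${aws:username}",
    }],
}

# Constructed anti-pattern: the same action on Resource "*" lets a user reset
# anyone's password, which is not what "change their own password" means.
TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, username, action, resource):
    """True if some Allow statement covers (action, resource) for `username`.

    Action names are matched case-insensitively, as IAM does; resource ARNs
    are matched case-sensitively after ${aws:username} is replaced with the
    caller's user name. ${aws:username} is only defined for IAM users, so the
    own-user statements grant nothing to a role session.
    """
    for policy in policies:
        for statement in policy["Statement"]:
            if statement.get("Effect") != "Allow":
                continue
            if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                       for pat in _as_list(statement["Action"])):
                continue
            for pat in _as_list(statement["Resource"]):
                pat = pat.replace("${aws:username}", username)
                if fnmatch.fnmatchcase(resource, pat):
                    return True
    return False


def user_arn(account_id, username):
    return f"arn:aws:iam::{account_id}:user/{username}"


def policy_document(policy):
    """Compact JSON for `aws iam put-user-policy --policy-document`."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    me, other = user_arn("123456789012", "alice"), user_arn("123456789012", "bob")
    own = [ALLOW_CHANGE_OWN_PASSWORD, ALLOW_MANAGE_OWN_ACCESS_KEYS]
    print(is_allowed(own, "alice", "iam:ChangePassword", me))           # True
    print(is_allowed(own, "alice", "iam:ChangePassword", other))        # False
    print(is_allowed([TOO_BROAD], "alice", "iam:ChangePassword", other))  # True
    print(policy_document(ALLOW_CHANGE_OWN_PASSWORD))
```

The evaluator is there to make the scoping visible, not to replace the IAM policy simulator; use the simulator (or `aws iam simulate-principal-policy`) before attaching anything to real users.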

Managing Passwords for IAM Users (Part 2)

To read part 1, please click here. Creating, Changing, or Deleting an IAM User Password (AWS CLI). The AWS CLI can be used to manage the passwords of your IAM users. To Create a Password (AWS CLI): first, run this command to find out whether a user already has a password: aws iam get-login-profile (optional). Then, to create a password, run: aws iam create-login-profile. To Change a User's Password (AWS CLI): run this command to find out whether a user has a password: aws iam get-login-profile (optional). Then, to change the password, run: aws iam update-login-profile. To Delete (Disable) a User's Password (AWS CLI): run this command to find out whether a user has a password: aws iam get-login-profile (optional). This command shows when the password was last used: aws iam get-user (optional). Then, to delete the password, run: aws iam delete-login-profile. Note: The user's access to the AWS Management Cons

Managing Passwords for IAM Users (Part 1)

To read part 2, please click here. Creating, Changing, or Deleting an IAM User Password (Console). The AWS Management Console can be used to manage the passwords of your IAM users. To Add a Password for an IAM User (Console): first, sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Choose Users in the navigation pane. Select the name of the user whose password you want to create. Select the Security Credentials tab, and then choose Manage next to Console password under Sign-in credentials. For Set Password, choose either to have IAM generate a password or to create a custom password. Choose Require Password Reset if you want the user to set a new password at their next sign-in, and then choose Apply. If a password was generated, select Show in the New Password dialog box to view the password so that you can share it with the user. To Change the Password for an IAM User (Console): sign in to the AWS Management Console and open the IAM console at https:

Setting an Account Password Policy for IAM Users (part 2)

To read part 1, please click here. Setting a Password Policy (Console). The AWS Management Console can be used to create, change, or delete a custom password policy. To create a custom password policy (console): sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Select Account Settings in the navigation pane. Choose Change Password Policy in the Password Policy section. Select the options that you want to apply to your password policy, and then choose Save Changes. To change a custom password policy (console): sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Select Account Settings in the navigation pane. Choose Change in the Password Policy section. Select the options that you want to apply, and then choose Save Changes. To delete a password policy (console): sign in to the AWS Management Console and open the IAM conso

Setting an Account Password Policy for IAM Users (part 1)

To read part 2, please click here. Rules for Setting a Password Policy. Most password policy settings are enforced the next time users change their passwords, but some are enforced immediately. For example: when the minimum length or character type requirements change, users are not required to change their existing passwords, even if those passwords do not meet the updated policy. When a password expiration period is set, it takes effect immediately: if you set a 90-day expiration, every IAM user whose password is older than 90 days has that password expired and must change it the next time they sign in. Permissions Required to Set a Password Policy. The following password policy actions can be included in an IAM policy: iam:GetAccountPasswordPolicy: lets the entity view the password policy for its account. iam:DeleteAccountPasswordPolicy: lets the entity delete the custom password policy for its account and revert to the default password po
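
The two enforcement rules above, made concrete: complexity settings are checked only when a password is set, while MaxPasswordAge is evaluated against the password's age at sign-in, so an existing weak password is not forced to change but an old one is. This is an added example, not code from the original post. The POLICY keys use the field names of the PasswordPolicy object returned by `aws iam get-account-password-policy`, and update_policy_command() renders the flags of `aws iam update-account-password-policy`; SYMBOLS is assumed to be the non-alphanumeric set the IAM console lists for user passwords (check the console text if exactness matters); NOW, the sample policy values and the sample passwords are constructed. The account password policy does not apply to the root user.

```python
"""Account password policy: checked at next change vs. enforced immediately (added example)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 12, 15, tzinfo=timezone.utc)   # constructed "current time"
SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")                # assumed: IAM console's symbol list

# Shape of the PasswordPolicy object from get-account-password-policy; values are sample settings.
POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,            # days; 0 or absent means passwords never expire
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def days_before(now, n):
    return now - timedelta(days=n)


def violations(password, policy):
    """Rules applied when a password is set or changed; never retroactively."""
    problems = []
    if len(password) < policy.get("MinimumPasswordLength", 8):
        problems.append("too short")
    if policy.get("RequireSymbols") and not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if policy.get("RequireNumbers") and not any(c.isdigit() for c in password):
        problems.append("no number")
    if policy.get("RequireUppercaseCharacters") and not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if policy.get("RequireLowercaseCharacters") and not any(c.islower() for c in password):
        problems.append("no lowercase")
    return problems


def is_expired(policy, password_last_changed, now):
    """Expiration applies immediately once MaxPasswordAge is set: a password
    older than the limit must be changed at the next sign-in, regardless of
    whether it would pass violations() today."""
    max_age = policy.get("MaxPasswordAge") or 0
    if max_age == 0:
        return False
    return now - password_last_changed > timedelta(days=max_age)


def update_policy_command(policy):
    """Render the policy as an `aws iam update-account-password-policy` argv."""
    flags = {
        "MinimumPasswordLength": "--minimum-password-length",
        "RequireSymbols": "--require-symbols",
        "RequireNumbers": "--require-numbers",
        "RequireUppercaseCharacters": "--require-uppercase-characters",
        "RequireLowercaseCharacters": "--require-lowercase-characters",
        "AllowUsersToChangePassword": "--allow-users-to-change-password",
        "MaxPasswordAge": "--max-password-age",
        "PasswordReusePrevention": "--password-reuse-prevention",
        "HardExpiry": "--hard-expiry",
    }
    argv = ["aws", "iam", "update-account-password-policy"]
    for key, flag in flags.items():
        value = policy.get(key)
        if value is None:
            continue
        if isinstance(value, bool):                 # bool before int: bool is an int subclass
            argv.append(flag if value else "--no-" + flag[2:])
        else:
            argv += [flag, str(value)]
    return argv


if __name__ == "__main__":
    print(violations("correct horse battery", POLICY))
    print(is_expired(POLICY, days_before(NOW, 91), NOW))
    print(" ".join(update_policy_command(POLICY)))
```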

Managing user Passwords in AWS

Changing the AWS Account Root User Password. To do this, you must be signed in as the AWS account root user, not as an IAM user, and perform the following steps: use your AWS account email address and password to sign in to the AWS Management Console as the root user. Choose your account name or number and then My Security Credentials in the upper right corner of the console. Expand the Password section and choose the Click here link to change the password. Finally, pick a strong password. You can also set an account password policy for IAM users, but it does not apply to your AWS account root user. The root user password must satisfy these conditions: it must be between 8 and 128 characters long. It must include characters from at least three of these four groups: uppercase letters, lowercase letters, numbers, and the symbols ! @ # $ % ^ & * ( ) < > { } [ ] | _ + - =. It must not be the same as your AWS a

Changing Permissions for an IAM User (part 2)

To read part 1, please click here. Changing Permissions for a User (Console). The following methods achieve this. Editing a permissions policy attached to a user: first, sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Select Users in the navigation pane. Select the name of the user whose permissions policy you want to modify. Choose the Permissions tab and, if necessary, expand the Permissions policies section. Choose the name of the policy you want to edit to see its details, and then the Used as tab to see the other entities that the change would affect. Choose the Permissions tab to review the permissions granted by the policy, and then Edit policy. Edit the policy on the Visual editor tab or the JSON tab and resolve any policy validation recommendations. Finally, choose Review policy to review the policy summary, and the

Changing permissions for an IAM user (part 1)

To read part 2, please click here. View User Access. Before changing a user's permissions, review the user's recent service-level activity, so that you do not remove access from a principal (person or application) that is still using it. Generate a Policy Based on a User's Access Activity. An IAM policy can be generated from an entity's access activity to refine the permissions you grant. IAM Access Analyzer reviews your AWS CloudTrail logs and produces a policy template containing the permissions the entity used in the date range you specify; you can use the template to create a managed policy with fine-grained permissions and attach it to an IAM entity. This lets you grant only the permissions that the user or role needs for a particular use case. Adding Permissions to a User (Console). The following ways add permission policies to a user, but, if the user already has a

Managing IAM Users (part 2)

To read part 1, please click here. Deleting an IAM User. If a user leaves, you can delete the IAM user from your AWS account; if the user is away only temporarily, you can instead deactivate the user's access. Deleting an IAM User (Console). When you delete a user this way, IAM automatically deletes the following: the user; any user group memberships (the user is removed from every IAM user group it belongs to); any password associated with the user; any access keys belonging to the user; all inline policies embedded in the user (policies applied through user group permissions are unaffected); and any associated MFA devices. To Delete an IAM User (Console): first, sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. In the navigation pane, choose Users, and then select the name of the user you want to delete. Choose Delete at the top of the page. Then enter the user name in the text input fi

Managing IAM Users (part 1)

To read part 2, please click here. View User Access. Review a user's recent service-level activity before changing anything, because a change might remove access from a principal (person or application) that is still using it. Listing IAM Users. You can list the IAM users in your AWS account or in a specific IAM user group, and list all the user groups that a user belongs to, as described below. To list all the users in the account: the AWS Management Console shows the users in your account when you choose Users in the navigation pane. AWS CLI: aws iam list-users. AWS API: ListUsers. To list the users in a specific group: in the AWS Management Console, choose User groups in the navigation pane, then the group name, and then the Users tab. AWS CLI: aws iam get-group. AWS API: GetGroup. To list all the user groups that a user is in: in the AWS Management Console, choose Users in the navigation pane, then the user name, and then the Groups tab. AWS CLI: aws iam list-g

Using MFA devices with your IAM sign-in page

Signing In with Multiple MFA Devices Enabled. In this case the user needs only one of the MFA devices to sign in: after the password is verified, the user selects the type of MFA device to use, and is then prompted to authenticate with that device. Signing In with a FIDO Security Key. If MFA is required, the user taps the FIDO security key on the second sign-in page. Google Chrome users do not need to choose among the available options; they simply tap the security key. If a FIDO security key is broken or lost, an administrator can deactivate it. Signing In with a Virtual MFA Device. If MFA is required, the user enters the numeric code produced by the MFA application in the MFA code box on the second sign-in page. Because a virtual MFA device can go out of sync, the user may be prompted to resynchronize it if they c

Creating an IAM user in your AWS account (part 2)

To read part 1, please click here. Creating IAM Users (AWS CLI). To do this: first, create the user (aws iam create-user). Give the user access to the AWS Management Console, together with the URL of your account's sign-in page and a password (aws iam create-login-profile) (optional). Give the user programmatic access with access keys (aws iam create-access-key) (optional). Add the user to one or more groups whose attached policies grant the appropriate permissions (aws iam add-user-to-group). Alternatively, attach a policy to the user that specifies the user's permissions (aws iam attach-user-policy) (optional). Custom attributes can be added to the user by attaching tags (aws iam tag-user) (optional). The user can be given permission to manage their own security credentials (optional). Creating IAM Users (AWS API). Follow the steps below: create the user (CreateUser). Give the user access to the AWS Management Console, together with the U

Creating an IAM user in your AWS account (part 1)

To read part 2, please click here. Creating IAM Users (Console). To create one or more IAM users (console): sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. In the navigation pane, choose Users and then Add users. Type the user name for the new user (this is the sign-in name for AWS); you can add up to 10 users at a time by choosing Add another user for each additional user. Then pick the type of access for this set of users: Programmatic access gives the users access to the API, AWS CLI, or Tools for Windows PowerShell by creating an access key for each of them, which can be viewed or downloaded on the final page. AWS Management Console access gives the users access to the AWS Management Console by creating a password for each user. Choose Next: Permissions. The Set permissions page then lets you specify permissions for the n