AWS IAM Users & Groups

AWS Identity and Access Management (IAM) is a service that enables you to manage users, groups, roles, and permissions securely in AWS. It controls who can access AWS resources and what action they can perform.

Key Features of AWS IAM

• Granular Access Control:

Allows precise control over who can do what in AWS.

• Supports Users, Groups, and Roles:

Organizes access management efficiently.

• Policy-Based Permissions:
  Users JSON-based Policies to define access.

• Multi-Factor Authentication (MFA):
  Enhances security by requiring an extra authentication Step.

• Federated Access:
  Allows users from Active Directory, Google, or SAMl to sign in.

• AWS Organizations Integration:
  Manages IAM across multiple AWS Accounts.

IAM User

An IAM user represents a person or an application that needs access to AWS. Each user has credentials and is assigned permissions to perform specific actions on AWS resources.

• Unique Identity:
  Each user gets a unique name within an AWS Account.

• Access credentials:

Can have password for console login and access keys for CLI/API Access.

• Custom Permissions:
  Users only get access to services as defined in their policies.

• MFA Support:
  Multi-Factor Authentication (MFA) can be enabled for additional security.

• Part of IAM Groups:
  Users can be grouped to manage permissions more easily.

How IAM Users Works

An IAM user can authenticate in two ways:

• AWS Management Console Access: Requires a Username and Password.

•  Programmatic Access (CLI/API/SDK): Requires Access Key ID and Secret Access Keys.

Creating an IAM User

Method 1: Using AWS Console

Step1: Add a New User

• Open the AWS Management Console.

• Go to IAM → Click Users.

• Click Add Users.

• ENter User Name (e.g: Vanith)

• Select Access Type:

1. AWS Management Console Access (password Required).

2. Programmatic Access (Access keys required).

• Click Next: Permissions

Step2: Assign Permissions

• Attach policies directly to the user (Inline Policy)

• Add the user to an IAM Group (Recommended)

• Copy Permissions from an existing User.

Step3: Create and Download Credentials

• Click Create users.

• If Access keys were generated, download them 

Method 2: Using AWS CLI

• Create an IAM User

$ aws iam attach-user-policy --user-name 'VanithBadam' --policy-arn 'arn:aws:iam::aws:policy/AdminAccess'

• Attach a Policy to the user

$ aws iam attach-user-policy --user-name 'VanithBadam' --policy-arn 'arn:aws:iam::aws:policy/AdministratorAccess'

• Set a Password for the IAM User

$ aws iam create-login-profile --user-name 'VanithBadam' --password 'TS16EW5473@a' --password-reset-required

• Generate Access Keys

$ aws iam create-access-key --user-name 'VanithBadam'

    

IAM Group

An IAM Group is a collection of IAM Users that share the same set of permissions. Instead of assigning policies to individual users, you can add them to a group, which simplifies permissions management.

• Simplifies Access Control: Assign permissions once to the group instead of multiple users.

• Flexible user management: Users can be added/removed anytime with modifying policies.

• Follow least Privilege: Assign only necessary permissions to a group.

• No Direct Access Credentials: IAM Groups do not have passwords or access keys.

Creating an IAM Group:

Method 1: AWS Management Console (GUI)

Step1: Create New IAM Groups

• OPen the AWS Console → Go to IAM.

• Click Groups → Create Groups

• Enter a Group Name (e.g: Developers).

• Click Next.

Step2: Attach Policies

• Select Managed Policies or create a custom Policy.

• Example: Attach AmazonS3FullAccess if developers need full access to S3.

• Click Next → Create Group.

Step3: Add Users to the Group

• Click on the Developers Group.

• Click Add users.

• Select users 

• Click Add Users.

Method 2: Using AWS CLI

Create an IAM Group

$ aws iam create-group --group-name 'Developers'

Attach a Policy to the User

$ aws iam attach-group-policy --group-name 'Developers' --policy-arn 'arn:aws:iam::aws:policy/AmazonS3FullAccess'

Add users to the group

$  aws iam add-user-to-group --user-name 'VanithBadam' --group-name 'Developers'

Best Practices for IAM Users and Groups

• Always use IAM Groups Instead of Assigning Individual Permissions.

• Enable Multi-Factor Authentication (MFA)

• Follow the Least Principle Privileges 

• Rotate Access Keys Regularly

• Monitor IAM Activity using AWS CloudTrail

Common IAM User and Group Issues

• IAM User Cannot Access a Resources

• Check Attached Policies - Ensure the user has the right permissions.

• Verify IAM Group Membership - The User Must be part of a Group with the correct Permissions.

• Explicit Denny Policies - If a policy has "Effect" : "Deny", it overrides "Allow"

• User Cannot login to AWS Console.

• Check login credentials - Ensure the correct IAM sign-in link is used.

• Enable Console Access - If only programmatic access was granted, console login won't work.

• New Group Permissions Not Taking Effect:

• Wait for AWS to apply changes (IAM changes may take a few minutes).

• Ensure policies are attached to the group (Check IAM → Groups → Attached Policies).