Lab 1: Introduction to AWS IAM
Version 3.1.2 (spl66)
(Amazon, AWS Identity and Access Management (IAM), 2020, https://aws.amazon.com/iam/ )
(Image Source: MSP360, AWS IAM policy explained, 2020, https://www.msp360.com/resources/blog/aws-iam-policy/ )
Accessing the AWS Management Console:
Click Start Lab to launch your lab. The initializing process will take a few minutes.
Click X to close the lab panel after you see the message "Lab status: ready".
Task 1: Explore the Users and Groups:
Explore the Users and Groups that have already been created for you in IAM.
AWS Management Console
Click IAM on the service menu:
You will find the following IAM users already created for you when you click Users:
When you click User 1, a summary page for user-1 is displayed, and the Permissions tab shows a message stating that user-1 does not have any permissions.
When you click the Groups tab you will notice that user-1 is also not a member of any groups.
Return back to User 1 and click on the Security credentials tab:
When you click Groups in the navigation panel on the left, you will find that the following groups have already been created:
This will bring you to the summary page for the EC2-Support group:
Click the Permissions tab:
This group has a Managed Policy called AmazonEC2ReadOnlyAccess. Managed Policies can be built either by AWS or by your administrators and are attached to users and groups. Any updates or changes to a managed policy are applied to all the users and groups it is attached to as soon as they are made:
Under Actions, click the Show Policy link.
The basic structure of the statements in an IAM Policy is:
Effect says whether to Allow or Deny the permissions.
Action specifies the API calls that can be made against an AWS service (e.g. cloudwatch:ListMetrics).
Resource defines the scope of entities covered by the policy rule (e.g. a specific Amazon S3 bucket or Amazon EC2 instance, or *, which means any resource).
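As an added illustration (not part of the lab and not AWS's own code), the script below evaluates constructed, simplified policy documents shaped like the lab's group policies against the actions tested in Task 3. The policy contents and the is_allowed helper are assumptions for this example, not the actual text of AmazonEC2ReadOnlyAccess or of the EC2-Admin inline policy.

```python
import fnmatch

# Constructed, simplified policy documents for this example. They mirror the
# shape of the lab's group policies but are NOT the exact text of the AWS
# managed policies shown in the console.
EC2_SUPPORT_POLICY = {  # read-only, like the managed policy on EC2-Support
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "cloudwatch:ListMetrics"], "Resource": "*"},
    ],
}
EC2_ADMIN_POLICY = {  # inline policy, like the one on EC2-Admin
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
    ],
}

def _match(pattern, value):
    """IAM wildcard match: '*' any run of characters, '?' one character; action names
    are matched case-insensitively. (fnmatch also honours '[...]', which IAM does not.)"""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def is_allowed(policies, action, resource="*"):
    """Simplified identity-policy evaluation: an explicit Deny in any matching
    statement wins; otherwise any matching Allow grants; otherwise implicit deny.
    Conditions, NotAction/NotResource, resource-based policies, SCPs and
    permissions boundaries are deliberately out of scope here."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides every allow
            allowed = True
    return allowed

# Group memberships as set up in Task 2; user-1 is in S3-Support, which grants no EC2 access.
USER_POLICIES = {"user-1": [], "user-2": [EC2_SUPPORT_POLICY], "user-3": [EC2_ADMIN_POLICY]}

def lab_outcomes():
    """Per user: (can view instances, can stop an instance), as observed in Task 3."""
    return {u: (is_allowed(p, "ec2:DescribeInstances"), is_allowed(p, "ec2:StopInstances"))
            for u, p in USER_POLICIES.items()}

if __name__ == "__main__":
    for user, (view, stop) in lab_outcomes().items():
        print(f"{user}: view instances={view}, stop instance={stop}")
```

Running it reproduces the lab's observations: user-2 can describe but not stop instances, user-3 can do both, and a user with no attached policy is implicitly denied everything.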
AmazonS3ReadOnlyAccess policy:
Click the EC2-Admin group:
This group is slightly different from the other two as it has an Inline Policy rather than a Managed Policy. Inline policies are usually used in one-off situations and are assigned to just one user or group.
Business Scenario:
For the remainder of this lab, you will work with these Users and Groups to enable permissions supporting the following business scenario:
Your company is growing its use of Amazon Web Services, and is using many Amazon EC2 instances and a great deal of Amazon S3 storage. You wish to give access to new staff depending upon their job function:
Task 2: Add Users to Groups:
Add user-1 to the S3-Support Group:
Add user-2 to the EC2-Support Group:
Add user-3 to the EC2-Admin Group:
Task 3: Sign-In and Test Users:
Mozilla Firefox
- Click the menu bars at the top-right of the screen
- Select New Private Window
Google Chrome
- Click the ellipsis at the top-right of the screen
- Click New incognito window
Microsoft Edge
- Click the ellipsis at the top-right of the screen
- Click New InPrivate window
Microsoft Internet Explorer
- Click the Tools menu option
- Click InPrivate Browsing
User 1
Sign user-1 out of the AWS Management Console:
User 2:
In the left navigation pane, click Instances.
An error is displayed: An error occurred fetching instance data. You are not authorized to perform this operation.
This is because your user has not been assigned any permissions to use Amazon EC2.
An error stating You are not authorized to perform this operation is displayed.
This demonstrates that the policy only allows you to view information, without making changes.
Click Stop.
Sign out User 2:
User 3:
Click Instance state in the action bar and choose Stop instance; in the Stop Instances window, confirm by clicking Stop.
You now have successfully:
- Explored pre-created IAM users and groups
- Inspected IAM policies as applied to the pre-created groups
- Followed a real-world scenario, adding users to groups with specific capabilities enabled
- Located and used the IAM sign-in URL
- Experimented with the effects of policies on service access.
