IAM User, Roles, and Policies


Lab 2

IAM user, roles, and policies


Overview
This lab is a tutorial on the basic IAM concepts for securely controlling access to your
AWS account. In this lab, we will cover how to create IAM users, put them into groups, and
learn the basics of how the IAM access policy language works.

Next, you'll perform a common use case: deploying an instance with an IAM role, enabling
applications running on that instance to call AWS APIs without any hardcoded credentials.

Lastly, we'll learn how delegation works by enabling a user in your account to assume a
role. As a bonus exercise, you can try setting up cross-account access between two accounts
that you own.

Objectives
After completing this lab, you will be able to:

Use IAM resources to enforce the basic principle of least privilege

Call AWS services from an EC2 instance without hardcoding credentials on the instance

Delegate trust to an AWS service and to other AWS accounts

Prerequisites
This lab requires the following:

Access to an AWS account with sufficient permissions to create IAM users, create groups,
create roles, and create policies

That you have already set up the AWS CLI

Duration
This lab will take approximately 40 minutes.
Task 1: Create IAM users and assign them to a group

Overview
In this section you will create IAM users, put them into groups, and learn the basics
of how the IAM access policy language works.

Command Reference File


None

Scenario
Creating users and organizing them into groups enables you to control who has access to which
services and resources in your AWS account. In this task, you'll create two IAM users and
assign them to a group. The group will have a permissions policy attached to it, meaning that all
group members inherit that policy. In addition, we'll observe that policies are additive: you'll
attach an additional permissions policy to one of the group members and observe how that user's
permissions differ from the other user's, despite both being in the same group.

Steps
Create two IAM users: Alice and Bob

1. Log in to the IAM console using your admin user (you should already have one from the
previous lab).

a. If you didn't attend the previous lab, you can log in as root to execute Task 1.
However, using root for routine work in AWS is not recommended.

2. On the left navigation panel click Users.

3. Click the blue button at the top labeled Create New Users.

4. Enter the user name Alice in the first field.

5. Enter the user name Bob in the second field.

a. Note: If you wish to use Alice and Bob to test the SDK and CLI, check Generate
an access key for each user. The secret access key is shown only once, at creation time.

6. Click Create.

7. Click Close.

a. Note: If you wish to use Alice and Bob to test the SDK and CLI, click Download
Credentials and store the file securely; treat it like a password.
8. In the list of Users click on Alice.

9. Navigate to the Security Credentials tab.

10. Click Manage Password.

11. Choose Assign a Custom Password.

12. Type in the password that you will use for testing.

13. Repeat steps #8-12 for Bob.

Create an IAM group and assign Alice and Bob to that group

14. On the left navigation panel click Groups.

15. Click the blue button at the top labeled Create New Group.

16. Name the group LoftLab

17. In the Attach Policy step, select AmazonS3FullAccess and click Next Step.

18. Click Create Group.

Review the permissions that you just assigned to the LoftLab group.

19. Select the LoftLab group, then navigate to the Permissions tab.

20. Click Show Policy to view the JSON text of the policy.

a. The Effect element governs whether the policy grants (Allow) or denies (Deny) access.
An explicit Deny in any applicable policy overrides every Allow; if no policy allows an
action, it is denied by default.

b. The Action element describes the AWS API activity that is being governed.

c. The Resource element describes which AWS resources (by ARN) are governed by the
policy.

Assign Alice and Bob to the LoftLab group

21. Select LoftLab from the list of groups

22. Click Add Users to Group

23. Check Alice and Bob, then click Add Users

Grant Alice additional permissions beyond what the LoftLab group provides

24. On the left navigation panel click Users.

25. Select Alice

26. Go to the Permissions tab


27. Click Attach Policy.

28. Look for the policy named AmazonEC2FullAccess, check it, and click Attach Policy

Prepare to validate your user configuration

29. Click Dashboard on the left navigation panel and take note of the IAM users sign-in
link.

Validation Steps
1. Open a separate browser. This is so you can be logged in as your admin user and Alice/Bob
at the same time for testing.

2. Navigate to the IAM users sign-in link you noted above and click Sign In to the Console.

3. Enter in Alice as the user name.

4. Enter in the password you gave to Alice.

5. Click Sign In.

6. Navigate to the S3 console and look around. Then navigate to the EC2 console and look
around. Both consoles should be available to you.

7. In the upper right hand corner, click on Alices name and click sign out.

8. Repeat steps #2-5 for Bob.

9. Navigate to the S3 console and look around. Then navigate to the EC2 console and look
around. You'll notice that you were allowed to access the S3 console (which is granted by
the LoftLab group policy), but not the EC2 console (which was a permission unique to Alice).
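The behaviour you just validated follows from how IAM combines policies: a user's effective
permissions are the union of every policy attached to the user and to the groups the user
belongs to. The following is an added example, not part of the lab, that models that
evaluation for Alice and Bob. The policy documents are simplified stand-ins for
AmazonS3FullAccess and AmazonEC2FullAccess (the real managed policies may contain
additional statements), and the DenyBucketDelete policy is hypothetical, included only to
show the rule the lab does not exercise: an explicit Deny wins over any Allow.

```python
"""Added example (not part of the lab): a minimal evaluator for the IAM
identity-policy semantics Task 1 demonstrates.  Policies are additive,
so a user's permissions are the union of every attached policy (own and
group).  An explicit Deny in any matching statement overrides every Allow.
"""
from fnmatch import fnmatchcase

# Constructed, simplified policy documents (not the exact AWS-managed JSON).
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
EC2_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
# Hypothetical guardrail policy, used only to show that Deny wins over Allow.
DENY_BUCKET_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """True when the statement's Action and Resource patterns cover the request.
    IAM action names are matched case-insensitively; '*' and '?' are wildcards."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return any(fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources
    )


def is_allowed(policies, action, resource="*"):
    """Evaluate one request against every policy that applies to a principal.
    Precedence: explicit Deny > Allow > implicit deny."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return False  # a matching Deny ends evaluation immediately
            allowed = True
    return allowed


def effective_policies(user, groups, user_policies, group_policies):
    """Union of the user's own policies and those of every group the user is in."""
    policies = list(user_policies.get(user, []))
    for group in groups.get(user, []):
        policies.extend(group_policies.get(group, []))
    return policies


# The lab's configuration: both users are in LoftLab; only Alice also has EC2 access.
GROUPS = {"Alice": ["LoftLab"], "Bob": ["LoftLab"]}
GROUP_POLICIES = {"LoftLab": [S3_FULL_ACCESS]}
USER_POLICIES = {"Alice": [EC2_FULL_ACCESS], "Bob": []}


def can(user, action, resource="*"):
    """Would this lab user be allowed to perform the action?"""
    return is_allowed(
        effective_policies(user, GROUPS, USER_POLICIES, GROUP_POLICIES), action, resource
    )


if __name__ == "__main__":
    for user in ("Alice", "Bob"):
        for action in ("s3:ListAllMyBuckets", "ec2:DescribeInstances"):
            print(f"{user:5} {action:22} {'ALLOW' if can(user, action) else 'DENY'}")
    # Deny wins even though s3:* would otherwise allow the call.
    print("s3:DeleteBucket with guardrail:",
          is_allowed([S3_FULL_ACCESS, DENY_BUCKET_DELETE], "s3:DeleteBucket"))
```

Running it reproduces the validation steps (Alice is allowed both S3 and EC2 calls, Bob only
S3) and additionally shows that attaching the hypothetical Deny policy blocks
s3:DeleteBucket while leaving other S3 calls allowed.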
Task 2: Basic delegation launching an EC2 instance
with an IAM role

Overview
Delegation refers to granting other AWS entities (such as users or applications) access to
resources in your AWS account. One of the most common examples of this is delegating
permissions to an EC2 instance running your application. When the EC2 instance needs
permission to access an AWS service, it needs credentials to do so. This section introduces the
concept of roles, which can be used to provide those credentials.

Command Reference File


None

Scenario
In this scenario, we will create a role, launch an instance with it, and test it out. EC2 instances
don't come with AWS credentials loaded onto them, so without a role you would have to deploy
long-lived credentials to the instance in order to call AWS services. With an IAM role attached,
AWS delivers short-lived credentials for that role to the instance through the instance metadata
service, and applications on the instance call AWS services with the role's permissions.

Steps
Create an IAM role

1. Log in to the IAM console using your admin user (you should already have one from the
previous lab).

2. On the left navigation panel click Roles.

3. Click the blue button at the top labeled Create New Role.

4. Enter the name AWSFullAccess

5. In the box labeled AWS Service Roles, select Amazon EC2

6. In the Attach Policy page, select AdministratorAccess, then click Next Step. (The lab uses
AdministratorAccess for simplicity; an instance role in real use should carry only the
permissions the application needs, because anything that runs on the instance can use them.)

7. Click Create Role

Launch an EC2 instance with that role

8. From the AWS Management Console click on EC2.

9. Using the region selector at the top of the console, select the US West (Oregon) region.
10. Click on Instances in the left panel and confirm that you can view the instance list. If
you do not have any instances in the account for this region, the list will be empty.

11. Click Launch Instance.

12. Select the first instance in the list that falls under Free Tier: Amazon Linux AMI
2016.09.0 (HVM), SSD Volume Type.

13. Ensure that t2.micro is selected as the Instance Type.

14. In the Configure Instance Details page, go the selection prompt labeled IAM Role.
Select the AWSFullAccess role you just created.

15. Click Next: Add Storage

16. Click Next: Tag Instance

17. Click Next: Configure Security Group

18. Click Review and Launch

19. Launch the instance with a new key pair or an existing one (assuming you still have the
key pair from your previous lab)

Validation Steps
Log in to the EC2 instance

20. Locate the public DNS of your instance

a. Viewing the list of running instances in the EC2 console (make sure to specify
the Oregon region)

b. Select your instance and look in the Description tab. Copy the Public DNS
name in the bottom detail window.

21. Once the instance is running, restrict the permissions on your .pem file and log in to
the instance with the key pair you created. Replace the host name in the command below with
the public DNS name of your instance.

chmod 400 <path to key>/<key pair name>.pem

ssh -i "<path to key>/<key pair name>.pem" ec2-user@ec2-54-165-190-222.compute-1.amazonaws.com

22. [Optional way to log in to your instance] Using PuTTY, follow the instructions at
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html?icmpid=docs_ec2_console

a. If you haven't already installed PuTTY, install it now


b. Convert your private key using PuttyGen: Create a .ppk file from the .pem file so
you can login using PuTTY

c. Starting a Putty Session: Login using PuTTY

23. Check that there are no hardcoded credentials on the instance. The prompts show [None]
for the access key and secret key; press Enter at each prompt so nothing is written.

$ aws configure

You can also run aws configure list: the credential source is reported as iam-role rather
than a config file or environment variable.

24. Run an AWS CLI command (the region is passed explicitly because nothing was configured
on the instance). You've just issued an AWS API call without any hardcoded credentials on
the instance!

$ aws ec2 describe-instances --region us-west-2

25. What credentials did the instance use to call the EC2 API? You can view them with the
following command (note that the last path segment must match the name of the role attached
to the instance):

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/AWSFullAccess

If the instance is configured to require IMDSv2, this plain GET is rejected with 401; you
must first obtain a session token with a PUT to http://169.254.169.254/latest/api/token and
send it in the X-aws-ec2-metadata-token header.

26. These credentials are temporary. AWS rotates them automatically, making new credentials
available on the instance before the old ones expire, so nothing on the instance ever has to
store a long-lived key. Note that any process on the instance (or an attacker who can make
the instance issue HTTP requests on their behalf) can read them from the metadata service,
which is why requiring IMDSv2 and keeping the role's permissions minimal matter.
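The AWS CLI and SDKs perform the metadata lookup from step 25 for you. The following added
example, not part of the lab, shows what that lookup involves when done by hand with the
IMDSv2 token flow, and adds the check a practitioner wants: how long the credentials remain
valid. The HTTP transport is injectable, so the credential handling runs offline against a
constructed IMDS response with placeholder keys; on a real instance you would pass the
urllib-based `http_request` instead. The role name AWSFullAccess is the one the lab uses.

```python
"""Added example (not from the lab): fetch the instance role's temporary
credentials from the instance metadata service using IMDSv2 (PUT to get a
session token, then GET with the token in X-aws-ec2-metadata-token) and
report how long they remain valid."""
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_SECONDS = "21600"  # IMDSv2 session tokens live at most 6 hours


def http_request(method, url, headers=None, timeout=2):
    """Real transport, only usable on an EC2 instance: returns the body as text."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_role_credentials(transport=http_request, role_name=None):
    """IMDSv2: obtain a session token, then read the role name and its credentials."""
    token = transport("PUT", IMDS + "/latest/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    headers = {"X-aws-ec2-metadata-token": token}
    if role_name is None:
        # Listing the directory returns the name of the role in the instance profile.
        role_name = transport("GET", IMDS + CREDS_PATH, headers).strip().splitlines()[0]
    creds = json.loads(transport("GET", IMDS + CREDS_PATH + role_name, headers))
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {creds.get('Code')!r} for role {role_name}")
    return creds


def _parse_ts(value):
    """IMDS timestamps are ISO-8601 UTC with a trailing Z, e.g. 2017-05-17T15:09:54Z."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_until_expiry(creds, now=None):
    """Remaining lifetime of the credentials; negative means already expired."""
    now = _parse_ts(now) if now is not None else datetime.now(timezone.utc)
    return (_parse_ts(creds["Expiration"]) - now).total_seconds()


# ---- Constructed IMDS responses for offline use (placeholder values, not real keys) ----
FAKE_CREDS = {
    "Code": "Success",
    "LastUpdated": "2024-01-01T06:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "EXAMPLE-SECRET-NOT-REAL",
    "Token": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2024-01-01T12:00:00Z",
}


def fake_transport(method, url, headers=None):
    """Stand-in for IMDS that enforces the IMDSv2 token rule before serving anything."""
    if method == "PUT" and url == IMDS + "/latest/api/token":
        return "FAKE-IMDS-TOKEN"
    if (headers or {}).get("X-aws-ec2-metadata-token") != "FAKE-IMDS-TOKEN":
        raise PermissionError("401 Unauthorized: IMDSv2 token required")
    if url == IMDS + CREDS_PATH:
        return "AWSFullAccess\n"
    if url == IMDS + CREDS_PATH + "AWSFullAccess":
        return json.dumps(FAKE_CREDS)
    raise FileNotFoundError(url)


if __name__ == "__main__":
    creds = fetch_role_credentials(fake_transport)
    left = seconds_until_expiry(creds, now="2024-01-01T11:30:00Z")
    print(f"AccessKeyId={creds['AccessKeyId']} expires in {left / 60:.0f} minutes")
```

An application that caches these credentials should refresh them before `seconds_until_expiry`
reaches zero rather than waiting for an API call to fail; the SDKs do this automatically.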
Task 3: Basic delegation Assuming a role as an IAM
user

Overview
IAM roles are a multi-purpose tool in AWS. They can be used for delegating access to
your AWS account to EC2 instances, to team members, to users in other AWS accounts,
and to third party software services that act in your account on your behalf.

Command Reference File


None

Scenario
In this task, we'll set up a simple example of delegating AWS account access to an IAM
user. You will create a role with limited permissions, then use an IAM user to assume that
role. Once the user assumes the role, the user's original permissions are set aside
and the user operates with only the permissions granted by the assumed role (until the user
stops assuming the role).

The element that enables the IAM user to assume the role is the Trust Policy associated with
the role. You configure the Trust Policy to define who is and isn't allowed to assume the role.

Steps
Create an IAM role

1. Log in to the IAM console using your admin user (you should already have one from the
previous lab).

2. Go to the IAM console.

3. On the left navigation panel click Roles.

4. Click the blue button at the top labeled Create New Role.

5. Enter the name AssumeRoleSelfTrust

6. In the Select Role Type page, expand the section named Role for Cross-Account
Access and select Provide access between AWS accounts you own

7. Enter the 12-digit account ID of the account you are using for this lab

8. Select the AmazonEC2ReadOnlyAccess policy

9. Click Create Role


Assume the Role

10. Make sure that you are logged in as an IAM user in the account. Your admin user works.
The trust policy created in step 6 names the account (its root principal) rather than a
specific user, so the user switching roles must also have an identity policy that allows
sts:AssumeRole on the role; AdministratorAccess includes this, while Alice's and Bob's
policies do not.

11. In the upper-right hand corner of the console, click your username and click Switch
Role

12. Enter the 12-digit account ID of your account in the Account prompt

13. Enter the name AssumeRoleSelfTrust in the Role prompt

14. Click Switch Role

Validation Steps
15. Try interacting with the console now that youve assumed the role.

16. The only permissions you should have are read-only permissions for EC2. Check this by
attempting to launch an EC2 instance.

a. This was a trivial example of how an IAM user assumes a role, but this
model generalizes to a variety of situations.

b. When an AWS service needs permissions to act in your account on your
behalf (for example, if you use services such as AWS Elastic Beanstalk or
AWS Lambda), you will usually be prompted to create a standardized role
for that service to assume.

c. If you want to grant cross-account access between accounts belonging to your
company or organization, you set up roles and trust policies to define who can
get cross-account access.

d. When you sign up for 3rd-party SaaS services (see the AWS Partners page for
examples), they will often prompt you to create a standardized role for the 3rd
party's AWS account to assume, enabling the 3rd-party service to act in your
account on your behalf.

Bonus Task
Set up cross-account access to another account that you own.

17. [If necessary] Create another AWS account and an IAM user with admin privileges.

18. Go to the IAM console (using this secondary account)

19. On the left navigation panel click Roles.

20. Click the blue button at the top labeled Create New Role.

21. Enter the name AssumeRoleCrossAccount


22. In the Select Role Type page, expand the section named Role for Cross-Account
Access and select Provide access between AWS accounts you own

23. Enter the 12-digit account ID of the original account you were using for this lab

24. Select the AdministratorAccess policy

25. Click Create Role

Assume the Role

1. Log out of your secondary account

2. Log into your original account as an IAM user

3. In the upper-right hand corner of the console, click your own name and click Switch
Role

4. Enter the 12-digit account ID of your secondary account in the Account prompt

5. Enter the name AssumeRoleCrossAccount in the Role prompt

6. Click Switch Role

7. Now try interacting with AWS in your secondary account.
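Both Task 3 and the bonus task succeed or fail on the same two checks: the role's trust
policy must name the caller (for the console-generated "Provide access between AWS accounts
you own" role, it names the trusted account's root principal, which covers every IAM
identity in that account), and the caller's own identity policy must allow sts:AssumeRole on
the role ARN. The following added example, not part of the lab, models those checks for the
AssumeRoleSelfTrust and AssumeRoleCrossAccount roles. The account IDs, user names and
policy documents are constructed for illustration; the trust policy mirrors the shape the
console generates for a cross-account role.

```python
"""Added example (not part of the lab): model the two checks AWS performs
when an IAM user assumes a role, for the same-account role
(AssumeRoleSelfTrust) and the cross-account bonus role
(AssumeRoleCrossAccount).  Account IDs and ARNs are constructed."""
from fnmatch import fnmatchcase

ORIGINAL_ACCOUNT = "111111111111"   # constructed: the account used for the lab
SECONDARY_ACCOUNT = "222222222222"  # constructed: the second account from the bonus task


def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"


def user_arn(account, name):
    return f"arn:aws:iam::{account}:user/{name}"


def account_root(account):
    return f"arn:aws:iam::{account}:root"


def trust_policy(trusted_account):
    """Shape of the trust policy the console creates for 'access between accounts you own'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": account_root(trusted_account)},
        "Action": "sts:AssumeRole",
    }]}


# Roles as the lab creates them: both trust the original account's root principal.
ROLES = {
    role_arn(ORIGINAL_ACCOUNT, "AssumeRoleSelfTrust"): trust_policy(ORIGINAL_ACCOUNT),
    role_arn(SECONDARY_ACCOUNT, "AssumeRoleCrossAccount"): trust_policy(ORIGINAL_ACCOUNT),
}

# Simplified identity policies: admin has AdministratorAccess, Bob only the LoftLab S3 policy.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IDENTITY_POLICIES = {
    user_arn(ORIGINAL_ACCOUNT, "admin"): [ADMIN],
    user_arn(ORIGINAL_ACCOUNT, "Bob"): [S3_ONLY],
}


def _listify(v):
    return v if isinstance(v, list) else [v]


def _account_of(arn):
    return arn.split(":")[4]


def trust_policy_permits(policy, caller_arn):
    """Check 1: does the trust policy name the caller?  Returns 'explicit' when the
    caller's own ARN is listed, 'root' when the caller's account root (or bare account
    ID) is listed, and None when the caller is not trusted at all."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _listify(st["Action"]):
            continue
        for p in _listify(st["Principal"].get("AWS", [])):
            if p == caller_arn:
                return "explicit"
            if p in (account_root(_account_of(caller_arn)), _account_of(caller_arn)):
                return "root"
    return None


def identity_permits_assume(caller_arn, role):
    """Check 2: the caller's own policies must allow sts:AssumeRole on the role ARN."""
    allowed = False
    for policy in IDENTITY_POLICIES.get(caller_arn, []):
        for st in policy["Statement"]:
            actions = [a.lower() for a in _listify(st["Action"])]
            if not any(fnmatchcase("sts:assumerole", a) for a in actions):
                continue
            if not any(fnmatchcase(role, r) for r in _listify(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_assume(caller_arn, role):
    """Both checks must pass; the reason names the one that failed."""
    if role not in ROLES:
        return False, "no such role"
    trust = trust_policy_permits(ROLES[role], caller_arn)
    if trust is None:
        return False, "trust policy does not name caller"
    # A same-account user named explicitly in the trust policy needs no identity-side
    # permission; a root-principal trust (what the console generates) always does.
    same_account = _account_of(role) == _account_of(caller_arn)
    if trust == "root" or not same_account:
        if not identity_permits_assume(caller_arn, role):
            return False, "caller lacks sts:AssumeRole on the role"
    return True, "ok"


if __name__ == "__main__":
    for caller, role in [
        (user_arn(ORIGINAL_ACCOUNT, "admin"), role_arn(ORIGINAL_ACCOUNT, "AssumeRoleSelfTrust")),
        (user_arn(ORIGINAL_ACCOUNT, "Bob"), role_arn(ORIGINAL_ACCOUNT, "AssumeRoleSelfTrust")),
        (user_arn(ORIGINAL_ACCOUNT, "admin"), role_arn(SECONDARY_ACCOUNT, "AssumeRoleCrossAccount")),
        (user_arn(SECONDARY_ACCOUNT, "admin"), role_arn(ORIGINAL_ACCOUNT, "AssumeRoleSelfTrust")),
    ]:
        print(f"{caller} -> {role.rsplit('/', 1)[1]}: {can_assume(caller, role)}")
```

The output shows why the lab works with the admin user and would not with Bob, and why the
secondary account's admin cannot switch into AssumeRoleSelfTrust: that role's trust policy
only names the original account.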
