Today, I’ll demonstrate how you can add policies, groups and users within AWS. In a couple of days, I’ll demonstrate the use of AWS Elastic Container Service (ECS) to a group of people. After the demonstration, they can play with ECS themselves.
It is, of course, not the intention to give these people permissions on AWS services other than ECS: we don’t want them, for example, to create DynamoDB tables or Route53 DNS entries. We also want to limit the use of ECS to the region eu-central-1 (Frankfurt).
Policies
The place to start is the IAM service, menu item Policies. In this screen, you will see a lot of predefined policies.
We will create our own policy, so click on the blue button “Create policy”. Now, click on the link “Choose a service”:
In this screen, services are shown either by their abbreviation (like “EC2”) or by their full name (like “Elastic Container Service”). When you cannot find a service by its abbreviation, just try the full name.
Click on Elastic Container Service; you will now see all the actions that are possible within ECS. Click, for example, on List, and you will see all the permissions that deal with showing ECS objects.
I want to give the people in my workshop all the permissions in ECS, so I simply click on “All Elastic Container Service actions (ecs:*)”. AWS assumes that you want to connect specific resources to the actions, so I get some warnings.
Click on resources:
Click on “all resources”, so people will be able to create their own objects:
To restrict on the region that is used, click on “Request conditions”:
The condition that we need isn’t shown yet, so click on “Add condition”:
When you open the condition key, you will see a lot of options. We need something with “region”; when we scroll through this list, we find aws:RequestedRegion:
In qualifier, we select “For all values in request”:
In operator, we select “String Equals”:
For Frankfurt, we can use the text “eu-central-1”. For a complete list of regions, see this AWS webpage [1].
Now, click on Add:
Without being aware of it, we just created a JSON policy document. Let’s look at that JSON by clicking on the JSON tab at the top of this screen:
This looks fine to me, so click the “Review policy” button at the bottom of the screen. We can give a name and a description here:
After that, click on “Create Policy” – we’re done!
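To see what the wizard choices above actually permit, here is an added example (not part of the original post, and not AWS code): the policy document reconstructed from those choices (ecs:*, all resources, a ForAllValues / StringEquals condition on aws:RequestedRegion; the Sid “VisualEditor0” is assumed to be the editor’s default), plus a small evaluator that answers “may this user call this action in this region?” offline. The evaluator only implements the parts this policy uses (action wildcards, StringEquals with the set qualifiers, Allow/Deny precedence); it ignores Resource, NotAction and the many other operators a real IAM evaluation covers.

```python
import copy
import fnmatch
import json

# Policy document reconstructed from the wizard choices in the post
# (ecs:*, all resources, ForAllValues:StringEquals on aws:RequestedRegion).
# Assumption: "VisualEditor0" is the Sid the visual editor generates.
WORKSHOP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:RequestedRegion": "eu-central-1"
        }
      }
    }
  ]
}
""")

# Same policy with the plain single-valued operator instead of the
# ForAllValues set qualifier; used below to show the difference.
STRICT_POLICY = copy.deepcopy(WORKSHOP_POLICY)
STRICT_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:RequestedRegion": "eu-central-1"}
}


def _as_list(value):
    """IAM accepts either a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block against a request context
    (condition key -> list of values). Only StringEquals, optionally with
    the ForAllValues / ForAnyValue set qualifiers, is implemented."""
    for operator, pairs in condition.items():
        qualifier, _, base_op = operator.rpartition(":")
        if base_op != "StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            wanted = set(_as_list(wanted))
            present = context.get(key, [])
            if qualifier == "ForAllValues":
                # Documented IAM behaviour: ForAllValues also matches when
                # the key is missing from the request (empty list here).
                ok = all(v in wanted for v in present)
            elif qualifier == "ForAnyValue":
                ok = any(v in wanted for v in present)
            else:
                ok = len(present) == 1 and present[0] in wanted
            if not ok:
                return False
    return True


def is_allowed(action, region, policy=WORKSHOP_POLICY):
    """Decide whether an identity holding only `policy` may call `action`
    with aws:RequestedRegion = `region` (None means the key is absent).
    IAM starts from an implicit deny; an explicit Deny beats any Allow."""
    context = {"aws:RequestedRegion": [region]} if region else {}
    allowed = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        # Action names match case-insensitively; '*' is a wildcard.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample requests: the workshop goal from the post.
    checks = [
        ("ecs:CreateCluster", "eu-central-1"),
        ("ecs:ListClusters", "us-east-1"),
        ("dynamodb:CreateTable", "eu-central-1"),
        ("route53:ChangeResourceRecordSets", "eu-central-1"),
    ]
    for action, region in checks:
        print(f"{action:35} {region:14} -> {is_allowed(action, region)}")
```

Running the script confirms the intent of the post: ECS actions pass in eu-central-1, the same actions fail in us-east-1, and DynamoDB or Route53 actions fail everywhere because no statement mentions them. The STRICT_POLICY variant is there for one caveat worth knowing: IAM documents that a ForAllValues condition is satisfied when the key is absent from the request, which is why AWS advises against ForAllValues in Allow statements. aws:RequestedRegion is documented as present in every request, so the wizard’s choice works for this workshop, but the plain StringEquals operator expresses a region lock without that edge case.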
Groups
I’d like to have all users in the same group. So, click on groups:
Create a new group:
Give a group name:
Click on the checkbox before the previously created policy. You can find it by typing the first characters of the policy name:
You can see that of these five policies, the first four are default policies created by AWS. If possible, use these policies instead of your own: when services change, AWS changes the policies with them. In our case, we need a specific one, because AWS doesn’t restrict access to regions by default.
When you click on “Next step”, you can review your changes. Click on the “Create group” button at the bottom of the screen to create this group.
Users
Click on Users in the menu on the left; you will see a button to add a new user:
Fortunately, we can add a maximum of 10 users at the same time. My workshop will be attended by five people, so I will add the users AMIS1 to AMIS5 to this list:
I want them to use the AWS console; they don’t need the Command Line Interface (CLI) or programs to connect with these users. By using an auto-generated password, they will get a strong password. The password doesn’t need to be reset: by unchecking this checkbox, I encourage them to keep using the strong passwords that I give them. There are no IAM permissions in the policy that we just wrote, yet they will still be able to change the password by clicking on their account name and using the menu option My Security Credentials.
When you click on “Next: Permissions”, you can add permissions. We already created a group for this workshop, so we only have to click the checkbox before ECSWorkshop.
Click at the bottom of the screen on “Next: Tags”. Tags can be used for many things; one of them is letting your colleagues know who uses these accounts. Let’s add a tag “Workshop” with value “AMIS 10 March”:
Click on the button “Next: Preview”: you can check the configuration that will be created. When this is right, press the “Create users” button.
In the next screen, you can get the password or send logon instructions to an e-mail address. Please note that it is impossible to retrieve the password after this step. For my workshop, it is convenient to get the passwords via the button “Download .csv”:
When you open this file, you will see something like this:
Testing…
When you use the newly created users AMIS1 to AMIS5 to create, for example, a cluster in ECS, this will not work. This is because ECS depends heavily on other AWS services. How to solve this will be the topic of my next blog.
Conclusion
The wizard is very useful for getting a quick overview of the names that we can use to allow or deny tasks in an AWS service. This works for simple services like EC2 or VPC, but not for services (like ECS) that depend on other AWS services. How to find out which services a specific service depends on, and how we can achieve our goal of restricting access for our workshop users, will be explained in my next blog.
Footnote
[1] https://docs.aws.amazon.com/general/latest/gr/rande.html