Creating policies, groups and users in AWS

Today, I’ll demonstrate how you can add policies, groups and users within AWS. In a couple of days, I’ll demonstrate the use of AWS Elastic Container Service (ECS) to a group of people. After the demonstration, they can play with ECS themselves.

It is, of course, not the intention to give these people permissions on AWS services other than ECS: we don’t want them, for example, to create DynamoDB tables or Route53 DNS entries. We also want to limit the use of ECS to the region eu-central-1 (Frankfurt).

Policies

The place to start is the IAM service, menu Policies. In this screen, you will see a lot of predefined policies.

We will create our own policy, so click on the blue button “Create policy”. Now, click on the link “Choose a service”.

In this screen, services are shown either by their abbreviation (like “EC2”) or by their full name (like “Elastic Container Service”). When you cannot find a service by its abbreviation, just try the full name.

Click on Elastic Container Service; you will now see all the actions that are possible within ECS. Click for example on List; you will see all the permissions that deal with listing ECS objects.

I want to give the people in my workshop all the permissions in ECS, so I simply click on “All Elastic Container Service actions (ecs:*)”. AWS assumes that you want to connect specific resources to the actions, so I get some warnings.

Click on Resources:

Click on “all resources”, so people will be able to create their own objects:

To restrict the region that is used, click on “Request conditions”:

The condition that we need isn’t shown yet, so click on “Add condition”:

When you open the condition key list, you will see a lot of options. We need something with “region”; when we scroll through this list, we find aws:RequestedRegion:

In Qualifier, we select “For all values in request”:

In Operator, we select “StringEquals”:

For Frankfurt, we can use the text “eu-central-1”. For a complete list of regions, see this AWS webpage [1].

Now, click on Add:

Without being aware of it, we just created a JSON policy document. Let’s look at that JSON by clicking on the JSON tab at the top of this screen:
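The JSON the wizard produced is only visible in the screenshot, so here is the same policy reconstructed from the choices made above, together with a toy evaluator that shows what it allows and denies. This is an added example, not code from the blog or from AWS; the evaluator models only the two string operators relevant here, and the request-context dicts are constructed sample input.

```python
import fnmatch

# Policy as the wizard builds it (reconstructed from the choices in the text):
# ecs:* on all resources, limited to Frankfurt via aws:RequestedRegion. The
# qualifier "For all values in request" is IAM's ForAllValues set operator.
ECS_WORKSHOP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {
            "ForAllValues:StringEquals": {"aws:RequestedRegion": "eu-central-1"}
        },
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """Toy evaluation of StringEquals / ForAllValues:StringEquals against a
    request context ({key: [values]}). Every condition block must match."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted, present = _as_list(wanted), context.get(key, [])
            if operator == "StringEquals":
                # key must be present in the request and equal an allowed value
                if not present or present[0] not in wanted:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # every request value must be allowed; an absent or empty key
                # matches vacuously, which is why AWS warns against using
                # ForAllValues in an Allow statement
                if any(p not in wanted for p in present):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def is_allowed(policy, action, context):
    """Implicit deny unless an Allow statement matches action and condition."""
    for stmt in policy["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if stmt["Effect"] == "Allow" and any(
            fnmatch.fnmatchcase(action.lower(), p) for p in patterns
        ) and condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

With this policy, ecs:CreateCluster in eu-central-1 is allowed, the same call in us-east-1 and any dynamodb:* call are implicitly denied, and a request without the region key would pass the ForAllValues check; the plain StringEquals operator (no qualifier) is the stricter choice for this single-valued key.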

This looks fine to me, so click the “Review Policy” button at the bottom of the screen. We can give a name and a description here:

After that, click on “Create Policy” – we’re done!

Groups

I’d like to have all users in the same group. So, click on Groups:

Create a new group:

Give a group name:

Click on the checkbox in front of the previously created policy. You can find it by typing the first characters of the policy name:

You can see that of these five policies, the first four are default policies managed by AWS. If possible, use these policies instead of your own: when services change, AWS updates these policies with them. In our case, we need a custom one, because the AWS policies don’t restrict access to a region by default.

When you click on “Next step”, you can review your changes. You can click on the “Create group” button on the bottom of the screen to create this group.

Users

Click on Users in the menu on the left; you will see a button to add a new user:

Fortunately, we can add a maximum of 10 users at the same time. My workshop will be attended by five people, so I will add the users AMIS1 to AMIS5 to this list:

I want them to use the AWS console; they don’t need the Command Line Interface (CLI) or programs to connect with these users, so only console access is enabled. By using an auto-generated password, they get a strong password. The password doesn’t need to be reset at first logon: by unchecking this checkbox, I encourage them to keep using the strong passwords that I give them. There are no IAM permissions in the policy that we just wrote, though they will still be able to change the password by clicking on their account name and using the menu option My Security Credentials.

When you click on “Next: permissions”, you can add permissions. We already created a group for this workshop, so we only have to click the checkbox before ECSWorkshop.

Click on “Next: Tags” at the bottom of the screen. Tags can be used for many things; one of them is letting your colleagues know who uses these accounts. Let’s add a tag “Workshop” with value “AMIS 10 March”:

Click on the button “Next: Preview”: you can review the configuration that will be created. When it is right, press the “Create users” button.

In the next screen, you can retrieve the passwords or send logon instructions to an e-mail address. Please note that it is impossible to retrieve the passwords after this step. For my workshop, it is convenient to get the passwords via the button “Download .csv”:

When you open this file, you will see something like this:

Testing…

When you use the newly created users AMIS1 to AMIS5 to create, for example, a cluster in ECS, this will not work. This is because ECS depends heavily on other AWS services. How to solve this will be the topic of my next blog.

Conclusion

The wizard is very useful for getting a quick overview of the action names that we can use to allow or deny tasks in an AWS service. This works for simple services like EC2 or VPC, but not for services (like ECS) that depend on other AWS services. How to find out which services a specific service depends on, and how we can achieve our goal of restricting access for our workshop users, will be explained in my next blog.

Footnote

[1] https://docs.aws.amazon.com/general/latest/gr/rande.html