Setting up IAM user with limited Web Console Access

Posted on Sunday, November 18, 2012

Create an IAM user

Click on My Account/Console -> AWS Management Console

Sign in with your Amazon account email and password.

Click on IAM

Click on Users then Create New Users.

You can create more than one user at a time. In this case, create a test user named test_bob and do not generate an access key for him, as he will only be using the web console.

Set password

Select the user “test_bob”, then click User Actions -> Manage Password

You can select to auto generate a password or make a custom one for this user.

In this case I will choose auto generate and click Apply.

Click on “Show User Security Credentials”

Copy the password; in this case it is Mn{}Gu^e4Rg{

Click on Close Window.

Log in to the web console

The sign-in URL for your AWS IAM users is

Where XXXX is your AWS account ID, without any dashes.

If you do not know your account ID, log into your main web console.

Click on My Account/Console -> My Account

I covered up my personal number here to be safe.

But assume the number is 8140-6891-92

Then the address would be

Open that sign-in address in your browser.

Enter the user name and password and sign in. (If you need to get back to your main account, click the link “Sign in using AWS Account Credentials”.)

This user can try to go to any service, but he will not be able to see anything, because he has no permissions set up yet.

Create a Policy

I have an S3 bucket called pats-test-bucket. Let's give this user access to this bucket and all its contents, but nothing else.

Log out as this user and log back into the IAM service as the account holder.

Select Users, then the actual user. Now select Permissions -> Attach User Policy

There are a lot of canned policies to choose from, but in this case we want to make a specific one.

Select Policy Generator and click Select.

Select Allow, Amazon S3, then for Actions select


For ARN enter

, then click Add Statement

Then do the same thing but use the ARN


Then click Add Statement.

Then add another statement with Action of


then for the ARN list


Click add statement

Click Continue

Review and click Apply Policy

Log out and log back in as this test user.


This user can see all the buckets, but can only open pats-test-bucket. If I click on pat2-test-bucket

I get an access denied.

The policy attached to this user can be modified after the fact. For example, I can add permissions so he can see EC2 instances but not be able to start one himself.
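To show what the three-statement policy built above actually grants, and what the follow-up "see EC2 but do not start it" extension changes, here is an added example (not code from the original post) that reconstructs the policy as a JSON-style document and runs a simplified, offline IAM-style evaluation over the console actions the post tries as test_bob. The post's own action and ARN values were not captured, so the actions (s3:ListAllMyBuckets, s3:* and ec2:Describe*) and the resource ARNs are assumptions; the object name report.txt and the request list are constructed for the example. The evaluator only handles identity-based Allow/Deny statements with wildcard matching; it ignores conditions, NotAction, resource policies and everything else real IAM does.

```python
import copy
import fnmatch

# Hypothetical policy document reconstructing the three statements the post
# describes (the post's own action and ARN values are not shown, so these are
# assumptions): list all buckets, then full access to pats-test-bucket and to
# the objects inside it.
TEST_BOB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::pats-test-bucket"]},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::pats-test-bucket/*"]},
    ],
}


def _any_match(patterns, value, case_insensitive):
    """True if `value` matches any IAM-style pattern (* and ? wildcards)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:  # IAM action names are matched case-insensitively
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for one identity-based policy: an explicit
    Deny always wins, otherwise any matching Allow grants the request, and
    with no matching statement the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _any_match(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _any_match(stmt.get("Resource", []), resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def simulate_console(policy):
    """Replay the console actions the post tries as test_bob and record which
    ones succeed. The request list and ARNs are constructed for the example."""
    requests = {
        "list all buckets": ("s3:ListAllMyBuckets", "*"),
        "open pats-test-bucket": ("s3:ListBucket", "arn:aws:s3:::pats-test-bucket"),
        "download pats-test-bucket/report.txt":
            ("s3:GetObject", "arn:aws:s3:::pats-test-bucket/report.txt"),
        "open pat2-test-bucket": ("s3:ListBucket", "arn:aws:s3:::pat2-test-bucket"),
        "view EC2 instances": ("ec2:DescribeInstances", "*"),
        "start an EC2 instance": ("ec2:StartInstances", "*"),
    }
    return {name: is_allowed(policy, a, r) for name, (a, r) in requests.items()}


def with_ec2_read_only(policy):
    """Return a copy of the policy with the extra statement the post mentions:
    view EC2 instances without being able to start one (assumed action set)."""
    extended = copy.deepcopy(policy)
    extended["Statement"].append(
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": ["*"]}
    )
    return extended


if __name__ == "__main__":
    for label, policy in (("S3-only policy", TEST_BOB_POLICY),
                          ("with EC2 read-only", with_ec2_read_only(TEST_BOB_POLICY))):
        print(label)
        for name, ok in simulate_console(policy).items():
            print(f"  {name:40} {'allowed' if ok else 'access denied'}")
```

Running it reproduces the post's observation: the bucket list loads, pats-test-bucket and its objects open, pat2-test-bucket returns access denied, and nothing outside S3 works until a further statement is attached. Because statement 2 and statement 3 use different resource forms (the bucket ARN and the bucket ARN with /*), dropping either one silently breaks either listing the bucket or reading its objects, which is worth checking whenever a policy like this is edited after the fact.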

