Create an IAM user
Go to http://aws.amazon.com/
Click on My Account/Console -> AWS Management Console
Sign in with your Amazon account email and password.
Click on IAM.
Click on Users, then Create New Users.
You can create more than one user at a time. In this case, create a single test user named test_bob and do not generate an access key for him, since he will only be using the web console (an access key is only needed for API or CLI access, and an unused key is just one more credential to protect).
Set password
Select the user "test_bob", then click User Actions -> Manage Password.
You can choose to auto-generate a password or set a custom one for this user.
In this case I will choose auto generate and hit Apply.
Click on "Show User Security Credentials".
Copy the password; in this case it is Mn{}Gu^e4Rg{
Click on Close Window.
Login to the web Console
The sign-in URL for your IAM users is specific to your account: it contains your AWS account ID, shown below as XXXX, written without any dashes.
If you do not know your account ID, log into your main web console:
Go to http://aws.amazon.com/
Click on My Account/Console -> My Account
I covered up my personal number here to be safe.
But assume the number is
8140-6891-92
Then the account ID without dashes is 8140689192, and the sign-in address is that account-specific URL with 8140689192 in place of XXXX.
Go to your sign-in URL and open it up.
Enter the user name and password and sign in. (If you need to get back to your main account you can click on the link "Sign in using AWS Account Credentials".)
This user can try to go to any service, but he will not be able to see anything: a new IAM user has no permissions at all, and IAM denies everything that is not explicitly allowed.
Create a Policy
I have an S3 bucket called pats-test-bucket. Let's give this user access to this bucket and all its contents, but nothing else.
Log out as this user and log back into the IAM service as the account holder.
Select Users, then the actual user. Now select Permissions -> Attach User Policy.
There are a lot of canned policies to choose from, but in this case we want to make a specific one.
Select Policy Generator and click Select.
Select Allow, then Amazon S3 as the AWS Service, then for Actions select
DeleteObject
GetObject
ListBucket
PutObject
For ARN enter
arn:aws:s3:::pats-test-bucket
then click Add Statement.
Then do the same thing with the same four actions, but use the object ARN
arn:aws:s3:::pats-test-bucket/*
and click Add Statement. (Both statements are needed: ListBucket is checked against the bucket ARN, while GetObject, PutObject and DeleteObject are checked against the ARNs of the objects inside it.)
Then add another statement with the Action
ListAllMyBuckets
and for the ARN
arn:aws:s3:::*
Click Add Statement.
Click Continue
Review and click Apply Policy
Log out and log back in as this test user.
Review
This user can see all the buckets (that is what ListAllMyBuckets grants) but can only open pats-test-bucket, since the other statements name that bucket alone. If I click on pat2-test-bucket
I get an access denied: no statement covers that bucket, so IAM's default deny applies.
The policy attached to this user can be modified after the
fact. For example, I can add permissions so he can
see EC2 instances but not be able to start one himself, by allowing the ec2:Describe* actions and leaving ec2:StartInstances out of the policy.
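The policy this procedure produces, together with the review checks and the EC2 change just described, as an added example that is not part of the original post and not code from AWS. It writes out the policy document the three Policy Generator statements build and checks requests against it with a deliberately simplified model of IAM's decision rules (explicit Deny wins, otherwise a matching Allow is needed, otherwise the request is implicitly denied; no Conditions, bucket policies or account-level rules are modelled). The bucket names are the post's own; the object key, the EC2 region, account number and instance id, and the ec2:Describe* statement are constructed for the example.

```python
"""Simplified IAM-style evaluation of test_bob's policy.

Added example, not from the original post or from AWS. Models only the
core rule order of IAM identity policies: an explicit Deny always wins,
otherwise some Allow must match, otherwise the request is denied.
"""
import json
from fnmatch import fnmatchcase

S3_BUCKET_ACTIONS = ["s3:DeleteObject", "s3:GetObject",
                     "s3:ListBucket", "s3:PutObject"]

# The document the console's Policy Generator builds from the three
# statements in the post: the four actions on the bucket ARN, the same
# four on the object ARN pattern, then ListAllMyBuckets on every bucket.
TEST_BOB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": S3_BUCKET_ACTIONS,
         "Resource": "arn:aws:s3:::pats-test-bucket"},
        {"Effect": "Allow", "Action": S3_BUCKET_ACTIONS,
         "Resource": "arn:aws:s3:::pats-test-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
         "Resource": "arn:aws:s3:::*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """Glob match as IAM does ('*' and '?' wildcards). Action names are
    matched case-insensitively, ARNs case-sensitively."""
    if not case_sensitive:
        patterns = [p.lower() for p in patterns]
        value = value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Decide one request under a single identity policy.

    A request no statement mentions is implicitly denied; that is the
    'access denied' test_bob sees on pat2-test-bucket.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action, case_sensitive=False):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny beats any allow
        allowed = True
    return allowed


def with_ec2_read_only(policy):
    """Copy of the policy with the post's 'see EC2 instances but not start
    one' change: ec2:Describe* is allowed, ec2:StartInstances is simply not
    mentioned and so stays implicitly denied. (Constructed statement.)"""
    extended = json.loads(json.dumps(policy))  # deep copy
    extended["Statement"].append(
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"})
    return extended


def review_test_bob():
    """Re-run the post's review as checks, plus the EC2 extension and a
    policy with only the bucket-ARN statement (shows why the object-ARN
    statement is needed: GetObject is evaluated against object ARNs)."""
    pats_obj = "arn:aws:s3:::pats-test-bucket/report.csv"   # constructed key
    pat2_obj = "arn:aws:s3:::pat2-test-bucket/report.csv"
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"  # made up
    ec2_policy = with_ec2_read_only(TEST_BOB_POLICY)
    bucket_only = {"Version": "2012-10-17",
                   "Statement": [TEST_BOB_POLICY["Statement"][0]]}
    return {
        "list_pats_bucket": is_allowed(TEST_BOB_POLICY, "s3:ListBucket",
                                       "arn:aws:s3:::pats-test-bucket"),
        "get_pats_object": is_allowed(TEST_BOB_POLICY, "s3:GetObject", pats_obj),
        "list_pat2_bucket": is_allowed(TEST_BOB_POLICY, "s3:ListBucket",
                                       "arn:aws:s3:::pat2-test-bucket"),
        "get_pat2_object": is_allowed(TEST_BOB_POLICY, "s3:GetObject", pat2_obj),
        "get_object_with_bucket_arn_only": is_allowed(bucket_only, "s3:GetObject", pats_obj),
        "ec2_describe": is_allowed(ec2_policy, "ec2:DescribeInstances", instance),
        "ec2_start": is_allowed(ec2_policy, "ec2:StartInstances", instance),
    }


if __name__ == "__main__":
    print(json.dumps(TEST_BOB_POLICY, indent=2))
    for check, result in review_test_bob().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

Running the block prints the policy JSON and then each check; the `get_object_with_bucket_arn_only` line is the one to look at if a user can list a bucket but not download from it, which is the usual symptom of forgetting the `/*` statement.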
For more information on policies, check out the IAM example policies [1] at http://docs.amazonwebservices.com/IAM/latest/UserGuide/ExampleIAMPolicies.html
References
[1] IAM Policies, http://docs.amazonwebservices.com/IAM/latest/UserGuide/ExampleIAMPolicies.html, visited 11/2012