Embedded Files
Identity and Access Management
As a best practice, do not use the AWS account root user for any task where it's not required. Instead, create a new IAM user for each person that requires administrator access. Then make those users administrators by placing the users into an "Administrators" group to which you attach the AdministratorAccess managed policy.
Thereafter, the users in the administrators group should set up the groups, users, and so on, for the AWS account. All future interaction should be through the AWS account's users and their own keys instead of the root user. However, to perform some account and service management tasks, you must log in using the root user credentials. To view the tasks that require you to sign in as the root user, see AWS Tasks that Require Account Root User.
Thereafter, the users in the administrators group should set up the groups, users, and so on, for the AWS account. All future interaction should be through the AWS account's users and their own keys instead of the root user. However, to perform some account and service management tasks, you must log in using the root user credentials. To view the tasks that require you to sign in as the root user, see AWS Tasks that Require Account Root User.
Check User
Check User
The command below lists all users...
aws iam list-users --output table
Check Groups
Check Groups
The command below lists all groups...
aws iam list-groups --output table
The command below shows which groups a specified user belongs to...
aws iam list-groups-for-user --output table --user-name myuser
Check Policies
Check Policies
The command below lists all Policies...
aws iam list-policies --output table
The commands below help you discover which policies apply to a specified user or group...
aws iam list-user-policies --output table --user-name myuser
aws iam list-attached-group-policies --output table --group-name mygroup
Password Policy
Password Policy
This is the password policy that applies to the entire AWS account. All IAM users will have this policy enforced.
Show
Show
aws iam get-account-password-policy --output table
Set
Set
aws iam update-account-password-policy \
--minimum-password-length 15 \
--require-symbols \
--require-numbers \
--require-uppercase-characters \
--require-lowercase-characters \
--allow-users-to-change-password \
--max-password-age 90 \
--password-reuse-prevention 6 \
--hard-expiry
This command will create a policy if one does not already exist.This shows an example password policy that:
Enforces a minimum 15 character passwordIt must have 1 or more symbolsIt must have 1 or more numbersIt must have 1 or more uppercase lettersIt must have 1 or more lowercase lettersThe password expires after 90 daysThe previous 6 passwords cannot be reusedAn administrator must reset the password if the password is not changed before expiry.
Symbols are: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ‘ -
Create User (CLI)
Create User (CLI)
Create User...
aws iam create-user --user-name myuser
Add User to a Group...
aws iam add-user-to-group --group-name mygroup --user-name myuser
Useful related commands...
aws iam get-account-password-policy --output tableaws iam list-users --output tableaws iam list-groups --output tableaws iam list-groups-for-user --output table --user-name myuser
aws iam get-account-password-policy --output tableaws iam list-users --output tableaws iam list-groups --output tableaws iam list-groups-for-user --output table --user-name myuser
Create User (Console)
Create User (Console)
Enable access to billing data for the IAM admin user to be created
Enable access to billing data for the IAM admin user to be created
Login to the IAM console as root.
On the navigation bar, choose your account name, and then choose My Account.
Next to IAM User and Role Access to Billing Information, choose Edit.
Select the check box to Activate IAM Access and choose Update.
Create User
Create User
Return to the AWS IAM Console
In the navigation pane, choose Users and then choose Add user.
Permissions
Permissions
Add user to group.
Create group.
Best practice suggests groups for such functions as Administrators, Developers, Accounting, etc.
For Administrators... Select the check box for the AdministratorAccess policy.
Choose Create group.
Back on the page with the list of groups, select the check box for your new group. Choose Refresh if you don't see the new group in the list.
Choose Next: Tags.
Tags
Tags
Optional
Bibliography
Bibliography
https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.htmlhttps://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentialshttps://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.htmlhttps://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.htmlhttps://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-user.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
MFAhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html
Page updated
Google Sites
Report abuse