IAM
Identity and Access Management
Once the administrators group exists, its users should set up the remaining groups, users, and so on for the AWS account. All future interaction should go through the account's IAM users and their own credentials instead of the root user. A small number of account and service management tasks still require signing in as the root user; for the list, see AWS Tasks that Require Account Root User (linked in the bibliography).
Check User
The command below lists all users...
aws iam list-users --output table
Check Groups
The command below lists all groups...
aws iam list-groups --output table
The command below shows which groups a specified user belongs to...
aws iam list-groups-for-user --output table --user-name myuser
Check Policies
The command below lists all Policies...
aws iam list-policies --output table
The commands below help you discover which policies apply to a specified user or group. Note that list-user-policies returns only the inline policies embedded in the user; managed policies attached directly to the user, and the inline and attached policies of every group the user belongs to, also count toward the user's effective permissions and have to be listed separately.
aws iam list-user-policies --output table --user-name myuser
aws iam list-attached-group-policies --output table --group-name mygroup
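The Check Groups and Check Policies commands above each show one piece of the picture; resolving a user's effective permissions means combining the inline and attached policies of the user with those of every group the user is in. The following is an added example (not part of the original page or of the AWS CLI) that does that walk. The run_aws hook is an assumption for illustration: aws_cli shells out to the real AWS CLI, while fake_aws serves constructed sample responses (a fictitious account) so the script runs offline.

```python
import json
import subprocess


def aws_cli(*args):
    """Run the real AWS CLI and parse its JSON output.

    Needs working credentials; the AWS CLI paginates list-* calls itself.
    """
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def effective_policies(user_name, run_aws=aws_cli):
    """Collect every policy that applies to user_name.

    Returns {"inline": [...], "attached": [...]} where each entry is a
    (scope, principal, policy) tuple: scope is "user" or "group", principal
    is the user or group name, policy is the inline policy name or the
    managed policy ARN. Inline policies are only visible through
    list-user-policies / list-group-policies; managed policies only through
    the list-attached-* calls, so all four kinds of call are needed.
    """
    inline, attached = [], []
    resp = run_aws("iam", "list-user-policies", "--user-name", user_name)
    inline += [("user", user_name, n) for n in resp["PolicyNames"]]
    resp = run_aws("iam", "list-attached-user-policies", "--user-name", user_name)
    attached += [("user", user_name, p["PolicyArn"]) for p in resp["AttachedPolicies"]]
    resp = run_aws("iam", "list-groups-for-user", "--user-name", user_name)
    for group in resp["Groups"]:
        g = group["GroupName"]
        resp = run_aws("iam", "list-group-policies", "--group-name", g)
        inline += [("group", g, n) for n in resp["PolicyNames"]]
        resp = run_aws("iam", "list-attached-group-policies", "--group-name", g)
        attached += [("group", g, p["PolicyArn"]) for p in resp["AttachedPolicies"]]
    return {"inline": inline, "attached": attached}


def has_admin_access(policies):
    """True when the AWS managed AdministratorAccess policy applies, directly or via a group."""
    return any(arn.endswith(":policy/AdministratorAccess")
               for _, _, arn in policies["attached"])


# Constructed sample responses in the shape the CLI prints with --output json
# (fictitious account 123456789012; not real data). Keyed by (subcommand, name).
SAMPLE = {
    ("list-user-policies", "myuser"): {"PolicyNames": ["s3-readonly-inline"]},
    ("list-attached-user-policies", "myuser"): {"AttachedPolicies": []},
    ("list-groups-for-user", "myuser"): {"Groups": [
        {"GroupName": "Developers", "GroupId": "AGPAEXAMPLEDEV00001",
         "Arn": "arn:aws:iam::123456789012:group/Developers"},
        {"GroupName": "Administrators", "GroupId": "AGPAEXAMPLEADM00001",
         "Arn": "arn:aws:iam::123456789012:group/Administrators"}]},
    ("list-group-policies", "Developers"): {"PolicyNames": []},
    ("list-attached-group-policies", "Developers"): {"AttachedPolicies": [
        {"PolicyName": "PowerUserAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"}]},
    ("list-group-policies", "Administrators"): {"PolicyNames": []},
    ("list-attached-group-policies", "Administrators"): {"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
}


def fake_aws(*args):
    """Offline stand-in for aws_cli: args are ("iam", subcommand, flag, name)."""
    return SAMPLE[(args[1], args[3])]


if __name__ == "__main__":
    result = effective_policies("myuser", fake_aws)  # pass aws_cli for a live account
    for scope, principal, policy in result["inline"] + result["attached"]:
        print(f"{scope:5} {principal:15} {policy}")
    print("admin:", has_admin_access(result))
```

Against the sample data the user carries one inline policy of its own and inherits PowerUserAccess and AdministratorAccess through its groups, which is exactly the kind of indirect admin grant that a glance at the user alone would miss.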
Password Policy
This is the account-wide password policy. It is enforced for the console password of every IAM user; it does not apply to the root user's password or to access keys.
Show
aws iam get-account-password-policy --output table
Set
aws iam update-account-password-policy \
--minimum-password-length 15 \
--require-symbols \
--require-numbers \
--require-uppercase-characters \
--require-lowercase-characters \
--allow-users-to-change-password \
--max-password-age 90 \
--password-reuse-prevention 6 \
--hard-expiry
This command creates the policy if one does not already exist and replaces it otherwise; it does not support partial updates, so any option left out reverts to its default value. The example above sets a policy that:
Enforces a minimum 15 character password
It must have 1 or more symbols
It must have 1 or more numbers
It must have 1 or more uppercase letters
It must have 1 or more lowercase letters
Users may change their own password
The password expires after 90 days
The previous 6 passwords cannot be reused
An administrator must reset the password if it is not changed before expiry (hard expiry)
Symbols are: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
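The Show and Set commands above configure the policy, but checking that an account actually meets the baseline is a separate step, and an account on which no policy was ever set makes get-account-password-policy fail with NoSuchEntity rather than return a weak policy. The following is an added example (not part of the original page or of the AWS CLI) that audits the CLI's JSON response against the values set by the update command above. load_account_password_policy, audit_password_policy and the two sample responses are illustrative names and constructed data, not real account output.

```python
import json
import subprocess

# Baseline: the values set by the update-account-password-policy command above.
BASELINE = {
    "MinimumPasswordLength": 15,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 6,
    "HardExpiry": True,
}


def load_account_password_policy():
    """Fetch the live policy via the AWS CLI (needs credentials).

    Returns the parsed JSON, or None when the CLI fails with NoSuchEntity,
    which is what happens when no policy has ever been set on the account.
    """
    proc = subprocess.run(
        ["aws", "iam", "get-account-password-policy", "--output", "json"],
        capture_output=True, text=True)
    if proc.returncode != 0:
        if "NoSuchEntity" in proc.stderr:
            return None
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout)


def audit_password_policy(response):
    """Compare a get-account-password-policy response with BASELINE.

    Returns a list of findings (strings); an empty list means compliant.
    """
    if response is None:
        return ["no account password policy is set; the AWS default applies "
                "(8 character minimum, passwords never expire)"]
    policy = response.get("PasswordPolicy", {})
    findings = []
    for key, want in BASELINE.items():
        have = policy.get(key)
        if key == "MaxPasswordAge":
            # MaxPasswordAge is omitted from the response unless ExpirePasswords is true
            ok = policy.get("ExpirePasswords") is True and have is not None and have <= want
        elif key in ("MinimumPasswordLength", "PasswordReusePrevention"):
            ok = have is not None and have >= want
        else:
            ok = have is True
        if not ok:
            findings.append(f"{key}: have {have!r}, want {want!r}")
    return findings


# Constructed sample responses (not from a real account).
WEAK_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False, "HardExpiry": False}}

STRONG_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 15, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 6, "HardExpiry": True}}


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY), ("unset", None)):
        print(name, audit_password_policy(sample) or ["compliant"])
    # For a live account: print(audit_password_policy(load_account_password_policy()))
```

The weak sample trips five findings (length, symbols, expiry, reuse prevention, hard expiry); a shorter expiry or a longer reuse history than the baseline is accepted, since those are stricter, not weaker.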
Create User (CLI)
Create the user. This creates the identity only; the user has no console password and no access key until one is created for it...
aws iam create-user --user-name myuser
Add the user to an existing group...
aws iam add-user-to-group --group-name mygroup --user-name myuser
Verify the result with the show and check commands from above...
aws iam get-account-password-policy --output table
aws iam list-users --output table
aws iam list-groups --output table
aws iam list-groups-for-user --output table --user-name myuser
Create User (Console)
Enable access to billing data for the IAM admin user to be created
Log in to the AWS Management Console as the root user.
On the navigation bar, choose your account name, and then choose My Account.
Next to IAM User and Role Access to Billing Information, choose Edit.
Select the check box to Activate IAM Access and choose Update.
Create User
Return to the AWS IAM Console
In the navigation pane, choose Users and then choose Add user.
Permissions
Choose Add user to group.
Choose Create group.
Best practice suggests groups for such functions as Administrators, Developers, Accounting, etc.
For Administrators... Select the check box for the AdministratorAccess policy.
Choose Create group.
Back on the page with the list of groups, select the check box for your new group. Choose Refresh if you don't see the new group in the list.
Choose Next: Tags.
Tags
Optional
Bibliography
https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-user.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
MFA
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html