Identity and access management is central to an organization's security strategy and day-to-day functionality. Personnel need access to information to do their jobs, but the IT team must keep sensitive data safe.
AWS identity and access management (IAM) helps manage these permissions on the cloud. Even with an AWS IAM process in place though, user and group creation is time-consuming work, especially as an organization grows. To speed up the process, learn how to automate AWS IAM resources and account management.
This AWS IAM video tutorial demonstrates how to create and manage users and groups with CloudFormation templates.
To get started, define the AWS IAM environment in a YAML-formatted document -- this tutorial takes place in a Microsoft Visual Studio integrated development environment -- and begin with the parameters section. Set up a one-time password parameter so that the user can log in initially. The user will reset this password after you create their IAM account.
With the password parameter complete, start creating individual AWS IAM user accounts. To set up a user, define the resource type and choose a username. After you define and name the user resource, set up a login profile, which is where the one-time password is used.
Once the first user is built, you can create more by replicating the initial user's code block in Visual Studio. To do that, use a preset Visual Studio plugin to select the code paragraph for the initial user and replicate it with Ctrl+P. Create the desired number of accounts from the copied code and assign a username to each.
Next, create AWS IAM groups for the different types of users. For this demonstration, define an example group as Accountants. Then, create a policy. The group policy gives IAM group members access to the data relevant to their roles. In this example, create a TaxDataAccess policy for the accountants and link it to the group with an accountantsGroup reference in the policy. Use allow rules to grant the group permissions, such as access to a particular S3 bucket. In this example, allow the accountantsGroup to list items in the myorgaccounting S3 bucket.
Follow the remaining steps in the AWS IAM automation tutorial video above to complete the process.
CloudFormation templates can be a great way to manage your users, groups and permissions in AWS. We'll get started in Visual Studio Code by creating a YAML document to define our IAM environment.
Let's start with the parameters section. By creating a one-time-use password parameter, we are able to pass in the value of our password without storing it in our YAML file. The user will use this one-time password to log in the first time and then reset it.
Next, we'll start creating some actual resources, beginning with our first user, exampleuser1. We'll define the type and specify the username. We'll also add a LoginProfile, which enables our user to log in with that one-time password and requires them to reset the password on first login.
So to create more users, we'll just replicate this block. I have a Visual Studio plugin installed called select paragraph. So I can hit Ctrl+P to select the entire paragraph. You'll notice that the username exampleuser1 now appears twice. To prevent errors, we can use another Visual Studio trick. Select the username and press Ctrl+D. This will highlight the next instance of that username.
So we could continue to do this for each user in our environment. But what good is a user if they don't have any permissions or group memberships? So let's create a group.
We'll create our first IAM group and we'll name it Accountants. Next, we'll create a managed policy called taxDataAccess that we want our accountants to have. In the group section of our managed policy, we'll add the reference to our accountantsGroup and this will tie the two together. And then, we'll define our policy. This first allow rule is a standard rule that will allow the user to be able to use the S3 web interface. Next, we'll allow them to be able to list the items in our myorgaccounting S3 bucket that I already created. Finally, we'll set an allow rule to let them take any action inside of that S3 bucket, including uploading and downloading files.
So we have our group defined and we have our policy linked to that group. Now we need to link a user to our accountants group. Under exampleuser1, one of the properties that we can set in the IAM user object is groups, and here we will put a reference to our accountantsGroup.
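The template the walkthrough above builds, written out as an added example (this is not the tutorial's own file); the lowercase logical IDs, the parameter name and the two actions in the S3 console statement are assumptions:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: IAM user, group and managed policy (added example, not the tutorial's file)
Parameters:
  OneTimePassword:
    Type: String
    NoEcho: true        # keeps the value out of console output and stack descriptions
    Description: Initial console password; the user must change it at first login
Resources:
  exampleuser1:
    Type: AWS::IAM::User
    Properties:
      UserName: exampleuser1
      LoginProfile:
        Password: !Ref OneTimePassword
        PasswordResetRequired: true   # forces the reset on first login
      Groups:
        - !Ref accountantsGroup       # group membership set on the user
  accountantsGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: Accountants
  taxDataAccess:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: TaxDataAccess
      Groups:
        - !Ref accountantsGroup       # attaches the policy to the group
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: S3ConsoleAccess      # assumed actions the S3 web console needs to render
            Effect: Allow
            Action:
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            Resource: "*"
          - Sid: ListAccountingBucket
            Effect: Allow
            Action: s3:ListBucket
            Resource: arn:aws:s3:::myorgaccounting
          - Sid: ObjectAccessInAccountingBucket
            Effect: Allow
            Action: s3:*               # any action, but only on objects in this one bucket
            Resource: arn:aws:s3:::myorgaccounting/*
```

Because the template sets explicit UserName, GroupName and ManagedPolicyName values, CloudFormation asks for the CAPABILITY_NAMED_IAM acknowledgement at stack creation, which is the checkbox the upload steps below refer to.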
So you can see that there is a lot of flexibility here in that we can create our groups and assign different individuals to multiple groups. And then each of those groups can have different access control permissions. And from a security perspective, this really makes it easy in one place to see who has access to what in our AWS environment.
So let's go ahead and upload this CloudFormation template. Before we get started, we can see that we have two users and one group defined in this AWS account. So let's go ahead and create a stack in CloudFormation and select 'Upload a template file.' Then we'll choose a file and select the IAM YAML file we just created. If there are any syntax errors, it will alert you now. If not, just click 'Next.'
This next screen is a result of our parameters. So we'll go ahead and type in what we want to use for our one-time password. This will only apply to users that we've added since the last time we modified the stack.
Another key point here is that you want to make sure this password meets your account's password complexity requirements, or stack creation will fail later when it tries to create the accounts. We'll name our stack iamstack.
We can click 'Next' through the 'Configure stack options' page, and at the bottom of the last page we will need to acknowledge that we are creating IAM resources, then click 'Create stack.'
You'll see the progress of your stack creation in the Events section on your right. You may need to hit the refresh button to see that your stack is done. If it is and you don't have any errors, you can look at your resources to see what's been created. We can see we created two users, an accountantsGroup and a taxDataAccess managed policy. If we click on exampleuser1 and then groups, we'll see that they are a member of the accountantsGroup.
So congratulations, you created and managed IAM groups, policies and users using CloudFormation templates. Thanks for watching.