Cloud Security with AWS IAM

Evan Selunani
9 min read · Sep 5, 2024


Why not brighten your watchman’s day with a warm cup of chai and some good conversation? Catch up on what’s buzzing in the neighborhood — because a little local intel can go a long way! After all, security isn’t just about locks and alarms; it’s about staying in the loop. So, buy him that chai and build some security! Now, speaking of security, it’s crucial for any organization, especially when managing access in cloud environments. Today, we’ll dive into how to add a user to your AWS environment, ensuring they have the correct permissions to access specific resources. In this guide, we’ll walk through setting up key structures to manage users efficiently. The structures include the following —

a) EC2 Instances
b) IAM Policies
c) IAM Users and User Groups
d) AWS Alias Accounts

These are basic but interesting topics. As my Algebra Lecturer, Mr. Kirumbu, used to say — it’s “cheap stuffs,” like chips. I wonder if he was hungry during our afternoon classes…There was never a dull moment in his class…

Let’s dive in! If you don’t have an AWS account yet or want to catch up on my previous work, you can easily set up your account using this link to my last article.


a) EC2 Instance

An EC2 (Elastic Compute Cloud) is a virtual server that runs in the AWS cloud. It’s elastic, meaning you can easily scale up or down, adding more computing power when you need it and reducing it when you don’t. It provides computing power, allowing you to process data or run applications. Since it’s in the cloud, you don’t need to manage any physical hardware — it’s all handled over the internet.

Steps to Launch Your EC2 Instance

1. Login to Your Management Console: Search for “EC2” in the search bar.

AWS Management Console

2. Switch to the Region Closest to You: This will help reduce latency.

3. Go to the EC2 Dashboard: After clicking on “EC2,” you’ll be redirected to the EC2 Dashboard. From here, scroll down to “Launch Instances.”

4. Name and Tags Section:
— Name your instance: e.g., `myinstanceone-name`.
— Add additional tags: Click Add Tag and enter Key: env, Value: production.
— Why Tagging?: Tags are labels that help you organize your AWS resources, filter them, manage costs, and apply policies based on environments like production or development.

5. Application and OS Images (Amazon Machine Image):
— Make sure the Amazon Machine Image (AMI) is a Free Tier eligible option.
What’s an AMI?: An AMI includes the software configuration (OS, application server, applications) needed to launch your instance.

6. Instance Type:
— Choose a Free Tier eligible instance type.
What’s an Instance Type?: It determines the hardware components like CPU power, memory size, and storage space.

7. Key Pair (Login):
— Select “Proceed without a key pair.”
What’s a Key Pair?: A key pair is a set of security credentials (public and private keys) used to prove your identity when connecting to an EC2 instance. Since we won’t be SSHing into the instance, we can skip this.

8. Network and Storage Sections:
— We’ll skip these for now and proceed to launch the instance.

9. Launch Your Instance:
— You should see a green banner stating “Successfully initiated launch of instance (i-08eebe938f13bed27)” — the letters and digits in the instance ID are auto-generated, so yours will differ.

Launch an Instance Dash Board.

10. Set Up a Second Instance:
— Follow the same steps to launch a second instance.
— Name it `yourname2` and set `env` to `development`.

If you get stuck, feel free to comment below — I’m happy to help. We are launching two instances because we will test our IAM policy against both of them later.

b) Creating an IAM Policy

IAM stands for Identity and Access Management. It helps you control who can access your AWS resources and what they can do with them. An IAM policy is like a set of rules that define what actions users, groups, or roles can take on your AWS resources.

Steps to Create an IAM Policy:

1. Open the IAM Console:
— Go to your AWS Management Console.
— In the search bar, type IAM and select it to open the IAM dashboard.

2. Navigate to Policies:
— On the left-hand side, under Access Management, click on Policies.
— In the top-right corner, click on Create Policy.

3. Switch to JSON Tab:
— You’ll see a page where you can create a policy.
— Click on the “JSON” tab and paste the following code:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Env": "development"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}
```

The code block looks intimidating, right? But don’t sweat it — I’ve got you covered! Let me walk you through what’s happening here, step by step, so it’ll all make sense in no time.

Understanding the Policy Code:
Version: This tells AWS which version of the policy language to use. `2012-10-17` is the most current version.
Statement: This is the main part of the policy where permissions are defined. It includes:
Effect: Decides if the action is allowed or denied. It can be either Allow or Deny.
Action: Specifies the actions that are allowed or denied. Here, it’s related to EC2 operations.
Resource: Specifies the resources the actions apply to. The asterisk (“*”) means all resources.
Condition: (Optional) Adds extra rules. In this policy, it only allows actions on EC2 resources that have the tag `Env=development`.

4. Finalize the Policy:
— Click “Next” and fill in the policy details.
— Under “Name,” enter a meaningful name like `yourname-devpolicy`.
— In the description, write something that explains the purpose of the policy, like “IAM Policy for dev environment.”

That’s it! You’ve created an IAM policy that controls what can be done with your EC2 instances in the development environment.

c) Creating an AWS Alias Account

An Account Alias is a user-friendly name for your AWS account that you can use instead of your account ID to sign in to the AWS Management Console.

Steps to Create an AWS Alias:

1. Go to the IAM Dashboard:
— Open your AWS Management Console.
— Navigate to the IAM dashboard.

2. Scroll Down to AWS Account Settings:
— On the IAM dashboard, scroll down to the “AWS Account” section.

3. Create Your Alias:
— In the AWS Account section, just below Account Alias, click on the link to create one. A box will pop up asking you to input your preferred alias. Enter your preferred name (e.g., yourname) and click on Create alias.

IAM Dashboard

Let’s take a little break, grab a coffee or juice or sour Uji — and enjoy some great hits from my favorite artist. Trust me, I’ve got great taste in music!

Nyashinski Showman… Enjoy!

Back to the grind,

d) Create IAM Users and User Groups

Step 1: Create a User Group

1. Navigate to User Groups:
— On the IAM dashboard, in the left navigation pane, click on User groups.
— Then, click on Create group.

2. Name Your Group:
— In the Group name section, enter a name like yourname-dev-group.

create user group

3. Attach Permission Policies:
— Scroll down to the Attach permission policies section.
— Search for the policy you created earlier, select it, and then click on Create user group.

Step 2: Add Users to the Group

1. Navigate to Users:
— In the left navigation pane, click on Users.

2. Create a New User:
— On the user dashboard, click on Create user (top right corner).

Create User — user details

3. Enter User Details:
— On the Create user page, give the user a name (e.g., `yourname`).

4. Provide Console Access:
— Check the box that says Provide user access to the AWS Management Console.
— Then, click on I want to create an IAM user.

5. Skip Password Reset:
— Uncheck the box that says Users must create a new password at next sign-in (for simplicity), and click on Next.

6. Set Permissions:
— Under Set permissions, add the user to the group you just created by selecting your user group.

Create user — permissions

7. Create the User:
— Click on Create user.
— Once created, you’ll see the user’s details, including the username, password, and a sign-in link.

The page will display the newly created user, their password, and a link for signing in.

Create user — Retrieve Password

Testing Your IAM Policy

1. Sign In as the New User:
— Copy the sign-in URL you were given and open it in an incognito tab.
— Enter the user’s password to sign in.

2. Notice the Access Denied Messages:
— As a new user, you might see some “Access Denied” messages on certain dashboard panels.
— Don’t worry — this is normal and expected!

AWS Management console — created user

3. Test the Policy on Your EC2 Instances:
— Go to the EC2 dashboard in the region where you created your instance.
— Select the instance that has the production tag.

4. Try to Stop the Production Instance:
— Click on the “Actions” dropdown, then choose Manage instance state.
— Select the Stop option, and try to change the state to Stop.

5. See the Red Banner:
— You’ll see a red banner saying the action failed.
Why? Because your IAM policy is working! It’s preventing the user from stopping instances with the production tag, as intended. (We specified this in the policy’s JSON with the condition `"ec2:ResourceTag/Env": "development"`.)

6. Now, Try the Development Instance:
— Go to the instance with the development tag.
— Repeat the steps to stop the instance.

7. Success!:
— This time, you’ll see a green banner indicating that the instance has been successfully stopped.

This shows that your policy is correctly enforcing what the user can and cannot do based on the instance’s tags.
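To see the same outcome without a console, here is a small offline simulator I wrote for this article (it is not AWS code and not the author’s): it applies the tutorial’s policy to constructed instance tags using IAM’s evaluation order (explicit Deny beats Allow, and anything unmatched is implicitly denied) and the `StringEquals` tag condition. The instance IDs and tags are made up; real IAM also evaluates SCPs, permission boundaries and resource policies, which this toy ignores.

```python
# Added example: simplified IAM evaluator for the tutorial's policy (not AWS or the author's code).
import fnmatch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "development"}}},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Denying tag changes stops a user from relabelling production as development.
        {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"], "Resource": "*"},
    ],
}

# Constructed stand-ins for the two instances launched in the tutorial.
INSTANCES = {"i-prod": {"Env": "production"}, "i-dev": {"Env": "development"}}

def _matches_action(pattern, action):
    # IAM action names are case-insensitive and may contain '*' wildcards.
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)

def _condition_holds(statement, tags):
    # Only StringEquals on ec2:ResourceTag/<key> is modelled; values are case-sensitive.
    cond = statement.get("Condition", {}).get("StringEquals", {})
    for key, expected in cond.items():
        if not key.startswith("ec2:ResourceTag/"):
            return False  # unsupported condition key in this toy
        if tags.get(key.split("/", 1)[1]) != expected:
            return False  # missing tag or different value fails the match
    return True

def evaluate(policy, action, tags):
    """Return 'Allow' or 'Deny' for one action against a resource's tags."""
    allowed = False
    for st in policy["Statement"]:
        if not (_matches_action(st["Action"], action) and _condition_holds(st, tags)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched

if __name__ == "__main__":
    for iid, tags in INSTANCES.items():
        for action in ("ec2:StopInstances", "ec2:DescribeInstances", "ec2:CreateTags"):
            print(iid, action, evaluate(POLICY, action, tags))
```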

Throughout this project, you’ve successfully completed several key tasks —

1. Launched EC2 Instances: We have created and configured EC2 instances, understanding how to use Amazon Machine Images (AMIs) and instance types, and the importance of tagging for organization and management.

2. Created and Applied IAM Policies: We have crafted an IAM policy that enforces specific permissions on our EC2 instances based on our tags, ensuring that only the right actions can be performed on the appropriate resources.

3. Set Up IAM Users and User Groups: We have created a user group and assigned permissions to it by applying the IAM policy. We have also added users to this group, giving them controlled access to the AWS environment.

4. Tested IAM Policies: By signing in as a new user, we verified that our IAM policy correctly restricts actions on production instances while allowing actions on development instances. This hands-on test confirmed that the security controls are functioning as intended.

Through these steps, we’ve gained practical experience in AWS resource management, from instance setup to access control. This project has not only solidified our understanding of EC2 and IAM but also demonstrated the importance of precise permissions in maintaining a secure cloud environment.

Catch you next week — I’ll do a short preview of a simulator environment provided by AWS called IAM Policy Simulator…

Enjoy your weekend!

Got questions? Don’t be shy — drop them in the comments, and I’ll be more than happy to help you out!


Written by Evan Selunani

Transforming the world, one keystroke at a time.| Certified AWS Cloud Practitioner.
