01
Go to the Amazon Web Services website at http://aws.amazon.com/ and click Create an AWS account.
02
On the Sign In page, enter your email or mobile number, select I am a new user and click Sign in using our secure server.
03
On the Login Credentials page, fill out the registration form and click Create account.
04
Follow the AWS instructions to complete the registration process. Once your new account is ready, sign in to the AWS Management Console.
05
Navigate to the IAM dashboard at http://aws.amazon.com/iam/.
06
First, create the IAM policy that defines the access permissions to your AWS environment resources (i.e. the resources available in all the AWS accounts created in Section I). To create the policy, perform the following:
- In the left navigation panel, choose Policies and click the Create Policy button from the dashboard top menu.
- On the Create Policy page, select Create Your Own Policy to create your custom managed policy.
- On the Review Policy page, enter the following information:
  - In the Policy Name box, enter a name for your custom policy. Choose a unique name that reflects the policy usage (e.g. MyCrossAccountPolicy).
  - In the Description textbox, enter a short description for the policy (optional).
  - In the Policy Document textbox, paste the following policy document, replacing the AWS account IDs and IAM role names with those of the accounts and roles created in Section I of this guide:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::565392545550:role/Dev-Admin-Role",
      "arn:aws:iam::565392545552:role/Test-Admin-Role",
      "arn:aws:iam::565392545553:role/Staging-Admin-Role",
      "arn:aws:iam::576539245557:role/Prod-Admin-Role"
    ]
  }
}
- Click the Validate Policy button to validate the policy document, then click Create Policy to save it.
07
Now create the IAM group that will manage the access permissions to your AWS environment resources; these permissions are automatically inherited by any IAM users attached to the group. This is very useful when an employee or team member leaves your organization, because you only need to detach their user from the group to revoke their access. To create the IAM group, perform the following actions:
- In the left navigation panel, choose Groups and click the Create New Group button from the IAM dashboard top menu.
- On the Set Group Name page, enter a name for the new group and click the Next Step button.
- On the Attach Policy page, in the Filter box, search for the policy name created at step no. 6. Select the policy name returned and click the Next Step button.
- On the Review page, review the new group configuration then click Create Group.
08
Before any users are created and attached to the Identity Account IAM group, you must define a managed policy that sets the users' baseline permissions: changing their password, attaching MFA devices, and generating and updating their own access keys. (!) IMPORTANT: this policy does not grant the user access to AWS resources (in any account); it provides only the basic user-related permissions needed to manage their own credentials. To create the policy, perform the following:
- In the left navigation panel, choose Policies and click the Create Policy button from the dashboard top menu.
- On the Create Policy page, select Create Your Own Policy to create your custom managed policy.
- On the Review Policy page, enter the following information:
  - In the Policy Name box, enter a name for your custom policy. Choose a unique name that reflects the policy usage (e.g. IAMUserCredentialsPolicy).
  - In the Description textbox, enter a short description for the policy (optional).
  - In the Policy Document textbox, paste the following policy document, replacing the account ID and group name with the Identity Account ID and the IAM group name created at the previous step:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464432593000",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:group/Staff"
      ]
    }
  ]
}
- Click the Validate Policy button to validate the policy document, then click Create Policy to save it.
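A small linter for the two policy documents from steps 6 and 8, added here as an example (it is not part of the original guide and not an AWS tool). It checks that the cross-account policy allows only sts:AssumeRole on well-formed role ARNs in the expected accounts, and flags a self-service credentials policy whose Resource is a group ARN: IAM evaluates iam:ChangePassword, iam:CreateAccessKey and the MFA actions against the calling user's own user (or mfa) ARN, so the documented pattern is arn:aws:iam::ACCOUNT:user/${aws:username}. The embedded policies reuse the guide's sample account IDs and names; the function names are this example's own.

```python
import json, re

# The two policy documents from steps 6 and 8, embedded here as constructed sample input.
CROSS_ACCOUNT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": ["arn:aws:iam::565392545550:role/Dev-Admin-Role",
                 "arn:aws:iam::576539245557:role/Prod-Admin-Role"]}
}""")
SELF_SERVICE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["iam:ChangePassword", "iam:CreateAccessKey", "iam:EnableMFADevice"],
    "Resource": ["arn:aws:iam::123456789012:group/Staff"]}]
}""")
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@-]+$")
SELF_ARN = re.compile(r"^arn:aws:iam::\d{12}:(user|mfa)/")
SELF_SERVICE_ACTIONS = {"iam:ChangePassword", "iam:CreateAccessKey", "iam:DeleteAccessKey",
                        "iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
                        "iam:EnableMFADevice", "iam:DeactivateMFADevice"}

def _aslist(v):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return v if isinstance(v, list) else [v]

def lint_assume_role_policy(doc, expected_accounts):
    """Step-6 policy: allow exactly sts:AssumeRole, only on role ARNs in known accounts."""
    findings = []
    for st in _aslist(doc["Statement"]):
        if st.get("Effect") != "Allow" or _aslist(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement must allow exactly sts:AssumeRole, got {st.get('Action')}")
        for arn in _aslist(st.get("Resource", [])):
            m = ROLE_ARN.match(arn)
            if not m:
                findings.append(f"not a well-formed IAM role ARN: {arn}")
            elif m.group(1) not in expected_accounts:
                findings.append(f"role in an account outside the environment: {arn}")
    return findings

def lint_self_service_policy(doc):
    """Step-8 policy: IAM evaluates these self-service actions against the caller's own
    user (or mfa) ARN, so a statement scoped to a group ARN grants nothing."""
    findings = []
    for st in _aslist(doc["Statement"]):
        if SELF_SERVICE_ACTIONS & set(_aslist(st.get("Action", []))):
            for arn in _aslist(st.get("Resource", [])):
                if not SELF_ARN.match(arn):
                    findings.append(f"{arn}: scope to arn:aws:iam::ACCOUNT:user/${{aws:username}}"
                                    " (plus :mfa/${aws:username} for the virtual MFA actions)")
    return findings
```

Run both linters over a policy document before pasting it into the console; an empty list means no findings.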
09
Now it's time to create the IAM users that will access your AWS environment resources through the roles they assume. By default, the IAM users created at this step have no permission to assume roles and so cannot access other AWS accounts. The ability to switch role into other AWS accounts and access their resources is enabled only after these users are attached to the group created at step no. 7. To create the necessary IAM users, perform the following:
a. In the left navigation panel, choose Users.
b. On the Users page, click the Create New Users button to set up the new IAM user.
c. On the Create User page, under Enter User Names, enter the name for the new user in the first box. You can create multiple IAM users at once if necessary.
d. Make sure the Generate an access key for each user checkbox is selected if you need access keys for your user, so that AWS generates the key pair for you.
e. Click Create to create the IAM user.
f. Click Download Credentials to save the CSV file that contains your user's access key (Access Key ID and Secret Access Key) to a secure location on your machine. Once the file is downloaded, click the Close link to return to the Users page.
g. Click the newly created IAM user name to access its configuration page.
h. Select the Permissions tab and click the Attach Policy button to define the user's access permissions.
i. On the Attach Policy page, in the Filter box, search for the policy name created at step no. 8. Select the policy name returned and click the Attach Policy button.
j. Select the Security Credentials tab to set up a password for the newly created IAM user.
k. Under the Sign-In Credentials section, click the Manage Password button to assign a new password.
l. On the Manage Password page, select one of the following options to create the user password:
   - Select Assign an auto-generated password if you want AWS IAM to automatically generate a new password for you.
   - Select Assign a custom password to provide your own password.
m. Click Download Credentials to save the file that contains your new IAM user password to a secure location on your machine. Once the file is downloaded, click the Close link to return to the user configuration page.
n. In the left navigation panel, choose Dashboard and copy the sign-in link available under the IAM users sign-in link section.
Repeat steps a–n to create additional IAM users as required.
11
Once you create all the necessary IAM users, attach them to the IAM group by performing the following:
- In the left navigation panel, choose Groups and click on the group name to access its configuration page.
- On the group configuration page, select the Users tab.
- Click the Add Users to Group button and select the IAM users that need access to your AWS environment resources.
- Click Add Users to attach the selected users to the group. Now all the IAM users within the group will inherit its access permissions.
12
To revoke a user's access to the environment, simply detach the user from the group as follows:
- In the left navigation panel, choose Groups then click on the group name.
- On the group configuration page, select the Users tab.
- Click the Remove Users from Group button and select the IAM users that no longer require access to your AWS environment.
- Click Remove Users to detach the selected users from the IAM group and revoke their access.