Create AWS IAM Policies

IAM policies govern the rights an individual user has in the AWS environment. Policies can be assigned to both groups and individual users. Inline policies are those granted directly to a user account. It is best practice to assign policies to groups and then assign each user to a group.

Policies consist of:

  • Version – mandatory; specifies the version of the policy language. 
  • ID – optional; specifies the identifier of the policy. 
  • Statements – mandatory; specify the rights the policy grants or denies. 

Policy Statement consists of:

  • SID – optional; specifies the statement identifier. 
  • Effect – specifies whether the statement allows or denies access, i.e. “Allow” or “Deny”. 
  • Principal – specifies the account, user or role to which this policy applies. 
  • Action – list of actions this policy allows or denies. 
  • Resource – list of resources to which the actions apply. 
  • Condition – optional; specifies when the policy is in effect. 
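The following is an added example, not code from the lesson: it builds a document shaped like the Admin_view policy created later (a constructed subset of List actions on all resources), checks documents against the structure rules listed above, and flags statements that grant every action on every resource, as the AdministratorAccess policy does. The action names and the "AdminView" Sid are assumptions chosen for the example.

```python
"""Added example (not from the original lesson): build and check IAM policy documents."""
ALLOWED_EFFECTS = {"Allow", "Deny"}

# The well-known AdministratorAccess document seen in step 7: every action on every resource.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

def build_admin_view(sid="AdminView"):
    """Shape of the lesson's Admin_view policy: List actions on all resources (constructed subset)."""
    return {
        "Version": "2012-10-17",  # current policy-language version
        "Statement": [{
            "Sid": sid,  # optional statement identifier
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "iam:ListUsers", "iam:ListPolicies"],
            "Resource": "*",
        }],
    }

def _as_list(value):  # Statement/Action/Resource may be a single value or a list
    return value if isinstance(value, list) else [value]

def validate_policy(policy):
    """Return the structure-rule violations found; an empty list means the document is well formed."""
    problems = []
    if "Version" not in policy:
        problems.append("missing mandatory Version")
    if "Statement" not in policy:
        return problems + ["missing mandatory Statement"]
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        where = stmt.get("Sid", f"Statement[{i}]")  # Sid is optional
        if stmt.get("Effect") not in ALLOWED_EFFECTS:
            problems.append(f"{where}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):  # Principal is needed only in resource-based policies
            if key not in stmt:
                problems.append(f"{where}: missing {key}")
    return problems

def full_access_statements(policy):
    """Sids (or indexes) of Allow statements granting every action on every resource."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        all_actions = "*" in _as_list(stmt.get("Action", []))
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow" and all_actions and all_resources:
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits
```

Running `validate_policy` over a document pasted from the JSON tab is a quick way to see which of the mandatory and optional elements it uses before attaching it to a group.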
1. The following is required before you create IAM policies:
  • An active AWS account. 
  • An active email to receive alerts. 
  • Access to an IAM user with administrative rights. 

2. Logon to AWS as the IAM user at URL:  https://signin.aws.amazon.com/ 

3. In the search bar type IAM, highlight the star next to IAM (so it will appear on your console) and select IAM. 

4. On the left hand side of the screen, scroll down and select policies. 

5. All default AWS policies will be presented to you on the screen, as well as a button on the right hand side to create a custom policy. First let us view an existing policy definition. Select the “AdministratorAccess” policy. 

6. On this page you will be presented with all the services contained in the “AdministratorAccess” policy. Click on the JSON tab to see the code for this policy. 

7. The page displayed is the actual JSON code that governs the “AdministratorAccess” policy. This is key because it allows you to build, edit and assign policies with code outside of the AWS GUI. In future lessons we will learn to deploy various types of code to control your AWS environment. 

8. From the left hand sidebar select Policies → Create Policy. You will be presented with a two step process to create a custom policy, or you can choose the JSON editor to write your own code. 

9. We will create a policy for viewing objects. Type “list” in the actions allowed filter, select all the listed options, under Resources select All, and press the Next button. 

10. In the policy details section type a policy name and description. IAM Access Analyzer is already selected; press Create policy. 

11. You will be brought back to the policy list page and can see your newly created policy. Select the newly created policy → JSON tab to view the code. 

12. The JSON code for the Admin_view policy will be displayed. 

13. Now we will create a new group with the Admin_view policy. On the left hand side of the IAM menu select User Groups. 

14. Select Create group. 

15. On the create group page we are going to name the group “AdministrativeViewGroup”, select user “ljcatt_aws”, and select policy “Admin_view”. Then select the Create user group button. 

16. Now we have the new policy Admin_view in the group AdministrativeViewGroup, assigned to the user ljcatt_aws. 

Create AWS IAM Administrator Account outside of ROOT User

IAM (Identity and Access Management) is a global AWS service which provides access for administrative and development functions in AWS. We will demonstrate the creation of a user other than the ROOT user.

Points to remember about AWS IAM users and groups:

  • The root user should not be used except for setting up AWS and the creation of users and groups. 
  • Users should correlate to unique individuals. 
  • Groups are collections of like users. 
  • Rights can be granted to both users and groups. 
  • Users can belong to multiple groups or to no group at all. 
  • Groups cannot be assigned to other groups. 
  • IAM users and groups are global settings in AWS; they are not part of a region. 
1. The following is required before you create an IAM user for your AWS Free Tier account:
  • An active AWS account. 
  • An active email to receive alerts. 
  • Access to the root user account. 

2. Logon to AWS as the root user at URL:  https://signin.aws.amazon.com/ 

3. Validate that you are not a robot. 

4. Enter your password. 

5. Open your email and retrieve the validation code. 

6. Enter your validation code. 

7. You will now have your AWS account console displayed. In the Search bar type IAM and a link to the IAM console will be displayed.  NOTE:  You can have a link created on your home page by clicking the star next to any resource in AWS. 

8. The IAM console will now be displayed. Select Users in the left hand menu. 

9. Currently we have no users other than root, which is not part of IAM. Select Create User in the upper right hand side of the screen. 

10. You will be presented with a four step screen to create your new IAM user. Enter a user name. Select IAM user, select custom password and enter a password, and unselect “change password at next logon”. NOTE: When creating a user for another person, ensure that the password is generated for you and that “change password at next logon” is selected. 

11. On the next step we will be granting permissions to the user. Select Create group in the lower right hand side. 

12. We will enter “root_group” and select AdministratorAccess for permissions. Select Create user group. 

13. Now you will see the group available to select. Select root_group and press Next. 

14. A review page will be displayed; select Create user. 

15. A Retrieve password page will be displayed, which allows you to download the credentials for the new account or email them to a specific user. Click Return to user list. 

16. A warning may appear about saving the password. Click Continue. 

17. In the upper right hand corner of your screen click on the user_id and select Sign out. NOTE: record the Account ID; in this example it is 393795841763. 

18. In the upper right hand side of the screen select Sign In to the console. 

19. Enter the account ID, IAM username and password you just created. Select Sign in. 

20. You are now logged on as your IAM user. 