AWScloud~5 mins

IAM best practices in AWS - Commands & Configuration

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Introduction

IAM helps control who can do what in your cloud account. Using best practices keeps your account safe and organized.

When you want to give a new team member access to only the tools they need.

When you need to allow an application to access cloud resources securely.

When you want to avoid using the root account for daily tasks.

When you want to track who made changes in your cloud environment.

When you want to remove access quickly if someone leaves your team.

Commands

Create a new IAM user named example-user to give them access without using the root account.

Terminal

aws iam create-user --user-name example-user

Expected OutputExpected

{"User":{"Path":"/","UserName":"example-user","UserId":"AIDAEXAMPLEUSERID","Arn":"arn:aws:iam::123456789012:user/example-user","CreateDate":"2024-06-01T12:00:00Z"}}

→

--user-name - Specifies the name of the new IAM user.

Attach the ReadOnlyAccess policy to example-user to give them permission to view resources but not change them.

Terminal

aws iam attach-user-policy --user-name example-user --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

Expected OutputExpected

No output (command runs silently)

→

--policy-arn - Specifies the ARN of the policy to attach.

→

--user-name - Specifies which user to attach the policy to.

Create access keys for example-user so they can use the AWS CLI or SDK securely.

Terminal

aws iam create-access-key --user-name example-user

Expected OutputExpected

{"AccessKey":{"UserName":"example-user","AccessKeyId":"AKIAEXAMPLEKEYID","Status":"Active","SecretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","CreateDate":"2024-06-01T12:05:00Z"}}

→

--user-name - Specifies the user to create access keys for.

List all IAM users to verify example-user was created successfully.

Terminal

aws iam list-users

Expected OutputExpected

Users: - UserName: example-user UserId: AIDAEXAMPLEUSERID Arn: arn:aws:iam::123456789012:user/example-user CreateDate: 2024-06-01T12:00:00Z

Key Concept

If you remember nothing else from this pattern, remember: always give the least permissions needed and avoid using the root account.

Common Mistakes

Using the root account for everyday tasks.

The root account has full access and can cause big problems if compromised.

Create individual IAM users with limited permissions for daily work.

Giving users more permissions than they need.

This increases security risks if a user or their credentials are compromised.

Attach only the policies that allow the exact actions the user needs.

Not rotating or deleting unused access keys.

Old keys can be stolen and used to access your account.

Regularly rotate keys and delete keys that are no longer needed.

Summary

Create IAM users to avoid using the root account.

Attach only necessary policies to users for least privilege.

Create and manage access keys securely for programmatic access.

Verify users and permissions with list commands.