- Hands-On Artificial Intelligence on Amazon Web Services
- Subhashini Tripuraneni, Charles Song
- 2021-06-24 12:48:42
Identity and Access Management
The next AWS service we will look at is Identity and Access Management (IAM). IAM allows you to manage access to other AWS services and resources securely. AWS offers enterprise-grade security and access control, which is great for building production-ready applications in the cloud. However, if you are new to AWS, working with IAM can be challenging at first. If the necessary access has not been granted, the services will simply refuse to perform the desired actions. We will be working with IAM quite a lot to build the projects in this book. You will get familiar with concepts such as users, groups, and roles so that you can provide your applications with the necessary access to the required services.
Let's navigate to the IAM home page by clicking on IAM in the list of services under Security, Identity, and Compliance. The IAM home page should look similar to this:

The IAM dashboard gives you an overview of the IAM resources and their security status. So far, we don't have any users or groups, but AWS has created two roles by default.
We have been accessing the AWS Management Console using our root account. This account, by default, can only access the AWS Management Console; it will not be able to interact with AWS services programmatically. Let's create a new user with programmatic access for the hands-on projects.
Click on Users on the left-hand pane, and then click on the Add user button:

After entering the desired username, be sure to select only Programmatic access. Programmatic access will enable an access key ID and a secret access key pair. This key pair can be used by AWS APIs, the CLI, and the SDK. It is good practice to limit each user to either programmatic access or AWS Management Console access.
Here, we created an aws_ai user with only programmatic access:

On the next screen, let's also create a group to manage the permissions. We recommend adding users to one or more groups with the necessary permissions, rather than attaching the individual permissions and policies to the users directly. This way, it's much easier to manage the permissions when there are numerous users that require different permissions in your organization.
Click on the Create group button under Add user to group, as follows:

For our group, let's name it Developer, and then attach the AdministratorAccess policy to this group:

We do not need to create any tags, so just review and create the user.
Once the user has been created, you will see the Success screen:

On this screen, you have the option to view or download the access key pair that we mentioned earlier. This is the only time that the secret access key can be displayed or downloaded, so go ahead and download the CSV file onto your computer. We will need this key pair when we use the AWS CLI and the AWS SDK later in this chapter.
Congratulations, you just used the IAM service to create a user and added it to a group with administrative permissions! If you go back to the dashboard, you will see that we have added it to the IAM resources and made progress regarding the security status:
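As an added example (not code from the book), the following Python code checks an account snapshot against the practices described in this section: permissions granted through groups rather than attached to users directly, each user limited to either programmatic or console access, and a record of which users inherit AdministratorAccess from a group. The sample data is constructed; its field names follow the output of `aws iam get-account-authorization-details` and a subset of the IAM credential report columns, and `legacy_app` is a hypothetical user.

```python
import csv
import io

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample data (not from a real account). Field names follow the
# output of `aws iam get-account-authorization-details`.
AUTH_DETAILS = {
    "UserDetailList": [
        {"UserName": "aws_ai", "GroupList": ["Developer"],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
        {"UserName": "legacy_app", "GroupList": [],  # hypothetical user
         "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_ARN}],
         "UserPolicyList": []},
    ],
    "GroupDetailList": [
        {"GroupName": "Developer", "AttachedManagedPolicies": [
            {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_ARN}]},
    ],
}
# Constructed rows using a subset of the IAM credential report CSV columns.
CREDENTIAL_REPORT = """user,password_enabled,access_key_1_active,access_key_2_active
aws_ai,false,true,false
legacy_app,true,true,false
"""

def audit(auth, report_csv):
    """Return (user, issue) pairs for deviations from the section's practices."""
    findings = []
    admin_groups = {g["GroupName"] for g in auth["GroupDetailList"]
                    if any(p["PolicyArn"] == ADMIN_ARN
                           for p in g["AttachedManagedPolicies"])}
    for u in auth["UserDetailList"]:
        # Policies attached to the user itself instead of through a group.
        if u["AttachedManagedPolicies"] or u["UserPolicyList"]:
            findings.append((u["UserName"], "direct-policy"))
        # Informational: full administrative rights inherited from a group.
        for g in sorted(admin_groups & set(u["GroupList"])):
            findings.append((u["UserName"], "admin-via-group:" + g))
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        # A console password and an active access key on the same user.
        if row["password_enabled"] == "true" and has_key:
            findings.append((row["user"], "console-and-programmatic"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(AUTH_DETAILS, CREDENTIAL_REPORT):
        print(f"{user}: {issue}")
```

The `admin-via-group` entries are an inventory of who holds AdministratorAccess rather than a violation of the group-based setup; for the `aws_ai` user created here, that entry is expected.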
