AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems in the cloud that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access. The main purpose of the IAM is to enable a securely control access to AWS services and resources. With the help of AWS we can manage ,create policies to different users. they are many access authorizes to users like giving access keys , passwords and multi-factor authentication devices. We can create roles and add permissions to control which operation can be performed by the entity.

In this lab I have blocked some services to a particular user and when that user tries to login and try to use that service it would not be accessible.


  • Creating users and adding them to group
  • Manage user accounts passwords and policies
  • Edit a group policy
  • Locating and using the IAM sign-in URL


STEP 1: For the understanding of giving permissions and managing password policies, I have created a couple of users with the name ‘userone’, ‘usertwo’, ‘userthree’. First I will show how the dashboard will look alike when you will select the IAM services under AWS console.

Screenshot (32)

Screenshot (33)

Now from the Dashboard image above you can clearly see items on the left side under details panel like groups, users, policies, account settings etc. You can actually create as many users according to the need of your organizational need. So to create new users you will go into users option and create new users as shown in image below:

Screenshot (34)

Screenshot (35)Screenshot (36)

Screenshot (38)Screenshot (39)

STEP 2: Now I will create a couple of groups also to add the users I have created above. Then question can arise why You need to create groups. The answer to this question is that you can apply policies to groups only, the policies which allow and block some services of AWS just the same way you did in your Group policy management in VMware Server machines. Also, you have to add groups one by one and while creating the group you can assign the policies or you can apply them later.

So for creating the Groups again we have to look on the right side panel the same way we did in creating users. Image below shows one group ‘EC2 support’ that I have created and the policy that I have given to that group:

Screenshot (40)Screenshot (41)

Next image will give you a hint about the list of services under AWS which we can use as a policy to block and allow.

Screenshot (42)Screenshot (43)

Group0 has been created administrative policies and Group1 has been created with full EC2 Policy. The Image below will show that the particular policy while creating the group is being applied.

Screenshot (44)

STEP 3: The next step can be adding users into the groups.This can be done by selecting the group in which you want to add the selected user. For this lab post I have added userthree into an EC2 support group, means ‘userthree’ will only have access to the EC2 instance as clear from the policy I added in the EC2 group.
Images below will show the user that has been added into the group:

Screenshot (45)Screenshot (46)Screenshot (47)

** IMPORTANT: You can actually try doing this thing by adding policy to different group but just for the demonstration I have explained 1 group, 1 users in this lab post.**

STEP 4: After adding a user into the group and applying policies, you have to set the password for the users. There are two things that you can do in a password.
— First, you can set password policy, For example, you can give minimum password length, requires one upper case letter etc. The creating policy is necessary these days for better security. Password policies for better understanding is shown in the image below:

Screenshot (31)

STEP 5: Now all set up with policies and password. You need to sign-in with the user, for that you have to copy the link that is given in the dashboard. So If you think at the level of organization you can clearly understand that being an Admin I will provide certain user this link, their username, and password so that they can login and use the services that I have allowed him/her under policy.

The image below will guide you where you can find that link:

Screenshot (48)

with the particular credentials that have provided:

Screenshot (49)

Now as you know that I have given ‘User3’ of ‘Group1’ full access of EC2, so Image below will describe that ‘User3’ can use all services of EC2:

Screenshot (50)

But we cannaot use other services such as S3 since the access will be deinied:

Screenshot (51)


AWS Identity and Access Management (IAM) is a web service that lets you securely control access to AWS resources for users. People (AWS resources that are available using the IAM authentication ) and use its resources and how they can be used. With the help of IAM you can Share access to the AWS Account, Granular permissions, Security access AWS resources for applications running on Amazon EC2, Credentials works, Credentials for ensuring, Eventual Consistency.


Q1) What kinds of security credentials can IAM users have?
Ans- IAM users can have any combination of credentials that AWS supports, such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device. This allows users to interact with AWS in any manner that makes sense for them.

Q2) What are the features of IAM roles for EC2 instances?
Ans- IAM roles for EC2 instances provides the following features:
– AWS temporary security credentials to use when making requests from running EC2 instances to AWS services.
– Automatic rotation of the AWS temporary security credentials.
– Granular AWS service permissions for applications running on EC2 instances

Q3) Mention few IAM best Practises?

Ans- Some of the best practises to be followed during IAM are mentoned below:

  • Lock Away Your AWS Account Root User Access Keys
  • Create Individual IAM Users
  • Use AWS Defined Policies to Assign Permissions Whenever Possible
  • Use Groups to Assign Permissions to IAM Users
  • Grant Least Privilege
  • Use Access Levels to Review IAM Permissions
  • Configure a Strong Password Policy for Your Users
  • Enable MFA for Privileged Users
  • Use Roles for Applications That Run on Amazon EC2 Instances
  • Delegate by Using Roles Instead of by Sharing Credentials
  • Rotate Credentials Regularly
  • Remove Unnecessary Credentials
  • Use Policy Conditions for Extra Security
  • Monitor Activity in Your AWS Account