EXPERIMENT-04

Simulation: Introduction to IAM

Simulation overview

In this simulation, you use some of the Amazon Identity and Access Management (IAM) features that you
just learned about.

You will get hands-on experience with creating IAM policies, groups, and users. You will experience logging
in as users with different permissions. You will learn how groups can be used to manage permissions for
users, based on their job role.

Objectives
After completing this simulation, you will know how to do the following:

• Create a custom managed policy.

• Create IAM user groups with permission policies.
• Create IAM users and assign users to groups.
• Use user groups to add users to a group.
• Explore policy permissions that users inherit from groups.
• Log in as users to test the user’s permissions.
• Modify a user’s permission to provide additional access.

Duration

This simulation requires approximately 40 minutes to complete. You can take as long as you need.

Prerequisites
Before you begin this simulation, you should complete the Getting Started with Security course content.

AWS service restrictions

In this simulation environment, you will be guided on which actions to perform. Because this is not a live
environment, you can only perform the actions you are instructed to perform. If you choose any other
actions, an error message will prompt you to the right actions. It is highly recommended that you review
How to
use this simulation in the introduction of the simulation.
Simulation scenario

For this simulation, you create users and groups to enable permissions that support the following business
scenario.

Your company is growing its use of AWS services, and is using many Amazon
Elastic Compute Cloud (Amazon EC2) instances and Amazon Simple Storage Service (Amazon S3) buckets.
You hire three new employees and want to give access to new staff, based on their job function, as
indicated in the following table.

User In Group Permissions

user-1 S3-Support Read-only access to Amazon S3

user-2 EC2-Support Read-only access to Amazon EC2

user-3 EC2-Admin View, start, and stop Amazon EC2 instances

Task 1: Creating a custom IAM policy

In this task, you create a custom IAM policy for limited administrative Amazon EC2 access. The permissions
will give any user attached to the policy access to view, start, and stop EC2 instances. You will create the
policy now, so that you can use it later.
1. In AWS Management Console, enter IAM in the search field.

2.
o Note: To record your entry, press Enter on your keyboard or choose any
3. the place outside of the entry field.

4. Then, choose IAM from search results.

5. In the left navigation pane, choose Policies.

IAM offers a wide variety of AWS managed polices. These are created and administered by AWS. However,
you can create your own policies that meet your specific needs.

6. Choose Create policy.

7. For the Policy editor, choose JSON.

The policy editor field generates a policy template where you can start editing your code. You can also
delete the existing code and paste your own code into the policy editor.

The following custom JSON policy provided for you grants the user the access to start, stop, and view
nano-type and micro-type instances. If this is the only policy that is attached to the user, the user will not
have access to perform any other actions.

6. Copy and paste the preceding code into the policy editor field. NOTE: Keyboard shortcuts won’t work
for this simulation. To simulate replacing the existing code with the preceding code, follow these
specific steps: o Open the context (right-click) menu for the policy editor field.
o From the menu, choose Select all. o Open the context (right-click) menu for the
highlighted text. o From the menu, choose Paste.

7. Choose the scroll bar to scroll down, then choose Next.

8. In the Policy name field, enter EC2-Admin-Policy .
o Note: To record your entry, press Enter on your keyboard or choose any place outside of the
entry field.

9. Choose the scroll bar to scroll down, then choose Create policy.

You have just created a custom managed policy that provides a user with the ability to start, stop, and view
instances. This policy will be used for the EC2Admin group.

Task 2: Creating user groups with permissions

In this task, you create a user group for each of the three roles and attach the appropriate permission to
the group. Users will inherit the permissions of the group or groups that they are added to. You can attach
permissions directly to a user. However, it is generally a best practice to manage permission by adding
users to user groups, especially when there are multiple users with the same set of permissions.

Create the EC2-Admin user group

10. In the left navigation pane, choose User groups.

11. Choose Create group.

12. In the User group name field, enter EC2-Admin .
o Note: To record your entry, press Enter on your keyboard or choose any place outside of the
entry field.

13. Choose the scroll bar to scroll down.

14. In the Attach permissions policies search field, enter EC2-Admin-Policy.
o Note: To record your entry, press Enter on your keyboard or choose any place outside of the
entry field.
This is the policy that you created in task 1.

15. Select the EC2-Admin-Policy check box.

16. Choose Create user group.

Create the EC2-Support group
17. Use what you learned from the previous steps to create the EC2-Support group. For the name of the
group, use EC2-Support. For the policy, use
AmazonEC2ReadOnlyAccess . If you need assistance, use the following steps:
o Choose Create group.
o In the User group name field, enter EC2-Support .
• Note: To record your entry, press Enter on your keyboard or choose any place
outside of the entry field. o Choose the scroll bar to scroll down.
o In the Attach permissions policies search field, enter AmazonEC2ReadOnlyAccess .
• Note: To record your entry, press Enter on your keyboard or choose any place
outside of the entry field.

o Select the AmazonEC2ReadOnlyAccess check box. o Choose Create user group.

Create the S3-Support group
18. Use what you learned from the previous steps to create the S3-Support group.
For the name of the group use S3-Support and for the policy use
AmazonS3ReadOnlyAccess . If you need assistance, use the following steps:
o Choose Create group.
o In the User group name field, enter S3-Support .
• Note: To record your entry, press Enter on your keyboard or choose any place
outside of the entry field. o Choose the scroll bar to scroll down.
o In the Attach permissions policies search field, enter AmazonS3ReadOnlyAccess .
• Note: To record your entry, press Enter on your keyboard or choose any place
outside of the entry field. o Select the AmazonS3ReadOnlyAccess check box. o Choose
Create user group.

Task 3: Creating users and adding them to groups

In this task, you will create three users based on the Simulation business scenario.
As you create each user, you add the user to a group that aligns with their job role. The user will inherit the
permissions that are attached to the group. If you need to re-familiarize yourself with the group that each
user belongs in, review the Business scenario.
Create user-1 and add to the S3-Support user group
19. In the left navigation pane, choose Users.
20. Choose Create user.
21. In User name field, enter user-1 . the place
outside of
o Note: To record your entry, press Enter on your keyboard or choose any
the entry
field.

22. Select the Provide user access to the AWS Management Console check box.

It is recommended that you use AWS IAM Identity Center to provide console access to a person. IAM
Identity Center is used to connect your existing workforce identity source and centrally manage access to
AWS. For this simulation, there is no existing identity source. Therefore, you create IAM users. Permissions
will work the same.

23. For User type, choose I want to create an IAM user.

24. Choose the scroll bar and scroll down. Then, for Console password, choose Custom password.
25. Select the Show password check box.
26. In the Custom password field, enter Sim- Password1 .
o Note: To record your entry, press Enter on your keyboard or choose any place outside of the
entry field.

27. Clear the User must create a new password at next sign-in check box.

It is a best practice to make users create a new password when the user logs in for the first time. But to
avoid the steps of creating a new password when you log in as each user, this configuration will be cleared.
If you were to leave the check box selected, the user would automatically be provided a policy that allows
the user to create a new password.

28. Choose Next.

29. Keep the Permissions options default setting Add user to group selected. In the User groups list,
select the S3-Support check box.
30. Choose Next.
Take a moment to review the user details.

31. Choose Create User.

Now that the user is created, you are provided with an opportunity to review the Console password and to
email sign-in instructions to the user.
32. On the Console sign-in details panel, choose Show to review the Console password.

33. Choose Return to users list.

Create user-2 and add to the S3-Support user group

User name field, enter user-2 .

o Note: To record your entry, press Enter on your keyboard or choose any
34. Choose Create user.
35. In the place outside of the entry field.

36. Select the Provide user access to the AWS Management Console check box.
37. For User type, choose I want to create an IAM user.
38. Choose the scroll bar and scroll down. Then for Console password, choose Custom password.
39. Select the Show password check box.
40. In the Custom password field, enter Sim- Password2 .
o Note: To record your entry, press Enter on your keyboard or choose any place outside of the
entry field.
41. Clear the User must create a new password at next sign-in check box.
42. Choose Next.
43. Keep the Permissions options default setting Add user to group selected.
44. In the User groups list, select the EC2-Support check box.
45. Choose Next.
46. Choose Create User.
47. Choose Return to users list.

You didn’t receive this warning for user-1, because you reviewed the password by choosing Show. But you
are confident that you know the password, so you continue to the user lists.

48. On the Continue without viewing or downloading console password pop-up box, choose Continue.

Create user-3 without adding the user to a group

49. Choose Create user.
50. In User name field, enter user-3 . the
o Note: To record your entry, press Enter on your keyboard or choose any
place outside
of the entry field.
51. Select the Provide user access to the AWS Management Console check box.
52. For User type, choose I want to create an IAM user.
53. Choose the scroll bar and scroll down. Then for Console password, choose Custom password.
54. Select the Show password check box.
55. In the Custom password field, enter Sim- Password3 .
o Note: To record your entry, press Enter on your keyboard or choose any place outside of the
entry field.
56. Clear the User must create a new password at next sign-in check box.
57. Choose Next.

In task 4, you will explore another way to add users to a group. Therefore, you will not select a group to
add user-3 to at this point.

58. Choose Next.

Notice that the user has no permissions. This user will not be able to do anything in the AWS Management
Console at this point.

59. Choose Create User.

60. Choose Return to users list.
61. On the Continue without viewing or downloading console password pop-up box, choose Continue.

You have created the three users that are required for the Business scenario. You have added user-1 and
user-2 to their job-role related group. Both user-1 and user-2 have a 1 in the Groups column. This indicates
how many groups each user is in. User-3 has a 0 in the Groups column, because you did not add the user
to a group. You will add user-3 to a group in the next task

Task 4: Using the user group to add users

An alternative way to add users to groups is to go into the group and add users. You will do this with our
user-3 user.

62. In the left navigation pane, choose User groups.

63. Choose the EC2-Admin group name.
 64. Choose Add users.

65. From the list of users, select the user-3 check box.
Adding users in this way can save a lot of time because you can add many users at once, instead of going
into each user one by one. From here, you can also remove multiple users from a group at once.

66. Choose Add users.

67. In the left navigation pane, choose Users.

Notice that user-3 is now showing a 1 in the Groups column. This confirms that the user is now in a group.

Task 5: Reviewing polices attached to a user

If you need to confirm access that any user has, you can review the policies attached to a user. Next, you
will review the permission for user-2.

68. On the Users page, choose user-2 from the User name column.
The Permissions policy pane lists all of the policies that are attached to the user in the Policy name
section. Policies that are directly attached to a user and policies that are inherited from the user belonging
to a group will appear here.

69. In the Policy name section, choose AmazonEC2ReadOnlyAccess.

A new tab opens displaying the AmazonEC2ReadOnlyAccess information page.

70. On the Permissions defined in this policy pane, choose JSON.

71. Choose the scroll bar to scroll down.

From here, you can review the permission that this AWS managed policy grants to the user.

72. Close the AmazonEC2ReadOnlyAccess browser tab.

73. In the navigation pane on the left, choose Users.
Task 6: Testing the access of user-1

In this task, you will log in to the AWS Management Console as user-1 and test the permissions. User-1 is
in the S3-Support group.
The S3-Support group has the AmazonS3ReadOnlyAccess policy attached to it. Therefore, user-1 should
be able to go to the S3 console page and view buckets and content in the buckets. However, the user
should not be able to upload or delete objects.

Get the console sign-in URL

74. In the left navigation pane, choose Dashboard.

Notice the Sign-in URL for IAM users in this account section at the top right of the page. The sign-in URL
looks similar to the following: https://123456789012.signin.aws.amazon.com/console

This link can be used to sign in to the AWS account that you are currently using. (The account number is
blurred out for security reasons).

75. On the AWS Account pane, choose the copy icon for Sign-in URL for IAM users in this account to copy
the link.

Open an incognito window

76. Open a private or incognito window in your browser. To do this, follow these specific instructions:
o In the top right corner of your browser, choose the vertical ellipsis.
o Choose New Incognito window.
77. Simulate pasting the sign in browser URL in the incognito window’s search bar.
To do this, follow these specific instructions: o Choose the
browser’s URL search bar.
o Press Ctrl + v on your keyboard.
• Note: Mac users should also press Ctrl + v on their keyboard. This is not the pasting command for Mac
keyboards, but this simulation requires you to use your keyboard as a Windows keyboard. o Choose the
highlighted URL to load the page.

Next, you will duplicate the Sign in as IAM user page so that you have three duplicate tabs open. You will
use the tabs to sign in as each of your three users.

78. Open the context (right-click) menu for your browser tab.
79. Choose Duplicate.
80. Open the context (right-click) menu for your second browser tab.
81. Choose Duplicate.
You now have three duplicate tabs open. You will now sign in as user-1, who has been hired as your
Amazon S3 storage support staff.

Test user-1 permissions

82. Sign in with the following credentials:
o IAM user name: user-1
o Password: Sim-Password1
Note: To record each entry, press Enter on your keyboard or choose any place outside of the entry field.

83. In the Recently visited section, choose S3.

84. Choose the sim-website bucket.
Because this user is part of the S3-Support group in IAM, they have permissions to view a list of the
Amazon S3 buckets and their contents. However, the user cannot create buckets. The user is also
restricted from deleting or uploading files. Next, you test the restrictions by trying to upload a file.

85. Choose Upload.

86. Choose Add files.

87. Select the Index.html file.

88. Choose Open.

89. Choose the scroll bar to scroll down. Then, choose Upload.

The failed upload message confirms that the user’s permissions are working as expected.
90. Close the browser tab.

Task 7: Testing the access of user-2

In this task, you will log into the AWS Management Console as user-2 and test the permissions. User-2 has
been hired as an Amazon EC2 support person and is therefore in the EC2-Support group.

The EC2-Support group has the AmazonEC2ReadOnlyAccess policy attached to it.

Therefore, user-2 should be able to go to the EC2 dashboard and view instances.
However, the user should not be able to stop and start the instance.
91. Sign in with the following credentials:
o IAM user name: user-2
o Password: Sim-Password2
Note: To record each entry, press Enter on your keyboard or choose any place outside of the entry field.

92. In the Recently visited section, choose EC2.

93. In the left navigation pane, choose Instances.

You can see two EC2 instances. However, you cannot make any changes to Amazon EC2 resources because
you have read-only permissions.

94. Select the Application server instance check box.

95. Choose the Instance state menu. Then, choose Stop instance.
96. To confirm you want to stop the instance, choose Stop.

An error message appears that says, You are not authorized to perform this operation. This
demonstrates that the policy only allows you to view information without making changes.

97. Close the Instances browser tab.

Task 8: Testing the access of user-3

In this task, you will log into the AWS Management Console as user-3 and test the permissions. User-3 has
been hired as an Amazon EC2 admin person and is therefore in the EC2-Admin group.
The EC2-Admin group has the EC2-Admin-Policy policy attached to it. This is the custom policy that you
created in task 1. Therefore, user-3 should be able to go to the EC2 dashboard and view instances.
However, unlike user-2, user-3 should be able to stop and start instance.

98. Sign in with the following credentials:

o IAM user name: user-3
o Password: Sim-Password3
Note: To record each entry, press Enter on your keyboard or choose any place outside of the entry field.

99. In the Recently visited section, choose EC2.

100. In the Resources pane, choose Instances (running).

EC2 instances are listed. As an Amazon EC2 Administrator, this user should have permissions to Stop the
EC2 instance.

101. Select the Application server instance check box.

102. Choose the Instance state menu. Then choose Stop instance. 103. To confirm that you want to stop
the instance, choose Stop.

This time, the action is successful because user-3 has permissions to stop EC2 instances. The Instance
state changes to Stopping and begins to shut down.

Modifying access to grant user-3 read only access to Amazon S3

Next, you will test whether the EC2-Admin-Policy that user-3 inherits from the EC2-Admin group provides
any access to view buckets in Amazon S3.

103. To return to the AWS Management Console Home page, choose the AWS icon in the top left
corner. In the Recently visited section, choose S3. 105. In the left navigation pane, choose Buckets.
An error message appears that says, You don’t have permissions to list buckets. This demonstrates that
the policy does not grant any access for S3.

If you wanted to give your EC2 administrator access to view buckets and bucket objects, you could add the
user to the S3-Support group. Next, you will update the user-3 permissions so that the user can view
buckets, in addition to having administrative access to EC2.

106. Return to your normal browser window, where you are logged into the IAM console. To do this, do
the following: o Hover near the bottom of the browser to bring up the task bar, then choose the
Google Chrome icon.
107. Choose User groups.
108. In the list of user groups, choose S3-Support.

The group provides a list of users that are in the group already.
109. Choose Add users.

Notice that user-1 is not among the list of users on the Add users to S3-Support page. That is because this
page does not show users that are already in the group.

110. On the Other users in this account pane, select the user-3 check box.
111. Choose Add users.
112. Return to the incognito window, by closing the current window. 113. On the top left of your browser,
choose Refresh.

The new access is available immediately. There is no requirement for the user to log out and log back in for
the changes to take effect. User-3 now has the same access to S3 that user-1 has. However, user-1 cannot
access EC2.

Conclude the simulation by logging out.

114. Choose the user-3 account dropdown list.

Note: The account number 0000-0000-0000-0000 is a fictitious account number that is used for security
purposes. Only share your account number with trusted sources.

115. Choose Sign out.

 Wrap up
In this simulation, you created a custom managed IAM policy. You created user groups that had permission
policies based on job roles. You created users and assigned them to the appropriate group. You learned how
to review the policies that a user inherits from a group or policies that are directly attached to the user. You
discovered how to add many users to a group to save time. You also logged in as each user and tested the
permission. Excellent work!

Simulation complete
Congratulations! You have completed the simulation.

For more information about AWS Training and Certification, see AWS Training and Certification.

Your feedback is welcome and appreciated.

If you would like to share any suggestions or corrections, please provide the details in our AWS Training
and Certification Contact Form at https://support.aws.amazon.com/#/contacts/aws-training.

© 2024 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be
reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web
Services, Inc. Commercial copying, lending, or selling is prohibited.

SUBMITTED BY:-
NAME-Aditya Kumbhar
REG NO.-2201020647
GROUP-6
BRANCH-CSE(DS)