
AWS Technical Essentials – Lab 1: Introduction to AWS Identity and Access Management


© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Note: Do not include any personal, identifying, or confidential information into the lab environment. Information entered may be visible to others.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

Objectives

After completing this lab, you will be able to:

  • Explore IAM Users and Groups
  • Inspect IAM policies applied to groups
  • Follow a real-world scenario that adds users to groups and explores group permissions
  • Locate and use the IAM sign-in URL
  • Experiment with policies and service access

Prerequisites

This lab requires:

  • Notebook computer with Wi-Fi and Microsoft Windows, macOS, or Linux (Ubuntu, SuSE, or Red Hat). Tablet devices cannot access the lab environment, but they can display the student guide.
  • Administrator access (Microsoft Windows users)
  • Internet browser, such as Chrome, Firefox, or IE9 (previous versions of Internet Explorer are not supported)

Duration

This lab requires 30 minutes to complete.

Scenario

This lab provisions the following IAM resources for you to explore:

  • Three users: , , and
  • Three groups with the following policies:
    • S3 Support: access to Amazon Simple Storage Service (Amazon S3).
    • EC2 Support: access to Amazon Elastic Compute Cloud (Amazon EC2).
    • EC2 Admin: Ability to View, Start, and Stop EC2 instances.

IAM Resources

You might receive error messages when performing actions beyond the steps provided in this lab guide. The lab relies on IAM, which limits your access to the services authorized for use in the lab. The error messages will not impact your ability to complete the lab.

Start lab

  1. To launch the lab, at the top of the page, choose Start Lab.

This starts the process of provisioning the lab resources. An estimated amount of time to provision the lab resources is displayed. You must wait for the resources to be provisioned before continuing.

If you are prompted for a token, use the one distributed to you (or credits you have purchased).

  2. To open the lab, choose Open Console.

The AWS Management Console sign-in page opens in a new web browser tab.

  3. On the Sign in as IAM user page:
  • For IAM user name, enter .
  • For Password, copy and paste the Password value listed to the left of these instructions.
  • Choose Sign in.

Do not change the Region unless instructed.

Common sign-in errors

Error: You must first sign out

If you see the message, You must first log out before logging into a different AWS account:

  • Choose the click here link.
  • Close your Amazon Web Services Sign In web browser tab and return to your initial lab page.
  • Choose Open Console again.

Error: Choosing Start Lab has no effect

In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button from working as intended. If you experience an issue starting the lab:

  • Add the lab domain name to your pop-up or script blocker's allow list or turn it off.
  • Refresh the page and try again.

Task 1: Explore IAM

In this task, you will access the IAM dashboard and explore the existing groups, users, roles, and policies. In addition, you will learn how to manage users and groups, and add users to groups so that they inherit specific group capabilities.

Note: You must use the same Region throughout the lab.

Task 1.1: Explore IAM users, groups, and policies

In this task, you will explore the users and groups that we created for you in IAM.

  1. In the AWS Management Console, choose the Services menu, and then choose IAM. Alternatively, you can type the service name in the Search box to access the service directly.

  2. In the left navigation pane, choose Users.

As described earlier, the following IAM users are available:

  • user-1
  • user-2
  • user-3

  3. Choose the user-1 link.

The summary page for user-1 opens, with the Permissions tab displayed. Notice that user-1 does not have any permissions.

  4. Choose the Groups tab.

user-1 is not a member of any groups.

  5. Choose the Security credentials tab.

In the Sign-In credentials section, you can see that user-1's Console password is enabled.

  6. In the left navigation pane, choose User groups.

The following groups are available:

  • EC2-Admin
  • EC2-Support
  • S3-Support

  7. Choose the EC2-Support group link.

  8. In the summary page for the EC2-Support group, choose the Permissions tab.

This group has a managed policy associated with it, called AmazonEC2ReadOnlyAccess. Managed policies are pre-built policies (built either by AWS or by your administrators) that can be attached to IAM users and groups. When a policy is updated, the changes to the policy are applied against all users and groups that are attached to the policy.

  9. Choose the Plus to expand the contents of AmazonEC2ReadOnlyAccess.

A policy defines which actions are allowed or denied for specific AWS resources. This policy grants permission to list and describe information about EC2, Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling. The ability to view resources, but not modify them, is ideal for a support role.

The basic structure of the statements in an IAM policy is as follows:

  • Effect indicates whether to Allow or Deny the permissions.
  • Action specifies the API calls that can be made against an AWS service (such as cloudwatch:ListMetrics).
  • Resource defines the scope of entities covered by the policy rule (for example, a specific Amazon S3 bucket or Amazon EC2 instance, or * which means any resource).

  10. In the left navigation pane, choose User groups.

  11. Choose the S3-Support group link.

  12. Choose the Permissions tab.

  13. Choose the Plus to expand the contents of AmazonS3ReadOnlyAccess.

The S3-Support group has the AmazonS3ReadOnlyAccess policy attached. This policy has permissions to get and list resources in Amazon S3.

  14. In the left navigation pane, choose User groups.

  15. Choose the EC2-Admin group link.

This group is slightly different from the other two. Instead of a managed policy, it has an inline policy, which is a policy embedded directly in a single user, group, or role rather than shared across them. Inline policies are typically used to apply permissions for one-off situations.

  16. Choose the Permissions tab.

  17. Choose the Plus to expand the contents of EC2-Admin-Policy.

This policy grants permission to view (describe) information about Amazon EC2, and start and stop instances.
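As an added example (not part of the lab and not AWS's own code), the Effect/Action/Resource structure described in Task 1.1 and the three group policies above can be modelled in a small Python evaluator that reproduces the console checks of Task 2 offline. The policy documents are constructed approximations of AmazonEC2ReadOnlyAccess, AmazonS3ReadOnlyAccess and EC2-Admin-Policy, and the evaluation is simplified: wildcard matching only, no conditions, and an explicit Deny overriding any Allow.

```python
from fnmatch import fnmatchcase

# Constructed approximations of the three policies the lab describes (not the real documents)
POLICIES = {
    "AmazonEC2ReadOnlyAccess": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "elasticloadbalancing:Describe*", "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*", "autoscaling:Describe*"]}],
    "AmazonS3ReadOnlyAccess": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["s3:Get*", "s3:List*"]}],
    "EC2-Admin-Policy": [{"Effect": "Allow", "Resource": "*",
                          "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]}],
}
# Group -> attached policies and user -> groups, as in the lab's business scenario table
GROUP_POLICIES = {"S3-Support": ["AmazonS3ReadOnlyAccess"],
                  "EC2-Support": ["AmazonEC2ReadOnlyAccess"],
                  "EC2-Admin": ["EC2-Admin-Policy"]}
USER_GROUPS = {"user-1": ["S3-Support"], "user-2": ["EC2-Support"], "user-3": ["EC2-Admin"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(statements, action, resource="*"):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action on one resource.
    Action names match case-insensitively with '*' wildcards; resource ARNs match case-sensitively.
    Conditions and NotAction/NotResource are not modelled (simplification)."""
    decision = "ImplicitDeny"                 # nothing grants the call unless a statement matches
    for stmt in statements:
        action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"                 # an explicit Deny always overrides an Allow
            decision = "Allow"
    return decision


def user_can(user, action, resource="*"):
    """Gather every statement the user inherits through group membership, then evaluate."""
    statements = [s for g in USER_GROUPS.get(user, [])
                  for p in GROUP_POLICIES[g] for s in POLICIES[p]]
    return evaluate(statements, action, resource)


if __name__ == "__main__":
    # The same checks the lab performs in the console as user-1, user-2 and user-3
    for user, action in [("user-1", "s3:ListAllMyBuckets"), ("user-1", "ec2:DescribeInstances"),
                         ("user-2", "ec2:DescribeInstances"), ("user-2", "ec2:StopInstances"),
                         ("user-2", "s3:ListAllMyBuckets"), ("user-3", "ec2:StopInstances")]:
        print(f"{user}  {action:<24} -> {user_can(user, action)}")
```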

Task 1.2: Manage users and groups

In this task, you will work with the users and groups to enable permissions that support a business scenario.

You can ignore any "not authorized" errors that appear during this task. They are caused by your lab account having limited permissions. The error messages will not impact your ability to complete the lab.

Business scenario

Your company is growing its use of Amazon Web Services. It's using many Amazon EC2 instances and a great deal of Amazon S3 storage. You want to grant access to new staff members based on their job functions, as shown in the table.

User     Group        Permissions
user-1   S3-Support   Read-Only access to Amazon S3
user-2   EC2-Support  Read-Only access to Amazon EC2
user-3   EC2-Admin    View, Start, and Stop Amazon EC2 instances

Add user-1 to the S3-Support group

You recently hired user-1 into a role where they will provide support for Amazon S3. You will add them to the S3-Support group so that they inherit the necessary permissions in the attached AmazonS3ReadOnlyAccess policy.

  1. In the left navigation pane, choose User groups.

  2. Choose the S3-Support group link.

  3. In the Users tab, choose Add users.

  4. In the Add Users window, do the following:

  • Select user-1.
  • At the bottom of the screen, choose Add users.

In the Users tab, you can see that user-1 is added to the group.

Add user-2 to the EC2-Support group

You hired user-2 into a role where they will provide support for Amazon EC2.

  1. Repeat the steps you used for user-1 to add user-2 to the EC2-Support group.

  2. Confirm user-2 is part of the EC2-Support group.

Add user-3 to the EC2-Admin group

You hired as your Amazon EC2 administrator, who manages your EC2 instances.

  1. Add user-3 to the EC2-Admin group.

  2. Confirm user-3 is part of the EC2-Admin group.

  3. In the left navigation pane, choose User groups.

Each group should show 1 in the Users column, meaning one user is a member of each group.

If you do not have a 1 beside each group, revisit the preceding instructions to ensure that each user is assigned to a group, as shown in the table in the Business Scenario section.

Task 2: Use the IAM sign-in URL

In this task, you will test the permissions of each IAM user.

Task 2.1: Locate and access the IAM sign-in URL

  1. In the left navigation pane, choose Dashboard.

In the AWS Account section on the top right side of the dashboard, the Sign-in URL for IAM users in this account is displayed. It should look similar to the following:

The link can be used to sign in to the AWS account you are currently using.

  2. Copy the IAM users sign-in link to a text editor.

You will need this link later to sign in as the users you added to the groups in the previous tasks.

Task 2.2: Log in with different IAM users

  1. In your browser, open a private window, as follows:

If you are using Mozilla Firefox:

  • Choose the menu bars at the top-right of the screen.
  • Select New Private Window.

If you are using Google Chrome:

  • Choose the ellipsis at the top-right of the screen.
  • Choose New incognito window.

If you are using Microsoft Edge:

  • Choose the ellipsis at the top-right of the screen.
  • Choose New InPrivate window.

If you are using Microsoft Internet Explorer:

  • Choose the Tools menu option.
  • Choose InPrivate Browsing.

  2. Paste the IAM users sign-in link you copied earlier into the private window, and press Enter.

You will now sign in as user-1, who was hired as your Amazon S3 storage support staff.

Sign in as user-1

  1. In the sign-in screen, use the following information:
  • IAM user name:
  • Password: Paste the value of AdministratorPassword located to the left of these instructions.

  2. In the AWS Management Console, on the Services menu, choose S3. You can type the service name in the Search box to access it quickly.

  3. In the S3 dashboard, choose the link for the bucket that has s3bucket in its name.

The name of your S3 bucket is also located to the left of these instructions. A bucket named awslabs-resources might also be present along with an error. This is normal. You do not have access to this bucket.

Since your user is part of the S3-Support group in IAM, they have permission to view a list of Amazon S3 buckets and the contents of the s3bucket.

Now, test whether they have access to Amazon EC2.

  4. In the AWS Management Console, on the Services menu, choose EC2. You can type the service name in the Search box to access it quickly.

  5. Navigate to the Region that your lab was launched in, as follows:

  • Choose the drop-down arrow at the top of the screen, to the left of the user-1 drop-down in the top bar.
  • Select the Region value that matches the value of Region to the left of these instructions.

  6. In the left navigation pane, in the Instances section, choose Instances.

You cannot see any instances. This is because your user has not been assigned any permissions to use Amazon EC2.

Next, you will sign in as user-2, who was hired as your Amazon EC2 support person.

  7. In the AWS Management Console, sign out user-1 by following these steps:
  • At the top of the screen, choose user-1.
  • Choose Sign Out.

Sign in as user-2

  1. Paste the IAM users sign-in link (the one you copied earlier to your text editor) into your private window and press Enter.

  2. In the sign-in screen, use the following information:

  • IAM user name:
  • Password: Paste the value of AdministratorPassword located to the left of these instructions
  3. In the AWS Management Console, on the Services menu, choose EC2. You can type the service name in the Search box to access it quickly.

In the top-left area of the screen, enable New EC2 Experience by toggling the button, if it is not enabled by default.

  4. Navigate to the Region that your lab was launched in (if you are not currently in that Region), as follows:
  • Choose the drop-down arrow at the top of the screen, to the left of the user-2 drop-down in the top bar.
  • Select the Region value that matches the value of Region to the left of these instructions.

  5. In the left navigation pane, in the Instances section, choose Instances.

You can view an Amazon EC2 instance because you have read-only permissions. However, you cannot make any changes to Amazon EC2 resources.

  6. Make sure that the EC2 instance is selected, by choosing the checkbox beside the instance.

  7. On the Instance state menu, choose Stop instance.

  8. In the Stop instance? window, choose Stop.

You should receive an error stating that You are not authorized to perform this operation. This demonstrates that the policy only allows you to view the information, without making changes.

  9. Close the error message.

Next, you will check to see if user-2 can access Amazon S3.

  10. In the AWS Management Console, on the Services menu, choose S3. You can type the service name in the Search box to access it quickly.

You should receive a You don't have permissions to list buckets error because user-2 does not have permission to use Amazon S3.

Sign in as user-3 (optional)

  1. Next, you will sign in as user-3, who was hired as your Amazon EC2 administrator.

  2. In the AWS Management Console, sign out user-2, as follows:

  • At the top of the screen, choose user-2.
  • Choose Sign Out.
  3. Paste the IAM users sign-in link into your private window and press Enter.

  4. Sign in with the following:

  • IAM user name:
  • Password: Paste the value of AdministratorPassword located to the left of these instructions

  5. In the AWS Management Console, choose the Services menu, and then choose EC2. Alternatively, you can type the service name in the Search box to access the service directly.

  6. Navigate to the Region that your lab was launched in (if you are not currently in that Region), as follows:

  • Choose the drop-down arrow at the top of the screen, to the left of the user-3 drop-down in the top bar.
  • Select the Region value that matches the value of Region to the left of these instructions.

  7. In the left navigation pane, in the Instances section, choose Instances.

As an EC2 administrator, you should have permission to stop the Amazon EC2 instance.

  8. Make sure that the EC2 instance is selected.

  9. On the Instance state menu, choose Stop instance.

  10. In the Stop instance? window, choose Stop.

The instance will enter the stopping state and will shut down.

  11. Close your private window.

Lab complete

Congratulations! You completed the lab.

End lab

Follow these steps to close the console, end your lab, and evaluate your lab experience.

  1. Return to the AWS Management Console.

  2. At the upper-right corner of the page, choose awsstudent@<AccountNumber>, and then choose Sign out.

  3. Choose End Lab.

  4. Choose OK.

  5. (Optional):

  • Select the applicable number of stars to rate your lab experience.
    • 1 star = Very dissatisfied
    • 2 stars = Dissatisfied
    • 3 stars = Neutral
    • 4 stars = Satisfied
    • 5 stars = Very satisfied
  • Enter a comment.
  • Choose Submit.

You can close the window if you don't want to provide feedback.
