AWS - Creating IAM users for programming

IAM users

  1. Instead of signing in with the root user, create an IAM user and use that user's credentials to log in to the console or to work programmatically. Keep the root credentials for the few account-level tasks that require them.
  2. The console sign-in URL for IAM users of this account will look like this: https://179412345.signin.aws.amazon.com/console (the prefix is the account ID or the account alias).

Creating users

  1. Log in as the root user (or as an IAM user with IAM administrative permissions) to create users.
  2. Create a console password for the user, mark it as requiring a reset at next sign-in, and attach the IAMUserChangePassword managed policy so that the user is allowed to change the password on first login.
  3. Add the user to groups (create the groups separately and attach policies such as AmazonS3FullAccess to the groups, not to individual users) according to what the user needs.
  4. Create an access key for the user.
    1. Download the Access Key ID and Secret Access Key pair; the secret is shown only once, at creation time.
    2. The user needs both values when configuring aws-cli on their local computer.
  5. Hand the key pair to the user over a secure channel so that they can use it to connect to the account from their computer.

Creating user groups

  1. Preferably, do not attach the AWS managed (default) policies to user groups directly. Instead, create custom policies that grant only the permissions needed and attach those to the user groups.
  2. If you do want to attach managed policies to user groups:
    1. Create user groups with names such as "S3 access group" or "SQS access group" and attach the relevant policies to them. Look under Permissions policies in IAM, e.g.:
      1. AmazonS3FullAccess
    2. Add the users from the previous step to these user groups.

Assigning policies to user groups

  1. Instead of attaching managed policies to user groups directly, create a custom policy such as policies-for-app1.
  2. Then edit the permissions granted by this policy.
    1. e.g.
      {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                        "cloudformation:DescribeStacks",
                        "cloudformation:DescribeStackEvents",
                        "cloudformation:DescribeStackResource",
                        "cloudformation:DescribeStackResources"
                ],
                "Resource": "*"
            }
        ]
      }
      
  3. Attach this custom policy to the user groups. Note that "Resource": "*" grants the listed actions on every resource in the account: iam:ListRoles has no resource-level permissions and genuinely needs "*", but the cloudformation:Describe* actions can be restricted to the ARNs of the stacks the group actually works with.
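The steps from "Creating users", "Creating user groups" and "Assigning policies to user groups" as one AWS CLI script: custom policy, group, user with a first-login password, access key, and the user's local aws-cli profile. This is an added example, not part of the original note. The admin profile name admin, the account ID 123456789012, the names app1-developers, policies-for-app1 and app1-dev-1, and the app1- stack-name prefix are assumptions, and the IAM Access Analyzer validate-policy step is an extra check the note does not mention.

```shell
#!/bin/sh
# Added example: the note's IAM steps as an AWS CLI script. Assumes an
# administrator profile named "admin" is already configured locally; all
# names below are illustrative.
set -eu

ADMIN_PROFILE="${ADMIN_PROFILE:-admin}"      # assumed admin profile
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"     # assumed 12-digit account ID
GROUP_NAME="app1-developers"                 # assumed names
POLICY_NAME="policies-for-app1"
USER_NAME="app1-dev-1"

# Console sign-in URL for IAM users: the prefix is the account ID or alias.
signin_url() {
    printf 'https://%s.signin.aws.amazon.com/console\n' "$1"
}

# Custom policy document. iam:ListRoles has no resource-level permissions,
# so it needs "*"; the CloudFormation describes are scoped to app1-* stacks
# in the given account instead of "*".
policy_document() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListRolesNeedsWildcard",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    },
    {
      "Sid": "DescribeApp1Stacks",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:$1:stack/app1-*/*"
    }
  ]
}
EOF
}

# Admin side: validate the policy, create policy, group and user, attach.
provision() {
    aws="aws --profile $ADMIN_PROFILE"
    doc="$(mktemp)"
    policy_document "$ACCOUNT_ID" > "$doc"

    # Extra check: refuse the policy if IAM Access Analyzer reports errors.
    errors=$($aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY \
        --policy-document "file://$doc" \
        --query "findings[?findingType=='ERROR'].findingDetails" --output text)
    [ -z "$errors" ] || { echo "policy rejected: $errors" >&2; return 1; }

    policy_arn=$($aws iam create-policy --policy-name "$POLICY_NAME" \
        --policy-document "file://$doc" --query Policy.Arn --output text)
    $aws iam create-group --group-name "$GROUP_NAME"
    $aws iam attach-group-policy --group-name "$GROUP_NAME" --policy-arn "$policy_arn"

    $aws iam create-user --user-name "$USER_NAME"
    $aws iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"

    # Console password that must be changed at first sign-in, plus the
    # managed policy that lets the user change it.
    $aws iam create-login-profile --user-name "$USER_NAME" \
        --password "${INITIAL_PASSWORD:?set INITIAL_PASSWORD}" --password-reset-required
    $aws iam attach-user-policy --user-name "$USER_NAME" \
        --policy-arn arn:aws:iam::aws:policy/IAMUserChangePassword

    # Access key for aws-cli. The secret is returned only once; keep it in
    # a file readable only by the admin until it is handed over securely.
    ( umask 077
      $aws iam create-access-key --user-name "$USER_NAME" \
          --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text > "$USER_NAME.keys" )
    echo "console: $(signin_url "$ACCOUNT_ID")"
    echo "keys:    $USER_NAME.keys"
}

# User side: store the key pair in a named profile and verify who we are.
configure_local_profile() {
    profile="$1"; key_file="$2"
    read -r key_id secret < "$key_file"
    aws configure set aws_access_key_id "$key_id" --profile "$profile"
    aws configure set aws_secret_access_key "$secret" --profile "$profile"
    aws sts get-caller-identity --profile "$profile"
}

# Nothing talks to AWS unless explicitly asked, e.g.:
#   INITIAL_PASSWORD='...' RUN_AWS=1 sh iam-setup.sh
if [ "${RUN_AWS:-0}" = "1" ]; then
    provision
fi
```

Run the admin part with RUN_AWS=1 and an INITIAL_PASSWORD set; the user then runs configure_local_profile with the profile name of their choice and the .keys file, and `aws sts get-caller-identity` confirms the calls are made as the new IAM user rather than as root.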
