Easy way to use IAM (grant access) in AWS console
Before we begin, we assume you have root access to your AWS Management Console and can view all the services in the dashboard.
As the administrator of your organization, only you should have access to the root credentials of your AWS (Amazon Web Services) account. Even then, you should only access your console through an administrator-enabled user created within IAM (Identity and Access Management) in your AWS Management Console.
The image above is where you should be for us to proceed on to the next steps. If you don't see it, click on 'Services' on the top left of the AWS management console.
Categories organize the services. Look under the category: Security, Identity, & Compliance. Here you find the IAM or Identity and access management service.
WARNING: Under no circumstances should you let your developer or integrator have in their possession the root credentials of your AWS account.
Another way to quickly locate the IAM service is to type 'IAM' in the search bar.
The service highlights under the search bar, as shown in the image here.
To proceed, click on 'IAM' to start.
We are not here to teach you how to use IAM at a high level, only what is needed to create or grant access by necessity. We also advise that before you create an IAM user account for staff or a third-party developer/integrator, you start by creating an administrator account for yourself. In the case of a security compromise, you can quickly regain control of your AWS account through your root credentials, which is why root credentials are best left for emergency use only.
What we are trying to accomplish here is an easy and straightforward access setup. To illustrate our example, we imagine a scenario where we have to give the third-party vendor access to the 'Elastic Beanstalk' service within your AWS environment.
On the left-hand side panel, click on Users. And proceed to 'Add user' to see the window below.
Choose a username. Below it we see 'Programmatic access' and 'AWS Management Console access'. If you are unsure, tick both, which allows your third-party vendor either programmatic access (via SSH) or console access, similar to the interface you are using now, with fewer rights, of course.
Choose between an autogenerated password and a custom password at your discretion. You can also require your vendor to change their password after their first successful login. Again, all of this is up to you; choose what best suits your organization's procedures. Click 'Next: Permissions'.
We are now on the permissions page. Here we grant the user the right to access only the services they need, nothing more and nothing less. Rights are assigned for a purpose: try not to give anyone more rights than they need, as this limits both mistakes and security risks to your AWS environment. Ignore 'Add user to group' and 'Copy permissions from existing user'.
Click on 'Attach existing policies directly'.
So in our scenario, our third-party vendor requires permission to access Elastic Beanstalk. Search 'beanstalk' and you see a list of preset policies ready to assign. If you are not precisely sure of the extent of the permissions they require within Elastic Beanstalk, it is still acceptable to grant them full access to the service, especially if they are the only vendor using that particular service. We therefore tick the box next to 'AWSElasticBeanstalkFullAccess', which, as its name says, grants them full access to the service. Once that is done, click 'Next: Tags'.
Tags serve higher-level purposes in an AWS account with a large number of services, users and resources in use. One use of tags is to let administrators quickly search for everything tagged with a particular keyword or email address, for example. In any case, you can ignore this part. Click 'Next: Review'.
On the review page, you see the policies you have attached. In our illustration here, you can see the new user has full access to Elastic Beanstalk and must change their password after a successful login. Once you have checked the policies are what they should be, click 'Create user'.
Success! But it's not over yet. In the green 'Success' box, save the AWS Management Console access URL. Click 'download.csv' to download the Access key ID and Secret access key; these are used for programmatic access. The username and password are what we use to log in to the AWS Management Console via the URL copied above. It is best to save these details somewhere.
Finally, click 'Send email' and enter either your own email address or the third-party vendor's. We prefer to email the details to the third-party vendor ourselves, which honestly reduces complication. Alternatively, you can click 'Send email', enter the third-party vendor's email address, and the login details are sent to them.
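The same vendor user setup done with the AWS CLI instead of the console, as an added example that is not part of the original post. It assumes the CLI is installed and configured with your own administrator user's credentials (not the root ones); the function names and the sample user name vendor-beanstalk are our own choices.

```shell
#!/usr/bin/env bash
# Added example: the console walkthrough above as an AWS CLI script.
# Assumes the AWS CLI is configured with your administrator user's credentials
# (never the root credentials). Function and user names are our own choices.

# IAM user names must be 1-64 characters from A-Za-z0-9 and + = , . @ _ -
iam_user_name_ok() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+=,.@_-]{1,64}$'
}

# All AWS managed policies, including AWSElasticBeanstalkFullAccess, share this ARN prefix.
managed_policy_arn() {
  printf 'arn:aws:iam::aws:policy/%s' "$1"
}

# Create the vendor user with console and programmatic access, force a password
# change at first login, attach one policy, then read back what is attached.
create_vendor_user() {
  local user="$1" policy="${2:-AWSElasticBeanstalkFullAccess}" pw account
  iam_user_name_ok "$user" || { echo "invalid IAM user name: $user" >&2; return 1; }

  aws iam create-user --user-name "$user"

  # Console access, equivalent to 'AWS Management Console access' plus 'Require password reset'.
  pw=$(openssl rand -base64 24)
  aws iam create-login-profile --user-name "$user" --password "$pw" --password-reset-required

  # 'Attach existing policies directly' with the policy chosen in the walkthrough.
  aws iam attach-user-policy --user-name "$user" --policy-arn "$(managed_policy_arn "$policy")"

  # Programmatic access: the Access key ID and Secret access key from the 'download.csv' step.
  # The secret is shown once and cannot be retrieved again, so hand it over out of band.
  aws iam create-access-key --user-name "$user" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text

  # The 'Success' box: sign-in URL, temporary password, and the review of attached policies.
  account=$(aws sts get-caller-identity --query Account --output text)
  echo "Console URL: https://${account}.signin.aws.amazon.com/console"
  echo "Temporary password (reset required at first login): $pw"
  aws iam list-attached-user-policies --user-name "$user" \
      --query 'AttachedPolicies[].PolicyName' --output text
}

# Only acts when a user name is given, e.g.:  ./add_vendor_user.sh vendor-beanstalk
if [ "$#" -ge 1 ]; then
  create_vendor_user "$@"
fi
```

The final list-attached-user-policies call is the CLI equivalent of the review page: if it prints anything other than the one policy you intended, detach the extra before handing over the credentials.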