
GETTING STARTED ON AMAZON AWS IAM

The IAM (Identity and Access Management) service enables us to manage identities and authorizations for the use of the various cloud infrastructure services.

This guide walks you (in five short steps) through the initial settings you should apply after creating a new AWS account, and through granting a user permissions to the EC2 and S3 services.

First, connect to the AWS management console. Note that throughout the guide we manage user permissions and security policies using the root user, the default user with which you created the account.

Once connected, open the management console of the IAM service, reachable via the search bar or through the Services -> Security, Identity & Compliance menu.

Step One - Delete the root user's access key

The access key allows a user to access and operate the various services through the API.

As mentioned earlier, the root user is the default user and therefore has the highest access privileges.

Using this account to operate AWS services (other than IAM and billing) is not recommended; it should therefore be restricted to use of the admin console only.

Back at the Dashboard, we can see that we have completed the first task in implementing the AWS security recommendations.

Step Two - Enable MFA on the root account

By now you should understand the importance of the root user and of securing it, so we move on to MFA (Multi Factor Authentication).

To add an extra layer of security beyond the username and password, Amazon works with Google's OTP solution.

To sync your mobile device so it generates one-time passwords for your admin console, download the Google Authenticator app. Then scan the bar code on the screen and enter two consecutive passwords to synchronize the Google OTP with the root account on Amazon.

Note: MFA can be set up later for your organizational users as well (recommended), not just for the root user.

Attached is an animation with the addition of MFA:

Step Three - Create Users

Once you have secured your root account, you can proceed and create your first user.

For the demo we will create an admin user, to whom we will subsequently assign full privileges to the EC2 and S3 services.

Note that you can create a user with API access only (access key); in our example we will create a user that can connect with the console only.

Access keys can always be created after the user has been created. In the password option I asked the system to generate a password for the user.

We will now assign full access privileges to the EC2 service.

When you finish creating the user you can view the password and pass it on to the user.

Please note that the Send email button sends the user a link to our organizational management console (see below) without a password.

Step Four - Create user groups

Managing user groups lets us manage permissions more easily and attach them to a whole group of users, in addition to the specific permissions given to each user.

We will now create a group called s3-fullaccess with full access to the S3 service. At the end we will add our user to the group.

Create a group named s3-fullaccess.

Associate the policy with S3FullAccess permissions to the group.

Finally, after the group has been created, go to the Groups menu on the left side of the Dashboard and add your users to the group.

Attached is an animation:

Now if we look at the user's permissions we can see that he inherited the permissions from the group in addition to the specific permissions given to him earlier.

Go to Users-> admin-> Permissions.
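The permissions view above combines two sources: policies attached directly to the user (EC2) and policies inherited through the group (S3). The following is an added example, not code from the article, that reproduces that combination offline with a simplified evaluator of the IAM identity-policy rule (explicit Deny wins, then any Allow, otherwise implicit deny). The policy documents, the group `s3-fullaccess` and the user `admin` are constructed to mirror the article's setup; the managed policies are stand-ins with a single wildcard statement each, so the real AmazonEC2FullAccess and AmazonS3FullAccess contents are not reproduced, and conditions, resource policies, SCPs and permission boundaries are out of scope.

```python
"""Simplified IAM permission evaluation: user policies plus group policies.

Added illustration, not the article's code. Policy documents below are
constructed stand-ins for the managed policies named in the article.
"""
from fnmatch import fnmatch

# Constructed, simplified stand-ins (the real managed policies have more statements).
EC2_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
# Constructed guard-rail policy used to show that an explicit Deny beats an Allow.
DENY_BUCKET_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """True if the statement's Action and Resource patterns both cover the request."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return any(fnmatch(action, pat) for pat in actions) and any(
        fnmatch(resource, pat) for pat in resources
    )


def evaluate(policies, action, resource="*"):
    """Return 'allow', 'deny' or 'implicit-deny' for one request.

    Core identity-policy rule: an explicit Deny in any policy wins; otherwise
    any matching Allow grants; otherwise the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


def effective_policies(user, groups):
    """Policies that apply to a user: its own plus those of every group it is in.

    This is the inheritance the article shows under Users -> admin -> Permissions.
    """
    policies = list(user["policies"])
    for name in user["groups"]:
        policies.extend(groups[name]["policies"])
    return policies


# Constructed directory mirroring the article: EC2 directly on the user, S3 via the group.
GROUPS = {"s3-fullaccess": {"policies": [S3_FULL_ACCESS]}}
USERS = {"admin": {"policies": [EC2_FULL_ACCESS], "groups": ["s3-fullaccess"]}}


def check_user(username, action, resource="*"):
    """Evaluate one action for a named user from the constructed directory."""
    return evaluate(effective_policies(USERS[username], GROUPS), action, resource)


if __name__ == "__main__":
    for action in ("ec2:RunInstances", "s3:GetObject", "iam:CreateUser"):
        print(f"{action:20s} -> {check_user('admin', action)}")
    # Adding the deny policy to the group turns s3:DeleteBucket into an explicit deny.
    GROUPS["s3-fullaccess"]["policies"].append(DENY_BUCKET_DELETE)
    print(f"{'s3:DeleteBucket':20s} -> {check_user('admin', 's3:DeleteBucket')}")
```

Run it as a script to see that `iam:CreateUser` is implicitly denied even though the user looks like an "admin": neither the direct EC2 policy nor the inherited S3 policy mentions IAM, which is exactly the least-privilege outcome the group-based setup aims for.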

Step Five - Hardening Password Policy

We recommend hardening the password policy, especially in multi-user environments. Keep in mind that some users may have permission to reset IAM user passwords, so it is important to harden the password policy in any case.

Here is an example:
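Steps one, two and five are the settings most worth re-checking after the initial setup. The following is an added example, not the article's code, that audits them offline: it parses two constructed documents shaped like the output of `aws iam get-account-summary` (the `AccountAccessKeysPresent` and `AccountMFAEnabled` counters) and `aws iam get-account-password-policy`, and compares the password policy with a hardening baseline. The baseline values (14 characters, 24 remembered passwords, 90-day expiry) are assumptions for illustration, not AWS defaults or the article's figures.

```python
"""Offline audit of root-account keys, root MFA and the account password policy.

Added illustration, not the article's code. The two JSON documents are
constructed to resemble AWS CLI output; the baseline is an assumption.
"""
import json

# Constructed sample: root access key still present, root MFA not enabled.
ACCOUNT_SUMMARY_JSON = """
{"SummaryMap": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0,
                "Users": 1, "Groups": 1}}
"""

# Constructed sample: a weak password policy (no symbols, no uppercase, no expiry).
PASSWORD_POLICY_JSON = """
{"PasswordPolicy": {"MinimumPasswordLength": 8, "RequireSymbols": false,
                    "RequireNumbers": true, "RequireUppercaseCharacters": false,
                    "RequireLowercaseCharacters": true,
                    "AllowUsersToChangePassword": true, "ExpirePasswords": false,
                    "PasswordReusePrevention": 0}}
"""

# Assumed hardening baseline; adjust to your organisation's own standard.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "PasswordReusePrevention": 24,
    "MaxPasswordAge": 90,
}


def check_root_account(summary):
    """Findings for steps one and two: root access keys and root MFA."""
    counters = summary["SummaryMap"]
    findings = []
    if counters.get("AccountAccessKeysPresent", 0):
        findings.append("root account still has an access key (step one: delete it)")
    if not counters.get("AccountMFAEnabled", 0):
        findings.append("root account has no MFA device (step two: enable MFA)")
    return findings


def check_password_policy(policy):
    """Findings for step five: compare each setting with the baseline."""
    settings = policy.get("PasswordPolicy")
    if settings is None:
        # The CLI call fails with NoSuchEntity when no policy has ever been set;
        # represent that here as a document without the PasswordPolicy key.
        return ["no account password policy is configured"]
    findings = []
    for key, wanted in BASELINE.items():
        actual = settings.get(key)
        if key == "MaxPasswordAge":
            # MaxPasswordAge only applies when ExpirePasswords is on.
            if not settings.get("ExpirePasswords") or actual is None or actual > wanted:
                findings.append(f"passwords should expire within {wanted} days")
        elif isinstance(wanted, bool):
            if not actual:
                findings.append(f"{key} should be enabled")
        elif actual is None or actual < wanted:
            findings.append(f"{key} should be at least {wanted} (is {actual})")
    return findings


def audit(summary_json, policy_json):
    """Parse both CLI-style documents and return the combined list of findings."""
    return check_root_account(json.loads(summary_json)) + check_password_policy(
        json.loads(policy_json)
    )


if __name__ == "__main__":
    for finding in audit(ACCOUNT_SUMMARY_JSON, PASSWORD_POLICY_JSON):
        print("FINDING:", finding)
```

Against the constructed input the script reports seven findings: two for the root account and five for the password policy. Feeding it the real CLI output for your account (the command names in the lead-in are the actual `aws iam` subcommands) gives a quick regression check that the five steps are still in place later on.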

Change the access domain to the organizational portal

As mentioned in the third step (user creation), users access the management console through a domain separate from the root account's.

The resulting domain contains the organization code that AWS generated for you, a long number that is not easy to remember.

The same domain can be changed to the organization name (if available), making the default management interface address easier for users to remember.

You can now refer operational users to the new link :)

In the following article we will discuss IAM's advanced capabilities for creating custom policies, and best practices for secure and proper use of the IAM service.
