How I Used IAM To Provide Work Permissions to Engineers By Using Group Settings and the Principle of Least Privilege
- Gladys wairimu
- Feb 6, 2025
- 4 min read
In Today’s Article:
👱(Real-life scenario) Client’s Key Challenges
✍️Creating User Requirements
☁️Architectural Design
📈Implementation: Group Settings and Principle of Least Privilege
✅Determine IAM policies to use
✅Create an IAM group and attach policies
✅Add IAM users
🔍Testing
🎯Results and Benefits
Hi friends, welcome 😃
Today, we’ll wade into the waters of cloud security (just a little splash for now—no deep diving yet😉). Cue in AWS IAM! I’ll walk you through how I helped a client securely grant her growing team access to the company’s cloud resources using IAM policies, all with little hassle.
👱(Real-life scenario) Client’s Key Challenges
My client has an existing AWS cloud environment and leads a team of engineers that is constantly growing. For the team to function, members must have access to some of the company’s cloud resources. To ensure security, staff should have different levels of access to cloud resources based on factors such as their role, hierarchy, location, and the type of resources they need to access. Hence, my client needs a way to manage permissions to the organization’s cloud resources in a way that limits her new team to only the resources they need.
In her own words, my client expressed:
"... As this team grows, we want to be able to manage users efficiently, providing all support engineers the same set of permissions… I just want my support engineers to have read-only access to Amazon EC2 and Amazon RDS… How about the actual creation of a user? I would like my support engineers to have access to the AWS Management Console and to developer tools. I also want to assign users to the Support Engineering team right away."
✍️Creating User Requirements
You know the drill! Let’s break down my client’s statements and define clear user requirements. They are:
- The system should only grant read access to Amazon EC2 and Amazon RDS instances.
- The system should grant her team access to the AWS Management Console and developer tools.
- New users should be assigned to the Support Engineering team immediately upon creation.
- New users assigned to the Support Engineering team should automatically inherit the team’s predefined IAM permissions.
- All Support Engineers should have the same permissions.
- The system should support the creation of new users with minimum administrative effort.
☁️Architectural Design
Architectural diagrams take us a step beyond gathering user requirements and move us one step closer to an effective implementation of the solution. Therefore, as part of the process of solving my client’s challenges, I designed the architecture below.

📈Implementation: Group Settings and Principle of Least Privilege
Using the design above, I followed these steps to implement a solution.
✅Step 1: Determine IAM policies to use
Since my client only wants to give read access to EC2 instances and RDS database instances, I used two AWS managed policies that meet this requirement exactly, so there was no need to write a custom policy:
- AmazonEC2ReadOnlyAccess
- AmazonRDSReadOnlyAccess

Requirement met: The system should only grant read access to Amazon EC2 and Amazon RDS instances.
In the next step, I attached these two policies to an IAM group.
✅Step 2: Create an IAM group
From the IAM Management Console, I created an IAM group for the team of Support Engineers and attached the two policies from the previous step to it.

At this point the group has no members, but it already carries the two read-only policies. Any user added to the group will automatically inherit those permissions, and the permissions are managed in one place rather than per user.
Requirement met: All Support Engineers should have the same permissions.
✅Step 3: Add IAM users
From the IAM dashboard, I created a new user and added them to the existing IAM group with just a few clicks, then repeated the same process for each new user. Because the users are added to the existing IAM group, they automatically inherit the group’s permissions; no policy is attached to any individual user.
For each IAM user, I configured the account to require a password for console sign-in. The team leader provided temporary passwords for first-time login, after which each user set their own password. Additionally, I granted the IAM users access to the AWS Management Console.


Requirements met:
- The system should grant her team access to the AWS Management Console and developer tools.
- New users should be assigned to the Support Engineering team immediately upon creation.
- New users assigned to the Support Engineering team should automatically inherit the team’s predefined IAM permissions.
- The system should support the creation of new users with minimum administrative effort.
🔍Testing
To test my implementation, I used an existing user’s console sign-in URL. This URL lets me sign in to the AWS account exactly as an actual IAM user from the SupportEngineers IAM group would, so whatever I can or cannot do reflects the group’s permissions.

By opening this URL in a new private browser tab, I signed in to the AWS account with a password, the sign-in method I configured in an earlier step.

Once logged in, I had access to the AWS Management Console. To verify that the read-only policies assigned to a user are effective, attempt an action that exceeds the permissions granted by the policy. In my case, I tried to delete an EC2 instance, and I got the error message displayed in the image below.

This message demonstrates the effectiveness of the read-only policies I assigned to the IAM group: I can view the assigned resources but cannot modify them.
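To make the three implementation steps and the testing step concrete in code, here is an added example (not code from the original post, and not an AWS library): it models the group, the two attached policies and the users in memory, then evaluates requests with IAM’s decision rules (implicit deny by default, an explicit Allow grants, an explicit Deny overrides any Allow). The policy documents are simplified stand-ins for the two AWS managed policies, not the full documents AWS publishes, and the user names are constructed. It generalises the single “delete an EC2 instance” test above to a list of actions.

```python
"""Model of the group-based least-privilege setup: group, managed policies,
users inheriting from the group, and an IAM-style permission evaluator."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Assumption: simplified approximations of the two AWS managed policies' read-only
# statements. The real documents AWS publishes contain additional actions.
MANAGED_POLICIES = {
    "AmazonEC2ReadOnlyAccess": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                       "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
                       "cloudwatch:Describe*", "autoscaling:Describe*"],
            "Resource": "*",
        }],
    },
    "AmazonRDSReadOnlyAccess": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["rds:Describe*", "rds:ListTagsForResource",
                       "ec2:DescribeSubnets", "ec2:DescribeVpcs",
                       "ec2:DescribeSecurityGroups",
                       "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
                       "logs:DescribeLogStreams", "logs:GetLogEvents"],
            "Resource": "*",
        }],
    },
}


@dataclass
class Account:
    """In-memory stand-in for the IAM groups and users of one AWS account."""
    groups: dict = field(default_factory=dict)  # group name -> attached policy names
    users: dict = field(default_factory=dict)   # user name -> set of group names

    def create_group(self, name):
        self.groups.setdefault(name, [])

    def attach_group_policy(self, group, policy_name):
        if policy_name not in MANAGED_POLICIES:
            raise KeyError(f"unknown managed policy {policy_name}")
        if policy_name not in self.groups[group]:
            self.groups[group].append(policy_name)

    def create_user(self, name, group):
        """Step 3: create the user and place them in the group in one operation."""
        self.users[name] = {group}

    def effective_policies(self, user):
        # Permissions come only from group membership; users hold no policies of their own.
        return sorted({p for g in self.users[user] for p in self.groups[g]})

    def is_allowed(self, user, action):
        """IAM evaluation: implicit deny; any matching Deny wins over any Allow."""
        allowed = False
        for policy_name in self.effective_policies(user):
            for stmt in MANAGED_POLICIES[policy_name]["Statement"]:
                patterns = stmt["Action"]
                if isinstance(patterns, str):
                    patterns = [patterns]
                # IAM action matching is case-insensitive and supports '*' wildcards
                if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
                    if stmt["Effect"] == "Deny":
                        return False
                    allowed = True
        return allowed


def build_support_engineering_account(user_names):
    """Steps 1 to 3 of the post, reproduced against the in-memory account."""
    acct = Account()
    acct.create_group("SupportEngineers")                                  # step 2
    acct.attach_group_policy("SupportEngineers", "AmazonEC2ReadOnlyAccess")  # step 1
    acct.attach_group_policy("SupportEngineers", "AmazonRDSReadOnlyAccess")
    for name in user_names:                                                # step 3
        acct.create_user(name, "SupportEngineers")
    return acct


def least_privilege_report(acct, user, actions):
    """The testing step generalised: evaluate a list of actions, not just one deletion."""
    return {a: acct.is_allowed(user, a) for a in actions}


if __name__ == "__main__":
    # Constructed sample users and a mix of read and write actions to check.
    acct = build_support_engineering_account(["alice", "bob"])
    checks = ["ec2:DescribeInstances", "ec2:TerminateInstances",
              "rds:DescribeDBInstances", "rds:DeleteDBInstance", "iam:CreateUser"]
    for action, ok in least_privilege_report(acct, "alice", checks).items():
        print(f"{action:28s} {'ALLOW' if ok else 'DENY (implicit)'}")
```

In a real account, the same check can be made without attempting the action: `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names ec2:TerminateInstances` returns the decision IAM would reach for that user. Running it across both read and write actions for each group member confirms that everyone in the group gets identical, read-only permissions.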
🎯Results and Benefits
This implementation produced the following results for my client:
- 100% consistency in permissions assignment for all support engineers.
- 50%+ reduction in admin overhead by centrally managing user permissions via IAM groups.
- 0% unauthorized access; support engineers cannot terminate instances or modify RDS databases.
- 100% console access; support engineers can use the AWS Management Console and developer tools.
- Audit readiness; the client can easily track and verify access logs using AWS CloudTrail.
Ultimately, by implementing IAM group settings and adhering to the Principle of Least Privilege, I was able to help my client streamline access management for her growing team all while ensuring security and efficiency. With IAM groups, new users can now be assigned the correct permissions automatically, minimizing administrative overhead and reducing the risk of unauthorized access.
Have you implemented similar access control strategies in your cloud environment? Tell me all about it in the comments.
Until next time—toodooloos! 😊