Setting up IAM users and groups

Initially this can only be performed with access keys for the AWS root account, because no IAM users exist yet. These credentials should be used for this initial step only and deleted afterwards.

Getting access keys for the AWS root account from the AWS console

Create access keys for the root account under https://console.aws.amazon.com/iam/home?region=eu-west-1#/security_credentials. Please make sure to delete these keys later on.

Export the keys as environment variables in your shell:

export AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=2ufIeyPDm76QlXXXXXXXXX

Setting up IAM users and groups

Create a new Makefile in the infrastructure git project with the following content:

AWS_REGION              := eu-central-1

###############################################################################################

.PHONY: master-iam-users
master-iam-users:
	aws cloudformation deploy \
		--no-fail-on-empty-changeset \
		--template-file master/iam-users.yml \
		--stack-name iam-users \
		--capabilities CAPABILITY_NAMED_IAM \
		--region $(AWS_REGION)

Create a new CloudFormation template in master/iam-users.yml and define your groups and users in it, e.g.:

---
AWSTemplateFormatVersion: 2010-09-09
Description: IAM users and groups in master AWS account

Resources:
  GroupAdministrators:
    Type: AWS::IAM::Group
    Properties:
      GroupName: Administrators
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
  UserFstehle:
    Type: AWS::IAM::User
    Properties:
      Groups:
        - !Ref GroupAdministrators
      UserName: mail@fstehle.com

Create the CloudFormation stack in the master AWS account with the following command:

make master-iam-users

Deleting the access keys for the AWS root account

Delete the access keys for the AWS root account with the following command:

aws iam delete-access-key --access-key-id ${AWS_ACCESS_KEY_ID}

Delete the environment variables in your shell:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY

Assigning an MFA device for the created users

Go to the user list under IAM -> Users https://console.aws.amazon.com/iam/home#/users.
Click on each user and go to the tab Security credentials.
Assign an MFA device by clicking on Assigned MFA device -> Manage.

Enabling Console access for the created users

Go to the user list under IAM -> Users https://console.aws.amazon.com/iam/home#/users.
Click on each user and go to the tab Security credentials.
Create a console password by clicking on Console password -> Manage.
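To verify that the account ends up in the state this guide describes (root access keys deleted, every console-enabled user protected by an MFA device, and no IAM user carrying access keys this guide never created), the IAM credential report can be audited. The following script is an added example, not part of the original page: it parses the CSV body of a credential report and returns findings. The embedded report is a constructed sample; the account ID 123456789012, the user deploy-bot and all timestamps are placeholders.

```python
"""Audit an IAM credential report for the end state this guide expects.

Added example, not code from the original page. The sample report below is
constructed: account ID 123456789012, the user "deploy-bot" and all dates are
placeholders. The column layout matches the CSV returned by
`aws iam get-credential-report`.
"""
import base64
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample credential report (22 columns, as AWS emits them).
# Row 1: root account with an active access key and no MFA.
# Row 2: the user from the guide, console access with MFA (the desired state).
# Row 3: a hypothetical user with an active access key and no console access.
SAMPLE_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2020-01-02T00:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
mail@fstehle.com,arn:aws:iam::123456789012:user/mail@fstehle.com,2020-01-03T00:00:00+00:00,true,N/A,2020-01-03T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-01-03T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-01-03T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# The CLI wraps the CSV in base64 in the "Content" field; this mirrors that.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode("utf-8")).decode("ascii")

ROOT_USER = "<root_account>"  # literal user name AWS uses for the root row


def decode_cli_content(b64_content: str) -> str:
    """Decode the base64 "Content" value of `aws iam get-credential-report`."""
    return base64.b64decode(b64_content).decode("utf-8")


def parse_credential_report(content: str) -> List[Dict[str, str]]:
    """Parse the CSV body of a credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(content)))


def audit_credential_report(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (principal, problem) pairs for every deviation from the guide's end state."""
    findings: List[Tuple[str, str]] = []
    for row in rows:
        user = row["user"]
        key_active = (row["access_key_1_active"] == "true"
                      or row["access_key_2_active"] == "true")
        mfa_active = row["mfa_active"] == "true"
        if user == ROOT_USER:
            # The guide requires the temporary root keys to be deleted.
            if key_active:
                findings.append((user, "root access key still active"))
            if not mfa_active:
                findings.append((user, "root has no MFA device"))
            continue
        # Console users created by the guide must have an MFA device assigned.
        if row["password_enabled"] == "true" and not mfa_active:
            findings.append((user, "console access without MFA"))
        # The guide creates no access keys; keys bypass console MFA entirely.
        if key_active:
            findings.append((user, "active access key (bypasses console MFA)"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample report."""
    return audit_credential_report(parse_credential_report(decode_cli_content(SAMPLE_REPORT_B64)))


if __name__ == "__main__":
    import sys
    results = audit_sample()
    for principal, problem in results:
        print(f"{principal}: {problem}")
    sys.exit(1 if results else 0)
```

Against a real account, generate the report with `aws iam generate-credential-report`, then fetch it with `aws iam get-credential-report --query Content --output text`, pass that value to decode_cli_content and feed the result through parse_credential_report and audit_credential_report. Run with an IAM user's credentials, not the root keys, so the check itself does not reintroduce the exposure it is looking for.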