In this hands-on lab scenario, you are a security engineer working for a new startup that’s launching an online bookstore for rare and antique books. The founder, Kia, needs your help with setting up her system administrators with the proper access permissions. In order to provide access and ensure the proper security measures are in place, you will use AWS Identity & Access Management (IAM) to define a system administrators group and set permissions boundaries.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create a Group Controlled via an AWS-Managed Policy
  - Navigate to IAM.
  - From the left dashboard menu, click Users to view existing users.
  - Click Groups.
  - Click Create New Group.
  - In Group Name, enter "SysAdmins" and click Next Step.
  - On the Attach Policy page, select the AdministratorAccess policy and click Next Step.
  - Review the group, and then click Create Group.
- Assign Users to a Group
  - Select the newly created SysAdmins group.
  - Select the Users tab and click Add Users to Group.
  - Select sysadmin-1, sysadmin-2, and sysadmin-3 and click Add Users.
- Limit Privileged Users by Setting Permissions Boundaries
  - From the Users tab, select the sysadmin-2 user.
  - Expand the Permissions boundary section and click Set boundary.
  - Select the AmazonEC2FullAccess policy and click Set boundary.
  - From the left dashboard, click Users and select sysadmin-3.
  - Expand the Permissions boundary section and click Set boundary.
  - Select the AmazonS3FullAccess policy and click Set boundary.
  - Sign out by clicking your account name on the top navigation bar and clicking Sign Out.
- Verifying Limits on Privileged Users
  Verifying S3 Limited Access on sysadmin-3
  - Log in to the AWS Management Console as sysadmin-3 with h3F#dJHk323k6D as the password.
  - Navigate to EC2.
  - In Resources, click Running instances. We should receive an error message.
  - Navigate to S3 and click + Create bucket.
  - In Bucket name, enter "acg-test-123456" and click Create. The bucket should be successfully created.
  - Sign out by clicking your account name on the top navigation bar and clicking Sign Out.
  Verifying EC2 Limited Access on sysadmin-2
  - Log in to the AWS Management Console as sysadmin-2 with h3F#dJHk323k6D as the password.
  - Navigate to S3. We should receive an error message.
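The verification steps above are easier to reason about once you see the rule the console is applying: a permissions boundary never grants anything, it only caps what the identity-based policies (here, AdministratorAccess inherited from the SysAdmins group) would otherwise allow. The following Python model is an added example written for this page, not part of the lab or of AWS tooling. It uses constructed, trimmed-down stand-ins for the three managed policies (the real ones carry more statements, but the Action wildcards that matter here are the same) and a simplified evaluation that ignores resource, session, and SCP policies.

```python
"""Model how an IAM permissions boundary narrows a user's effective permissions.

Simplified IAM evaluation (identity policies and boundary only, single account,
no resource/session policies or SCPs):
  1. an explicit Deny in the identity policies or the boundary always wins;
  2. the action must be allowed by an identity-based policy;
  3. if a boundary is attached, the action must ALSO be allowed by the boundary.
Everything else is an implicit deny.
"""
import fnmatch

# Constructed, trimmed stand-ins for the AWS-managed policies used in the lab.
ADMINISTRATOR_ACCESS = {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
AMAZON_EC2_FULL_ACCESS = {
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}
AMAZON_S3_FULL_ACCESS = {
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]
}


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _decision(policy, action):
    """Return 'Deny', 'Allow', or None (implicit deny) for a single policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny short-circuits
            verdict = "Allow"
    return verdict


def is_allowed(action, identity_policies, boundary=None):
    """Apply the three evaluation rules from the module docstring."""
    decisions = [_decision(p, action) for p in identity_policies]
    if "Deny" in decisions:
        return False
    if "Allow" not in decisions:
        return False                   # nothing granted the action
    if boundary is not None and _decision(boundary, action) != "Allow":
        return False                   # boundary is a ceiling, not a grant
    return True


# Membership as set up in the lab: all three users inherit AdministratorAccess
# through the SysAdmins group; sysadmin-2 and sysadmin-3 additionally get a boundary.
USERS = {
    "sysadmin-1": {"identity": [ADMINISTRATOR_ACCESS], "boundary": None},
    "sysadmin-2": {"identity": [ADMINISTRATOR_ACCESS], "boundary": AMAZON_EC2_FULL_ACCESS},
    "sysadmin-3": {"identity": [ADMINISTRATOR_ACCESS], "boundary": AMAZON_S3_FULL_ACCESS},
}


def can(user, action):
    """Effective decision for one lab user and one API action."""
    u = USERS[user]
    return is_allowed(action, u["identity"], u["boundary"])


if __name__ == "__main__":
    # The console actions exercised in the verification steps, plus one IAM action
    # to show that the boundary also removes the admin's ability to change IAM.
    for user in USERS:
        for action in ("ec2:DescribeInstances", "s3:CreateBucket", "iam:CreateUser"):
            print(f"{user:11} {action:22} {'ALLOW' if can(user, action) else 'DENY'}")
```

Running it reproduces what the lab expects: sysadmin-3 can create the bucket but gets an error on the EC2 instance list, sysadmin-2 can see EC2 but is denied in S3, and only sysadmin-1 retains IAM rights. The last test below shows the point that trips people up most: a user whose identity policy is only `ec2:*` gains nothing from an `AmazonS3FullAccess` boundary. Against a real account, `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names ec2:DescribeInstances s3:CreateBucket` asks IAM itself for the same decisions, boundary included, without logging in as each user.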