Limiting Privileged User Access by Setting Permissions Boundaries in AWS IAM

30 minutes
  • 4 Learning Objectives

About this Hands-on Lab

In this hands-on lab scenario, you are a security engineer working for a new startup that’s launching an online bookstore for rare and antique books. The founder, Kia, needs your help with setting up her system administrators with the proper access permissions. In order to provide access and ensure the proper security measures are in place, you will use AWS Identity & Access Management (IAM) to define a system administrators group and set permissions boundaries.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Group Controlled via an AWS-Managed Policy
  1. Navigate to IAM.
  2. From the left dashboard menu, click Users to view existing users.
  3. Click Groups.
  4. Click Create New Group.
  5. In Group Name, enter "SysAdmins" and click Next Step.
  6. On the Attach Policy page, select the AdministratorAccess policy and click Next Step.
  7. Review the group, and then click Create Group.
Assign Users to a Group
  1. Select the newly created SysAdmins group.
  2. Select the Users tab and click Add Users to Group.
  3. Select sysadmin-1, sysadmin-2, and sysadmin-3 and click Add Users.
Limit Privileged Users by Setting Permissions Boundaries
  1. From the User tab, select the sysadmin-2 user.
  2. Expand the Permissions boundary section and click Set boundary.
  3. Select the AmazonEC2FullAccess policy and click Set boundary.
  4. From the left dashboard, click Users and select sysadmin-3.
  5. Expand the Permissions boundary section and click Set boundary.
  6. Select the AmazonS3FullAccess policy and click Set boundary.
  7. Sign out by clicking your account name on the top navigation bar and clicking Sign Out.
Verifying Limits on Privileged Users

Verifying S3 Limited Access on sysadmin-3

  1. Log in to the AWS Management console as sysadmin-3 with h3F#dJHk323k6D as the password.
  2. Navigate to EC2.
  3. In Resources, click Running instances. We should receive an error message.
  4. Navigate to S3 and click + Create bucket.
  5. In Bucket name, enter "acg-test-123456" and click Create. The bucket should be successfully created.
  6. Sign out by clicking your account name on the top navigation bar and clicking Sign Out.

Verifying EC2 Limited Access on sysadmin-2

  1. Log in to the AWS Management console as sysadmin-2 with h3F#dJHk323k6D as the password.
  2. Navigate to S3. We should receive an error message.
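The console walkthrough above leaves the "why" implicit: a permissions boundary never grants anything on its own; it only caps what the user's identity-based policies (here, AdministratorAccess inherited from the SysAdmins group) can grant. The following added example (not part of the original lab, and not AWS code) models the three lab users and reproduces the verification results with the documented IAM evaluation rules: an explicit Deny in either document wins; otherwise an action is allowed only if the identity policy allows it and, when a boundary is attached, the boundary allows it too. The two boundary documents are simplified stand-ins for the AWS-managed AmazonEC2FullAccess and AmazonS3FullAccess policies (constructed, service-level wildcards only), and the extra user boundary-only-user is a constructed addition to show that a boundary without an identity policy grants nothing.

```python
"""Effective-permission model for IAM permissions boundaries (added example).

Only the Effect/Action fields are evaluated; Resource and Condition are
ignored, so this is a teaching model, not a replacement for the IAM policy
simulator.
"""
from fnmatch import fnmatchcase

# AdministratorAccess as published by AWS: allow every action on every resource.
ADMINISTRATOR_ACCESS = {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}

# Simplified stand-ins for the two AWS-managed boundary policies (constructed).
AMAZON_EC2_FULL_ACCESS = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "elasticloadbalancing:*", "cloudwatch:*", "autoscaling:*"],
        "Resource": "*",
    }]
}
AMAZON_S3_FULL_ACCESS = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "s3-object-lambda:*"],
        "Resource": "*",
    }]
}

# Group membership and boundaries exactly as the lab sets them up.
GROUP_POLICIES = {"SysAdmins": [ADMINISTRATOR_ACCESS]}
USERS = {
    "sysadmin-1": {"groups": ["SysAdmins"], "boundary": None},
    "sysadmin-2": {"groups": ["SysAdmins"], "boundary": AMAZON_EC2_FULL_ACCESS},
    "sysadmin-3": {"groups": ["SysAdmins"], "boundary": AMAZON_S3_FULL_ACCESS},
    # Constructed extra user: boundary attached but no group, so no identity policy.
    "boundary-only-user": {"groups": [], "boundary": AMAZON_S3_FULL_ACCESS},
}


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate_document(policy, action):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def is_allowed(user_name, action):
    """Effective decision = identity policies AND (boundary, if any), deny overriding."""
    user = USERS[user_name]
    identity_docs = [p for g in user["groups"] for p in GROUP_POLICIES[g]]
    identity = [evaluate_document(d, action) for d in identity_docs]
    boundary = (evaluate_document(user["boundary"], action)
                if user["boundary"] else "Allow")
    if "Deny" in identity or boundary == "Deny":
        return False
    return "Allow" in identity and boundary == "Allow"


def lab_verification():
    """The checks the lab performs by hand in the console, as a dict of results."""
    return {
        "sysadmin-3 ec2:DescribeInstances": is_allowed("sysadmin-3", "ec2:DescribeInstances"),
        "sysadmin-3 s3:CreateBucket": is_allowed("sysadmin-3", "s3:CreateBucket"),
        "sysadmin-2 s3:ListAllMyBuckets": is_allowed("sysadmin-2", "s3:ListAllMyBuckets"),
        "sysadmin-2 ec2:DescribeInstances": is_allowed("sysadmin-2", "ec2:DescribeInstances"),
        "sysadmin-1 iam:CreateUser": is_allowed("sysadmin-1", "iam:CreateUser"),
        "boundary-only-user s3:CreateBucket": is_allowed("boundary-only-user", "s3:CreateBucket"),
    }


if __name__ == "__main__":
    for check, allowed in lab_verification().items():
        print(f"{check}: {'ALLOWED' if allowed else 'DENIED'}")
```

The result mirrors the lab: sysadmin-3 can create the bucket but gets an error listing EC2 instances, sysadmin-2 gets an error in S3, and sysadmin-1, who has no boundary, keeps full administrator rights. The constructed boundary-only-user is denied everything because nothing grants it permissions in the first place, which is the point worth remembering when you audit boundaries: check the identity policies and the boundary together, never one alone.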

Additional Resources

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab. The passwords for the IAM user accounts are set to h3F#dJHk323k6D.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.