AWS IAM Configuration for Secure Access Management

Task Overview

This task aims to implement Identity and Access Management (IAM) on AWS by setting up IAM users, groups, roles, and policies to control access to AWS resources securely. The project ensures least privilege access, role-based access control (RBAC), and security best practices.

Project Objectives

• Create IAM Users – Define multiple users with specific permissions.
• Create IAM Groups – Organize users based on roles.
• Attach Predefined and Custom Policies – Use AWS Managed and Custom Policies.
• Enable Multi-Factor Authentication (MFA) – Secure user authentication.
• Configure IAM Roles – Allow services to access AWS resources securely.
• Implement Access Keys and CLI Access – Provide programmatic access.
• Audit IAM Access Using AWS IAM Reports – Generate security audit reports.

AWS Services Used

• IAM (Identity and Access Management)
• S3 (Simple Storage Service)
• EC2 (Elastic Compute Cloud)
• CloudTrail (for logging IAM activity)
• AWS CLI (Command Line Interface)

Implementation Steps

Step 1: Create IAM Users

1. Navigate to the AWS IAM Console.
2. Click on Users → Add User.
3. Provide a username (e.g., dev-user, admin-user).
4. Select AWS Management Console Access and set a password.
5. Enable Programmatic Access (for CLI and SDK access).
6. Click Next → Review and Create the user.

Step 2: Create IAM Groups and Assign Users

1. Navigate to IAM Console → Groups.
2. Click Create Group.
3. Provide a Group Name (e.g., Developers, Admins, Billing-Team).
4. Attach AWS Managed Policies:
   • Developers: AmazonS3ReadOnlyAccess, AmazonEC2ReadOnlyAccess
   • Admins: AdministratorAccess
   • Billing-Team: AWSBillingReadOnlyAccess
5. Click Create Group.
6. Assign users to the appropriate groups.

Step 3: Attach Predefined Policies

Attach AWS Managed Policies to groups:

• AdministratorAccess (for Admins)
• AmazonS3FullAccess (for Developers requiring full S3 access)
• ReadOnlyAccess (for security compliance users)

Step 4: Create Custom IAM Policies

Custom Policy 1: Restrict S3 Access to a Specific Bucket

1. Navigate to IAM → Policies → Create Policy.
2. Select JSON Editor and define the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": [
                    "arn:aws:s3:::my-secure-bucket",
                    "arn:aws:s3:::my-secure-bucket/*"
                ]
            }
        ]
    }
    

3. Click Next → Review → Name it S3-Bucket-Access → Create Policy.

Custom Policy 2: Restrict EC2 Actions to Specific Regions

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "ec2:*",
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {
                        "aws:RequestedRegion": "us-east-1"
                    }
                }
            }
        ]
    }
    

Purpose: This policy restricts EC2 operations outside us-east-1.

Step 5: Apply IAM Role for AWS Service Access

1. Navigate to IAM Console → Roles.
2. Click Create Role.
3. Select AWS Service → Choose EC2 (for granting access to EC2 instances).
4. Attach AmazonS3FullAccess to allow EC2 to access S3.
5. Click Create Role → Assign it to an EC2 instance.

Step 6: Enable MFA for IAM Users

1. Navigate to IAM → Users.
2. Click on a user and go to Security Credentials.
3. Click Enable MFA → Select Virtual MFA Device.
4. Use Google Authenticator to scan the QR code and enter the generated code.
5. Click Enable.

Step 7: Configure CLI and Access Keys

1. Generate Access Keys for a user:
   • Go to IAM Users → Select a user.
   • Click Create Access Key.
   • Download .csv file containing the Access Key ID and Secret Key.
2. Configure AWS CLI:

   aws configure
   

   Enter:

   • Access Key
   • Secret Key
   • Region (e.g., us-east-1)
   • Output format (json)

Step 8: Monitor IAM Activity Using AWS CloudTrail

1. Navigate to CloudTrail Console.
2. Create a new Trail to monitor IAM actions.
3. Enable logging to an S3 Bucket for auditing.

Project Deliverables

1. IAM User, Group, and Policy Implementation.
2. IAM Role Configuration for EC2 Access.
3. MFA Implementation for IAM Security.
4. Custom IAM Policies for Security Restrictions.
5. AWS CLI Configuration for Programmatic Access.
6. CloudTrail Audit Logging Setup.

Security Best Practices Implemented

• Least Privilege Principle – Users and groups get only the permissions they need.
• MFA for Enhanced Security – Enforces two-factor authentication.
• IAM Role-based Access Control – Secure service-to-service interaction.
• Access Restriction via Policies – Custom policies enforce security compliance.
• Audit Logging via CloudTrail – Tracks IAM activity for security audits.

Conclusion

This project provides a secure IAM setup by defining users, groups, policies, and roles with proper access control. It also ensures security compliance by restricting access using IAM policies, enforcing MFA, and monitoring IAM activities with CloudTrail.