AWS Permission Boundary
    • 10 Sep 2024

    Permissions boundaries are used in Amazon Web Services (AWS) labs in which IAM user accounts are created.
    A permissions boundary is a managed policy that sets the maximum permissions an IAM user can have. It grants nothing by itself: the user's effective permissions are the intersection of the policies attached to the user (directly or through a group) and the boundary.
    Following the principle of least privilege, the permissions boundary ensures that users you create have no more than the permissions they require to perform lab tasks, even if a group policy attached to them is broader.
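    To make the evaluation rule above concrete, the following is an added example written for this article; it is not AWS code and it does not reproduce the lab's LabSecureAccess policy, which is not shown on this page. It uses a constructed stand-in boundary (S3 and read-only EC2 allowed, IAM explicitly denied) and a constructed, deliberately over-broad group policy, then shows which requests survive once the boundary is applied. The model covers only identity-based policies plus a permissions boundary for an IAM user; resource-based policies, SCPs, session policies, Condition elements and NotAction/NotResource are not modelled.

```python
"""Simplified model of how an IAM permissions boundary caps an IAM user's permissions.

Added example for this article; not AWS code and not the lab's real LabSecureAccess
policy. Models identity-based policies plus a boundary only: no resource-based
policies, SCPs, session policies, Condition elements, or NotAction/NotResource.
"""
import fnmatch

# Constructed stand-in for a boundary like LabSecureAccess: lab users may work in
# S3 and read EC2 state; IAM is explicitly denied so a user cannot grant
# themselves more access or detach their own boundary.
LAB_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed group policy that is far too broad on its own; step 5 of the
# console procedure is where a policy like this would be attached to the group.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM matches Action and Resource with glob-style * and ? wildcards; action
    # names are case-insensitive, resource ARNs are not.
    if fold_case:
        value = value.lower()
    return any(
        fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
        for p in _as_list(patterns)
    )


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit deny' for one policy document."""
    outcome = "Implicit deny"
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or not _matches(stmt["Action"], action, True):
            continue
        if not _matches(stmt.get("Resource", []), resource, False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        outcome = "Allow"
    return outcome


def is_allowed(action, resource, identity_policies, boundary=None):
    """Decide one request for an IAM user.

    An explicit Deny anywhere denies. Otherwise an identity policy must Allow,
    and if a boundary is set it must Allow too: it caps, it never grants.
    """
    identity_results = [evaluate_policy(p, action, resource) for p in identity_policies]
    boundary_result = None if boundary is None else evaluate_policy(boundary, action, resource)
    if "Deny" in identity_results or boundary_result == "Deny":
        return False
    identity_allows = "Allow" in identity_results
    boundary_allows = boundary is None or boundary_result == "Allow"
    return identity_allows and boundary_allows


def effective_decisions(requests, identity_policies, boundary):
    """Map each (action, resource) to (allowed without boundary, allowed with boundary)."""
    return {
        (action, resource): (
            is_allowed(action, resource, identity_policies),
            is_allowed(action, resource, identity_policies, boundary),
        )
        for action, resource in requests
    }


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::lab-bucket/report.csv"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:RunInstances", "*"),
        ("iam:DeleteUserPermissionsBoundary", "arn:aws:iam::123456789012:user/labuser1"),
    ]
    decisions = effective_decisions(requests, [GROUP_POLICY], LAB_BOUNDARY)
    for (action, _), (group_only, with_boundary) in decisions.items():
        print(f"{action:36} group only: {group_only!s:5}  with boundary: {with_boundary}")
```

    Two points worth checking in any real boundary are visible here: the group policy alone would let a lab user do anything, and the boundary alone grants nothing (an empty identity policy list is denied even for s3:GetObject). The constructed boundary also denies iam:*, which matters because a user who can call iam:DeleteUserPermissionsBoundary or iam:PutUserPermissionsBoundary on their own user can otherwise remove the cap.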

    Use the IAM Dashboard to Create a Group

    In this procedure, IAM users are placed in user groups, and the policies that grant permissions are attached to the groups rather than to individual users.

    Create a group:

    1. In the AWS Management Console, navigate to IAM.

    2. From the IAM dashboard, select Groups from the menu on the left.

    3. Select Create New Group.
    4. For the Group Name, enter a name and then select Next Step.

    5. Select the checkbox next to any policies you wish to apply to the group and then select Next Step.

    6. Review the details of the group and select Create Group.

    If you need additional groups, repeat the steps above.

    Use the IAM Dashboard to Create Users and Assign Them to their Respective Group

    1. From the IAM dashboard, select Users from the menu on the left.

    2. Select Add User.

    3. For the User name, enter a name for the user.

    4. (Optional) If you would like additional users created, select Add another user.

      1. For the 2nd User name, enter another name and select Add another user.

      2. For the 3rd User name, enter another name.

    5. Select the checkbox next to AWS Management Console access.
    6. Select Next: Permissions.

    7. Select the checkbox next to the group created in previous steps.

    8. Select the arrow next to Set permissions boundary to expand the available selections.

    9. Select Use a permissions boundary to control the maximum user permissions.

    10. In the search box, enter LabSecureAccess and select the policy.

    11. Select Next: Tags.

    12. Select Next: Review.

    13. Select Create User.

    Use the AWS Tools for PowerShell to Create Users

    This procedure requires that you know the access key ID and secret access key of the IAM identity you will use to create the user account in the AWS account.

    1. Open Windows PowerShell and run the following command to set the credentials that the AWS cmdlets will use for this session.

      Set-AWSCredential -AccessKey [AccessKey] -SecretKey [SecretKey]
      
    2. Run the following command to create the IAM user with the permissions boundary.

      New-IAMUser -UserName [UserName] -PermissionsBoundary "arn:aws:iam::@lab.CloudSubscription.Id:policy/LabSecureAccess"
      

      @lab.CloudSubscription.Id is a lab variable that is replaced with the AWS account ID of the lab's cloud subscription. The boundary ARN must refer to a managed policy that already exists in that account. This command creates the user with the boundary only; group membership and console access are configured separately.

    Use the AWS CLI to Create Users

    This procedure assumes that you have configured the AWS CLI and authenticated to the AWS account with your access key ID and secret access key.

    1. At the shell prompt, enter the following command to create the IAM user with the permissions boundary.

      aws iam create-user --user-name [UserName] --permissions-boundary "arn:aws:iam::@lab.CloudSubscription.Id:policy/LabSecureAccess"
    