Create an IAM user for Testing

In this section, we attach the policy to the previously created role to ensure the role has the appropriate permissions defined in the policy.

  1. Access IAM Dashboard

    • Search for IAM.
    • Click it to open the IAM Dashboard.


  2. Create an IAM policy in the IAM Dashboard

    • Look for Policies in the side panel and select Create policy.


    • Under Specify permissions in the Policy editor, click JSON to switch to JSON format, then paste the JSON below into the editor.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/status": "isolated"
                }
            }
        }
    ]
}


  • After that, click Next.
  • In Review and create, under Policy details, name the policy: Deny-termination-of-isolated-instances.


  • Leave the rest unchanged and click Create policy. This should take you back to the Policies interface.

In a real-life scenario, the author recommends using Service Control Policies (SCPs) instead.

  3. Create a group

    • In the Policies interface, find User groups in the side panel and open it.
    • Click Create group.


    • Under Create user group, name the group: ec2-user.
    • Under Attach permissions policies, attach these policies to the group:
      • The AmazonEC2FullAccess AWS Managed Policy
      • The previously created Deny-termination-of-isolated-instances policy


    • Click Create group; the result should look like this.


  4. Create a user

    • Head back to the side panel, click Users, then click Create user.


    • Under Specify user details, set User name to: testuser.
    • Select Provide user access to the AWS Management Console.
    • Select I want to create an IAM user. You can choose either an autogenerated or a custom password.
    • You can unselect User must create a new password at next sign-in, as shown below.


    • Click Next to go to the Set permissions interface.
    • Under Permissions options, leave it as Add user to group.
    • Under User groups, add the user to the previously created ec2-users group.


    • Click Next, then Create user.

If you chose the autogenerated password, copy it to a notepad or text editor so you do not lose access to the account.

  • After the user is created, it should have permissions like those shown below.


This is just for demo purposes, to show that once an instance is tagged as isolated, regular users with this policy will not be able to terminate it. In real life you should follow the best practice of using only temporary credentials, as recommended by the Well-Architected Framework.
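To see why the Deny policy above wins over the AmazonEC2FullAccess policy attached to the same group, here is a small Python model of the IAM evaluation order (an added example, not part of the workshop; the Allow stand-in for AmazonEC2FullAccess is simplified to `ec2:*`, and the evaluator models only the StringEquals condition on `aws:ResourceTag`, since that is all the page's policy uses):

```python
import fnmatch
import json

# The Deny policy from this section, reproduced as written.
DENY_ISOLATED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": ["ec2:TerminateInstances", "ec2:DeleteTags", "ec2:CreateTags"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/status": "isolated"}}
  }]
}
""")

# Constructed, simplified stand-in for the AmazonEC2FullAccess managed policy
# (the real policy also grants other services; only ec2:* matters here).
EC2_FULL_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _matches(statement, action, context):
    """True if the statement covers this action and its conditions hold.
    Only StringEquals is modelled; a missing context key fails the condition."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def evaluate(policies, action, context):
    """Simplified IAM logic: an explicit Deny beats any Allow; no match is an implicit deny."""
    decision = "implicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if _matches(statement, action, context):
                if statement["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allowed"
    return decision
```

Note that the Deny also covers ec2:CreateTags and ec2:DeleteTags, so the test user cannot simply change the status tag to lift the restriction. Against a real account, `aws iam simulate-custom-policy` with a context entry for `aws:ResourceTag/status` gives the authoritative answer.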

After the testuser creation is complete, head on to the next step, Configure Response.