IAM user

You create an IAM user in AWS as an entity to allow people to sign into the AWS Management Console or to make requests to AWS services from your programs using CLI or API. An IAM user can be a person, an application, or an AWS service that interacts with other AWS services in one way or another. When you create a user in IAM, you provide it with a name and a password that is required to sign into the AWS Management Console. Additionally, you can also provision up to two access keys for an IAM user consisting of the access key ID and a secret access key, that are needed to make requests to AWS from CLI or API.

As we know, by default IAM users have no permissions, so you need to give this brand new user permissions either by assigning them directly or by adding them to a group that has all the necessary permissions, the latter being recommended by AWS and a much preferred way to manage your users and their permissions. Alternatively, you can also clone permissions of an existing IAM user to copy policies and add users to the same groups as the existing IAM users. With every IAM user, there are the following three types of identification options available:

• Every IAM user has a friendly name such as Albert or Jack that's helpful in identifying or associating with people for whom we have created this user account. This name is given when you create an IAM user and it is visible in the AWS Management Console.
• Every IAM user has an Amazon Resource Name (ARN) as well; this name is unique for every resource across AWS. An ARN for an IAM user in my AWS account looks like arn:aws:iam::902891488394:user/Albert.
• Every IAM user has a unique identifier for the user that's not visible in the AWS Management Console. You can get this ID only when you create a user in the IAM programmatically through API or AWS command line tools such as AWS CLI.

Whenever we create a new IAM user, either through AWS console or programmatically, there aren't any credentials assigned to this user. You have to create credentials for this user based on access requirements. As we have seen earlier, a brand new IAM user does not have any permission to perform any actions in AWS account for any AWS resources. Whenever you create an IAM user, you can assign permissions directly to each individual users. AWS recommends that you follow the least privilege principles while assigning permissions, so if a user named Jack needs to access S3 buckets, that's the only permission that should be assigned to this user.

The following figure shows IAM users for my AWS account:

Let us look at the steps to create a new IAM user by using the AWS console. You can also create an IAM user through AWS CLI, IAM HTTP API, or tools for Windows PowerShell:

1. Navigate to the IAM dashboard.
2. Click on the Users link. It will show you the existing users (if any) for your AWS account as shown in the preceding figure – AWS IAM users.
3. IAM is a global service so you will see all users in your AWS account.
4. Click on the Add user button.
5. Add a friendly name for the user in the username textbox.

1. If this user is going to access AWS through the console then give this user the AWS Management Console Access, if the user will access AWS resources only programmatically then give only programmatic access by selecting the appropriate checkbox. You can select both options as well for a user.
2. Click on the Permissions button to navigate to the next page.
3. On the Permissions page, you have three options for assigning permissions to this user. You can assign permissions at this stage or you can assign them after you have created this user:
   • You can add this user to a group so the user gets all the permissions attached to a group.
   • You can copy permissions from an existing user so this new user will have the same permissions as an existing use
   • You can attach permissions directly to this user
4. Click on the Next: Review button.
5. On this page, review all information for this user that you have entered so far and if all looks good, click on the Create User button to create a new IAM user. If you want to edit any information, click on the Previous button to go back and edit it.
6. On the next page, you are presented with the success message along with credentials for this user. AWS also provides you with a .csv file that contains all credentials for this user. These credentials are available for download only once. If these credentials are lost, they cannot be recovered, however, new credentials can be created anytime.

When you navigate to the Users page through the IAM dashboard, on the top right-hand corner, you see global written inside a green rectangle. This indicates that users are global entities, that is when you create a user you do not have to specify a region. AWS services in all regions are accessible to an IAM user. Moreover, each IAM user is attached to one AWS account only, it cannot be associated with more than one AWS account. Another thing to note is that you do not need to have separate payment information for your users stored in AWS, all the charges incurred by activities of users in your AWS account is billed to your account.

As noted earlier, an IAM user can be a person, an AWS service, or an application. It is an identity that has permissions to do what it needs to do and credentials to access AWS services as required. You can also create an IAM user to represent an application that needs credentials in order to make requests to AWS. This type of user account is known as a service account. You could have applications with their own service accounts in your AWS account with their own permissions.