NET702: Lab 4 Introduction to AWS IAM

Tasks for the Lab

Task 1: Users and Groups

Step 1: Open Vocareum -> Click on the lab -> My Work -> Start Lab. A pop-up window will appear; when it says “Lab status: ready”, close the window -> Click on the AWS tab in the top-right navigation bar.

Step 2: Click on Services -> Click on “IAM”

Step 3: Click “Users” in the panel on the left. There are three users pre-created for the purpose of the lab.

Step 4: Click user-1 -> “Permissions”. We can see that no permissions are assigned to the user yet. Click on the “Groups” tab and we can see that the user does not belong to any group. Under the “Security credentials” tab we can also see that the user has been assigned a console password (the console only confirms that a password exists; it never displays the password itself).

Step 5: Click “Groups” in the panel on the left side of the screen. There are three groups pre-created for the purpose of this lab. We then need to inspect each group to learn which permissions and policies it carries: the group’s “Permissions” tab lists the attached policy, and clicking the policy name shows the JSON statements that will apply to every member. Below are images of these sections for each group.

EC2-Support Group

S3-Support Group

EC2-Admin Group

Task 2: Joining Users to Groups

Step 1: We will join the “user-1” to the “S3-Support” group. For that click on “Groups” -> Click “S3-Support” group -> Click the “Users” tab -> Click “Add Users to Group”.

Step 2: In the “Add Users to Group” window, tick “user-1” -> Click on “Add Users” button. Click “S3-Support” group and we can see under the “Users” tab, the “user-1” is included in the group.

Step 3: We will join the “user-2” to the “EC2-Support” group. For that click on “Groups” -> Click “EC2-Support” group -> Click the “Users” tab -> Click “Add Users to Group”.

Step 4: In the “Add Users to Group” window, tick “user-2” -> Click on “Add Users” button. Click “EC2-Support” group and we can see under the “Users” tab, the “user-2” is included in the group.

Step 5: We will join the “user-3” to the “EC2-Admin” group. For that click on “Groups” -> Click “EC2-Admin” group -> Click the “Users” tab -> Click “Add Users to Group”.

Step 6: In the “Add Users to Group” window, tick “user-3” -> Click on “Add Users” button. Click “EC2-Admin” group and we can see under the “Users” tab, the “user-3” is included in the group.

Step 7: Click on “Groups”. Beside each group name we can now see how many users belong to it. Note that a user inherits the group’s policies as soon as it is added; no further action is needed on the user itself.

Task 3: Testing Users and Signing in

Step 1: Click “Dashboard” in the navigation panel on the left.

Step 2: Copy the IAM users sign-in link.

Step 3: Open a “New incognito window” in Google Chrome (so the test sign-in does not reuse the lab’s existing console session) -> Paste the IAM sign-in URL and press “Enter”.

Step 4: Enter the username as “user-1” and the password as “lab-password”. Click on “Sign in”.

Step 5: Click on Services -> Click on “S3”. Since “user-1” is a member of the “S3-Support” group, we should be able to view the S3 resources.

Step 6: Click on “Services” -> Click EC2 -> Click on Instances. An error is shown because no policy attached to user-1 (directly or through a group) allows any EC2 action; with no matching Allow statement, IAM denies the request by default.

Step 7: Sign out so we can test the other users.

Step 8: Enter the IAM users sign-in link and press “Enter”. Sign in with the username “user-2” and the password “lab-password”.

Step 9: Click Services -> Select EC2 -> Click on Instances. We can only view the instances, because the “EC2-Support” group grants read-only EC2 permissions.

Step 10: To test whether user-2 can modify EC2 instances, we will try to stop an instance. Select the instance -> Click on “Actions” -> Click on “Instance State” -> Click on “Stop”.

Step 11: A “Stop Instances” window will appear. Click “Yes, Stop”.

Step 12: An error message is displayed saying the user is not authorised to perform that action: the read-only policy allows viewing the instance but contains no Allow for stopping it.

Step 13: Click on “Services” -> Select S3. We receive “access denied” because “user-2” has no permission to access S3.

Step 14: Sign out.

Step 15: Enter the IAM users sign-in link -> Sign in with the username “user-3” and the password “lab-password”.

Step 16: Click on “Services” -> Select “EC2” -> click on “Instances”.

Step 17: Since “user-3” belongs to the “EC2-Admin” group, it can modify the EC2 instances.

Step 18: Select “Actions” -> Click on Instance State -> click on “Stop”.

Step 19: Select “Yes, Stop” under “Stop Instances”. This time the request is allowed: the instance enters the “stopping” state and shuts down.

Step 20: Close the private window. Go back to Vocareum and click on “End Lab”.

Discuss the use of the users, groups, roles and policies within your AWS account

  • Users: IAM lets us create an individual identity for each person (or application) that needs to access the AWS account, instead of sharing the account’s root credentials. A user has its own sign-in credentials (console password and/or access keys) and, by itself, no permissions: what it may do with AWS resources is decided entirely by the policies attached to it directly or inherited through its groups.
  • Groups: A group is a collection of users whose jobs are similar. A policy attached to a group applies to every member, so permissions for many users can be changed in one place rather than by editing each user individually, as Task 2 showed when user-1, user-2 and user-3 each received their access simply by being added to a group.
  • Roles: A role is an identity with a set of permissions but no long-term credentials of its own. A user, an application or an AWS service assumes the role and receives temporary credentials, which is how it gains access to resources it normally could not reach. Roles are not exercised in this lab.
  • Policies: Policies are JSON documents that define permissions as statements, each with an Effect (Allow or Deny), the Actions it covers (for example ec2:DescribeInstances) and the Resources it applies to. They are attached to users, groups or roles. A request is allowed only if some statement allows it and no statement explicitly denies it; if nothing matches, the request is denied by default, which is exactly what user-1 saw when opening EC2.
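As a worked illustration of how the group policies produced the results observed in Task 3, here is an added Python simulator of the IAM evaluation logic described above. It is not code from the lab, from Vocareum or from AWS. The three policy documents in it are assumptions: the lab does not print its managed policies, so these are minimal statements written to be consistent with what each user could and could not do (read-only EC2, read-only S3, EC2 admin). Group membership is the one configured in Task 2.

```python
"""Simulate the IAM permission checks from Task 3 against group policies.

Added example for this write-up; not code from the lab or from AWS.
The policy documents below are an ASSUMPTION consistent with the observed
behaviour, not the lab's real managed policies. The decision rule is the
documented IAM one: an explicit Deny beats any Allow, and a request with no
matching Allow is implicitly denied.
"""
import re

# Constructed policies (assumption), keyed by the lab's group names.
GROUP_POLICIES = {
    "EC2-Support": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
    "S3-Support": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
    "EC2-Admin": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

# Group membership exactly as configured in Task 2.
GROUP_MEMBERS = {
    "S3-Support": {"user-1"},
    "EC2-Support": {"user-2"},
    "EC2-Admin": {"user-3"},
}


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def evaluate(statements, action, resource="*"):
    """Apply the IAM decision logic to a list of policy statements.

    Returns True only if at least one Allow matches and no Deny matches.
    Action names are case-insensitive in IAM; resource ARNs are compared as-is.
    """
    allowed = False
    for st in statements:
        action_hit = any(_wildcard_match(a.lower(), action.lower())
                         for a in _as_list(st["Action"]))
        resource_hit = any(_wildcard_match(r, resource)
                           for r in _as_list(st.get("Resource", "*")))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False          # explicit Deny always wins, stop immediately
        allowed = True            # remember the Allow but keep looking for a Deny
    return allowed


def statements_for(user):
    """Collect every statement a user inherits through group membership."""
    return [st for group, members in GROUP_MEMBERS.items() if user in members
            for st in GROUP_POLICIES[group]]


def is_allowed(user, action, resource="*"):
    """Would IAM let this lab user perform this action?"""
    return evaluate(statements_for(user), action, resource)


def simulate_task3():
    """Replay the console actions from Task 3; returns {(user, action): allowed}."""
    checks = [
        ("user-1", "s3:ListAllMyBuckets"),    # S3 console bucket list
        ("user-1", "ec2:DescribeInstances"),  # EC2 -> Instances
        ("user-2", "ec2:DescribeInstances"),
        ("user-2", "ec2:StopInstances"),      # Actions -> Instance State -> Stop
        ("user-2", "s3:ListAllMyBuckets"),
        ("user-3", "ec2:DescribeInstances"),
        ("user-3", "ec2:StopInstances"),
    ]
    return {(user, action): is_allowed(user, action) for user, action in checks}


if __name__ == "__main__":
    for (user, action), ok in simulate_task3().items():
        print(f"{user:7} {action:24} {'allowed' if ok else 'DENIED'}")
```

Running it prints one allowed/DENIED line per check, matching Steps 5, 6, 9, 12, 13, 17 and 19 of Task 3. The evaluate() function also covers the rule the lab does not exercise: an explicit Deny statement overrides an Allow even when both match, which is how a guardrail policy can block, say, ec2:StopInstances on a specific instance ARN while a broad ec2:* Allow remains in place.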

Reflection and Critical Thinking

In this lab, I was guided through where users and groups are. I was able to see the policies set for each group that were made by default for the purpose of the lab. After that I learned how to join each user to each group. Then we had to sign into the AWS account using each user’s credentials and tested whether the policies were working or not. Because the policies are set on the group and each user belongs to a group, the users were only allowed to access the resources that they had permission for. This system of hierarchy is a good thing in terms of assigning what each user needs to access. The users get general permission, and the groups categorise the users based on their common attribute. This allows the admin to easily implement changes to all users by just implementing them in the group. After that, setting policies for groups makes it easier for the admin to assign permissions to a group of users. Then there are roles, which can be used to allow an individual user or application to get access to a particular resource based on the role’s permissions for a limited time, or it can be set permanently.
