Restrict Access with IAM Service

Best practice: Avoid using the Root User. Instead, create IAM Users with minimal permissions needed to manage resources. This makes management easier and reduces security risks.

In this section, we will create a policy to restrict a user to only interact with EC2 Instances in the ap-southeast-1 region.

1. Access the AWS IAM Management Console

iam-management.png

2. Create Custom Policies

2.1. On the left navigation menu, select Policies policies.png

2.2. In the Policies interface, click Create policy. create-policy.png

2.3. Step 1 - Specify permissions, - Go to the JSON tab, paste the following JSON into the Policy Editor, and click Next.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-southeast-1"
        }
      }
    }
  ]
}

Specify permissions.png

This policy allows users to manage EC2 instances only in the ap-southeast-1 region.

2.4. Step 2 - Review and Create:

  • Enter a Policy Name: ec2-restricted-region-group.

  • Enter a Description: Allow access to EC2 only in ap-southeast-1.

  • Click Create policy.

    review-and-create

3. Create a User Group and Assign the Policy

To reuse this policy, assign it to an IAM Group. All IAM Users in this group will have the same permissions.

3.1. Access User groups from the left navigation menu.

  • In the User groups interface, click Create group.
  • In the Create user group interface:
    • Enter User Group Name: ec2-restricted-region-group.
    • Under Filter by Type, select Customer Managed.
    • Choose the policy created earlier.
    • Click Create user group.

user-group

  • After creation, you should see a summary like this: review-user-group

4. Create a User and Assign Them to the Group

4.1. Access Users from the left navigation menu. user-tab

4.2. Click Create user.

4.3. Step 1 - Specify user details: Step 1 - Specify user details:

  • Enter a username: restricted_user.
  • Select Provide user access to the AWS Management Console.
  • Choose I want to create an IAM user.
  • Set a custom password: restricted_user1.
  • Click Next. specify-user-detail

4.4. Step 2 - Set permissions:

  • Select Add user to group.
  • Choose the group created earlier (e.g., ec2-restricted-group).
  • Click Next. set-permission

4.5. Step 3 - Review and Create:

  • Review the user and permissions.
  • Click Create user. review

4.6. Step 4 - Retrieve password:

  • Save or download the .csv file to manage user credentials. review-pwd

4.7. Log in as the IAM User:

  • Copy the sign-in URL.
  • Log in using the username: restricted_user and password: restricted_user1. sign-in
  • After Signing in, change your password. change-password
  • Check the EC2 service in us-east-2: The policy should restrict access in this region. restricted-region.png
  • Check the EC2 service in ap-southeast-1: Access should be allowed. check_region.png

Done