Open In App

AWS CLI For Identity And Access Management

Last Updated : 11 Mar, 2024
Improve
Improve
Like Article
Like
Save
Share
Report

Amazon Web Services (AWS) is a comprehensive cloud computing platform offering many services, including storage, computing, databases, and more. AWS Identity and Access Management (IAM) is a core AWS service that allows you to securely control who can access your AWS resources and what actions they can perform. IAM enables you to create users, groups, and roles, and define granular permissions for each.

AWS CLI

Amazon’s command-line interface (CLI) is a powerful tool that allows users to interact with various AWS services through a command-line interface.

Install AWS CLI

Assuming you already have an AWS account, follow the steps below to install AWS CLI on your system (these steps are based on Ubuntu OS).

You can either follow the instructions from the AWS documentation or run the below commands in your terminal to install AWS CLI in your system

sudo apt-get install awscli -y
Install AWS CLI

Install AWS CLI

Configure AWS Credentials

  • Login to AWS Console
  • Click on your username at top right corner and click on Security Credentials
  • Under Access keys click on Create access key –> Choose Command Line Interface (CLI) –> add some description for it -> Create
  • Either copy Access key ID and Secret access key displayed on the screen or download csv file.
aws configure --profile <profile-name>

For example:

aws configure --profile dillip-tech
Configure AWS CLI with custom profile

Configure AWS CLI with custom profile

Fill the prompts for access key and secret you’ve copied in above steps, and now you’re all set to tryout AWS IAM resources.

Manage IAM resources with CLI

The AWS CLI offers a comprehensive set of commands for managing various aspects of IAM. Here’s the comprehensive list of examples demonstrating common operations:

Creating Users:

To create an IAM user, run the below command, This command creates a new IAM user named “new-user.”

aws iam create-user --user-name new-user
Create IAM User

Create IAM User

Listing Users and Roles:

aws iam list-users

This will list the IAM users in the mentioned profile, with basic details, like Username, UserId, Arn, and createdDate, refer the sample below.

List IAM Users

List IAM Users

aws iam list-roles

These commands list all the roles currently existed in your AWS account, with all basic details, RoleName, RoleID, Arn, and AssumeRolePolicyDoc.

List  IAM Roles

List IAM Roles

Create Access Keys for Users:

This below command generates a new access key ID and secret access key for the user new-user, we can use it for various use cases like CLI, SDK.

aws iam create-access-key --user-name new-user
Create Access key for user

Create Access key for user

Create IAM Groups:

aws iam create-group --group-name new-user-group

This command creates a new IAM group named new-user-group.

Create IAM Group

Create IAM Group

Add Users to Groups:

aws iam add-user-to-group --user-name new-user --group-name new-user-group

This command adds the user new-user to the group new-user-group.

Add User to IAM Group

Add User to IAM Group

Create IAM Roles:

aws iam create-role --role-name my-new-role --assume-role-policy-document file://trust-policy.json

This command creates a new IAM role named my-new-role.

Create IAM Role

Create IAM Role

Attach Permissions Policies to Roles:

aws iam attach-role-policy --role-name my-new-role --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess

This command attaches the managed policy “AmazonEC2FullAccess” to the role my-new-role, granting access to EC2 resources.

Attach Role Policy

Attach Role Policy

Assume IAM Roles:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/my-new-role --role-session-name my-temp-session
Assume IAM Role

Assume IAM Role

This command allows you to temporarily assume the permissions of the role my-new-role for a specific session named my-temp-session.

These are just a few examples, and the AWS CLI offers a comprehensive range of commands for managing IAM entities and permissions.

Beyond the Basics: Advanced Features

The AWS CLI empowers you with advanced functionalities for IAM management:

  • User Password Rotation: Reset or rotate user passwords to maintain security.
  • MFA (Multi-Factor Authentication) Configuration: Enforce MFA for enhanced security when accessing AWS resources.
  • Granular Permission Policies: Craft custom IAM policies with fine-grained control over user and role actions.
  • Simulate User Actions: Test IAM policies to verify user permissions before granting access.
  • By leveraging these advanced capabilities, the AWS CLI becomes a powerful tool for managing IAM within your AWS environment.

AWS CLI for Identity and Access Management – FAQ’s

How can I enhance security when using AWS CLI access keys?

Implement best practices such as rotating access keys regularly, using IAM roles instead of long-term access keys.

What considerations should I keep in mind when creating IAM roles?

Clearly define the role’s purpose and attach policies with the minimum required permissions, restrict based on aws services, users as principals, so that the purpose would not deviate.

Can i update the credentials for Profile?

Yes, you can update credentials at any time, just run the command again, i.e aws configure –profile <profilename>, it will prompt for updated credentials, enter the credentials, these will be replaced with old ones.



Similar Reads

Identity and Access Management (IAM) in Amazon Web Services (AWS)
Pre-requisite: AWS Identity and Access Management (IAM) manages Amazon Web Services (AWS) users and their access to AWS accounts and services. It controls the level of access a user can have over an AWS account &amp; set users, grant permission, and allows a user to use different features of an AWS account. Identity and access management is mainly
5 min read
How to Use Cloud Identity and Access Management (IAM) For Access Control on GCP?
IAM defines "who can do what on which resource". Cloud IAM (Identity Access Management) offers a standardized set of functions and integrates access management for Google Cloud services into a single solution. You can create and manage permissions for Google Cloud resources using the Identity and Access Management (IAM) service provided by Google C
7 min read
Identity and Access Management (IAM) vs Security Information and Event Management (SIEM)
Identity and Access Management (IAM) and Security Information and Event Management (SIEM) are two critical components of an organization's security posture. Both are designed to ensure the protection of sensitive data, resources, and systems, but they do so in different ways. IAM focuses on managing who has access to resources and what they can do
8 min read
How To Use AWS EC2, EBS, and S3 Services Using AWS CLI?
Pre-requisite: EC2, EBS and S3 The AWS Command Line Interface (AWS CLI) is an open-source tool that enables you to interact with AWS services using commands in your command-line shell. With minimal configuration, the AWS CLI provides you with the ability to quickly and easily access the same functionality as the browser-based AWS Management Console
6 min read
How To Aceses AWS S3 Bucket Using AWS CLI ?
The AWS Command Line Interface (AWS CLI) is an open-source tool that allows you to interact with AWS services using syntax in your shell. It provides you with the ability to quickly and easily access the same functionality as the browser-based AWS Management Console from the comfort of your terminal program. S3 (Simple Storage Service) is a storage
5 min read
AWS Lambda Functions With AWS CLI
Amazon Web Services (AWS) is a comprehensive cloud computing platform offering many services, including storage, computing, databases, and more. AWS Lambda is a serverless computing service provided by Amazon Web Services (AWS). we can create functions and self-contained applications. With AWS Lambda functions, we can perform any kind of computing
6 min read
Amazon DynamoDB - Identity and Access Management(IAM)
Security in the cloud remains one of the main barriers to cloud adoption. For security operations and development teams to follow security best practices ensuring a smooth transition. AWS IAM (Identity and Access Management) is one of the most widely used security platforms for data protection. It follows an incredibly granular approach in providin
7 min read
Architecture of Identity Access Management in Cloud Computing
Pre-requisite: IAM Identity Access Management is used by the root user (administrator) of the organization. The users represent one person within the organization, and the users can be grouped in that all the users will have the same privileges to the services. Shared Responsibility Model for Identity Access ManagementCloud Service Provider (CSP)In
3 min read
How To Install and Set Up an AWS CloudWatch Agent Using CLI?
We will see how to install and configure the new unified CloudWatch agent on a running EC2 Linux instance. Collect logs from the Apache HTTP log file and collect metrics from our EC2 instance. New unified CloudWatch can collect both logs and metrics from EC2 instances. The older CloudWatch Logs agent is on the path to deprecation. Features of AWS E
7 min read
Launching an EC2 instance using AWS CLI
In this article, we will look into the process of launching instances that is through AWS CLI(Command Line Interface). AWS CLI is a unified tool for running and managing your various AWS services. Just download and install the tool and you will be able to control multiple AWS services from the command line. For Developers, it is a great tool for ma
5 min read