
Exploring Managed and Inline Policies for Cloud Security: Hands-On Demo


AWS Identity and Access Management (IAM) is the service that controls which identities can perform which actions on which AWS resources. Because every request is denied unless a policy explicitly allows it, the policies you attach to a user define that user's entire reach into the account. In this blog we explore managed and inline policies for cloud security and walk through a hands-on lab: create an IAM user, attach an AWS managed policy, observe the resulting denial, and then attach an inline policy to that same user.

We will start by creating an IAM user through the AWS Management Console and attaching the AWS managed policy IAMUserChangePassword, which allows the user to change only their own password. After creating the user, we will sign in with their credentials and attempt to describe EC2 instances, which will fail with an access-denied error because no policy on the user grants any EC2 permission.

Next, we will create an inline policy specifically for the user, permitting them to describe EC2 instances (the ec2:DescribeInstances action). This gives the user exactly the access needed to view instance details while keeping their permissions tightly scoped.

To begin, log into the AWS Management Console using an IAM user with administrative privileges. In the AWS Console, navigate to the search bar, type IAM, and select IAM from the list of services. This will take you to the IAM dashboard, where we can manage users, roles, and policies.


In the left-hand navigation pane of the IAM console, select Users, then click Create user.


Fill in the user’s details, including a preferred name. Afterward, check the box labeled Provide user access to the AWS Management Console to allow the user to log in. Next, select the radio button that says I want to create an IAM user.


Under the Console password section, select Autogenerate password, and then check the box labeled Users must create a new password at the next sign-in (this is recommended for security purposes). Once done, click Next to proceed.


In the Set permissions section, select Attach policies directly. In the managed policy search bar, type IAMUserChangePassword and select the policy that appears. This will be the only policy assigned to the user, allowing them to change their own password and nothing else. After selecting the policy, click Next to continue.


Review the permissions summary then click Create user.


Retrieve the newly created user's details, including the console sign-in URL, user name and one-time password. Use these credentials to sign in to the AWS Management Console as the new user (a private browser window, or a different browser, lets you keep the admin session open at the same time).


Once signed in to the console, navigate to the EC2 dashboard. You will notice that the dashboard shows API errors, indicating that the user lacks the permissions needed to list or view EC2 resources. This is IAM's default behaviour: the only policy on this user grants iam:ChangePassword, so every ec2:Describe* call the dashboard makes is implicitly denied.


When attempting to view EC2 instances, you will see a red error message stating that you are not authorized. This confirms that the user has no permission to describe EC2 instances. To resolve this, we will attach a policy granting that specific EC2 permission.


Log back in as the admin user and navigate to the IAM dashboard. From there, locate and select the user you created earlier. Once on the user’s detail page, click on the Permissions tab to review and manage the permissions assigned to that user.


Select the Add permissions drop-down button, then choose Create inline policy from the options. This will allow you to create a new inline policy specifically for the user.


In the Services section, click the drop-down button and select EC2 from the list. This specifies that the policy will apply to actions related to EC2.


Under Actions allowed, type instances in the search bar, then select DescribeInstances from the list of available actions. Make sure the Effect is set to Allow. DescribeInstances does not support resource-level permissions, so the editor leaves Resources set to All; a Describe-only action cannot modify anything, so this is acceptable here. Scroll down and click Next to proceed.


In the Policy Details section, enter your preferred name for the policy. Make sure the name is descriptive enough to reflect the policy’s purpose. After entering the name, click Create Policy to complete the creation process.


The policy has been created. In the Permissions policies table, the Policy name column lists the policies on the user, and the Type column distinguishes AWS managed from Customer inline policies. The Attached via column shows how each policy is associated with the user: attached directly, or inline.


Log in as the newly created user, and attempt to describe EC2 instances. At this point, you should notice that the user can successfully describe the instances. This access was granted by attaching an inline policy to the user, specifically allowing them to perform this action.
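To make the two sign-in attempts above concrete without an AWS account, here is an added Python example (not code from the original post or from AWS) that models how IAM evaluates the policies attached to this user. It embeds the body of the AWS managed policy IAMUserChangePassword as AWS publishes it (compare with the current version in the console) and an inline policy equivalent to the one built in the visual editor, then applies the documented rule for identity-based policies in one account: deny by default, any matching Allow grants, any matching Deny overrides. The account ID, instance ID and the function names `evaluate`, `before_inline_policy` and `after_inline_policy` are constructed for the example. It goes slightly beyond the lab by also showing that the ${aws:username} variable confines ChangePassword to the user's own identity and that write actions such as ec2:RunInstances stay denied after the inline policy is added.

```python
"""Offline model of the IAM evaluation behind this lab (added example).

Implements the documented rule for identity-based policies within one
account: implicit deny, Allow grants, explicit Deny overrides. Not modeled:
NotAction/NotResource, Condition, permissions boundaries, SCPs,
resource-based policies.
"""
import fnmatch
import json
from typing import Iterable

# Body of the AWS managed policy IAMUserChangePassword as AWS publishes it
# (check the current version in the IAM console). ${aws:username} scopes
# ChangePassword to the calling user's own IAM user.
IAM_USER_CHANGE_PASSWORD = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:ChangePassword"],
     "Resource": ["arn:aws:iam::*:user/${aws:username}"]},
    {"Effect": "Allow", "Action": ["iam:GetAccountPasswordPolicy"],
     "Resource": "*"}
  ]
}
""")

# Inline policy equivalent to the visual-editor result for
# EC2 -> DescribeInstances -> Allow. DescribeInstances has no
# resource-level permissions, so Resource must be "*".
DESCRIBE_INSTANCES_INLINE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowDescribeInstances", "Effect": "Allow",
     "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}
""")

# Constructed sample identifiers for the lab user and a target instance.
USER = "lab-user"
ACCOUNT = "123456789012"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"


def _as_list(value) -> list:
    """Action and Resource may be a single string or a list in policy JSON."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str, username: str, case_sensitive: bool) -> bool:
    """Glob match with IAM semantics: '*' spans the whole string and the
    ${aws:username} policy variable is expanded before matching."""
    if not case_sensitive:
        candidate = candidate.lower()
    for pattern in _as_list(patterns):
        pattern = pattern.replace("${aws:username}", username)
        if not case_sensitive:
            pattern = pattern.lower()
        if fnmatch.fnmatchcase(candidate, pattern):
            return True
    return False


def evaluate(policies: Iterable[dict], action: str, resource: str, username: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request
    by `username`, given every policy attached to that user."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive; ARNs are matched as written.
            if not _matches(stmt["Action"], action, username, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, username, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            allowed = True     # keep scanning in case a Deny follows
    return "Allow" if allowed else "ImplicitDeny"


def before_inline_policy() -> dict:
    """First sign-in: only IAMUserChangePassword is attached."""
    attached = [IAM_USER_CHANGE_PASSWORD]
    own_user = f"arn:aws:iam::{ACCOUNT}:user/{USER}"
    other_user = f"arn:aws:iam::{ACCOUNT}:user/admin"
    return {
        "ec2:DescribeInstances": evaluate(attached, "ec2:DescribeInstances", INSTANCE_ARN, USER),
        "iam:ChangePassword on own user": evaluate(attached, "iam:ChangePassword", own_user, USER),
        "iam:ChangePassword on admin": evaluate(attached, "iam:ChangePassword", other_user, USER),
    }


def after_inline_policy() -> dict:
    """Second sign-in: the inline policy sits alongside the managed one."""
    attached = [IAM_USER_CHANGE_PASSWORD, DESCRIBE_INSTANCES_INLINE]
    return {
        "ec2:DescribeInstances": evaluate(attached, "ec2:DescribeInstances", INSTANCE_ARN, USER),
        "ec2:RunInstances": evaluate(attached, "ec2:RunInstances", INSTANCE_ARN, USER),
    }


if __name__ == "__main__":
    for label, results in (("before inline policy", before_inline_policy()),
                           ("after inline policy", after_inline_policy())):
        print(label)
        for request, decision in results.items():
            print(f"  {request:<32} {decision}")
```

Against a real account, `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account>:user/<user> --action-names ec2:DescribeInstances` returns the authoritative decision, and the same inline document can be attached from the CLI with `aws iam put-user-policy --user-name <user> --policy-name <name> --policy-document file://policy.json` instead of the visual editor.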

This process demonstrates how AWS layers permissions: the managed policy and the inline policy are evaluated together, and the user ends up with exactly the union of what they allow and nothing more. Inline policies suit permissions that must stay strictly one-to-one with a single user, because an inline policy lives inside that user and is deleted with it. The trade-off is that it cannot be reused, versioned or reviewed centrally the way a customer managed policy can, which is why AWS generally recommends managed policies for any permission that will be granted to more than one identity.

Thanks for reading and stay tuned for more. Make sure you clean up when you are done: delete the inline policy and the test user (or at least its console password) so no unused credentials remain in the account.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].


Thank you!

Written By :

Victor Onyango, AWS Certified Solutions Architect – Associate, AWS Certified Security
