AWS Cloud Practitioner — Lab 05 of 08

Lab 05 — IAM Users, Groups & Policies

Create IAM users and groups, write least-privilege policies, and test permissions.

Difficulty: Intermediate | Cost: Always Free | Time: 1–2 Hours

Lab Overview

AWS Identity and Access Management (IAM) is the security foundation of every AWS account. This lab teaches you to create users, organize them into groups, write custom JSON policies using the principle of least privilege, configure service roles, and test permissions by logging in as a restricted user.

IAM is always free and has the highest exam weighting of any domain on the Cloud Practitioner exam.

Service        Purpose                                                 Free Tier
AWS IAM        Users, groups, roles, and policies for access control   Always free
AWS Console    Sign in as a restricted user to verify permissions      Always free

Step-by-Step Instructions

Step 1 (AWS IAM): Create IAM Users
  1. Search for IAM and click it
  2. Left sidebar → Users → Create user
  3. User name: dev-user
  4. Check Provide user access to the AWS Management Console
  5. Select I want to create an IAM user
  6. Console password: Custom password → enter a password
  7. Uncheck “Users must create a new password at next sign-in”
  8. Click Next → skip permissions for now → Create user
  9. Repeat to create a second user: readonly-user
Step 2 (AWS IAM): Create IAM Groups and Assign Users
  1. Left sidebar → User groups → Create group
  2. Group name: Developers
  3. Add user: dev-user
  4. Click Create group
  5. Create a second group: ReadOnly → add readonly-user
Step 3 (AWS IAM): Create a Custom Least-Privilege Policy

Instead of using broad managed policies, you will write a JSON policy that grants only the exact permissions needed.

  1. Left sidebar → Policies → Create policy
  2. Click the JSON tab and paste the policy below
  3. Click Next → Policy name: S3ReadOnlyAccess-Custom → Create policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
Step 4 (AWS IAM): Attach Policies to Groups
  1. Left sidebar → User groups → click Developers
  2. Permissions tab → Add permissions → Attach policies
  3. Search for AmazonEC2FullAccess → attach it
  4. Also attach AmazonS3FullAccess
  5. Click ReadOnly group → attach S3ReadOnlyAccess-Custom
Step 5 (AWS IAM): Create a Service Role
  1. Left sidebar → Roles → Create role
  2. Trusted entity: AWS service → Use case: EC2 → Next
  3. Attach policy: AmazonS3ReadOnlyAccess
  4. Role name: EC2-S3-ReadOnly-Role → Create role
Step 6 (AWS Console): Test Permissions as the Restricted User
  1. Go to IAM → Users → readonly-user
  2. Copy the Console sign-in URL
  3. Open a private/incognito browser window and paste the URL
  4. Sign in with username readonly-user and the password you set
  5. Try to navigate to EC2 — you should see “You are not authorized”
  6. Try to navigate to S3 — you should be able to list buckets (read-only)
  7. Try to create an S3 bucket — should fail with an access denied error
  8. Close the incognito window and sign back in with your admin account
TIP: Always test permissions by signing in as the restricted user. Policy documents don't always behave as expected until you verify them.
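Before signing in as readonly-user, you can reason about what the Step 3 policy will and will not allow by running it through a small policy evaluator. The script below is an added example, not part of the lab or of any AWS SDK: it models IAM's core decision logic (implicit deny by default, an explicit Deny always wins, wildcard matching on actions and resources) and re-runs the Step 6 checks against the lab's own policy document; it does not model NotAction, NotResource or Condition, and the bucket and key names are constructed.

```python
import fnmatch
import json

# The lab's Step 3 policy, embedded verbatim so the check runs offline.
S3_READONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]
  }]
}""")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: implicit deny unless an Allow matches, and an
    explicit Deny always wins. Actions match case-insensitively; '*' and '?'
    are wildcards. NotAction, NotResource and Condition are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed


def lab_checks(policy=S3_READONLY_POLICY):
    """Mirror the Step 6 sign-in tests. Bucket and key names are constructed."""
    return {
        "ec2:DescribeInstances": is_allowed(policy, "ec2:DescribeInstances", "*"),
        "s3:ListBucket": is_allowed(policy, "s3:ListBucket", "arn:aws:s3:::example-bucket"),
        "s3:GetObject": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        "s3:PutObject": is_allowed(policy, "s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
        "s3:CreateBucket": is_allowed(policy, "s3:CreateBucket", "arn:aws:s3:::new-bucket"),
        # The console's bucket list calls ListAllMyBuckets, which this policy does not name.
        "s3:ListAllMyBuckets": is_allowed(policy, "s3:ListAllMyBuckets", "*"),
    }
```

Adding a Deny statement to the policy and re-running is_allowed shows why a broad Allow can never override an explicit Deny, which is the behaviour to rely on when you later layer policies on the Developers group.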

Lab Cleanup

IMPORTANT: Delete all resources when finished.
#   Resource      How to Delete
1   IAM Users     IAM → Users → select dev-user and readonly-user → Delete
2   IAM Groups    IAM → User groups → Developers and ReadOnly → Delete
3   IAM Policy    IAM → Policies → S3ReadOnlyAccess-Custom → Delete
4   IAM Role      IAM → Roles → EC2-S3-ReadOnly-Role → Delete