AWS IAM User and Group Management Guide

The document outlines an experiment to create and manage IAM users, groups, and policies within AWS. It details tasks such as creating custom policies for EC2 access, setting up user groups with specific permissions, and testing user access to AWS services like EC2 and S3. Additionally, it includes steps for configuring an S3 bucket for static website hosting and managing access permissions for users.

Uploaded by

manmohansethi24

EXPERIMENT - 4

AIM OF THE EXPERIMENT:

• Create a custom managed policy.
• Create IAM user groups with permission policies.
• Create IAM users and assign users to groups.
• Use user groups to add users to a group.
• Explore policy permissions that users inherit from groups.
• Log in as users to test the user’s permissions.
• Modify a user’s permission to provide additional access.

Simulation scenario
For this simulation, you create users and groups to enable permissions that
support the following business scenario.

Your company is growing its use of AWS services, and is using many Amazon
Elastic Compute Cloud (Amazon EC2) instances and Amazon Simple Storage
Service (Amazon S3) buckets. You hire three new employees and want to give
access to new staff, based on their job function, as indicated in the following table.

User     In Group      Permissions
user-1   S3-Support    Read-only access to Amazon S3
user-2   EC2-Support   Read-only access to Amazon EC2
user-3   EC2-Admin     View, start, and stop Amazon EC2 instances

Task 1: Creating a custom IAM policy


In this task, you create a custom IAM policy for limited administrative Amazon EC2
access. The permissions give any user to whom the policy is attached the ability to
view, start, and stop EC2 instances. You will create the policy now so that you can
use it later.

1. In the AWS Management Console, enter in the search field.
o Note: To record your entry, press Enter on your keyboard or choose any
place outside of the entry field.
2. Then, choose IAM from search results.
3. In the left navigation pane, choose Policies.
4. Choose Create policy.
5. For the Policy editor, choose JSON.
6. Copy and paste the following code into the policy editor field.

7. Choose the scroll bar to scroll down, then choose Next.


8. In the Policy name field, enter EC2-Admin-Policy.
9. Choose the scroll bar to scroll down, then choose Create policy.

You have just created a custom managed policy that provides a user with the
ability to start, stop, and view instances. This policy will be used for the
EC2-Admin group.
Task 2: Creating user groups with permissions
In this task, you create a user group for each of the three roles and attach the
appropriate permissions to the group. Users inherit the permissions of the
group or groups that they are added to. You can attach permissions directly to a
user. However, it is generally a best practice to manage permissions by adding
users to user groups, especially when there are multiple users with the same set of
permissions.

Create the EC2-Admin user group


10. In the left navigation pane, choose User groups.
11. Choose Create group.
12. In the User group name field, enter EC2-Admin.
13. Choose the scroll bar to scroll down.
14. In the Attach permissions policies search field, enter EC2-Admin-Policy.
15. Select the EC2-Admin-Policy check box.
16. Choose Create user group.

Create the EC2-Support group


17. Use what you learned from the previous steps to create the EC2-Support
group. For the name of the group, use EC2-Support. For the policy, use
AmazonEC2ReadOnlyAccess. If you need assistance, use the following steps:
o Choose Create group.
o In the User group name field, enter EC2-Support.
o Choose the scroll bar to scroll down.
o In the Attach permissions policies search field, enter
AmazonEC2ReadOnlyAccess.
o Select the AmazonEC2ReadOnlyAccess check box.
o Choose Create user group.

Create the S3-Support group


18. Use what you learned from the previous steps to create the S3-Support group.
For the name of the group, use S3-Support, and for the policy, use
AmazonS3ReadOnlyAccess. If you need assistance, use the following steps:
o Choose Create group.
o In the User group name field, enter S3-Support.
o Choose the scroll bar to scroll down.
o In the Attach permissions policies search field, enter
AmazonS3ReadOnlyAccess.
o Select the AmazonS3ReadOnlyAccess check box.
o Choose Create user group.

Task 3: Creating users and adding them to groups
In this task, you will create three users based on the Simulation business scenario.
As you create each user, you add the user to a group that aligns with their job role.
The user will inherit the permissions that are attached to the group. If you need to
re-familiarize yourself with the group that each user belongs in, review the
Business scenario.
Create user-1 and add to the S3-Support user group
19. In the left navigation pane, choose Users.
20. Choose Create user.

21. In the User name field, enter user-1.


22. Select the Provide user access to the AWS Management Console check box.
23. For User type, choose I want to create an IAM user.
24. Choose the scroll bar and scroll down. Then, for Console password, choose
Custom password.
25. Select the Show password check box.
26. In the Custom password field, enter Sim-Password1.
27. Clear the User must create a new password at next sign-in check box.
28. Choose Next.

29. Keep the Permissions options default setting Add user to group selected. In
the User groups list, select the S3-Support check box.
30. Choose Next.

31. Choose Create User.

On the Console sign-in details panel, choose Show to review the Console password.
32. Choose Return to users list.
Create user-2 and add to the EC2-Support user group
33. Choose Create user.
34. In the User name field, enter user-2.
35. In the Custom password field, enter Sim-Password2.
36. In the User groups list, select the EC2-Support check box.
37. Choose Next.
38. Choose Create User.
39. Choose Return to users list.

40. On the Continue without viewing or downloading console password pop-up
box, choose Continue.

Create user-3 without adding the user to a group


41. Choose Create user.
42. In the User name field, enter user-3.
43. In the Custom password field, enter Sim-Password3.
o Note: To record your entry, press Enter on your keyboard or choose any
place outside of the entry field.
44. Choose Next.

In task 4, you will explore another way to add users to a group. Therefore, you will
not select a group to add user-3 to at this point.

45. Choose Next.

Notice that the user has no permissions. This user will not be able to do anything
in the AWS Management Console at this point.

46. Choose Create User.


47. Choose Return to users list.
Task 4: Using the user group to add users
An alternative way to add users to groups is to go into the group and add users.
You will do this with user-3.

48. In the left navigation pane, choose User groups.


49. Choose the EC2-Admin group name.
50. Choose Add users.
51. From the list of users, select the user-3 check box.

52. Choose Add users.


53. In the left navigation pane, choose Users.

Task 5: Reviewing policies attached to a user

If you need to confirm the access that any user has, you can review the policies
attached to that user. Next, you will review the permissions for user-2.

54. On the Users page, choose user-2 from the User name column.

55. In the Policy name section, choose AmazonEC2ReadOnlyAccess.

A new tab opens displaying the AmazonEC2ReadOnlyAccess information page.

56. On the Permissions defined in this policy pane, choose JSON.


57. Choose the scroll bar to scroll down.

58. Close the AmazonEC2ReadOnlyAccess browser tab.


59. In the navigation pane on the left, choose Users.
Task 6: Testing the access of user-1
Get the console sign-in URL
60. In the left navigation pane, choose Dashboard.
61. On the AWS Account pane, choose the copy icon for Sign-in URL for IAM
users in this account to copy the link.

Open an incognito window


62. Open a private or incognito window in your browser. To do this, follow these
specific instructions:
o In the top right corner of your browser, choose the vertical ellipsis.
o Choose New Incognito window.
63. Paste the sign-in URL into the incognito window’s address bar. To do this,
follow these specific instructions:
o Choose the browser’s URL search bar.
o Press Ctrl + v on your keyboard.
o Choose the highlighted URL to load the page.

Next, you will duplicate the Sign in as IAM user page so that you have three
duplicate tabs open. You will use the tabs to sign in as each of your three users.

64. Open the context (right-click) menu for your browser tab.
65. Choose Duplicate.
66. Open the context (right-click) menu for your second browser tab.
67. Choose Duplicate.
You now have three duplicate tabs open. You will now sign in as user-1, who has
been hired as your Amazon S3 storage support staff.

Test user-1 permissions


68. Sign in with the following credentials:
o IAM user name: user-1
o Password: Sim-Password1

Note: To record each entry, press Enter on your keyboard or choose any place
outside of the entry field.

69. In the Recently visited section, choose S3.


70. Choose the sim-website bucket.
71. Choose Upload.
72. Choose Add files.
73. Select the [Link] file.
74. Choose Open.
75. Choose the scroll bar to scroll down. Then, choose Upload.

76. Close the browser tab.

Task 7: Testing the access of user-2


In this task, you will log into the AWS Management Console as user-2 and test the
permissions. User-2 has been hired as an Amazon EC2 support person and is
therefore in the EC2-Support group.

77. Sign in with the following credentials:


o IAM user name: user-2
o Password: Sim-Password2

Note: To record each entry, press Enter on your keyboard or choose any place
outside of the entry field.

78. In the Recently visited section, choose EC2.


79. In the left navigation pane, choose Instances.
80. Select the Application server instance check box.
81. Choose the Instance state menu. Then, choose Stop instance.
82. To confirm you want to stop the instance, choose Stop.

An error message appears that says, You are not authorized to perform this
operation. This demonstrates that the policy only allows you to view information
without making changes.
83. Close the Instances browser tab.

Task 8: Testing the access of user-3


In this task, you will log into the AWS Management Console as user-3 and test the
permissions. User-3 has been hired as an Amazon EC2 admin person and is
therefore in the EC2-Admin group.

The EC2-Admin group has the EC2-Admin-Policy policy attached to it. This is the
custom policy that you created in task 1. Therefore, user-3 should be able to go to
the EC2 dashboard and view instances. In addition, unlike user-2, user-3 should be
able to stop and start instances.
Sign in with the following credentials:
o IAM user name: user-3
o Password: Sim-Password3
84. In the Recently visited section, choose EC2.
85. In the Resources pane, choose Instances (running).
86. Select the Application server instance check box.
87. Choose the Instance state menu. Then choose Stop instance.
88. To confirm that you want to stop the instance, choose Stop.

This time, the action is successful because user-3 has permissions to stop EC2
instances. The Instance state changes to Stopping and begins to shut down.

Modifying access to grant user-3 read-only access to Amazon S3
Next, you will test whether the EC2-Admin-Policy that user-3 inherits from the
EC2-Admin group provides any access to view buckets in Amazon S3.
89. To return to the AWS Management Console Home page, choose the AWS icon
in the top left corner. In the Recently visited section, choose S3.
90. In the left navigation pane, choose Buckets.

An error message appears that says, You don’t have permissions to list buckets.
This demonstrates that the policy does not grant any access for S3.

If you wanted to give your EC2 administrator access to view buckets and bucket
objects, you could add the user to the S3-Support group. Next, you will update the
user-3 permissions so that the user can view buckets, in addition to having
administrative access to EC2.
91. Return to your normal browser window, where you are logged into the IAM
console. To do this, do the following:
o Hover near the bottom of the browser to bring up the task bar, then
choose the Google Chrome icon.
92. Choose User groups.
93. In the list of user groups, choose S3-Support.

The group provides a list of users that are in the group already.
94. Choose Add users.

Notice that user-1 is not among the list of users on the Add users to S3-Support
page. That is because this page does not show users that are already in the group.

95. On the Other users in this account pane, select the user-3 check box.
96. Choose Add users.

97. Return to the incognito window by closing the current window.


98. On the top left of your browser, choose Refresh.

The new access is available immediately. There is no requirement for the user to
log out and log back in for the changes to take effect. User-3 now has the same
access to S3 that user-1 has. However, user-1 cannot access EC2.
Simulation: Getting Started with Amazon S3
Objectives
After completing this simulation, you will know how to do the following:

• Create a bucket in Amazon S3.
• Configure a bucket to host a static website.
• Upload content to a bucket.
• Turn on public access to bucket objects.
• Securely share a bucket object by using a presigned URL.
• Secure a bucket by using a bucket policy.
• Update the website.
• View object versions in the Amazon S3 console.

Task 1: Creating a bucket in Amazon S3


In this task, you create an S3 bucket that you will use for static website hosting.

1. In the AWS Management Console, choose the search bar and enter S3.
2. Then choose S3 from the search results.

3. Choose Create bucket.

An S3 bucket name is globally unique, and all AWS accounts share the namespace.
After you create a bucket, no other AWS accounts in any AWS Regions can use the
name of that bucket unless you delete the bucket.

4. For Bucket name, enter sim-website.

5. Choose the scroll bar to scroll down to Object Ownership.


6. For Object Ownership, choose ACLs enabled. Keep the default Bucket owner
preferred selected.
7. Choose the scroll bar to scroll down to Block Public Access settings for this bucket.

Public access to buckets is blocked by default. Because the files in your static website
must be accessible through the internet, you must permit public access.

8. For Block Public Access settings for this bucket, clear the checkbox for Block all
public access. Then, select the box that states I acknowledge that the current
settings might result in this bucket and the objects within becoming public.

9. Choose the scroll bar to scroll down to Bucket Versioning.


10. For Bucket Versioning, choose Enable.

11. For Tags, choose Add tag, and enter the following:

o Key: Department
o Value: Marketing

12. Choose the scroll bar to scroll down.


13. Choose Create bucket.
Task 2: Configuring a static website on Amazon S3
You will now configure the bucket for static website hosting.

17. In the list of your buckets, choose the name of the bucket that you just created,
sim-website.
18. Choose the Properties tab.
19. Choose the scroll bar to scroll to the Static website hosting panel.
20. Choose Edit in the Static website hosting panel.

21. Choose Enable.

22. For Hosting type, keep the default setting Host a static website.
23. Configure the following settings:
o Index document: Enter [Link]
o Error document: Enter [Link]
24. Choose the scroll bar to scroll down.
25. Choose Save changes.
26. Choose the scroll bar to scroll to the Static website hosting panel.
27. In the Static website hosting panel under Bucket website endpoint, choose the link.

28. Choose the AWS Management Console tab on your browser.

You have configured your bucket to host a static website.

Task 3: Uploading content to your bucket


In this task, you upload the static files to your bucket.

22. Choose the scroll bar to scroll to the top of the page, and choose the Objects tab.
23. Choose Upload.
24. Choose Add files.
25. Choose the Website files folder, and choose Open to open the folder.
26. Use your mouse to choose each of the following files: [Link], [Link], and
[Link] (order does not matter). Then choose Open.

27. Choose the scroll bar to scroll down.


28. Choose Upload.
29. Choose Close.
Task 4: Turning on public access to the objects
27. Return to the browser tab that showed the 403 Forbidden message.
28. Choose the Refresh button for the webpage.
29. Keep the website tab open, and return to the web browser tab with the Amazon S3
console.
30. Choose the Name checkbox to select all three objects.
31. In the Actions menu, choose Make public using ACL.

A list of the three objects is displayed.

32. Choose Make public.

33. Choose Close.


34. Return to the web browser tab that has the 403 Forbidden message.
35. Refresh the webpage.

36. On your browser, choose the x on the My Static Website tab.

Task 5: Securely sharing an object by using a presigned URL
37. Choose Upload.
38. Choose Add files.
39. Choose the new-report file, and choose Open.
40. Choose the scroll bar to scroll down.
41. Choose Upload.
42. Choose Close.

43. In the Objects tab, choose [Link].


44. From the Actions menu, select Share with a presigned URL.
45. In the pop-up window, keep the default Minutes selected for the Time interval until
the presigned URL expires.
46. For Number of minutes, enter 2.
47. Choose Create presigned URL.
48. From the banner at the top of the page, choose Copy presigned URL.

49. Open a new browser tab.


50. Paste the URL that you copied into the address bar. Use these specific steps to paste
and launch the URL:

51. Choose the Refresh icon on the browser.

52. Choose x to close the Access denied tab.
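What the console did in this task is sign a request with your credentials and embed the signature and expiry time in the URL, which is why the link works without an IAM sign-in and stops working once the two minutes have passed. The following Python is an added example (not the guide's or the console's code) that builds such a URL with Signature Version 4 and computes the remaining lifetime; the key pair is the example pair published in AWS's signing documentation, and the object key and timestamps are constructed.

```python
"""Presigned S3 GET URL built with Signature Version 4 query-string auth,
plus an expiry check. Added example, not code from the guide or the S3
console. The key pair is the EXAMPLE pair published in AWS's signing docs."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                      # AWS docs example key id
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # AWS docs example secret
DOC_EXAMPLE_TIME = datetime(2013, 5, 24, tzinfo=timezone.utc)  # from the same docs


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, when, expires, region="us-east-1"):
    """URL the console's 'Share with a presigned URL' hands out: whoever holds
    it can GET the object until `when` + `expires` seconds, no IAM user needed."""
    host = f"{bucket}.s3.amazonaws.com"
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{when:%Y%m%d}/{region}/s3/aws4_request"
    params = [  # already in the sorted order SigV4 requires for the canonical query
        ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
        ("X-Amz-Credential", f"{ACCESS_KEY}/{scope}"),
        ("X-Amz-Date", amz_date),
        ("X-Amz-Expires", str(expires)),
        ("X-Amz-SignedHeaders", "host"),
    ]
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    path = "/" + quote(key, safe="/~")
    # Canonical request: method, path, query, headers (each newline-terminated),
    # signed header names, payload hash (presigned S3 GETs use UNSIGNED-PAYLOAD)
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host",
                           "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the scoped signing key; the long-term secret never appears in the URL
    k = _hmac(("AWS4" + SECRET_KEY).encode(), f"{when:%Y%m%d}")
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"


def seconds_remaining(url, now):
    """Seconds until S3 stops honouring the URL (negative once expired); S3
    compares X-Amz-Date + X-Amz-Expires with its own clock on every request."""
    q = parse_qs(urlsplit(url).query)
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    expiry = issued.replace(tzinfo=timezone.utc) + timedelta(seconds=int(q["X-Amz-Expires"][0]))
    return int((expiry - now).total_seconds())


def demo_expiry():
    """Task 5 of the guide: a 2-minute URL is live at +60 s and refused at +121 s."""
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    url = presign_get("sim-website", "new-report", issued, 120)  # object key constructed
    return (seconds_remaining(url, issued + timedelta(seconds=60)),
            seconds_remaining(url, issued + timedelta(seconds=121)))
```

Because the signature covers X-Amz-Expires, a recipient cannot extend the window by editing the URL; any change invalidates it.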


Task 6: Using a bucket policy to secure your bucket
50. Choose the Permissions tab.
51. Choose the scroll bar to scroll down to the Bucket policy panel.
52. In the Bucket policy panel, choose Edit.
53. Copy the following policy text and paste it in the Policy text editor field. To do so,
follow these specific steps:
o Open the context (right-click) menu for the Policy text editor field.
o Choose Paste.

{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "BucketPutDelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": [
        "arn:aws:s[Link]sim-website/[Link]",
        "arn:aws:s[Link]sim-website/[Link]",
        "arn:aws:s[Link]sim-website/[Link]"
      ]
    }
  ]
}
54. Choose the scroll bar to scroll down.
55. Choose Save changes.
56. Return to the Objects tab.
57. Select [Link].
58. Choose Delete.
59. In the Delete objects panel, enter delete to confirm that you want to remove this file.
60. Choose Delete objects.
61. Notice that the [Link] file is listed in the Failed to delete pane.

62. Choose Close to return to the Objects tab.

Task 7: Updating the website

63. On your computer, load the [Link] file into a text editor (in this simulation, you
use Notepad). Follow these specific steps:
o Open the context (right-click) menu for the [Link] file.
o Choose Open with.
o Choose Notepad.

64. Find the text Served from Amazon S3, and replace it with Created by Jane. Follow
these specific steps:
o Choose the text Served from Amazon S3.
o Enter Created by Jane.
65. Save the file. Follow these specific steps:
o Choose File from the Notepad menu.
o Choose Save.
66. Return to the Amazon S3 console by selecting the Amazon S3 console window in the
background.
67. Choose the [Link] file name (choose the link, not the checkbox).
68. Choose the Object URL link.

69. Choose the Back arrow on your browser to return to the Amazon S3 console.
70. Choose the sim-website link from the navigation at the top of the page.
71. Upload the [Link] file that you just edited. Follow these specific steps:
o Choose Upload.
o Choose Add files.
o Choose the Website files folder, and choose Open.
o Choose the index file and choose Open.
o Choose the scroll bar to scroll down.
o Choose Upload.
o Choose Close.

72. Select the [Link] checkbox, and in the Actions menu, choose the Make public using
ACL option again.
73. Choose Make public, and choose Close.

74. Choose the [Link] file name (choose the link, not the checkbox).
75. Choose the Object URL link.
76. Choose the Back arrow on your browser to return to the Amazon S3 console.
77. Choose the sim-website link from the navigation at the top of the page.

Task 8: Exploring file versions


78. Choose Show versions to see which files have multiple versions.
79. Choose the scroll bar to scroll down.
80. Review the list of objects in the bucket.
