Identity and Access Management
AWS Identity and Access Management (IAM) enables you to more securely manage access to your AWS accounts and resources. With IAM, you can create multiple users within your primary AWS account--known as your root account. Each of these users can have their own credentials: password, Access Key ID, and Secret Key. Note, however, that all IAM users share a single account number.
You can manage the level of resource access that each IAM user has by attaching IAM policies to the user. For example, you could attach a policy to an IAM user that gives them access to the Amazon S3 service and related resources within your account, but which doesn't provide access to any other services or resources.
For more efficient access management, you can create IAM groups, which are collections of users. You can then attach a policy to the group, and it will apply to all users that are members of that group.
In addition to managing permissions at the user and group level, IAM also supports the concept of IAM roles. Similarly to users and groups, you can attach policies to IAM roles. You can then associate the IAM role with an Amazon EC2 instance. Applications that run on the EC2 instance are able to access AWS using the permissions provided by the IAM role. For more information about using IAM roles with the Toolkit, see Create an IAM Role.
Create and Configure an IAM User
IAM users enable you to grant others access to your AWS account. Because you are able to attach policies to IAM users, you can precisely limit what resources an IAM user can access and what operations they can perform on those resources.
A best practice is for all users that access an AWS account to access that account as IAM users, including the owner of the account. This ensures that if the credentials for one of the IAM users are compromised, just those credentials can be deactivated without needing to deactivate or change the root credentials for the account.
From the Toolkit, you can assign permissions to an IAM user either by attaching an IAM policy to the user or by assigning the user to a group. IAM users that are assigned to a group derive their permissions from the policies that are attached to the group. For more information, see Create an IAM Group and Add an IAM User to an IAM Group.
From the Toolkit, you can also generate AWS credentials (Access Key ID and Secret Key) for the IAM user. For more information, see Generate Credentials for an IAM User.
The AWS Toolkit for Visual Studio supports specifying IAM user credentials for accessing services through AWS Explorer. Note that because IAM users typically do not have full access to all AWS services, some of the functionality in AWS Explorer might not be available in this scenario. If you use AWS Explorer to change resources while the active account is an IAM user and then switch the active account to the root account, the changes may not be visible until you refresh the view in AWS Explorer. To refresh the view, click
For information about how to configure IAM users from the AWS Console, go to Working with Users and Groups in the IAM User Guide.
To create an IAM User
In AWS Explorer, expand the AWS Identity and Access Management node, right-click on the Users subnode and select Create User...
The new user appears as a subnode beneath Users under the AWS Identity and Access Management node.
For information on how to create a policy and attach it to the user, see Create an IAM Policy.
Create an IAM Group
Groups provide a way of applying IAM policies to a collection of users. This section describes how to create a group using the Toolkit.
For in-depth information about how to manage IAM users and groups, go to Working with Users and Groups in the IAM User Guide.
To create an IAM group
In AWS Explorer, under Identity and Access Management, right-click on the Groups subnode and select Create Group...
Enter a name for the new IAM group and click OK.
The new IAM group appears under the Groups subnode of Identity and Access Management.
For information on how to create a policy and attach it to the IAM group, see Create an IAM Policy.
Add an IAM User to an IAM Group
IAM users that are members of an IAM group derive access permissions from the policies attached to the group. The purpose of an IAM group is to make it easier to manage permissions across a collection of IAM users. Therefore, to be useful, IAM groups need to contain IAM users.
For in-depth information about how the policies attached to an IAM group interact with the policies attached to IAM users that are members of that IAM group, go to Managing IAM Policies in the IAM User Guide.
To add an IAM user to an IAM group
In AWS Explorer, under Identity and Access Management, right-click on the Users subnode and select Edit. Note that you add IAM users to IAM groups from the Users subnode in AWS Explorer rather than from the Groups subnode.
In the Groups subtab, the left-hand pane displays the available IAM groups and the right-hand pane displays the groups of which the specified IAM user is already a member.
To add the IAM user to a group, select the IAM group in the left-hand pane and click the right-single-arrow button, ">".
To remove the IAM user from a group, select the IAM group in the right-hand pane and click the left-single-arrow button, "<".
The lists of groups in the two panes support multiple selection. You can select multiple groups by clicking on them in sequence; you do not need to hold down the control key. To unselect a group, click on it a second time.
To add the IAM user to all the IAM groups, click the right-double-arrow button, ">>". Similarly, to remove the IAM user from all the groups, click the left-double-arrow button, "<<".
When you have finished assigning the IAM user to IAM groups, click Save.
Generate Credentials for an IAM User
With the Toolkit, you can generate certain types of AWS credentials, specifically, the Access Key ID and Secret Key. These can be used to make API calls to AWS. These keys can also be specified in order to access AWS services through the Toolkit. For more information about how to specify credentials for use with the Toolkit, see Specifying Credentials. For more information about how to safely handle credentials, see Best Practices for Managing AWS Access Keys.
The Toolkit cannot be used to generate a password for an IAM user.
To generate credentials for an IAM user
In AWS Explorer, right-click on an IAM user and select Edit. A tab for that IAM user appears in the AWS Explorer working pane. Select the subtab labeled Access Keys.
To generate credentials, click Create.
Note that you can generate only two sets of credentials per IAM user. If you already have two sets of credentials and you need to create an additional set, select one of the existing sets and click Delete.
If you want the Toolkit to save an encrypted copy of your Secret Access Key to your local drive, select Save the secret access key locally. AWS returns the secret access key only at the time it is created; it cannot be retrieved later. You can also copy the Secret Access Key from the dialog box and save it in a secure location.
After generating the credentials, you can view them by selecting them in the Access Keys subtab. If you chose to have the Toolkit save the Secret Key locally, then it will be displayed here.
If you saved the Secret Key yourself and would also like the Toolkit to save it, you can enter it here and select Save the secret access key locally.
You can also deactivate the credentials by clicking the Make Inactive button. You might do this if you suspect the credentials have been compromised. You can subsequently re-activate the credentials, which you might do if you receive an assurance that the credentials are secure.
Create an IAM Role
The AWS Toolkit supports the creation and configuration of IAM roles. Similarly to users and groups, you can attach policies to IAM roles. You can then associate the IAM role with an Amazon EC2 instance. The association with the EC2 instance is handled through an instance profile, which is a logical container for the role. Applications that run on the EC2 instance are automatically granted the level of access specified by the policy associated with the IAM role. This is true even when the application hasn't specified other AWS credentials.
For example, you could create a role and attach a policy to that role that limits access only to Amazon S3. After associating this role with an EC2 instance, you could then run an application on that instance and that application would automatically have access to Amazon S3, but not any other services or resources. The advantage of this approach is that you don't need to be concerned with securely transferring and storing AWS credentials on the EC2 instance.
For in-depth information on IAM roles, go to the topic Working with IAM Roles in the IAM User Guide.
To create an IAM role
In AWS Explorer, under Identity and Access Management, right-click on the Roles subnode and select Create Roles...
Enter a name for the IAM role and click OK.
The new IAM role appears under the Roles subnode of Identity and Access Management.
For information on how to create a policy and attach it to the role, see Create an IAM Policy.
Create an IAM Policy
Policies are fundamental to using IAM. Policies can be associated with IAM entities such as users, groups, or roles, and they specify precisely what level of access is granted to that user, group, or role.
To create an IAM policy
In AWS Explorer, expand the AWS Identity and Access Management node, then expand the node for the type of entity to which you will attach the policy: Groups, Roles, or Users. For this discussion, we'll work with an IAM role. Right-click on the specific group, role, or user (in this case an IAM role) and select Edit.
A tab associated with the role appears in the AWS Explorer working pane. In this tab, click the Add Policy link.
Enter a name for the new policy.
In the policy editor, add policy statements to specify the level of access to provide the role (in this example "winapp-instance-role-2") associated with the policy. In the example, we show a policy which provides full access to Amazon S3, but no access to any other resources.
For greater precision, you can expand the subnodes associated with services in the policy editor to allow or disallow particular actions associated with that service.
When you are finished editing the policy, click the Save link.
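The following Python example is added here to make concrete three points from this section: the S3-only role policy described under Create an IAM Role, the per-action allow/disallow refinement that the policy editor's service subnodes expose, and the way an IAM user's effective permissions combine the policies attached to its groups with its own (Add an IAM User to an IAM Group). It is not code from the Toolkit or from AWS. The policy documents use the standard IAM JSON format, but the evaluator is a deliberate simplification of IAM's real logic (default deny, explicit Deny overrides Allow, wildcard action matching); it does not model Condition blocks, NotAction/NotResource, resource-based policies, permissions boundaries, or SCPs. The bucket name and the role name `winapp-instance-role-2` from the text are used only as sample values.

```python
import fnmatch
import json

# Constructed sample policies (not taken from the Toolkit). The first mirrors the
# page's scenario: a role whose only permissions are full access to Amazon S3.
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# A tighter variant, of the kind you get by expanding the S3 subnode in the policy
# editor and disallowing particular actions: reads stay allowed, destructive
# operations are explicitly denied.
S3_READ_NO_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:DeleteObject"], "Resource": "*"},
    ],
}

# Trust policy that lets the EC2 service assume the role; this is what an instance
# profile relies on so that applications on the instance need no stored keys.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Service."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(action, resource, policies):
    """Simplified IAM decision over a set of identity-based policies.

    `policies` is every policy that applies to the identity: for an IAM user that
    is the union of its own policies and those of every group it belongs to.
    Rules modelled: default deny; any matching Allow grants; any matching Deny
    wins over all Allows.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_action_matches(p, action) for p in actions):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny is final
            allowed = True            # remember the allow, keep scanning for denies
    return allowed


def service_can_assume(service, trust_policy):
    """Whether the given AWS service principal may assume the role."""
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        actions = _as_list(stmt.get("Action", []))
        if stmt["Effect"] == "Allow" and service in services and "sts:AssumeRole" in actions:
            return True
    return False


if __name__ == "__main__":
    bucket_obj = "arn:aws:s3:::example-bucket/report.csv"   # constructed sample ARN
    print("winapp-instance-role-2 policy:", json.dumps(S3_FULL_ACCESS, indent=2))
    print("EC2 may assume role:", service_can_assume("ec2.amazonaws.com", EC2_TRUST_POLICY))
    print("s3:GetObject  ->", is_allowed("s3:GetObject", bucket_obj, [S3_FULL_ACCESS]))
    print("ec2:RunInstances ->", is_allowed("ec2:RunInstances", "*", [S3_FULL_ACCESS]))
    # User in a group: group grants full S3, user's own policy denies deletes.
    print("s3:DeleteObject (group allow + user deny) ->",
          is_allowed("s3:DeleteObject", bucket_obj, [S3_FULL_ACCESS, S3_READ_NO_DELETE]))
```

Run it directly to print the decisions; the last line shows why attaching an explicit Deny to a user is an effective way to carve an exception out of a permissive group policy, since the Deny is honoured regardless of which policy the Allow came from.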