Setting Up User Accounts
We have successfully created accounts for production and staging. However, what if multiple users need access to the production and staging accounts with different permissions? Let's go through the steps to grant other user accounts access to production and staging.
1. Create a Group and User
- In the AWS Management Console, go to IAM Identity Center (formerly AWS Single Sign-On).
- Enable IAM Identity Center:
  - If it's not already enabled, click "Enable" and choose the "Enable with AWS Organizations (Recommended)" option.
- Create a Group:
  - Navigate to "Groups".
  - Click "Create group".
  - Group Name: Enter a name, such as `AdminAccess`.
  - Create Group: Click "Create group".
Groups simplify permission management by allowing you to assign permissions to multiple users at once.
- Add a User:
  - Go to "Users".
  - Click "Add user".
  - User Details:
    - Username: Use the first and last name or a preferred alias.
    - Email Address: Enter the email of the authorized person.
    - Password Setup: Choose "Send an email to this user with password setup instructions".
    - Additional Fields: Fill in as desired.
  - Next: Click "Next".
  - Assign User to Group:
    - Select Groups: Choose the `AdminAccess` group.
    - Next: Proceed to the next step.
  - Review and Add User: Confirm the details and click "Add user".
2. Set Up Permission Sets
Permission sets define the level of access users have within your AWS accounts.
- Create Permission Sets:
  - On the left sidebar under Multi-account permissions, select "Permission sets".
  - Click "Create permission set".
- AdministratorAccess Permission Set:
  - Choose Permission Type: Select "Predefined permission set".
  - Select Policy: Choose "AdministratorAccess".
  - Session Duration: Set how long a user can be signed in before re-authenticating. 1 hour is recommended.
  - Create: Click "Next", then click "Create".
3. Assign Permissions to Accounts
Now, we'll assign our group to both the production and staging accounts with the appropriate permission sets.
- Click on "AWS accounts" under Multi-account permissions.
- Select Accounts:
  - Check the boxes next to both the `prod` and `staging` accounts.
  - Click "Assign users or groups".
- Assign Group:
  - Select Users or Groups: Choose the `AdminAccess` group.
  - Next: Click to proceed.
- Select Permission Set:
  - Choose "AdministratorAccess".
- Next: Review and confirm the assignments.
- Submit: Click "Submit" to finalize.
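The console clicks in steps 2 and 3 map onto three IAM Identity Center API calls: create the permission set, attach the managed policy, and create one account assignment per account for the group. The script below is an added example (not from the original page) that describes that sequence as plain request parameters, checks the inputs (12-digit account ids, a session duration within the 1 to 12 hour range Identity Center accepts, and a warning when AdministratorAccess gets more than the recommended 1 hour), and then runs them through a boto3 `sso-admin` client. The boto3 method names and parameters are the real API; the function names, the instance ARN, the group id and the account ids are placeholders I made up for this example.

```python
import re

# Constructed placeholders, not real identifiers: the Identity Center instance ARN,
# the AdminAccess group's id in the identity store, and the two member accounts.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE0000000000"
ADMIN_GROUP_ID = "00000000-0000-0000-0000-000000000000"
ACCOUNTS = {"prod": "111111111111", "staging": "222222222222"}


def session_duration(hours):
    """ISO 8601 duration string for a permission set's SessionDuration.
    Identity Center allows 1 to 12 hours; this example accepts whole hours only."""
    if not isinstance(hours, int) or not 1 <= hours <= 12:
        raise ValueError("session duration must be 1..12 whole hours")
    return f"PT{hours}H"


def managed_policy_arn(policy_name):
    """ARN of an AWS managed policy such as AdministratorAccess or ReadOnlyAccess."""
    if not re.fullmatch(r"[A-Za-z0-9+=,.@_-]+", policy_name):
        raise ValueError(f"bad policy name: {policy_name!r}")
    return f"arn:aws:iam::aws:policy/{policy_name}"


def build_plan(name, policy_name, hours, account_ids, group_id, instance_arn=INSTANCE_ARN):
    """Describe the console steps as API request parameters, without calling AWS."""
    for acct in account_ids:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct}")
    warnings = []
    if policy_name == "AdministratorAccess" and hours > 1:
        warnings.append("AdministratorAccess with a session longer than the recommended 1 hour")
    return {
        "permission_set": {
            "InstanceArn": instance_arn,
            "Name": name,
            "SessionDuration": session_duration(hours),
            "Description": f"{policy_name} for group {group_id}",
        },
        "managed_policy_arn": managed_policy_arn(policy_name),
        # One assignment per account; PermissionSetArn is filled in once the set exists.
        "assignments": [
            {
                "InstanceArn": instance_arn,
                "TargetId": acct,
                "TargetType": "AWS_ACCOUNT",
                "PermissionSetArn": None,
                "PrincipalType": "GROUP",
                "PrincipalId": group_id,
            }
            for acct in account_ids
        ],
        "warnings": warnings,
    }


def apply_plan(plan, sso_admin):
    """Execute the plan against a boto3 'sso-admin' client (or a fake for a dry run).
    Returns the new permission set ARN and the number of assignments requested."""
    created = sso_admin.create_permission_set(**plan["permission_set"])
    ps_arn = created["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=plan["permission_set"]["InstanceArn"],
        PermissionSetArn=ps_arn,
        ManagedPolicyArn=plan["managed_policy_arn"],
    )
    for req in plan["assignments"]:
        sso_admin.create_account_assignment(**{**req, "PermissionSetArn": ps_arn})
    return ps_arn, len(plan["assignments"])


if __name__ == "__main__":
    import boto3  # only needed for a real run with configured credentials

    plan = build_plan("AdministratorAccess", "AdministratorAccess", 1,
                      list(ACCOUNTS.values()), ADMIN_GROUP_ID)
    for w in plan["warnings"]:
        print("warning:", w)
    print(apply_plan(plan, boto3.client("sso-admin")))
```

Keeping `build_plan` free of network calls means the same validation (and the AdministratorAccess session warning) can be reviewed or unit-tested before anything is created; `create_account_assignment` is asynchronous on the AWS side, so a real run should poll the returned request status before assuming the assignment is active.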
🎉 Great Job!
You've successfully:
- Created separate AWS accounts for production and staging.
- Created a group and user for efficient permission management.
- Established a permission set to control access levels.
- Assigned the permission set to your accounts.
We've only created an AdministratorAccess permission set, but in the real world you can create permission sets like ReadOnlyAccess, or customize them for each user account or group.
Sticking to best practices can be time-consuming, but it's crucial for security and scalability. Kudos for making it through this essential setup!