Guided Lab: Exploring AWS Identity and Access Management (IAM)
Lab overview and objectives
In this lab, you explore users and groups and inspect the policies associated with them in the AWS Identity and Access Management (IAM) service. You also add users to groups and verify the permissions they inherit.

After completing this lab, you should be able to do the following:

- Explore pre-created IAM users and groups.

- Inspect IAM policies as they were applied to the pre-created groups.

- Follow a real-world scenario while adding users to groups that have specific capabilities enabled.

- Locate and use the IAM sign-in URL.

- Test the effects of policies on service access.

Task 1: Explore the users and groups, and inspect policies
In this task, you explore the users and groups that were created for you in IAM.

First, note the Region that you are in; for example, N. Virginia. The Region is displayed in the upper-right corner of the console page.

![Region](images/region.png)

You might need this information later in the lab.

Choose the Services menu, locate the Security, Identity, & Compliance services, and choose IAM.

![Service-menu-iam](images/service-menu-iam.png)

In the navigation pane on the left, choose Users.

The following IAM users were created for you:

- user-1

- user-2

- user-3

![iam-panel-users](images/panel-users.png)

Choose the name of user-1.

This brings you to a summary page for user-1. The Permissions tab is displayed.

Notice that user-1 does not have any permissions.

![user1-summary](images/user1-summary.png)

Choose the Groups tab.

Notice that user-1 also is not a member of any groups.

![user1-groups](images/user1-groups.png)

Choose the Security credentials tab.

Notice that user-1 is assigned a Console password. This allows the user to access the AWS Management Console.

![user1-sec-credentials](images/user1-sec-cre.png)

In the navigation pane on the left, choose User groups.

The following groups were created for you:

- EC2-Admin

- EC2-Support

- S3-Support

![user-groups](images/user-groups.png)

Choose the name of the EC2-Support group.

This brings you to the summary page for the EC2-Support group.

![ec2-summary](images/ec2-support-summary.png)

Choose the Permissions tab.

This group has a managed policy called AmazonEC2ReadOnlyAccess attached to it. Managed policies are prebuilt policies (built either by AWS or by your administrators) that can be attached to IAM users and groups. When a managed policy is updated, the change takes effect immediately for every user and group to which the policy is attached.

Below Policy Name, choose the link for the AmazonEC2ReadOnlyAccess policy.

Choose the JSON tab.

A policy defines which actions are allowed or denied for specific AWS resources. This policy grants permission to List and Describe (view) information about Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, Amazon CloudWatch, and Amazon EC2 Auto Scaling. The ability to view resources but not modify them is ideal for a support role.

Statements in an IAM policy have the following basic structure:

- Effect says whether to Allow or Deny the permissions.

- Action specifies the API calls that can be made against an AWS service (for example, cloudwatch:ListMetrics).

- Resource defines the scope of entities covered by the policy rule (for example, a specific Amazon Simple Storage Service [Amazon S3] bucket or Amazon EC2 instance; an asterisk [ * ] means any resource).

![ec2-support-policy](images/ec2-support-policy.png)

In the navigation pane on the left, choose User groups.

Choose the name of the S3-Support group.

Choose the Permissions tab.

The S3-Support group has the AmazonS3ReadOnlyAccess policy attached.

![s3-support-summary](images/s3-support-summary.png)

Below Policy Name, choose the link for the AmazonS3ReadOnlyAccess policy.

Choose the JSON tab.

This policy allows Get and List actions on all resources in Amazon S3.

![s3-support-json](images/s3-support-json.png)

In the navigation pane on the left, choose User groups.

Choose the name of the EC2-Admin group.

Choose the Permissions tab.

This group is different from the other two. Instead of a managed policy, the group has an inline policy, which is a policy embedded directly in a single user or group. Inline policies are typically used to apply permissions for specific situations.

![ec2-admin-summary](images/ec2-admin-summary.png)

Below Policy Name, choose the name of the EC2-Admin-Policy policy.

Choose the JSON tab.

This policy grants permission to Describe information about Amazon EC2 instances and the ability to Start and Stop instances.

![ec2-admin-json](images/ec2-admin-json.png)

At the bottom of the screen, choose Cancel to close the policy, and then choose Continue.
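As an added illustration that is not part of the lab's own material, the following Python script models how IAM evaluates the Effect/Action/Resource statements inspected in Task 1 against a requested action: an explicit Deny always wins, a matching Allow grants, and anything else is implicitly denied. The three policy documents are constructed simplifications of AmazonEC2ReadOnlyAccess, AmazonS3ReadOnlyAccess and EC2-Admin-Policy (not the exact AWS text), and the `GROUP_POLICIES` mapping and the `statements_for` and `evaluate` functions are assumptions made for this example.

```python
import fnmatch

# Constructed simplifications of the three policies inspected in Task 1
# (not the exact AWS managed-policy text); the Effect/Action/Resource
# structure and the read-only intent are what matter here.
POLICIES = {
    "AmazonEC2ReadOnlyAccess": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                    "cloudwatch:ListMetrics", "cloudwatch:Describe*",
                    "autoscaling:Describe*"]}],
    "AmazonS3ReadOnlyAccess": [
        {"Effect": "Allow", "Resource": "*", "Action": ["s3:Get*", "s3:List*"]}],
    "EC2-Admin-Policy": [  # inline policy on the EC2-Admin group
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]}],
}
# Group -> attached policies, as shown in the lab's IAM console.
GROUP_POLICIES = {
    "EC2-Support": ["AmazonEC2ReadOnlyAccess"],
    "S3-Support": ["AmazonS3ReadOnlyAccess"],
    "EC2-Admin": ["EC2-Admin-Policy"],
}

def _matches(patterns, value):
    """True if value matches any pattern; '*' is the IAM wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def statements_for(groups):
    """Every statement a user inherits through membership in these groups."""
    return [s for g in groups for p in GROUP_POLICIES.get(g, []) for s in POLICIES[p]]

def evaluate(statements, action, resource="*"):
    """Simplified IAM decision for identity-based policies only:
    an explicit Deny always wins, a matching Allow grants, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not _matches([a.lower() for a in actions], action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

Running `evaluate(statements_for(["S3-Support"]), "s3:PutObject")` returns `ImplicitDeny` while the same user's `s3:GetObject` request returns `Allow`, which is the read-only behaviour you verify later in the lab.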

Business scenario
For the remainder of this lab, you work with these users and groups to enable permissions that support the following business scenario.

Your company is growing its use of AWS services and is using many Amazon EC2 instances and Amazon S3 buckets. You want to give access to new staff based on their job function, as indicated in the following table:

| User | In Group | Permissions |
| --- | --- | --- |
| user-1 | S3-Support | Read-only access to Amazon S3 |
| user-2 | EC2-Support | Read-only access to Amazon EC2 |
| user-3 | EC2-Admin | View, Start, and Stop Amazon EC2 instances |