# User Management with IAM

### Introduction

In this lesson, we'll work with the **Identity and Access Management** service from AWS, *IAM*.  IAM is important because it lets an organization determine who has access to what.  There may be certain departments that we want to be able to view certain software but not alter it.  And there may be other systems -- like a database perhaps -- that we want to restrict access to as well.  IAM is how we'll manage this.

In this lesson, we'll start with our root user, and use it to create and grant access to new users on our account.  Let's get started.

### Our Strategy

Now our strategy for creating users on the same account will be the same strategy we saw with services like postgres.  That is, we have a **root user**, and this user will grant permissions to other users called IAM users.  


* **Root user**: In charge of permissions.  The root user creates and manages the access of other users.  The root user does not carry out any other changes to our cloud resources.

* **IAM users**: Granted various levels of access and ability to change our AWS cloud resources. They take direct action to deploy and alter our cloud resources.

Our root user was created automatically when we signed up for our AWS account.  We still need to create an IAM user, and then we can get to managing the IAM users.

We manage our IAM users by going to IAM services.  


1. Go to IAM by [clicking here](https://console.aws.amazon.com/iam/), or by searching for IAM from the AWS management console.

<img src="./iam-clipped.png" width="80%">


2. Then, on the right hand panel, click Users, followed by Add User.

<img src="./users-add-user.png" width="60%">

3. On the *Add user* form, enter the user name and enable both kinds of access: programmatic access, which allows access from the AWS CLI (which we'll learn about next), and AWS console access, which allows logging in through the AWS website.

<img src="./add-user.png" width="70%">

4. Then go to the Set Permissions page.

Now that we've created our new user, it's time to give this user some access.

1. In **Set Permissions** click on Attach Existing Policies Directly, and then **Administrator Access**

<img src="./administrator-access.png">



Click on Tags, then click next.  And at this point, we've used our root user to create a new user, and we've given this new user Administrator Access.  Your review page may look something like the following:

<img src="./iam-review.png" width="60%">

Ok, if we go to the next page, we'll see the following.  

> **Do not proceed beyond this page before reading the rest of the lesson**.

<img src="./iam-success.png" width="70%">

This page is quite informative.  It shows us the two ways that the account can be accessed.  The first is through the link in the green box, where users can sign in to the AWS management console.

The second is through the AWS CLI, with the Access Key ID and the Secret Access Key.  We're going to be using that second way, so **be sure to click on the gray `Download .csv` button on the left**.  If you don't do that, the access key ID and secret access key will not be available.

Then, just for good measure, click on the link in the green box that allows sign-ins through the AWS management console.  Sign in with the user and password you specified in the previous section.  When you log in, notice in the top right that you are logged in as that user.

<img src="./signin-aws.png" width="90%">
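One way to handle the file from the `Download .csv` step ahead of the AWS CLI lesson, as an added example that is not part of the original lesson: it reads the access key pair from the CSV and writes it to an AWS CLI credentials file that only the file's owner can read. The column names, the profile name and the sample row (built from the placeholder keys used in AWS documentation) are assumptions, so check them against your own file.

```python
import configparser
import csv
import io
import os
from pathlib import Path

# Assumed header names of the console's credentials .csv; adjust if yours differ.
USER_COL = "User name"
KEY_ID_COL = "Access key ID"
SECRET_COL = "Secret access key"

def read_credentials_csv(text):
    """Return (user, key_id, secret) from the first data row of the CSV text."""
    rows = list(csv.DictReader(io.StringIO(text.lstrip("\ufeff"))))
    if not rows:
        raise ValueError("credentials CSV has no data row")
    row = {k.strip(): (v or "").strip() for k, v in rows[0].items() if k}
    missing = [c for c in (KEY_ID_COL, SECRET_COL) if not row.get(c)]
    if missing:
        raise ValueError(f"missing column(s): {missing}")
    return row.get(USER_COL, ""), row[KEY_ID_COL], row[SECRET_COL]

def write_profile(cred_file, profile, key_id, secret):
    """Add or replace one profile in an AWS CLI credentials file, mode 0600."""
    cred_file = Path(cred_file)
    cred_file.parent.mkdir(parents=True, exist_ok=True)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(cred_file)  # keep any profiles already in the file
    cfg[profile] = {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
    # Create the file owner-only from the start instead of chmod-ing afterwards.
    fd = os.open(cred_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(cred_file, 0o600)  # also tightens a pre-existing, looser file
    return cred_file.stat().st_mode & 0o777

# Constructed sample row; the keys are the placeholders from AWS documentation.
SAMPLE_CSV = (
    "User name,Password,Access key ID,Secret access key,Console login link\n"
    "example-user,,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,"
    "https://123456789012.signin.aws.amazon.com/console\n"
)

if __name__ == "__main__":
    import tempfile
    user, key_id, secret = read_credentials_csv(SAMPLE_CSV)
    with tempfile.TemporaryDirectory() as d:
        mode = write_profile(Path(d) / "credentials", user, key_id, secret)
        print(user, key_id, oct(mode))  # the secret itself is never printed
```

Once the profile is written, the downloaded .csv is a second copy of the same long-lived secret and can be deleted or moved into a password manager.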

### Summary

In this lesson, we learned about using the Identity and Access Management service (IAM) on AWS. We did so by using our root user to create a new IAM user, and giving that user administrator access.  We also specified that we can access AWS as this new user through both console access and programmatic access.  We already signed in via console access.  We'll cover programmatic access through the AWS CLI.

### Resources

[AWS Security Credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html)

[AWS Reactivate Suspended Account](https://aws.amazon.com/premiumsupport/knowledge-center/reactivate-suspended-account/)