It’s hard to scale or control permissions for many users with plain IAM users. AWS recommends IAM Identity Center to manage your organization’s user profiles. You can also connect IAM Identity Center to an external identity source or SSO provider, like Microsoft Active Directory (Microsoft AD).
To keep this article simple, we will just use IAM Identity Center as our primary source of users.
Step 1: First, let’s create a sandbox account (unless you are setting this up for a production environment).
Click on ‘Add an AWS account’
Fill in the fields with your sandbox, staging, production, or any name you prefer.
Okay, now you see the new account.
Step 2: Search for IAM and click on IAM Identity Center.
To keep it simple, we will just create one group with two users.
Let’s create a group first and call it “developers”, for example.
Now, we will add the users. Create a user for yourself and a developer.
Select the group that you just created for the user being created.
Click Next, then Next again.
Step 3: Create a permission set for the group.
In our example, we won’t be using the principle of least privilege, which involves giving the group/user access only to what they need. I strongly recommend using this principle, but it’s a different subject that I won’t cover here. In the next steps, we will simply assign all S3 permissions to the group.
Select ‘Custom permission set’, which gives us more freedom to choose what the group is allowed to do. After that, select ‘Inline policy’.
In the actions, let’s look for ‘S3’:
Select S3, “All actions.” Please remember, if you are using a production/staging environment, I would recommend applying the principle of least privilege instead of adding all actions to the group.
We are almost there now.
Go back to the AWS accounts menu. Select the account to which you want to assign the new permission set and group. Click on “Assign users or groups” and select the group that you created. Do the same for the permission set, selecting the one you created in Step 3.
That’s it: you and the other users in the group can now sign in through the IAM Identity Center URL and create and manage an S3 bucket.
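The inline policy produced by the “S3, All actions” choice in Step 3 is just a JSON document, and the same permission set and group assignment can be created from code instead of the console. The script below is an added example, not code from the original article: it builds that policy, builds the single-bucket alternative the article recommends instead for staging or production, runs a small review that flags wildcard actions and resources, and (optionally) applies the policy and the account assignment through boto3’s `sso-admin` client. The bucket name, ARNs and IDs are placeholders; `apply_permission_set` requires boto3 and credentials allowed to administer IAM Identity Center, and is never called by the pure helpers or the tests.

```python
"""Build, review and optionally apply an IAM Identity Center permission-set inline policy.

Added illustration for the tutorial above; not code from the original article.
boto3 is imported only inside apply_permission_set(), so the policy helpers run
offline. All ARNs, account IDs, group IDs and bucket names are placeholders.
"""
import json


def s3_all_actions_policy() -> dict:
    """Inline policy equivalent to selecting S3 -> 'All actions' in the console."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
        ],
    }


def s3_single_bucket_policy(bucket: str) -> dict:
    """Least-privilege alternative: list and read/write objects in one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant wildcard actions or resources."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wide_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wide_actions:
            findings.append(f"{sid}: wildcard action(s) {wide_actions}")
        if "*" in resources:
            findings.append(f"{sid}: applies to every resource (Resource '*')")
    return findings


def apply_permission_set(instance_arn, permission_set_arn, account_id, group_id, policy):
    """Attach the inline policy to an existing permission set and assign the group
    to the account: the API equivalent of the console steps above (assumed usage of
    boto3's sso-admin client; placeholder ARNs/IDs must be replaced by the caller)."""
    import boto3  # lazy import so the helpers above work without boto3 installed

    sso = boto3.client("sso-admin")
    sso.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=permission_set_arn,
        InlinePolicy=json.dumps(policy),
    )
    return sso.create_account_assignment(
        InstanceArn=instance_arn,
        TargetId=account_id,
        TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn,
        PrincipalType="GROUP",
        PrincipalId=group_id,
    )


if __name__ == "__main__":
    # Compare the tutorial's policy with the scoped one before attaching anything.
    for name, policy in (
        ("S3 all actions", s3_all_actions_policy()),
        ("single bucket", s3_single_bucket_policy("example-sandbox-bucket")),  # constructed name
    ):
        print(f"== {name} ==")
        print(json.dumps(policy, indent=2))
        print("review findings:", review_policy(policy) or "none")
```

Running the script prints both policy documents and the review findings: the “All actions” policy is flagged twice (wildcard action and wildcard resource), the single-bucket policy is clean. Feed the chosen document to `apply_permission_set` only after the review comes back the way you expect for the environment in question.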