CloudWiki
Resource

IAM User

Amazon Web Services
Permissions
An IAM user is an entity that represents a single person or an application associated with permissions and credentials to interact with AWS resources according to permissions policies they are associated with.
Terraform Name
terraform
aws_iam_user
IAM User
attributes:
  • name - (Required) The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser".
  • path - (Optional, default "/") Path in which to create the user.
  • permissions_boundary - (Optional) The ARN of the policy that is used to set the permissions boundary for the user.
  • force_destroy - (Optional, default false) When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed.
  • tags - Key-value map of tags for the IAM user. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with a
IAM User
Resources do not "belong" to a
IAM User
Rather, one or more Security Groups are associated to a resource.
Create
IAM User
via Terraform:
The following HCL creates an IAM user
Syntax:

resource "aws_iam_user" "lb" {
 name = "loadbalancer"
 path = "/system/"

 tags = {
   tag-key = "tag-value"
 }
}

resource "aws_iam_access_key" "lb" {
 user = aws_iam_user.lb.name
}

resource "aws_iam_user_policy" "lb_ro" {
 name = "test"
 user = aws_iam_user.lb.name

 policy = <<EOF
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Action": [
       "ec2:Describe*"
     ],
     "Effect": "Allow",
     "Resource": "*"
   }
 ]
}
EOF
}

Create
IAM User
via CLI:
Parametres:

create-user
[--path <value>]
--user-name <value>
[--permissions-boundary <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam create-user --user-name Bob

aws cost
Costs
The cost of using Identity and Access Management (IAM) features is free, as it is included in the overall cost of using Amazon Web Services (AWS). There are no charges for creating or using IAM users, groups, roles, or policies. However, some AWS services, such as Amazon S3 or Amazon EC2, may incur charges for using IAM features, such as creating an IAM role to access an Amazon S3 bucket or an Amazon EC2 instance.
Direct Cost

--

Indirect Cost
No items found.
Best Practices for
IAM User

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Amazon Web Services