This content originally appeared on DEV Community and was authored by Emmanuel Kariithi
Introduction
When I first started exploring AWS, I quickly realized that reading docs and watching tutorials wasn’t enough for me. I wanted to get my hands dirty with real projects. The problem was that most resources either covered concepts without context or jumped straight into production-level setups without explaining the “why.”
After some searching, I came across a course called AWS Mastery: 26 AWS Cloud Projects for Engineers & Architect on Udemy by Pravin Mishra. What I love about this course is that it isn’t just theory; it focuses on practical, project-based learning.
So I’ve decided to take on a personal challenge of working through each project without looking at the solutions while documenting my process here in this little world of mine. This way, I can build confidence while also creating a guide that other beginners can follow.
This article is the first in that journey.
Table of Contents
- Project Overview
- What is AWS IAM?
- Step 1: Create the Admins Group
- Step 2: Create the Developers Group
- Step 3: Create the Test Group
- Step 4: Add Users to Groups
- Step 5: Enable Multi-Factor Authentication (MFA)
- Step 6: Set Up Regular Access Reviews
- Wrap Up
- Key Takeaways
Project Overview
In this task, I’m stepping into the role of a Cloud Security Administrator for a fictional company called ComiCloud, a comics delivery service / store. The goal is to set up a structured IAM environment that’s both secure and easy to manage.
The main tasks are:
- Create IAM groups (Admins, Developers, Testers) with appropriate permissions.
- Add users to the right groups (including cross-functional users).
- Configure security best practices like MFA.
- Set up a process for regular access reviews.
So, what is AWS IAM (Identity and Access Management)?
According to the official AWS documentation, AWS IAM is a web service that helps you securely control access to AWS resources. IAM manages the permissions that determine which AWS resources users can access.
Since it’s risky to use the AWS root account for daily operations and most organizations have multiple users who need different levels of access, AWS Identity and Access Management (IAM) is essential for securely managing who can access what.
Example: Imagine a small startup (like ComiCloud) building a web application on AWS. The admin team needs full control to set up services, developers need access to services like EC2 and S3 (don’t worry, we’ll cover these in future projects) to run and store code, while testers only need read-only permissions to validate features. With IAM, you can create groups for admins, developers and testers and assign the right permissions to each, so everyone has just enough access to do their job and nothing more. This is known as the principle of least privilege.
Phew! That felt like a long introduction. Let’s get our hands dirty, shall we?
Oh, before I forget, you’ll need to create an AWS account first. AWS usually gives new accounts free credits (around $100), which is more than enough for experimenting (Used to be 12 months free for a number of services).
Step 1: Create the Admins Group
The first step is to create an Admins group and give it full administrator access.
- Log in to the AWS Management Console and open IAM.
- Navigate to User Groups, then Create group.
- Enter Admins as the group name.
- Attach the AdministratorAccess policy; you can search for it in the search bar if it doesn’t appear at the top.
- Click Create group.
Now we have a dedicated Admins group with full privileges.
Step 2: Create the Developers Group
Next, set up the Developers group with the following policies, which grant access to EC2, S3 and RDS:
- AmazonEC2FullAccess
- AmazonS3FullAccess
- AmazonRDSFullAccess
The process is identical to creating the Admins group, just enter Developers as the name and attach the three policies.
Our Developers group is now ready.
Step 3: Create the Test Group
For the Testers, create a group named Test and attach the ReadOnlyAccess policy.
Repeat the same steps as before (create group → name → attach policy → create).
You should now see all three groups (Admins, Developers and Test) in your console.
Step 4: Add Users to Groups
With groups ready, it’s time to create and add users.
Our fictional organization has the following users:
- Admins: John_Admin, Lisa_Admin, Raj_Admin
- Developers: Alice_Dev, Mark_Dev, Priya_Dev
- Testers: Sam_Test, Nina_Test, Carlos_Test
- Cross-functional: Alex_DevOps (belongs to both Developers and Test groups).
I will show you how to create a user and you will create the others since the steps are similar for each user.
- In the IAM dashboard, select Users.
- Select Create user.
- Enter John_Admin as the username and check the ‘Provide user access to the AWS Management Console’ checkbox.
- Select ‘I want to create an IAM user’, choose whether to autogenerate a password or set a custom one, and click Next.
- Select Add user to group, select the Admins group and click Next.
- Click Create user. The next page will prompt you to download the user’s login credentials; make sure you download the .csv file and store it safely.
Repeat the same process for the other users and remember to add each user to their respective group. For Alex_DevOps, select both Developers and Test.
At this point, your IAM environment should have all groups and users properly configured.
Step 5: Enable Multi-Factor Authentication (MFA)
Security best practices recommend enabling MFA for all users and it’s mandatory for Admins. MFA adds an extra layer of security by requiring not just a password, but also a temporary code from an authenticator app or device.
Here’s how to enable MFA for a user (we’ll start with John_Admin):
- Go to IAM → Users.
- Select the user John_Admin.
- Open the Security credentials tab.
- Under Multi-factor authentication (MFA), click Assign MFA device.
- Enter a name for the MFA device, choose Authenticator app and click Next.
- Follow the instructions on that page, enter the two consecutive codes from the app and click Add MFA.
MFA is now enabled for John_Admin.
Repeat the same process for the other two Admins (Lisa_Admin and Raj_Admin).
Step 6: Set Up Regular Access Reviews
Creating groups and assigning users is just the beginning. To keep your AWS environment secure, you need to perform regular access reviews, ideally once per quarter.
Here’s what to check during a review:
- Group Memberships
  - Go to IAM → Groups → Users tab and verify each user is still in the right group.
  - Remove users who no longer need access.
- Policies
  - For each group, open the Permissions tab.
  - Confirm only the necessary policies are attached.
  - Remove or adjust any that seem too broad.
- MFA Status
  - In IAM → Users, check the MFA column.
  - Make sure all Admins have MFA enabled.
- Credential Rotation
  - Remind users to rotate passwords and access keys every 90 days.
- Document Changes
  - Keep a simple log of any modifications (e.g., add/remove user, updated policy).
  - You could store this securely in an internal wiki or even an encrypted S3 bucket.
This process helps maintain the principle of least privilege and ensures your IAM setup stays secure over time.
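To make the quarterly review repeatable, here is an added Python example (my own, not part of the course or the original write-up) that encodes the group and user layout from Step 4 as the expected state and runs the Step 6 checks against a snapshot of what IAM actually contains. The snapshot is constructed by hand to stand in for data you would pull from IAM (attached group policies, each user’s groups, and the credential report); the findings it produces are the entries for your change log.

```python
# Desired state, exactly as built in Steps 1 to 4 of the write-up.
EXPECTED_POLICIES = {
    "Admins": {"AdministratorAccess"},
    "Developers": {"AmazonEC2FullAccess", "AmazonS3FullAccess", "AmazonRDSFullAccess"},
    "Test": {"ReadOnlyAccess"},
}
EXPECTED_GROUPS = {
    "John_Admin": {"Admins"}, "Lisa_Admin": {"Admins"}, "Raj_Admin": {"Admins"},
    "Alice_Dev": {"Developers"}, "Mark_Dev": {"Developers"}, "Priya_Dev": {"Developers"},
    "Sam_Test": {"Test"}, "Nina_Test": {"Test"}, "Carlos_Test": {"Test"},
    "Alex_DevOps": {"Developers", "Test"},
}
ROTATION_DAYS = 90  # rotation window from the Credential Rotation check

# Constructed snapshot standing in for what IAM reports. Per user:
# (groups, mfa_active, password_age_days, oldest_access_key_age_days or None)
SNAPSHOT = {
    "groups": {
        "Admins": {"AdministratorAccess"},
        "Developers": {"AmazonEC2FullAccess", "AmazonS3FullAccess",
                       "AmazonRDSFullAccess", "IAMFullAccess"},  # drifted
        "Test": {"ReadOnlyAccess"},
    },
    "users": {
        "John_Admin": ({"Admins"}, True, 30, None),
        "Lisa_Admin": ({"Admins"}, False, 30, None),  # Admin without MFA
        "Alice_Dev": ({"Developers"}, True, 100, 200),  # stale credentials
        "Alex_DevOps": ({"Developers", "Test", "Admins"}, True, 10, None),  # drift
        "Old_Contractor": ({"Developers"}, False, 400, None),  # not on the roster
    },
}

def review(snapshot):
    # Returns one line per finding; an empty list means the review passed.
    findings = []
    for group, policies in snapshot["groups"].items():
        extra = policies - EXPECTED_POLICIES.get(group, set())
        if extra:
            findings.append(f"{group}: unexpected policies {sorted(extra)}")
    for user, (groups, mfa, pw_age, key_age) in snapshot["users"].items():
        expected = EXPECTED_GROUPS.get(user)
        if expected is None:
            findings.append(f"{user}: not on the roster, remove or justify")
        elif groups != expected:
            findings.append(f"{user}: in {sorted(groups)}, expected {sorted(expected)}")
        if "Admins" in groups and not mfa:
            findings.append(f"{user}: Admin without MFA")
        if pw_age > ROTATION_DAYS or (key_age or 0) > ROTATION_DAYS:
            findings.append(f"{user}: credentials older than {ROTATION_DAYS} days")
    return findings
```

Run `review(SNAPSHOT)` and each returned line maps to one of the five checks above; the cross-functional Alex_DevOps is flagged only because an extra Admins membership crept in, not for being in both Developers and Test.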
Wrap Up
That’s a wrap! We’ve just built a complete role-based access management system in AWS using IAM. Yaaay!
Key Takeaways
- Never use the root account for daily operations.
- IAM groups make it easy to manage permissions at scale.
- Always follow the principle of least privilege (users get only the access they need).
- MFA is non-negotiable for Admins.
- Regular access reviews help keep your environment secure over time.
This is just the first step in my AWS project journey. Next up, I’ll be tackling more hands-on projects, from setting up EC2 and S3, to building entire cloud-native applications.
If you’re learning AWS too, I encourage you to try this out in your own account. Don’t worry if you get stuck, that’s part of the process. The important thing is to keep experimenting and building.
Stay tuned for the next article where we’ll dive into more AWS services and put them into action.
Until then, happy cloud building! Turus!