This content originally appeared on DEV Community and was authored by Udoh Deborah
What is AWS?
Amazon Web Services (AWS) is the world’s most widely adopted cloud platform, offering over 200 fully featured services. From compute power (EC2), to databases (RDS), networking (VPC), and storage (S3) — AWS enables you to build, scale, and manage applications without worrying about physical infrastructure.
The best part? AWS offers a Free Tier, which is perfect for students and beginners to gain hands-on experience while learning.
What is IAM (Identity & Access Management)?
IAM is the AWS service that helps you securely control access to your AWS resources. Instead of giving everyone full permissions, IAM allows you to define:
• Authentication → Who can log in to your AWS account (e.g., users).
• Authorization → What actions they can perform (e.g., start EC2, read S3 buckets).
• Groups & Policies → Organize users into groups (like DevOps, Developers, Admins) and apply rules that define permissions.
In real-world DevOps teams, IAM ensures security, collaboration, and accountability by giving everyone the right level of access.
Hands-On Tasks for Day 38
Download the Jenkins + Docker installer script
Download the sample DevOps EC2 IAM policy JSON
Prereqs (once)
1. Create an AWS account (Free Tier) and sign in as the account root only for this setup; create an administrator IAM user (or role) for day-to-day work and stop using root once it exists.
2. Turn on MFA for the root account (account menu > Security credentials > Multi-factor authentication (MFA)).
3. Install the AWS CLI on your laptop; you will sign in later with your IAM user's access key, never with root credentials.
4. Pick a region (e.g., us-east-1) and stick to it.
Task 1 — Create IAM user, launch EC2, install Jenkins & Docker
A. Create an IAM User (least-privilege or learning-fast)
Console path: IAM > Users > Create user
• Name: e.g., devuser
• Console access: leave it off; this user only needs programmatic (CLI) access.
• Permissions (choose one):
• Learning-fast: Attach the AWS managed policy AmazonEC2FullAccess (acceptable for a throwaway lab account, but note that it also lets the user stop, terminate or reconfigure every instance, volume and security group in the account).
• Safer custom: Create a policy from iam-devops-ec2-policy.json (download above), then attach it.
Finish, then open the new user > Security credentials > Create access key (use case: Command Line Interface) and download the CSV. The secret access key is shown once; store it like a password and delete the CSV once aws configure has it.
Tip: You can also put this user in a group (e.g., DevOps) and attach the policy to the group.
B. Configure AWS CLI on your laptop for this user
aws configure --profile devuser
Paste Access key ID / Secret access key from CSV
Default region: us-east-1 (or your choice)
Default output: json
C. Create a key pair (for SSH) and a security group
export AWS_PROFILE=devuser
export AWS_REGION=us-east-1
# 1) Create key pair and save locally
aws ec2 create-key-pair \
--key-name devuser-key \
--query 'KeyMaterial' \
--output text --region $AWS_REGION > devuser-key.pem
chmod 400 devuser-key.pem
# 2) Get default VPC ID (prints "None" if the account has no default VPC;
#    create one with: aws ec2 create-default-vpc --region $AWS_REGION)
VPC_ID=$(aws ec2 describe-vpcs --filters Name=isDefault,Values=true \
--query 'Vpcs[0].VpcId' --output text --region $AWS_REGION)
# 3) Create a security group that allows SSH(22) + Jenkins(8080)
aws ec2 create-security-group \
--group-name jenkins-sg \
--description "SSH and Jenkins access" \
--vpc-id $VPC_ID --region $AWS_REGION
SG_ID=$(aws ec2 describe-security-groups \
--filters Name=group-name,Values=jenkins-sg \
--query 'SecurityGroups[0].GroupId' --output text --region $AWS_REGION)
# 4) Allow your IP on SSH (22)
MYIP=$(curl -s https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress \
--group-id $SG_ID --protocol tcp --port 22 \
--cidr ${MYIP}/32 --region $AWS_REGION
# 5) Open Jenkins (8080). Restrict it to your IP as well: until the setup wizard
#    is finished, the initial admin password is all that protects a fresh Jenkins,
#    so a world-open 8080 is exposed to the whole internet during setup.
#    Use --cidr 0.0.0.0/0 only for a short-lived lab you terminate the same day.
aws ec2 authorize-security-group-ingress \
--group-id $SG_ID --protocol tcp --port 8080 \
--cidr ${MYIP}/32 --region $AWS_REGION
D. Find a current Ubuntu AMI (easy & reliable)
# Canonical publishes latest Ubuntu AMIs via SSM Parameter Store
AMI_ID=$(aws ssm get-parameters \
--names /aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp3/ami-id \
--query 'Parameters[0].Value' --output text --region $AWS_REGION)
echo $AMI_ID
E. Launch an EC2 instance (t2.micro Free Tier) and auto-install Jenkins & Docker
1. Save the script you downloaded as install_jenkins_docker.sh in your current folder.
2. Run:
chmod +x install_jenkins_docker.sh
aws ec2 run-instances \
--image-id "$AMI_ID" \
--instance-type t2.micro \
--key-name devuser-key \
--security-group-ids "$SG_ID" \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=jenkins-docker}]' \
--user-data file://install_jenkins_docker.sh \
--region $AWS_REGION \
--count 1
What this does: cloud-init runs the script once, as root, at first boot. It installs Docker + Jenkins, enables both services, and prints the Jenkins initial admin password into /var/log/cloud-init-output.log (the password always lives in /var/lib/jenkins/secrets/initialAdminPassword as well). Treat that log as a secret: cloud-init mirrors script output to the instance's system console, which anyone with ec2:GetConsoleOutput can fetch with aws ec2 get-console-output, and whoever enters that password first owns the Jenkins admin account. The package installs take a few minutes, so port 8080 will not answer immediately after launch.
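The installer script the article links to is not reproduced on this page. The following is an added example of my own, not the author's download: it renders a user-data script that installs Docker and Jenkins LTS on Ubuntu 22.04 and lints the result locally before it is handed to run-instances. Package names and the Jenkins repository and key URL follow the Jenkins Debian install documentation; the output file name, the wait loop and the decision not to echo the password are this example's choices.

```shell
#!/bin/sh
# Added example (not the article's downloadable script): renders the cloud-init
# user-data for the Jenkins + Docker lab and syntax-checks it before use.

write_install_script() {
    # $1 = output path, e.g. install_jenkins_docker.sh
    # Quoted delimiter: nothing inside is expanded on the laptop, only on the instance.
    cat > "$1" <<'EOF'
#!/bin/bash
# Runs once as root via cloud-init at first boot. -e/-u stop on the first error,
# -x echoes every command into /var/log/cloud-init-output.log for debugging.
set -eux
export DEBIAN_FRONTEND=noninteractive

apt-get update
# fontconfig + openjdk-17-jre are the Jenkins LTS runtime requirements;
# docker.io is Ubuntu's packaged Docker engine.
apt-get install -y ca-certificates curl fontconfig openjdk-17-jre docker.io

# Jenkins LTS apt repository, with its signing key pinned to a dedicated keyring
curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key \
    -o /usr/share/keyrings/jenkins-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" \
    > /etc/apt/sources.list.d/jenkins.list
apt-get update
apt-get install -y jenkins

# Let Jenkins jobs talk to the Docker daemon. Membership in the docker group is
# root-equivalent on this host: fine for a lab, not for a shared build server.
usermod -aG docker jenkins
systemctl enable --now docker
systemctl enable --now jenkins
systemctl restart jenkins   # pick up the new group membership

# Wait (up to 5 minutes) for Jenkins to generate its initial admin password.
for i in $(seq 1 60); do
    [ -s /var/lib/jenkins/secrets/initialAdminPassword ] && break
    sleep 5
done
# Deliberately NOT echoed: cloud-init mirrors script output to the instance
# console, which anyone with ec2:GetConsoleOutput can read.
echo "Jenkins is up; read the password with: sudo cat /var/lib/jenkins/secrets/initialAdminPassword"
EOF
    chmod +x "$1"
}

lint_install_script() {
    # Syntax-check the rendered script without executing anything in it.
    sh -n "$1"
}

# Usage (the file is what run-instances takes as --user-data file://...):
#   write_install_script install_jenkins_docker.sh && lint_install_script install_jenkins_docker.sh
```

Rendering the script from a function and linting it with sh -n catches the typo-in-heredoc class of mistake on the laptop instead of after a boot; the only way to see a failure inside cloud-init is to SSH in and read /var/log/cloud-init-output.log.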
F. Get the instance public DNS, SSH in (optional), and confirm
# Get instance ID + public DNS (filter on state so a terminated jenkins-docker
# instance left over from an earlier run is not picked up)
INSTANCE_ID=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=jenkins-docker" "Name=instance-state-name,Values=pending,running" \
--query 'Reservations[0].Instances[0].InstanceId' --output text --region $AWS_REGION)
# PublicDnsName is empty until the instance is running
aws ec2 wait instance-running --instance-ids "$INSTANCE_ID" --region $AWS_REGION
PUBLIC_DNS=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
--query 'Reservations[0].Instances[0].PublicDnsName' --output text --region $AWS_REGION)
echo $PUBLIC_DNS
# SSH (Ubuntu default user is 'ubuntu')
ssh -i devuser-key.pem ubuntu@$PUBLIC_DNS
# On the server (optional): check services
sudo systemctl status docker
sudo systemctl status jenkins
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
G. Open Jenkins in your browser
• Visit: http://$PUBLIC_DNS:8080 (the public DNS name printed in step F). Give the user-data script a few minutes to finish installing packages; if the page does not load, SSH in and check /var/log/cloud-init-output.log.
• Paste the Initial Admin Password
• Finish the Jenkins setup wizard (install suggested plugins, create admin user)
Task 2 — Create “DevOps Avengers” IAM users & group
A. Create a DevOps group and attach a policy
Option 1 (simple for labs): Attach AWS managed AmazonEC2FullAccess.
Option 2 (custom): Use the provided iam-devops-ec2-policy.json for a tighter EC2 scope.
# These are IAM calls, so run them as an identity that has IAM permissions: here a
# CLI profile named "admin" (aws configure --profile admin) for the administrator
# user/role created in the prereqs. devuser from Task 1 only holds EC2 permissions
# and would get AccessDenied on every command below.
# Create the group
aws iam create-group --group-name DevOps --profile admin
# If using the custom policy:
POLICY_ARN=$(aws iam create-policy \
--policy-name DevOpsEC2Policy \
--policy-document file://iam-devops-ec2-policy.json \
--query 'Policy.Arn' --output text --profile admin)
# Attach the policy
aws iam attach-group-policy \
--group-name DevOps \
--policy-arn ${POLICY_ARN} \
--profile admin
# (If you prefer the AWS managed policy instead)
# aws iam attach-group-policy --group-name DevOps \
# --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --profile admin
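The iam-devops-ec2-policy.json the article links to is not reproduced on this page. What follows is an added example of my own, not the author's file, of what a "tighter EC2 scope" policy for this lab can look like; it serves both the Task 1 "safer custom" option and Task 2 Option 2. Read-only ec2:Describe* plus the SSM parameter lookup for the AMI are allowed everywhere, the mutating actions the lab actually uses are allowed in one region only, and an explicit Deny pins RunInstances to the two Free Tier micro types. The Sid names, file name, region argument and the two local checks are this example's choices.

```shell
#!/bin/sh
# Added example, not the article's iam-devops-ec2-policy.json: renders a scoped
# EC2 policy for the lab and runs two cheap local checks before it goes to
# `aws iam create-policy`.

write_devops_ec2_policy() {
    # $1 = output path, $2 = the single region the lab may change (default us-east-1)
    region="${2:-us-east-1}"
    cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadEverywhereAndLookUpTheUbuntuAmi",
      "Effect": "Allow",
      "Action": ["ec2:Describe*", "ssm:GetParameter", "ssm:GetParameters"],
      "Resource": "*"
    },
    {
      "Sid": "ChangeThingsOnlyInTheLabRegion",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
        "ec2:TerminateInstances", "ec2:CreateTags",
        "ec2:CreateKeyPair", "ec2:DeleteKeyPair",
        "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "$region" } }
    },
    {
      "Sid": "FreeTierInstanceTypesOnly",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringNotEquals": { "ec2:InstanceType": ["t2.micro", "t3.micro"] } }
    }
  ]
}
EOF
}

validate_policy_json() {
    # Parse check only (no IAM semantics); skipped when python3 is not installed.
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$1" >/dev/null
    fi
}

policy_has_full_wildcard() {
    # Crude grep, not a policy simulator: exit 0 if the document hands out every
    # EC2 action ("ec2:*") or every action ("Action": "*") outright.
    grep -Eq '"ec2:\*"' "$1" || grep -Eq '"Action": *\[?"\*"' "$1"
}

# Usage:
#   write_devops_ec2_policy iam-devops-ec2-policy.json us-east-1
#   validate_policy_json iam-devops-ec2-policy.json && ! policy_has_full_wildcard iam-devops-ec2-policy.json
```

Compare this with AmazonEC2FullAccess, which is the "ec2:*" case the grep flags: the scoped document still lets a group member terminate any instance in the lab region, so add a tag-based condition (for example on aws:ResourceTag/Name) if the account is shared. For the authoritative answer on what a document permits, run it through aws iam simulate-custom-policy (e.g. --policy-input-list file://iam-devops-ec2-policy.json --action-names ec2:RunInstances ec2:DeleteVpc) before attaching it.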
B. Create 3 “Avengers” users and add them to the group
for u in ironman captain thor; do
aws iam create-user --user-name "$u" --profile admin
aws iam add-user-to-group --user-name "$u" --group-name DevOps --profile admin
# OPTIONAL: give each user programmatic access (CLI). The response contains the
# SecretAccessKey, so write it to a 0600 file instead of printing it to the
# terminal; hand each file to its owner out of band and delete it afterwards.
(umask 077; aws iam create-access-key --user-name "$u" --profile admin > "${u}-access-key.json")
echo "$u: access key written to ${u}-access-key.json"
done
Best practices:
• Enforce MFA on each user.
• Prefer groups + policies over attaching policies directly to users.
• Rotate keys regularly; avoid long-lived keys where possible.
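"Enforce MFA on each user" is something the group policy can do for you rather than something to remember per user. The following is an added example (not from the article), modelled on the AWS pattern that lets users manage their own MFA device: attached to the DevOps group, it denies everything except MFA setup to any member who is not in an MFA-authenticated session. The Sid names and file name are mine.

```shell
#!/bin/sh
# Added example (not from the article): an IAM policy that makes MFA mandatory
# for DevOps group members, rendered to a file for `aws iam create-policy`.

write_mfa_required_policy() {
    # $1 = output path. The delimiter is quoted so ${aws:username} reaches IAM
    # as a policy variable instead of being expanded (and rejected) by the shell.
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingVirtualMfaDevices",
      "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices",
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingOwnUser",
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowCreatingOwnVirtualMfaDevice",
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowManagingOwnMfa",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice", "iam:ListMFADevices",
        "iam:ResyncMFADevice", "iam:DeactivateMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyEverythingElseWithoutMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
        "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
    }
  ]
}
EOF
}

validate_policy_json() {
    # Parse check only (no IAM semantics); skipped when python3 is not installed.
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$1" >/dev/null
    fi
}

# Usage:
#   write_mfa_required_policy iam-require-mfa.json && validate_policy_json iam-require-mfa.json
#   aws iam create-policy --policy-name RequireMFA --policy-document file://iam-require-mfa.json --profile admin
#   aws iam attach-group-policy --group-name DevOps --policy-arn <arn printed above> --profile admin
```

Two points to understand before attaching it. BoolIfExists treats a request with no aws:MultiFactorAuthPresent key (a plain long-lived access key) the same as "false", so the Deny also covers CLI use: a member's raw access key is then only good for aws sts get-session-token --serial-number arn:aws:iam::<account-id>:mfa/<device-name> --token-code <6 digits>, and every other call has to use the temporary credentials that returns. And iam:DeactivateMFADevice is allowed only inside an MFA session on purpose: a stolen access key must not be able to switch MFA off.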
Clean up (avoid charges)
# Terminate the instance and wait until it is gone: the security group cannot be
# deleted (DependencyViolation) while an instance still references it
aws ec2 terminate-instances --instance-ids "$INSTANCE_ID" --region $AWS_REGION
aws ec2 wait instance-terminated --instance-ids "$INSTANCE_ID" --region $AWS_REGION
# Delete security group
aws ec2 delete-security-group --group-id "$SG_ID" --region $AWS_REGION
# Delete key pair (and remove local .pem if desired)
aws ec2 delete-key-pair --key-name devuser-key --region $AWS_REGION
rm -f devuser-key.pem
# The Task 2 users cost nothing, but their access keys are live credentials: if the
# "Avengers" were only for practice, delete the keys and group memberships first, then
# the users, then detach and delete the custom policy and the group.
This reflects real-life team management in AWS, where you don’t manage permissions user by user, but instead assign them to groups for consistency and scalability.
Key Takeaways from Day 38
• AWS provides the infrastructure backbone for most modern companies.
• IAM is crucial for security and access management in the cloud.
• Automating server setup with scripts saves time and reduces human error.
• Organizing teams using IAM Groups and Policies mirrors how actual DevOps teams collaborate in production.
Pro tip: Sign up for AWS Free Tier and practice hands-on. Theory only makes sense when paired with real deployments.