Create and Test User Role
3.1 Create User Role
While you are still assuming the developer-restricted-iam role you created in the previous step, create a new user role with the boundary policy attached and name it with the prefix. We will use AWS managed policies for this user role, however the createrole-restrict-region-boundary policy will allow us to create and attach our own policies, only if they have a prefix of app1.
- Verify that you are Using the developer role previously created by checking the top bar it should look like and open the IAM console at https://console.aws.amazon.com/iam/
. You will notice a number of permission denied messages as this developer role is restricted. Least privilege is a best practice!
- In the navigation pane, click Roles and then click Create role.
- Click Another AWS account, then enter your account ID that you have been using for this lab and tick Require MFA, then click Next: Permissions.
- In the search field start typing ec2full then check the box next to the AmazonEC2FullAccess policy.
- Erase your previous search and start typing lambda then check the box next to the AWSLambdaFullAccess policy.
- Expand the bottom section Set permissions boundary and click Use a permissions boundary to control the maximum role permissions. In the search field start typing boundary then click the radio button for restrict-region-boundary and then click Next: Tags.
- For this lab we will not use IAM tags, click Next: Review.
- Enter the Role name of app1-user-region-restricted-services for the role and click Create role.
- The role should create successfully if you followed all the steps. Record both the Role ARN and the link to the console.
If you receive an error message a common mistake is not changing the account number in the policies in the previous steps.
3.2 Test User Role
Now you will use an existing IAM user to assume the new app1-user-region-restricted-services role, as if you were a user who only needs to administer EC2 and Lambda in your allowed regions.
- In the console, click your role’s Display Name on the right side of the navigation bar. Click Back to your previous username. You are now back to using your original IAM user.
- In the console, click your user name on the navigation bar in the upper right. Alternatively you can paste the link in your browser that you recorded earlier for the app1-user-region-restricted-services role.
- On the Switch Role page, type the account ID number or the account alias and the name of the role app1-user-region-restricted-services that you created in the previous step.
- Select a different color to before, otherwise it will overwrite that profile in your browser.
- Click Switch Role. The display name and color replace your user name on the navigation bar, and you can start using the permissions that the role grants you.
- You are now using the user role with the only actions allowed of EC2 and Lambda in us-east-1 (North Virginia) and us-west-1 (North California) regions!
- Navigate to the EC2 Management Console in the us-east-1 region https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1
. The EC2 Dashboard should display a summary list of resources with the only error being Error retrieving resource count from Elastic Load Balancing as that requires additional permissions.
- Navigate to the EC2 Management Console in a region that is not allowed, such as ap-southeast-2 (Sydney) https://ap-southeast-2.console.aws.amazon.com/ec2/v2/home?region=ap-southeast-2
. The EC2 Dashboard should display a number of unauthorized error messages.
- Congratulations! You have now learnt about IAM permission boundaries and have one working!