AWS IAM Practical Lab | Create Users, Groups, Policies & Roles | Step-by-Step Hands-On Tutorial

AWS IAM Hands-On Lab Walkthrough

In this comprehensive video, you'll gain practical experience with AWS Identity and Access Management (IAM), the foundation of cloud security. We cover both theory and real-world use cases, including testing access via the Console.

Timestamps (Video Chapters)

Hands-On: Creating the First IAM User & Setting up Console Access

Hands-On: Creating an IAM Group and Attaching a Managed Policy (Admin Access)

Deep Dive: IAM Policies - Managed vs. Custom Policies

Hands-On: Creating a Custom IAM Policy (S3 Read-Only Access)

Hands-On: Creating an IAM Role and Attaching a Trust Policy

Understanding Trust Relationships and the STS AssumeRole Action

Live Test: Testing User Permissions via the AWS Management Console

IAM Best Practices: Security Tips for Users, Roles, and Policies (Real-Time Use Cases)

🚀 Who is this tutorial for?
AWS Beginners: Get a solid, practical foundation in AWS security.

Cloud & DevOps Engineers: Learn best practices for role and policy management.

Certification Candidates: Essential for AWS Solutions Architect, Developer, and Security exams.

1️⃣ Policy — Only Create EC2 Instances

👉 This policy allows a user to create and manage EC2 instances, key pairs, and security groups.
Use this when you want someone to launch EC2 instances but not touch other AWS services.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2InstanceFullAccess",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Sid": "AllowKeyPairAndSecurityGroupCreation",
"Effect": "Allow",
"Action": [
"ec2:CreateKeyPair",
"ec2:DeleteKeyPair",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": "*"
}
]
}


📌 Use Case: Attach this policy to a user or role who needs to launch EC2s (developers, testers, or automation roles).

🧩 2️⃣ Policy — Can Only List EC2 and S3 Resources

👉 This version is more restrictive — it allows only listing EC2 and S3 resources (no start, stop, or create actions).

Here’s a combined read-only policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListEC2Resources",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Sid": "ListAllBuckets",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBuckets",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "ReadObjectsFromBuckets",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::*/*"
}
]
}


📌 Use Case:
This is ideal for auditors, viewers, or monitoring roles who should see EC2 and S3 resources but cannot modify anything.

🪄 How to Use These in AWS

Go to IAM → Policies → Create Policy → JSON tab.

Paste one of the above JSON policies.

Name it (e.g., EC2CreateOnlyPolicy or EC2S3ReadOnlyPolicy).

Attach to your IAM user, group, or role.

🔔 Subscribe for more step-by-step AWS and DevOps tutorials!

#aws #iam #awstutorial #cloudsecurity