Manage AWS Trainee Access with IAM User Setup
As a trainer, simplify your AWS training session and ensure a smooth start by pre-creating trainee accounts. Before following the steps in this tutorial, note the security consideration below, and ensure you have the following prerequisites:
⚠️ Caution: By following this tutorial, you'll provide your trainees access to your personal account's EC2 resources. Please create a dedicated root account just for training purposes.
Pre-requisites:
- Root AWS account.
- Basic AWS IAM knowledge.
This tutorial consists of two sections: IAM Configuration and Creating Users Using AWS CLI.
IAM Configuration
- In AWS console, navigate to IAM. Under Access Management menu, click on Policies.
- Click on Create policy and choose JSON in the policy editor.
- Paste this JSON, which defines the permissions for the trainees' accounts (replace <region> and <account-id> with your own values). The instance-type rule is written as an explicit Deny, in the same way as the AMI rule below it: the first statement already allows ec2:RunInstances on every resource, and a condition on a separate Allow statement cannot take that back, whereas an explicit Deny overrides any Allow:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:RunInstances",
        "ec2-instance-connect:SendSSHPublicKey",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "iam:ChangePassword",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:<region>:<account-id>:instance/*"],
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:<region>::image/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ImageId": "ami-06c4be2792f419b7b"
        }
      }
    }
  ]
}
```
- Click Next.
- Give the policy a name (e.g. ec2-trainee-policy), then click on Create policy.
- Once created, go back to the IAM dashboard and click on User groups under the Access Management menu.
- Click on Create group.
- Give the group a name (e.g. ec2-trainee-group) and search for the policy created earlier under the Attach permissions policies - Optional menu.
- Click on Create group.
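To see why the instance-type restriction has to be expressed as a Deny, here is a small Python model of IAM policy evaluation. It is an added illustration, not code from this tutorial or from AWS: the evaluator is a deliberate simplification (only the String condition operators and the * wildcard are modelled), and the region, account id and instance id in it are constructed sample values. It evaluates a RunInstances request against two variants of the tutorial's policy, one where the t2.micro rule is an Allow with a condition and one where it is an explicit Deny.

```python
"""Simplified model of IAM policy evaluation (added illustration, not AWS code):
an explicit Deny in any matching statement wins, otherwise any matching Allow
grants access, otherwise the request is implicitly denied.  Only the String
operators and the '*' wildcard are modelled."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """True when every condition key/operator is satisfied by the request context."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators are satisfied when the key is absent from the request.
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Actions are matched case-insensitively, resource ARNs case-sensitively.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny cannot be overridden by any Allow
        decision = "Allow"
    return decision


# Constructed sample region and account id; the ARN form is the one the tutorial uses.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/*"
BROAD_ALLOW = {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"}

# A conditioned Allow only adds permission: it cannot narrow what BROAD_ALLOW already grants.
ALLOW_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    BROAD_ALLOW,
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
     "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}},
]}

# An explicit Deny on every instance type except t2.micro is what enforces the restriction.
DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    BROAD_ALLOW,
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
     "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}}},
]}


def launch_decision(policy, instance_type):
    """Decision for a RunInstances request on a (constructed) instance ARN of the given type."""
    return evaluate(policy, "ec2:RunInstances",
                    "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
                    {"ec2:InstanceType": instance_type})


if __name__ == "__main__":
    for name, policy in (("allow-only", ALLOW_ONLY_POLICY), ("with-deny", DENY_POLICY)):
        for itype in ("t2.micro", "t3.large"):
            print(f"{name:10s} {itype:9s} -> {launch_decision(policy, itype)}")
```

Run it and the allow-only variant lets t3.large through, because the first statement's Resource "*" already grants RunInstances on everything; the Deny variant refuses t3.large while still allowing t2.micro, and anything the policy never mentions (an S3 call, say) falls to the implicit deny. The same reasoning applies to the AMI restriction, which the tutorial already writes as a Deny.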
Creating Users Using AWS CLI
- Click on the CLI icon in the navbar.
- Run this command and wait for it to finish:

```bash
# Creates trainee-user1 .. trainee-user10, adds each one to the group created
# above and sets a temporary console password that must be changed at first login.
for i in {1..10}; do
  aws iam create-user --user-name "trainee-user$i" &&
  aws iam add-user-to-group --user-name "trainee-user$i" --group-name ec2-trainee-group &&
  aws iam create-login-profile --user-name "trainee-user$i" --password 'myPwd@123' --password-reset-required
  echo "-------------------------------------------------------------------------------------------------"
done
```
- AWS will create new users with usernames ranging from trainee-user1 to trainee-user10. The default password for all users will be myPwd@123. Make sure to record these credentials securely to distribute to your trainees later for AWS console login.
- Provide a sign-in URL to trainees with their designated credentials to log in here: https://<your-account-id>.signin.aws.amazon.com/console/
- AWS will prompt users to change their password after the first-time login.
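The same provisioning can be scripted with the AWS SDK, which makes it easy to give every trainee a different temporary password instead of one shared default. The script below is an added example, not part of this tutorial: it assumes boto3 is installed and that the shell already holds credentials for the training account; the account id in the usage section is a constructed placeholder. With dry_run=True (the default) it only builds the plan and the credential records, so it can be reviewed before anything is created.

```python
"""Provision trainee IAM users, one unique temporary password each (added example).
Assumes boto3 and credentials for the training account; dry_run=True only builds
the plan and touches nothing in AWS."""
import csv
import io
import secrets
import string

SYMBOLS = "!@#$%^&*"


def make_temp_password(length=16):
    """Random password containing upper, lower, digit and symbol, which satisfies
    the default IAM account password policy (minimum 8 characters)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pwd) and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd) and any(c in SYMBOLS for c in pwd)):
            return pwd


def signin_url(account_id):
    """Console sign-in URL in the form the tutorial gives to trainees."""
    return f"https://{account_id}.signin.aws.amazon.com/console/"


def plan_users(prefix, count, group):
    """Build the list of users to create: prefix1 .. prefixN, each in `group`."""
    return [{"UserName": f"{prefix}{i}", "Group": group, "Password": make_temp_password()}
            for i in range(1, count + 1)]


def provision(account_id, plan, dry_run=True):
    """Create each user, add it to its group and set a console password that must be
    changed at first login (the same three calls the CLI loop makes).  Returns the
    credential records to hand out; with dry_run=True no AWS call is made."""
    if not dry_run:
        import boto3  # assumption: boto3 installed and credentials configured
        iam = boto3.client("iam")
        for u in plan:
            iam.create_user(UserName=u["UserName"])
            iam.add_user_to_group(UserName=u["UserName"], GroupName=u["Group"])
            iam.create_login_profile(UserName=u["UserName"], Password=u["Password"],
                                     PasswordResetRequired=True)
    return [{"user": u["UserName"], "password": u["Password"], "url": signin_url(account_id)}
            for u in plan]


def credentials_csv(records):
    """Render the records as CSV text, one row per trainee, for secure hand-over."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["user", "password", "url"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    ACCOUNT_ID = "123456789012"  # constructed placeholder: use your training account id
    plan = plan_users("trainee-user", 10, "ec2-trainee-group")
    records = provision(ACCOUNT_ID, plan, dry_run=True)  # set dry_run=False to create them
    print(credentials_csv(records))
```

Because each record carries its own password, the CSV is the only copy of the temporary credentials; store it where only the trainer can read it and delete it once the trainees have logged in and been forced to change their password.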
Important notes:
- This tutorial assumes you want to restrict trainees to launching only instances with the Ubuntu Server 22.04 LTS (HVM) image and t2.micro instance type.
- This tutorial also does not prevent trainees from accessing instances launched by other trainees because it relies on a basic access control model. For more granular control and to isolate trainee resources, consider using Attribute-based Access Control (ABAC). You can find more information here or read the setup tutorial here.
- To avoid unintended costs and prevent further usage, terminate all instances created by trainees after each training session and consider removing their IAM user accounts.