Automated user migration and management of AWS Identity and Access Management (IAM) resources

Bolaji A. Adetoye
5 min readMay 8, 2023

In this project, I created IAM user groups, IAM users and a custom policy. I ensured that multi-factor authentication (MFA) is enforced for all the users to login to the AWS console and also enforced password change at first logon for all the IAM users with the required policies.

To begin with, what is actually an IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. For further information, see the official documentation here https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

Services and technologies used with the chosen cloud provider (AWS) on the project are Gitbash, AWS CLI, shell script and AWS Identity and Access management.

In this project based on a real-world scenario, I acted as Cloud Specialist with the mission to migrate users in an automated way and manage AWS IAM (Identity and Access Management) resources.

There were 100 users that needed to be migrated and have MFA (Multi-factor authentication) enabled on their accounts, as this is a security best practice.

To avoid repetitive and manual tasks in the AWS console, I decided to automate the processes. Below are the steps taken to complete the project using GitBash with AWS CLI and Shell Script, and a sample excel document containing the details of users to be migrated to the AWS console.

Solution Architecture: On-Premises Migration to AWS

Step 1: spreadsheet modification to suit the automation script inputs.

Spreadsheet: Raw & Modified

There are five groups in this excel sheet and 100 users but only few users were captured here. The next exercise was to create the IAM groups on AWS console which would later be populated with respective IAM users accordingly.

Step 2: IAM groups creation.

Here, I manually created the IAM groups on the AWS console and ran the automation script to create users, login profiles and add users to groups as shown below.

User Groups
Groups and Users created

I also added the required permission policies to each group created such as (IAMUserChangePassword — provides the ability for an IAM user to change their own password. AmazonRDSFullAccess — Provides full access to Amazon RDS via the AWS Management Console. AmazonVPCFullAcess — Provides full access to Amazon VPC via the AWS Management Console. AmazonEC2FullAccess — Provides full access to Amazon EC2 via the AWS Management Console. ReadOnlyAccess — Provides read-only access to AWS services and resources for non-administrative users. And a custom MFA policy to enforce multi-factor authentication, adding an additional layer for security best practice.

Sample group permission policies

Let’s now pick a user from the CloudAdmin group and use the user details to sign in to the AWS console using the sign-in URL. You may sign in using new incognito window.

Password change prompt

After a successful authentication, I opened RDS service and tried to create a database. I immediately got an error that “ user/sonia.adigun is not authorized to perform: rds:DescribeDBInstances on resource…” Why? This was because of the MFA policy enforced on the groups which the users had inherited. To correct this, at the top right-hand-corner of the console click on “logged-on username” , from the dropped-down menu, select “security credentials”. Then click “Assign MFA” button.

To assign MFA device to a user account, an authenticator app or Hardware TOTP token or Security key is required to achieve this. You may choose to use authenticator app like Google Authenticator or Microsoft Authenticator or Authy on a mobile device or computer. Choose an appropriate name for the device.

Follow the steps below to complete the device assignment. signout from the console and signin back to confirm the error is cleared.

After a successful assigment exercise, I was prompted with MFA login to complete the sign-in after the authentication.

Subsequently, I was able to launch and create a database using the RDS service.

Database Engine options

I hope this has been informative and I thank you for your time. If this was useful please give me a clap. See you soon!

--

--

Bolaji A. Adetoye

IT Tech. Support | Aspiring MultiCloud & DevOps Engineer | AWS | Microsoft Azure | Google Cloud | Oracle Cloud