AWS Access Management: IAM Users, Groups, and Least Privilege Lab — AWS Certified Cloud Practitioner (CLF-C02) Study Notes

Prerequisites

Before starting this lab, ensure you have the following ready:

An active AWS Account.
Administrative access to the account (It is highly recommended to use an IAM Admin user, not the AWS root user, to follow best practices).
AWS CLI installed and configured on your local machine (aws configure) with your administrative credentials.
Basic familiarity with using a command-line interface (CLI) or terminal.

Learning Objectives

By completing this 30-minute lab, you will be able to:

Create and manage IAM Groups and Users within an AWS account.
Apply the Principle of Least Privilege by attaching specific, restricted managed policies to an IAM Group.
Generate and configure programmatic access credentials (access keys) for an IAM User.
Verify access controls by attempting authorized and unauthorized actions via the AWS CLI.

Architecture Overview

The following diagram illustrates the relationship between the IAM entities and the AWS resources you will configure in this lab.

Loading Diagram...

Step-by-Step Instructions

Step 1: Create a Test S3 Bucket

We need a resource for our new IAM user to interact with. We will create an Amazon S3 bucket.

bash

aws s3 mb s3://brainybee-lab-bucket-12345

(Note: S3 bucket names must be globally unique. Replace 12345 with random numbers if the bucket name is taken).

▶Console alternative

Navigate to

S3 > Create bucket

. Enter a unique bucket name like brainybee-lab-bucket-12345, leave all defaults, and click

Create bucket

[!TIP] Always use lowercase letters and hyphens for S3 bucket names to avoid DNS-compliance errors.

Step 2: Create an IAM Group

Following best practices, we assign permissions to groups rather than individual users. We will create a group for users who only need read access to S3.

bash

aws iam create-group --group-name brainybee-s3-readers

▶Console alternative

Navigate to

IAM > User Groups > Create group

. Name the group brainybee-s3-readers and click

Create group

[!IMPORTANT] IAM Group names are case-sensitive in some contexts, so stick to a consistent naming convention.

Step 3: Attach a Least-Privilege Policy to the Group

We will attach an AWS Managed Policy that explicitly grants Read-Only access to S3, embodying the principle of least privilege.

bash

aws iam attach-group-policy --group-name brainybee-s3-readers --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

▶Console alternative

Navigate to

IAM > User Groups

, click on brainybee-s3-readers, go to the

Permissions

tab, click

Add permissions > Attach policies

. Search for AmazonS3ReadOnlyAccess, check the box, and click

Add permissions

[!NOTE] The ARN (Amazon Resource Name) arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess points to an AWS-managed policy maintained by AWS. You do not need to write the JSON for this policy yourself.

Step 4: Create an IAM User and Access Keys

Now, create a user who will act as our test subject, and generate programmatic credentials so they can use the CLI.

bash

aws iam create-user --user-name brainybee-test-user
aws iam create-access-key --user-name brainybee-test-user

▶Console alternative

Navigate to

IAM > Users > Add users

. Name the user brainybee-test-user. Do not give them console access. Once created, click on the user, go to

Security credentials

, and click

Create access key

for CLI use. Save the resulting keys.

[!WARNING] The CLI will output an AccessKeyId and a SecretAccessKey. Copy these immediately! The secret key is only displayed once. If you lose it, you must delete the key and generate a new one.

Step 5: Add the User to the Group

Currently, the user has no permissions. By adding them to the group, they will inherit the S3 Read-Only policy.

bash

aws iam add-user-to-group --user-name brainybee-test-user --group-name brainybee-s3-readers

▶Console alternative

Navigate to

IAM > Users

, click brainybee-test-user, go to the

Groups

tab, click

Add user to groups

, select brainybee-s3-readers, and save.

[!TIP] In a real-world scenario, if a user changes roles within a company, you simply remove them from their old group and add them to a new one, rather than auditing dozens of individual user-level policies.

Step 6: Configure the Test User Profile locally

Set up a secondary AWS CLI profile on your machine to test the new user's access.

bash

aws configure --profile testuser

Paste the AccessKeyId and SecretAccessKey you generated in Step 4. You can leave the default region and output format blank.

Checkpoints

Verify that the configuration works and that the principle of least privilege is actively protecting your environment.

Checkpoint 1: Test Authorized Access (Read)

Attempt to list S3 buckets using the test user's profile. Because they are in the brainybee-s3-readers group, this should succeed.

bash

aws s3 ls --profile testuser

Expected Result: You should see a list of your S3 buckets, including the brainybee-lab-bucket-12345 you created in Step 1.

Checkpoint 2: Test Unauthorized Access (Write)

Attempt to create a new S3 bucket using the test user's profile. This should fail because the policy explicitly grants only read access.

bash

aws s3 mb s3://brainybee-forbidden-bucket-12345 --profile testuser

Expected Result: An AccessDenied error. This proves your least privilege boundaries are functioning correctly.

Clean-Up / Teardown

[!WARNING] Remember to run the teardown commands to avoid ongoing clutter and potential security vulnerabilities from stray access keys.

Run the following CLI commands using your default (Admin) profile to remove all created resources.

bash

# 1. Delete the user's access key (Replace <ACCESS_KEY_ID> with the ID from Step 4)
aws iam delete-access-key --user-name brainybee-test-user --access-key-id <ACCESS_KEY_ID>

# 2. Remove the user from the group
aws iam remove-user-from-group --user-name brainybee-test-user --group-name brainybee-s3-readers

# 3. Delete the user
aws iam delete-user --user-name brainybee-test-user

# 4. Detach the policy from the group
aws iam detach-group-policy --group-name brainybee-s3-readers --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# 5. Delete the group
aws iam delete-group --group-name brainybee-s3-readers

# 6. Delete the S3 bucket (Replace the number with your unique bucket suffix)
aws s3 rb s3://brainybee-lab-bucket-12345 --force

Troubleshooting

Common Error	Cause	Fix
`An error occurred (AccessDenied) when calling the CreateBucket operation` (During Step 1)	Your default CLI profile doesn't have Admin permissions.	Reconfigure `aws configure` using an IAM Admin user access key.
`An error occurred (NoSuchEntity) when calling the AttachGroupPolicy operation`	A typo in the policy ARN or the group name.	Verify the ARN is exactly `arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess` and the group name matches Step 2.
`An error occurred (BucketAlreadyExists)`	S3 bucket names must be globally unique across all of AWS.	Append random numbers to your bucket name in Step 1.
`DeleteConflict` during Teardown	Trying to delete a group before removing users, or deleting a user before deleting their access keys.	Follow the Teardown list in the exact numbered order. Dependencies must be removed first.

Cost Estimate

This lab strictly utilizes AWS IAM (which is always free) and standard Amazon S3 bucket creation without uploading heavy objects.

Total Estimated Cost: $0.00 (Covered entirely by the AWS Free Tier and IAM zero-cost structure).