
Granting temporary access on an AWS account

One of the many tasks that a cloud consultant may have to do is access a client's cloud environment. Whether you're having someone create some resources in your AWS network, or hiring an auditor to review your security posture, you need to grant them temporary access in order to allow them to do their job, while restricting what they can do based on the type of work they were hired to do. This means you shouldn't trust them with the root account. Instead, let's see how you can do this securely within just a few minutes.

Creating an IAM user

In order to log in to the AWS console, they will need a username and password. To create one, log into your administrator account, click on Services at the top, and use the search function to go to the IAM page:

There, click on Users on the left side, and then the Add user button:

On the first page, you will have to give your new user a name. Choose a name that makes it obvious who this user is. Then, you have to select whether you're giving them access to the AWS console, programmatic access, or both.

In most cases, if you're handing this access to an actual person who will be doing work through the console, then they will need a user name and password. If however this user will be for a service or API, then they will likely need programmatic access.

If you are giving them console access, type in a password that you can send to your consultant, making sure to leave the User must create a new password at next sign-in checkbox checked:

Granting permissions

On the next page, you need to give permissions to your user. Here, you should always use the principle of least privilege. This means you give them only access to what they need. Instead of trying to craft a policy by yourself, I suggest you use one of the many policies Amazon provides. So click on the third option, and then find a policy that works for your needs.

In most cases, your temporary user will need one of two types of access. The first is when they need to view data but shouldn't be able to modify anything, in which case Amazon provides a number of handy policies for each of their services. Just do a search for "readonly" and select the services they need access to, or pick "ReadOnlyAccess" to give them read access to everything:

Another popular option is the policy called PowerUserAccess. This grants them broad read/write access to your account, but without allowing them to do really dangerous things like modify other users, access billing sections, and so on.

If your user only needs console access, you can click Next a few times and the user will be created. You can give the user name, password, and your account number (found in your account settings page) to your consultant. If you selected programmatic access however, then the last page of the user creation process will show you the access key and secret. It's important that you write down that information, because the secret is only shown once:

You can view a video of the steps above here: https://youtu.be/f0WgvD8gXig

Don't forget to remove the user

If and when your consultant is done with their work, don't forget to remove their access! All you have to do is go to that same IAM page, select the user, and click on Delete.
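The same create-and-revoke procedure, driven from the AWS CLI instead of the console, as an added example that is not part of the original post. It assumes the AWS CLI is installed and configured with administrator credentials; the user name, purpose tag and password passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example: create a temporary IAM user with a managed policy, then remove it.
# Assumes an AWS CLI configured with administrator credentials.
set -eu

# Map the two access levels discussed in the post to AWS managed policy ARNs.
# Anything else fails loudly, so a typo cannot silently grant the wrong policy.
policy_arn_for() {
  case "$1" in
    readonly)  echo "arn:aws:iam::aws:policy/ReadOnlyAccess" ;;
    poweruser) echo "arn:aws:iam::aws:policy/PowerUserAccess" ;;
    *) echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Console user: managed policy attached, password must be changed at first sign-in.
# The policy lookup runs first, so a bad access level fails before any user exists.
grant_console_access() {   # usage: grant_console_access <user> <readonly|poweruser> <initial-password>
  arn="$(policy_arn_for "$2")"
  aws iam create-user --user-name "$1" --tags Key=Purpose,Value=temporary-consultant
  aws iam attach-user-policy --user-name "$1" --policy-arn "$arn"
  aws iam create-login-profile --user-name "$1" --password "$3" --password-reset-required
  echo "Account ID to hand over: $(aws sts get-caller-identity --query Account --output text)"
}

# Unlike the console's Delete button, the CLI refuses to delete a user that still has
# a login profile, attached policies or access keys, so those are removed first.
revoke_access() {          # usage: revoke_access <user>
  aws iam delete-login-profile --user-name "$1" 2>/dev/null || true
  for arn in $(aws iam list-attached-user-policies --user-name "$1" \
                 --query 'AttachedPolicies[].PolicyArn' --output text); do
    aws iam detach-user-policy --user-name "$1" --policy-arn "$arn"
  done
  for key in $(aws iam list-access-keys --user-name "$1" \
                 --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    aws iam delete-access-key --user-name "$1" --access-key-id "$key"
  done
  aws iam delete-user --user-name "$1"
}

# Only acts when given arguments, e.g. (placeholder user name and password):
#   ./temp-access.sh grant audit-consultant readonly 'Change-Me-On-First-Login-1'
#   ./temp-access.sh revoke audit-consultant
if [ "$#" -gt 0 ]; then
  case "$1" in
    grant)  grant_console_access "$2" "$3" "$4" ;;
    revoke) revoke_access "$2" ;;
    *) echo "usage: $0 grant <user> <readonly|poweruser> <password> | revoke <user>" >&2; exit 2 ;;
  esac
fi
```

Revoking this way also clears access keys, so it works for users that were given programmatic access.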

That's all there is to it!