One of the many tasks that a cloud consultant may have to do is access a client's cloud environment. Whether you're having someone create some resources in your AWS network, or hiring an auditor to review your security posture, you need to grant them temporary access in order to allow them to do their job, while restricting what they can do based on the type of work they were hired to do. This means you shouldn't trust them with the root account. Instead, let's see how you can do this securely within just a few minutes.
Creating an IAM user
In order to login to the AWS console, they will need a username and password. To create one, log into your administrator account, click on Services at the top, and use the search function to go to the IAM page:
In most cases, if you're handing this access to an actual person who will be doing work through the console, then they will need a user name and password. If however this user will be for a service or API, then they will likely need programmatic access.
If you are giving them console access, type in a password that you can send to your consultant, making sure to leave the User must create a new password at next sign-in checkbox checked:
On the next page, you need to give permissions to your user. Here, you should always use the principle of least privilege. This means you give them only access to what they need. Instead of trying to craft a policy by yourself, I suggest you use one of the many policies Amazon provides. So click on the third option, and then find a policy that works for your needs.
In most cases, your temporary user will typically need one of two types of access. Either they need to view data and shouldn't be able to modify anything, in which case Amazon provides a number of handy policies for each of their services. Just do a search for "readonly" and select the services they need access to, or pick "ReadOnlyAccess" to give them read access to everything:
If your user only needs console access, you can click Next a few times and the user will be created. You can give the user name, password, and your account number (found in your account settings page) to your consultant. If you selected programmatic access however, then the last page of the user creation process will show you the access key and secret. It's important that you write down that information:
Don't forget to remove the user
If and when your consultant is done with their work, don't forget to remove their access! All you have to do is go to that same IAM page, select the user, and click on Delete.
That's all there is to it!