Amazon has released many features in the last two years, but likely no feature more important to my personal peace of mind than Identity & Access Management (IAM). Before IAM, we had two types of access to our AWS infrastructure: none and administrator. It's amazing I was able to sleep in those pre-IAM days, with an entire team walking around with global credentials. It's sort of like the President of the United States granting access to the nuclear weapons codes to his cabinet, the congressional leadership, the First Family, and... hey, why not... the First Dog.
Below is the 10 steps to creating a read-only user that can view all infrastructure, including monthly bills.
Step 1: Login to AWS Console
Login to the Amazon AWS Console and go to the IAM service for your account.
Step 2: Create Group
Click on Create a New Group of Users.
Enter a name for your new group (e.g. ReadOnlyUser) and click Continue.
Step 3: Set Group Policy
Select Custom Policy and click Select. Unfortunately the default read-only policy of the wizard does not allow read-only access to usage and activity reports, so we'll create our own policy.
Step 4: Set Custom Policy
Give the policy a name (e.g. ReadOnlyUserPolicy), and cut and paste the below policy into the Policy Document.
{ "Statement": [ { "Effect": "Allow", "Action": [ "aws-portal:ViewBilling", "aws-portal:ViewUsage", "autoscaling:Describe*", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudfront:Get*", "cloudfront:List*", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables", "ec2:Describe*", "elasticache:Describe*", "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*", "elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:RetrieveEnvironmentInfo", "elasticloadbalancing:Describe*", "iam:List*", "iam:Get*", "route53:Get*", "route53:List*", "rds:Describe*", "s3:Get*", "s3:List*", "sdb:GetAttributes", "sdb:List*", "sdb:Select*", "ses:Get*", "ses:List*", "sns:Get*", "sns:List*", "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage", "storagegateway:List*", "storagegateway:Describe*" ], "Resource": "*" } ] }
Click Continue when ready.
Step 5: Add Users To Group
Click on the Create New Users tab, enter a user name (e.g. readonlyuser) and click Continue.
Review the final information on your new group and click Finish to complete the process.
Step 6: Download Credentials
Click on Download Credentials to download the keys for your read only user. Store these in a save location on your computer.
Step 7: Enable Console Access
Click on Users from the navigation menu and select the newly created user.
In the bottom pane, click Manage Password and assign a custom password of your choosing for this user.
Step 8: Enable CSV Reports
From the Account page, click on Billing Preferences.
Click on Sign Up Now to turn on the generation of CSV reports for your account.
Step 9: Enable Console Access For User
From the Account page, click on Manage Your Account.
Click on the check boxes to enable the account activity and usage pages, and click Activate Now.
Step 10: Create Console Alias (Optional)
We suggest you setup an alias for your account that will be easy for you to remember. To do this, click on the IAM Dashboard and choose to set an alias web address for your account.
If you'd like an easier way to do steps 1-6, feel free to use my CloudFormation template. CloudFormation is a great concept, but its implementation is still very limited. Call me when I can automate steps 7-10. ;)