Automating user creation with AWS Identity and Access Management (IAM) resources

Automatically Provisioning AWS User Accounts

Sonya Stauffer-Acevedo, MSE
5 min read · Apr 27, 2023

Introduction

In this article, I will demonstrate a simple automated user group and user account creation process to help you avoid the repetitive manual tasks in provisioning AWS accounts.

AWS Cloud Services & Technologies

Note: AWS-specific account information will be redacted in all images and sample outputs. If you follow the steps in this article and change any object or file names, please ensure you modify the commands given herein with the names you used.

Use Case

Let’s assume you need to migrate 100+ users; each user must have Multi-factor Authentication (MFA) enabled, and each user must be assigned a specific user group so that we maintain the best practice of least privilege, granting only the access required for their role. Since we are not federating user accounts, we must also give the users the ability to change their own passwords.

Solution Architecture

Solution Architecture for AWS user creation process

MFA Policy

Our MFA policy must:

  • Allow the logged-in user to see their own user profile.
  • Allow the user to view MFA devices.
  • Allow the user to manage their own MFA device.
  • Deny access to all other services while MFA has not yet been set up.

Download the policy JSON file here.

Important note: By scoping the Resource in the policy to the caller’s own username, the user can only create an MFA device whose name matches their username. Example:

"Resource": "arn:aws:iam::*:mfa/${aws:username}"
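Because the download link does not carry over here, below is an added example policy of my own (not the author’s enforce_mfapolicy.json) that implements the four requirements above, wrapped in a shell function that writes it to the file name used in the next step. iam:ChangePassword and iam:GetAccountPasswordPolicy are deliberately excluded from the deny statement so the first-login password reset still works before an MFA device is enrolled, and sts:GetSessionToken is excluded so CLI users can obtain an MFA-backed session; the Sid values are my own.

```shell
# Added example, not the article's policy file. Writes an IAM policy that
# lets a user see their own profile, list and manage only their own MFA
# device, and denies everything else until aws:MultiFactorAuthPresent is true.
# The deny is a NotAction list: what remains allowed without MFA is exactly
# what is needed to enroll a device and to change the initial password.
write_mfa_policy() {          # $1 = output path, e.g. enforce_mfapolicy.json
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewOwnUserProfile",
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowViewMFADevices",
      "Effect": "Allow",
      "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                 "iam:ResyncMFADevice", "iam:DeleteVirtualMFADevice"],
      "Resource": ["arn:aws:iam::*:mfa/${aws:username}",
                   "arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                    "iam:GetUser", "iam:ListMFADevices",
                    "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                    "iam:ChangePassword", "iam:GetAccountPasswordPolicy",
                    "sts:GetSessionToken"],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
EOF
}

# Usage: write_mfa_policy enforce_mfapolicy.json
```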

To implement the MFA policy in your AWS environment:

  1. Log in to your AWS console.
  2. Open the CloudShell.
  3. Upload the MFA policy JSON file.
  4. Execute the following command:
aws iam create-policy --policy-document file://enforce_mfapolicy.json --policy-name EnforceMFAPolicy

The output from the command will look something like this:

{
    "Policy": {
        "PolicyName": "EnforceMFAPolicy",
        "PolicyId": "XXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::0000000000:policy/EnforceMFAPolicy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2023-04-26T03:29:09+00:00",
        "UpdateDate": "2023-04-26T03:29:09+00:00"
    }
}

Script Execution Prerequisite

Before moving on to the group and account creation processes, we need to install the following package.

  1. Log in to your AWS console.
  2. Open the CloudShell.
  3. Execute the following command:
sudo yum install dos2unix -y

Automating User Group Creation

The script that creates the predefined user groups automatically takes the group name and its default policy from an input CSV file. The script also attaches the AWS managed IAMUserChangePassword policy and the MFA enforcement policy we created to each user group.

The input file is a simple CSV file with group and policy attributes. Example:

group,policy
CloudAdmin,AdministratorAccess
DBA,AmazonRDSFullAccess
LinuxAdmin,AmazonEC2FullAccess
NetworkAdmin,AmazonVPCFullAccess
Trainees,ReadOnlyAccess

Download the script file here.

Edit the aws-iam-create-group.sh file and replace the <policy arn> placeholder with the ARN of the MFA policy created above, for example:

aws iam attach-group-policy --group-name $group --policy-arn arn:aws:iam::0000000000:policy/EnforceMFAPolicy

Note: If you don’t like the AWS CloudShell vim editor, you can use the instructions here to install the nano editor.

Steps to create groups:

  1. Log in to your AWS Console.
  2. Open the CloudShell.
  3. Upload the aws-iam-create-group.sh script and your groups.csv file.
  4. Execute the following command to set up permission to execute the script:
chmod +x aws-iam-create-group.sh

  5. Execute the following command to create the groups:

./aws-iam-create-group.sh groups.csv

Sample output for the “CloudAdmin” group given in the sample input file data:

{
    "Group": {
        "Path": "/",
        "GroupName": "CloudAdmin",
        "GroupId": "XXXXXXXXXXX",
        "Arn": "arn:aws:iam::0000000000:group/CloudAdmin",
        "CreateDate": "2023-04-26T01:19:13+00:00"
    }
}
AWS User Group Listing Showing Permissions
Permissions for AWS user group “CloudAdmin”

Automatically Create Users and Assign them to Designated Groups

The script to create the predefined list of users automatically will take the username, group name, and password from an input CSV file. The script will also implement the requirement to reset the user’s password on the first login.

The input file is a simple CSV file with user, group, and password attributes. Example:

user,group,password
jane.doe,DBA,ChangeMe123456!
john.doe,NetworkAdmin,ChangeMe123456!
billy.joe,CloudAdmin,ChangeMe123456!
jim.bob,LinuxAdmin,ChangeMe123456!
mary.sunshine,Trainees,ChangeMe123456!

Download the script file here.

Steps to create the user accounts:

  1. Log in to your AWS console.
  2. Open the CloudShell.
  3. Upload the aws-iam-create-user.sh script and your users.csv file.
  4. Execute the following command to set up permission to execute the script:
chmod +x aws-iam-create-user.sh

  5. Execute the following command to create the user accounts:

./aws-iam-create-user.sh users.csv
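To show how both scripts fit together, here is an added example of my own (not the author’s downloadable aws-iam-create-group.sh or aws-iam-create-user.sh) that covers the group creation described earlier and the user creation described just above in one script. It assumes the AWS CLI is already authenticated (as it is in CloudShell) and that EnforceMFAPolicy exists; the account id in the default MFA_POLICY_ARN and the script name are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the article's scripts. Assumes an authenticated AWS CLI
# and an existing EnforceMFAPolicy; the account id below is a placeholder.
set -eu

AWS_CLI="${AWS_CLI:-aws}"   # set AWS_CLI=echo to dry-run and only print the calls
MFA_POLICY_ARN="${MFA_POLICY_ARN:-arn:aws:iam::000000000000:policy/EnforceMFAPolicy}"
CHANGE_PW_ARN="arn:aws:iam::aws:policy/IAMUserChangePassword"

# groups.csv row: create the group, attach its role policy, then the two
# policies every group gets (change own password, enforce MFA).
create_group() {            # $1=group  $2=AWS managed policy name
  "$AWS_CLI" iam create-group --group-name "$1"
  "$AWS_CLI" iam attach-group-policy --group-name "$1" \
      --policy-arn "arn:aws:iam::aws:policy/$2"
  "$AWS_CLI" iam attach-group-policy --group-name "$1" --policy-arn "$CHANGE_PW_ARN"
  "$AWS_CLI" iam attach-group-policy --group-name "$1" --policy-arn "$MFA_POLICY_ARN"
}

# users.csv row: create the user, add it to its group, and issue a console
# password that must be changed at first login (PasswordResetRequired=true).
create_user() {             # $1=user  $2=group  $3=initial password
  "$AWS_CLI" iam create-user --user-name "$1"
  "$AWS_CLI" iam add-user-to-group --user-name "$1" --group-name "$2"
  "$AWS_CLI" iam create-login-profile --user-name "$1" \
      --password "$3" --password-reset-required
}

# Skip the header row, drop CR characters (the conversion dos2unix performs,
# so a CSV saved on Windows still parses) and hand each row to a handler.
process_csv() {             # $1=handler function  $2=csv path
  tail -n +2 "$2" | tr -d '\r' | while IFS=, read -r f1 f2 f3; do
    [ -n "$f1" ] || continue          # ignore blank lines
    "$1" "$f1" "$f2" "$f3"
  done
}

# Usage: ./aws-iam-provision.sh groups groups.csv
#        ./aws-iam-provision.sh users  users.csv
case "${1:-}" in
  groups) process_csv create_group "${2:?csv path required}" ;;
  users)  process_csv create_user  "${2:?csv path required}" ;;
esac
```

Since users.csv holds the initial passwords in clear text, delete it from the CloudShell home directory as soon as the run completes.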

Sample output for the billy.joe user given in the sample input file data:

{
    "User": {
        "Path": "/",
        "UserName": "billy.joe",
        "UserId": "XXXXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::0000000000:user/billy.joe",
        "CreateDate": "2023-04-26T02:54:20+00:00"
    }
}
{
    "LoginProfile": {
        "UserName": "billy.joe",
        "CreateDate": "2023-04-26T02:54:22+00:00",
        "PasswordResetRequired": true
    }
}
AWS User Group Listing with Indication the Users have been Added
AWS “CloudAdmin” User Group with Added “billy.joe” User

Finally, after the users have logged in, changed their passwords, and added an MFA device, we can see the results:

AWS User Listing

Summary

We walked through creating an MFA policy in the AWS CloudShell and then executed the automated assignment of that policy and others during the User Group creation process. Then we walked through an automated user account creation process, including assigning the appropriate user groups.

If you face any issues while implementing these scripts, please get in touch with me on LinkedIn. If you enjoyed reading this article or found it helpful, don’t forget to click the like button or follow me.
