A common question I get from folks is “how do I create a temporary AWS IAM user?” or “how do I grant access to service x for only a period of time?”. Typically, you’d want to use the IAM “Condition” element, which I’ll demonstrate in the remainder of this blog post, using the example of an IAM “Power Users” policy that expires on January 31st of 2016.
Understanding IAM “Power Users” Policy:
The reason I like the IAM “Power Users” policy is that many organizations are moving to the model of fully empowered Engineering staff (meaning organizations where all Engineering staff have Administrator access). This model works well for many organizations, with one exception – allowing all Engineering staff to reset passwords means that when an employee leaves an organization you can’t be certain you have removed their access completely. Consider the case where an ex-employee has just created a new user or performed a password reset – they may still know that account’s username and password even after their own account has been disabled or removed. The other reason I like “Power Users” is that, despite the “deny” of actions on IAM resources, IAM users can still reset their own passwords (see: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_user-change-own.html#ManagingUserPwdSelf-Console).
Creating the Expiring IAM Power User Policy:
To create an expiring “Power User” IAM policy, do the following:
- Login to the IAM Console within the AWS Console.
- Select “Policies” from the left-hand navigation and click “Create Policy”.
- Enter the policy document (including the “Condition” element) and click “Create Policy”.
The magic here is that the Allow Statement within the IAM Policy only takes effect while the condition is true; once the condition is false, the statement grants nothing.
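The policy document below is an added example (not the original post’s own policy) of what the “Power Users” policy with an expiration looks like. It uses the same shape as the AWS-managed Power User policy (Allow everything except iam:*) and adds a DateLessThan condition on the aws:CurrentTime request key; the Sid name is my own, and the assumption is that “expires on January 31st of 2016” means the end of that day in UTC.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PowerUserAccessUntil2016Jan31",
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "2016-01-31T23:59:59Z"
        }
      }
    }
  ]
}
```

The timestamp must be ISO 8601 in UTC (the trailing Z), and aws:CurrentTime is present on every request, so there is no way for the caller to omit it. Before attaching the policy you can check both sides of the cut-off with the IAM policy simulator, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:DescribeInstances --context-entries ContextKeyName=aws:CurrentTime,ContextKeyValues=2016-02-01T00:00:00Z,ContextKeyType=date`, which should report implicitDeny after the date and allowed before it. Keep in mind that an expired statement only stops this policy from granting access; any other policy attached to the user or their groups still applies, and the user’s access keys and console password still exist until you remove them.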
Attach the Policy to a User or Group:
- Login to the IAM Console within the AWS Console.
- Select “Policies” from the left-hand navigation and select the “Power User” policy you created previously. See image below:
- Scroll down to the “Attached Entities” section, click “Attach Entity” and add the Users (or Groups) to which you wish to attach this policy. See image below:
- After the policy’s expiration date the IAM user will still be able to log in to the AWS Console. They won’t have permissions to issue any API commands, however.
- The IAM “Condition” element reference is available here: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition.