Docker on Amazon Web Services

Creating an Administrators group

With an administrative role in place, the next step is to assign your role to a user or group. Instead of assigning privileges directly to a user, it is strongly recommended to instead assign them to groups, as this provides a much more scalable way of managing permissions. Given we have created a role with administrative privileges, it now makes sense to create a group called Administrators, which will be granted permission to assume the admin role you just created. Note that I refer to assuming a role, which is analogous to Linux and Unix systems, where you log in as a regular user and then use the sudo command to temporarily assume root privileges. 

You will learn how to assume a role later on in this chapter, but for now you need to create the Administrators group by selecting Groups from the left-hand menu in the IAM console and clicking the Create New Group button:

Creating an IAM group

You first need to specify a Group Name of Administrators and then click Next Step twice to skip the Attach Policy screen and finally click Create Group to complete creation of the group:

The Administrators group

This has created a group with no attached permissions, however if you click on the group and select Permissions, you now have the option to create an inline policy:

Creating an inline policy

After selecting the click here link in the preceding screenshot, choose the Custom Policy option and click Select, which allows you to configure an IAM policy document that grants the ability to assume the admin role you created earlier:

Administrators group inline policy

The policy includes a single statement that allows the action sts:AssumeRole. Here, sts refers to the Security Token Service, which is the service you interact with whenever you assume a role (the action of assuming a role grants you temporary session credentials linked to the role you have assumed). Notice that the resource is the ARN of the IAM role you created, so this policy grants anybody who is a member of the Administrators group permission to assume the admin role, and nothing else. After clicking the Apply Policy button, you will have successfully created and configured the Administrators group.
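The inline policy described above, as an added example that is not from the book: a small Python script that builds the group policy document with its single sts:AssumeRole statement and runs a simplified IAM evaluation over it, showing that members can assume only the named role ARN and that any other action or role falls through to the implicit deny. The account id 123456789012 and the role name admin are placeholders, not values from the chapter.

```python
import fnmatch
import json

# Constructed placeholders: 123456789012 is the AWS documentation example
# account id; "admin" stands in for the role created earlier in the chapter.
ACCOUNT_ID = "123456789012"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/admin"


def build_assume_role_policy(role_arn: str) -> dict:
    """Inline policy for the Administrators group: one statement that
    permits only sts:AssumeRole, and only on the given role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}
        ],
    }


def _matches(pattern, value: str) -> bool:
    """Action/Resource elements may be a string or a list; IAM supports
    '*' and '?' wildcards. ARNs are case-sensitive, so match case exactly."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins, then any
    matching Allow grants access, otherwise the request is implicitly denied.
    Conditions and resource-based policies are out of scope here."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policy_json(policy: dict) -> str:
    """Render the document as it would be pasted into the IAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_assume_role_policy(ADMIN_ROLE_ARN)
    print(policy_json(policy))
    print(is_allowed(policy, "sts:AssumeRole", ADMIN_ROLE_ARN))  # True
    print(is_allowed(policy, "iam:CreateUser", ADMIN_ROLE_ARN))  # False
```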