Automated User Migration & AWS IAM Management: Scalable Access Control

11 min read · Feb 21, 2025

This project is part of my cloud portfolio, emphasizing hands-on experience in cloud technology.

Migration solutions architecture — Illustration made possible with draw.io

🔰Getting Started

While studying for cloud certifications I started to really gain interest in diving more into cloud computing. You know, launch a few EC2 instances, accidentally leave one running overnight, and wake up to a billing statement that feels like you went out the night before with your credit card and decided to be “extra nice” to people at the bar. We’ve all been there.

I came across Jean Rodrigues and was immediately interested in his teachings and mentoring. With years of real-world experience as a Senior Principal Cloud & Infrastructure Architect, Jean brings valuable insights to the field. Inspired by his expertise, I decided to invest in his guidance and dive into a series of cloud projects. I plan to document my journey, share what I learn, and keep improving with each experience.

Come join me on this journey!⚔️🧗🏼‍♂️

✅What You’ll Learn:

  • Identifying tools and AWS services for IAM automation
  • Planning IAM user migration strategy
  • Preparing and formatting data for automation scripts
  • Creating, managing, and securing IAM groups
  • Implementing the automated user migration process
  • Enabling MFA (Multi-Factor Authentication) on the console
  • *Other main concepts will be linked for more information*

💭The Problem & The Idea — What Needs Solving?

A client is migrating their corporate data center to AWS and requires the IT team to have access to the AWS environment to support tasks such as database management, virtual machine (VM) migrations, and other cloud-related operations.

This project was inspired by a real-world use case, where I took on the role of a Cloud Engineer with the objective of efficiently migrating users and managing AWS IAM (Identity and Access Management).

In this context, the goal was to migrate 100 users while ensuring that MFA (Multi-Factor Authentication) was activated on their accounts, following security best practices.

To eliminate repetitive manual work in the AWS console, an automated workflow to streamline the migration process was developed.

🧩Planning — Mapping It Out

1. Identify your stack

As mentioned, we will be using the AWS IAM service to manage user identities, enforce security policies, and control access to AWS resources; the AWS CLI to interact with IAM from the command line; and shell scripts (Bash) to automate IAM-related tasks such as processing a CSV file and applying IAM configurations in our project.

The stack used — AWS CLI, Shell Script, AWS IAM

2. Initial Architecture

Below is a visual representation of our initial solution, illustrating the migration from the corporate data center to the AWS cloud environment: the IAM groups, the permissions assigned to each, and the MFA (Multi-Factor Authentication) setup that secures access.

AWS environment architecture for IAM groups with assigned permissions and MFA security

We have n users to migrate to the AWS environment, but these users will have different responsibilities, each corresponding to their role in the company. So the next step is to think — How do we assign users only the permissions they need?

3. Users and roles

We need to identify all users involved in the migration process. Since each user has a specific role, we want to ensure that permissions are assigned correctly. For example, Database Admins should have the ability to manage databases but not create or delete users, as that responsibility should belong to a Cloud Architect (in our case).

Let’s identify our users:

  • Database Admin
  • Cloud Architect
  • Linux Admin
  • Network Admin
  • Trainee

To answer the previous question — How do we assign users only the permissions they need? — Let’s consider the Role-Based Access Control (RBAC) model. Using AWS IAM Groups, users will be assigned to a group that corresponds to their specific role.

  • Database Admin → DBA
  • Cloud Architect → CloudAdmin
  • Linux Admin → LinuxAdmin
  • Network Admin → NetworkAdmin
  • Trainee → Trainees

🏗️Execution — Putting It All Together

1. Formatting the data

First things first, when cleaning up data, we need to know what we are cleaning it up for. In other words, where is this data being fed? We will consider the script below — responsible for automating user creation and group assignment — as we clean up our data:

wget https://tcb-bootcamps.s3.amazonaws.com/bootcamp-aws/en/aws-iam-create-user.sh

In this project we were provided with an Excel sheet listing all the users we need to migrate. As useful as that is, we still have some cleaning up to do.

a) Preparing the Data for the Script:

Excel sheet with raw data

To create our users’ accounts on the AWS environment and assign them to their specific roles, let’s identify what we need:

  • Username — or user
  • Password
  • Group

From jane.doe@abc-company.com, we need ‘jane.doe’ as their username, set up a temporary password for initial account access, and assign the necessary permissions to perform their tasks.

b) Delete ‘Name’ column

c) Using the ‘Find and Replace’ tool, remove ‘@abc-company.com’ from all users’ emails and change the ‘Email’ column name to ‘user’.

d) Change all of the users’ roles to the corresponding IAM user group they should be assigned to (Database Admin → DBA,…). Change the Team column name to group — (Keep using the ‘Find and Replace’ tool).

e) Create a password column and provide the same password for all users so they can log into their accounts; they will be able to change their passwords once logged in.

f) Save the document as a CSV file so it can be processed later by our Shell Script.

Save CSV file
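The formatting steps b) to f) above, done by a script instead of by hand, as an added example that is not part of the original article. It assumes the raw sheet has exactly the columns Name,Email,Team, that addresses end in @abc-company.com, and that every user gets the same temporary password (the article uses Change@123); the sample rows at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not the article's own script): turns the raw sheet export
# (Name,Email,Team) into the user,password,group CSV the automation consumes.
# Assumptions: the raw header is exactly Name,Email,Team, addresses end in
# @abc-company.com, and every user gets the same temporary password.
# Raw lines are read from stdin; the formatted CSV is written to stdout.

TEMP_PASSWORD="${TEMP_PASSWORD:-Change@123}"

format_users_csv() {
    # tr strips the CR of Windows CRLF line endings (what dos2unix would do);
    # awk does the column work in one pass. Exits non-zero on an unknown team
    # so a typo in the sheet cannot silently land someone in the wrong group.
    tr -d '\r' | awk -F, -v pw="$TEMP_PASSWORD" '
        BEGIN {
            OFS = ","; bad = 0
            print "user", "password", "group"          # new header
            g["Database Admin"]  = "DBA"                # Team -> IAM group map
            g["Cloud Architect"] = "CloudAdmin"
            g["Linux Admin"]     = "LinuxAdmin"
            g["Network Admin"]   = "NetworkAdmin"
            g["Trainee"]         = "Trainees"
        }
        NR == 1 { next }                                # drop Name,Email,Team header
        NF < 3 || $2 == "" { next }                     # skip empty trailer rows
        {
            email = $2; team = $3
            sub(/@abc-company\.com$/, "", email)        # jane.doe@abc-company.com -> jane.doe
            if (!(team in g)) {
                printf "unknown team \"%s\" for %s\n", team, email > "/dev/stderr"
                bad = 1; next
            }
            print email, pw, g[team]                    # Name column is simply not emitted
        }
        END { exit bad }'
}

# Constructed sample of the raw sheet, with CRLF endings as Excel on Windows writes them.
SAMPLE_RAW="$(printf 'Name,Email,Team\r\nJane Doe,jane.doe@abc-company.com,Database Admin\r\nJohn Roe,john.roe@abc-company.com,Trainee\r\n')"

# Usage: printf '%s\n' "$SAMPLE_RAW" | format_users_csv > formatted_data.csv
```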

2. Creating IAM Groups, Assigning Policies, and Enforcing MFA Security

Now that we have formatted the data, we’re ready to finally start poking around the AWS console.

AWS environment architecture for IAM groups with assigned permissions and MFA security

To break up all these different concepts and value your time, I have another article walk-through to help you with this step. Go check it out: AWS IAM Best Practices: Creating User Groups, Assigning Policies, and Enforcing MFA Security. If you’re already familiar with this step, feel free to continue.

To recap, we are following the Role-Based Access Control (RBAC) model and the way it supports the Principle of Least Privilege (PoLP). Below is a brief description of each IAM group and its specific responsibilities:

  • CloudAdmin → Requires full AWS control for managing all resources.
  • DBA → Needs full control over database services.
  • LinuxAdmin → Access to manage EC2 instances.
  • NetworkAdmin → Focused on VPC and networking configurations.
  • Trainees → Should view AWS resources but cannot modify anything.

Follow the IAM Groups Architecture Solution below to properly set up your environment for the automation process.

AWS IAM Group Structure for Role-Based Access Control (RBAC)

Permissions used in the IAM groups:

  1. The specific permissions assigned to each group
  2. IAMUserChangePassword — Allows users to change their password
  3. EnforceMFAPolicy — Custom policy that requires users to enable MFA (Check out my other article with more details)
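An added example of a policy that behaves the way EnforceMFAPolicy is described here (it is not the article's own policy; it follows the self-service-MFA pattern AWS documents), written as a shell script that creates it and attaches it to the groups. It assumes the policy name EnforceMFAPolicy and that IAMUserChangePassword is attached alongside it, as listed above: an explicit Deny overrides that Allow, so iam:ChangePassword must be excluded from the Deny or the first-login password reset is blocked.

```shell
#!/bin/sh
# Added example, not the article's EnforceMFAPolicy (that lives in the companion
# post): a deny-unless-MFA policy of the shape AWS documents for self-service MFA.
# Assumes the policy is named EnforceMFAPolicy and is attached to every IAM group.
# The NotAction list is what lets a brand-new user change the temporary password
# and enrol a device before any MFA exists; drop iam:ChangePassword from it and
# the first-login reset that the migration script enforces is itself denied.
AWS_CLI="${AWS_CLI:-aws}"

# Write the policy document to the file named by $1.
write_enforce_mfa_policy() {
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AllowViewAccountInfo", "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
      "Resource": "*" },
    { "Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/*" },
    { "Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
      "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                 "iam:ListMFADevices", "iam:ResyncMFADevice"],
      "Resource": "arn:aws:iam::*:user/${aws:username}" },
    { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
      "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                    "iam:ChangePassword", "iam:GetAccountPasswordPolicy", "sts:GetSessionToken"],
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }
  ]
}
EOF
}

# Create the policy once and attach it to every group named on the command line.
attach_enforce_mfa_policy() {
    doc="$(mktemp)" && write_enforce_mfa_policy "$doc" || return 1
    arn="$("$AWS_CLI" iam create-policy --policy-name EnforceMFAPolicy \
          --policy-document "file://$doc" --query 'Policy.Arn' --output text)" || return 1
    for group in "$@"; do
        "$AWS_CLI" iam attach-group-policy --group-name "$group" --policy-arn "$arn"
    done
    rm -f "$doc"
}
```

Run as `attach_enforce_mfa_policy CloudAdmin DBA LinuxAdmin NetworkAdmin Trainees`; setting AWS_CLI=echo prints the calls instead of making them.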

3. Configuring AWS CloudShell for IAM Automation

In this step, we will configure AWS CloudShell and automate the process of creating IAM users and assigning them to their respective IAM groups. Below is a representation of this architecture:

In the following steps we will set up our environment on AWS to receive our data and execute the automation script.

a) Accessing AWS CloudShell — At the top of the AWS console, find the CloudShell icon:

Find CloudShell icon

The AWS CloudShell will open:

CloudShell

b) Installing required tools — Run the following command on the shell:

sudo yum install dos2unix -y

dos2unix ensures the file is formatted properly for execution on Linux-based systems such as AWS CloudShell. The tool converts text files from Windows (DOS) format to Unix/Linux format by removing the carriage-return characters (\r) that Windows line endings use.

Run sudo yum install dos2unix -y

c) Downloading the automation script

wget https://tcb-bootcamps.s3.amazonaws.com/bootcamp-aws/en/aws-iam-create-user.sh

The wget command retrieves the aws-iam-create-user.sh script hosted in an Amazon S3 bucket and saves it in the current directory of AWS CloudShell.

Run command to download script

d) Setting script execution permissions

chmod +x aws-iam-create-user.sh

This command makes the script executable. Running chmod +x ensures the script can be executed as a program in the terminal.

e) Uploading the CSV file — Upload the CSV file to CloudShell:

List all files to check that the CSV file was uploaded:

Find formatted_data.csv file

4. Running the Automation Script

a) Check content of CSV file:

cat formatted_data.csv
Contents of formatted_data.csv file

b) Run script:

./aws-iam-create-user.sh formatted_data.csv

You should be able to see the following output:

The output will show the login profile and IAM user details for each user in the CSV file.
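What the script has to do for each row, as an added example written for this walkthrough (it is not the bootcamp's aws-iam-create-user.sh, whose contents are not shown here). It assumes the user,password,group layout produced in the formatting step, that the five IAM groups already exist, and that the caller's credentials may create users; AWS_CLI is a hypothetical override that lets the calls be stubbed for a dry run.

```shell
#!/bin/sh
# Added example (not the bootcamp's aws-iam-create-user.sh, whose source is not on
# this page): for each user,password,group row it creates the IAM user, sets a
# console password that must be changed at first login, and adds the user to its
# group. Assumes the groups already exist and that the caller's credentials may
# create users. AWS_CLI can point at a stub (e.g. AWS_CLI=echo) for a dry run.
AWS_CLI="${AWS_CLI:-aws}"

# Create one user. The && chain stops at the first failing call, so a user that
# could not be created never ends up with a password or a group membership.
# Note: the temporary password is visible in the process list while the call runs.
create_iam_user() {
    user="$1"; password="$2"; group="$3"
    "$AWS_CLI" iam create-user --user-name "$user" &&
    "$AWS_CLI" iam create-login-profile --user-name "$user" \
        --password "$password" --password-reset-required &&
    "$AWS_CLI" iam add-user-to-group --user-name "$user" --group-name "$group"
}

# Walk the CSV: skip the header, strip CRLF from a Windows-saved file, and
# refuse rows that are incomplete or still carry the e-mail domain.
migrate_users() {
    tail -n +2 "$1" | tr -d '\r' | while IFS=, read -r user password group; do
        if [ -z "$user" ] || [ -z "$password" ] || [ -z "$group" ]; then
            printf 'skipping incomplete row: "%s,%s,%s"\n' "$user" "$password" "$group" >&2
            continue
        fi
        case "$user" in
            *@*) printf 'skipping %s: username must not be an e-mail address\n' "$user" >&2
                 continue ;;
        esac
        if create_iam_user "$user" "$password" "$group"; then
            printf 'created %s in group %s\n' "$user" "$group"
        else
            printf 'FAILED %s (see errors above)\n' "$user" >&2
        fi
    done
}

# Run directly as ./migrate_users.sh formatted_data.csv
if [ "$#" -ge 1 ]; then
    migrate_users "$1"
fi
```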

5. Validating Users

Finally, we will bring everything together by validating the users created in our console. We will log in as one of the users to ensure that all assigned policies to our IAM groups are functioning as expected.

a) Verify that the users were created by clicking on ‘Users’ in the left sidebar or selecting the number displayed under ‘Users’ in the IAM resources section:

View users

Choose one of the users to be tested. You can choose any of the users created. I will use ‘jane.doe’:

Choose a user from the list — e.g.: jane.doe

Check which group she’s assigned to so we know what permissions she will have — she’s assigned to the DBA IAM group:

Confirm group — jane.doe assigned DBA group

b) Sign in using the IAM user URL — Return to the IAM dashboard, copy the following URL, and paste it into an incognito browser window.

URL sign in for IAM users of your account

The link will open the IAM login form in the incognito tab with the Account ID displayed. Enter ‘jane.doe’ — or the username you selected — along with the default password we set for all users: Change@123:

Login form for IAM users

As expected from our automation script, the ‘password-reset-required’ flag enforces a password reset upon first login.

Choose a new, strong password — note that the one shown here is just an example.

You will be redirected to the AWS console as jane.doe:

jane.doe console

c) Check if ‘jane.doe’ has the proper permissions to execute her job function — Search for RDS service on the console:

Search for RDS service

On the RDS dashboard, click on Create database.

⚠️Notice the warning that you’re not authorized to perform certain tasks.

Warning message from Databases options

If you try to create a database, the options won’t load, and if any other databases already exist you won’t be able to view them:

Options won’t load

That’s because we need to enable MFA on our console as ‘jane.doe’.

d) Create MFA (Multi-Factor Authentication) for jane.doe — As expected, the EnforceMFAPolicy from our other article ensures that before you perform any task as this or any other user, you will have to set up MFA.

Return to the IAM Dashboard and click on Add MFA.

⚠️Notice more warnings that you’re not authorized to view certain information on your account.

IAM Dashboard

Choose the name for your device (I chose jane.doe for this one)

Device name — jane.doe

Choose the MFA device you’d like to use (I like to have the authenticator app on my phone):

I chose the Authenticator app for my MFA

Scan the QR code with the app on your phone, then enter MFA code 1 and MFA code 2. You will have to wait for the code shown by your authenticator to refresh before entering the second one:

Scan QR code and add the MFA codes

🥳Performing User Actions — You’re all set!

You MUST log out and log back in as jane.doe, using your MFA, to be able to perform the tasks intended for your user.

Login form for IAM users

Once you do, return to the RDS dashboard: the warning message that was displayed there before is now gone:

No warning message

When you click Create database this time, you will also see all of the options available for your user to perform the tasks they need:

Options for creating database are now available

Remember that all of your users will have to go through the same process to be able to perform their respective job functions.

📝Closing Notes

In this project, we went through the entire process of identifying the necessary tools and services, planning our strategy, preparing our data with proper formatting, creating and managing IAM groups, securing access, implementing an automated user migration strategy, and enabling MFA on the console to ensure users can perform their assigned job functions securely. 🚀

Below is a review of the final architecture with all the pieces put together:

Final architecture design

Written by Marlon
