Wendy Wong for AWS Community Builders


Creating your first IAM admin user and User group in your AWS account

What is IAM?

AWS Identity and Access Management (IAM) was introduced to AWS accounts on September 1, 2020. IAM provides controlled access to AWS resources and services for IAM users, groups of users and roles.

IAM is a free service provided by AWS, and IAM users and groups can be created from the IAM console.

How would you use IAM?

IAM grants permissions using the principle of 'least privilege', supported by IAM Access Analyzer, so that users have access only to the AWS services required to perform their job role or function in an organization.

IAM policies are used to grant access to AWS services and to specify what type of access is granted. The action table groups actions into the following access levels:

  • Read
  • Write
  • List
  • Permission Management

Reference Architecture

The AWS reference architecture diagram below provides an overview of AWS Identity and Access Management for an IAM user which grants access to AWS services with policy permissions that specify 'Allow'.


For example, under Identity and Access Management (IAM) and the navigation pane Policies, the level of access provided under the AdministratorAccess policy is full access for all AWS services.
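To make the difference between full access and least privilege concrete, the following Python sketch is an added example, not code from the original article. It compares the AdministratorAccess policy document with a constructed read-only policy for a data analyst and flags statements that grant wildcard access; the analyst policy, the bucket name and the `broad_grants` helper are assumptions made for illustration.

```python
import json

# Document of the AWS managed policy AdministratorAccess:
# every action allowed on every resource.
ADMINISTRATOR_ACCESS = json.loads(
    '{"Version": "2012-10-17", "Statement": '
    '[{"Effect": "Allow", "Action": "*", "Resource": "*"}]}'
)

# Constructed sample: read-only S3 access for a data analyst.
# The bucket name is a placeholder, not taken from the article.
ANALYST_S3_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-analytics-bucket",
                     "arn:aws:s3:::example-analytics-bucket/*"],
    }],
}

def _as_list(value):
    """IAM JSON accepts either a single value or a list in these fields."""
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """Return (statement index, finding) for Allow statements that are wider
    than least privilege. Condition blocks are not evaluated."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction allows every action except those listed.
            findings.append((i, "Allow with NotAction"))
            continue
        actions = _as_list(stmt.get("Action", []))
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        service_wide = [a for a in actions if a.endswith(":*")]
        if "*" in actions and any_resource:
            findings.append((i, "full administrator access"))
        elif service_wide and any_resource:
            findings.append((i, "service-wide wildcard: " + ", ".join(service_wide)))
    return findings

if __name__ == "__main__":
    for name, doc in [("AdministratorAccess", ADMINISTRATOR_ACCESS),
                      ("analyst-s3-read", ANALYST_S3_READ)]:
        print(name, broad_grants(doc) or "no broad grants")
```

The same check can be run over any policy document exported as JSON before it is attached to a user or group.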


The AWS reference architecture diagram below provides an overview of AWS Identity and Access Management with AWS Single Sign-On (SSO):

For example, a startup can use AWS Single Sign-On (SSO) via the identity provider Okta to grant permissions via AWS Organization to a group of users (e.g. 3 data analysts). The permissions of the data analysts can be managed for AWS applications such as Amazon S3, Amazon Glue DataBrew, Amazon QuickSight and Amazon Redshift. This group of users will have single-click access to their AWS account.


Important: AWS Root User account - use sparingly

It is best practice not to use your AWS root user account for tasks that do not require it, but you may use this account to create administrator access.

The alternative is to create admin access for each new user, with all of them having the same level of permissions under an administrator group.


You may need to create admin user access, using the AWS Management Console or programmatic access, if you wish to test and build production workloads for tasks which may include the following:

  • Databases
  • Data warehousing
  • ETL
  • Machine learning
  • AI

Tutorial: How to create your first IAM user and user group

Step 1: Log in to the AWS Management Console using your AWS root credentials

https://aws.amazon.com/console/


Step 2: Navigate to your AWS Account details and select Account.

Scroll down to 'IAM User and Role Access to Billing Information' and click edit.


Check the box 'IAM access' and click Update.


Step 4: Navigate to AWS Services and search for IAM to access the IAM console.


Step 5: From the IAM console, select Users on the left-hand side and click Add Users


Step 6: Under User name type 'Administrator'

Check the box: Password - AWS Management Console access

In Console password, create a custom password

Uncheck the box 'Require password reset'

Click: permissions


Step 7: Navigate to Users and click 'Add permissions'


Select 'Add User to Group' and click Create Group


Step 8: Select 'Administrator Access' and then click 'Create group'.


Step 9: Refresh your web browser so you can see the newly created Administrator group under User groups.


Under the Administrator group, full access is provided to AWS services.


Step 10: Optional: Create a tag to help manage AWS resources


Step 11: Confirmation that the new Administrator user has been successfully created


The IAM credentials of the Administrator user are shown. They can be sent to an email address and also downloaded as a CSV file for your record keeping, so that you can log in as an IAM user.


An email displays your new login URL to help you log in with your IAM user account credentials.


Step 12: Log in to your AWS account using your IAM credentials and password with the dedicated URL link provided in your email



Happy Learning! 😁

Next Tutorial: Creating a S3 bucket with audio files - Conversational AI part 2

Discussion (2)

Raman Sharma
Wendy Wong Author

Thanks Raman for sharing your article on Multi-Cloud, I love it! Provides great insight into the pragmatic adoption for startups for both GCP and AWS to look after the needs of different clients. I can relate I used to work for a startup :)