Last Updated: 07 May 2018
By Maynard Paton


Creating IAM Users For AWS


This page describes how to create two Identity and Access Management (IAM) users for signing in to Amazon Web Services (AWS).

The first IAM user will have full AWS access while the second will have full AWS access except to the Billing and IAM functions.

The second IAM user could be useful should you wish to allow somebody else to access the full technical side of your AWS account, but not have access to your billing details or be able to create another AWS user login.

We will create IAM access permissions for both users using IAM groups. That way, further users that require the same access permissions can created easily by simply assigning them to the relevant IAM group.

The AWS  documentation contains extensive details of IAM. I would recommend reading the AWS IAM Best Practices and Creating Your First IAM Admin User before following the instructions below.

Before You Start:

You should create an Account Alias as instructed within Get Started With AWS to provide a more convenient way to sign in to AWS through the IAM facility. The Account Alias is used during step 32 below.


Here are the steps to follow

1) Log in to the AWS console at https://aws.amazon.com/ with your 'root' email and password:


2) Select IAM from the Services menu:


3) Select Groups from the left-hand menu:


4) Click Create New Group:  


5) The Set Group Name page should appear:


Enter a Group Name. Something like AdministratorAccess_Group will be fine.

Then click Next Step.

6) The Attach Policy page should appear:


Type Admin into the Filter box and the AdministratorAccess policy should appear at the top of the list.

Tick the box on the left and then click Next Step.

7) The Review page should now appear:


Click Create Group.

Your new AdministratorAccess_Group group will now be created:


8) Now select Policies from the left-hand menu:


9) Click Create policy:


10) The Create policy page should appear:


Click JSON.

You should see something like this:


(The AWS IAM Documentation contains further details of this next step)

11) Copy and paste the following text over the existing text within the JSON editor:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"aws-portal:*",
"iam:*"
],
"Resource": "*"
}
]
}


12) You should see something like this:


Click Review policy. 

13) The Review policy page should appear:


Enter a Name. Something like AdminTechAccess_Policy will be fine.

Enter a Description. Something like A policy to allow access to all AWS areas except Billing and IAM will be fine.

Then click Create policy.

A message should confirm the AdminTechAccess_Policy policy has been created and the policy should now appear within the list:


14) Now select Groups from the left-hand menu:


15) Click Create New Group:


16) The Set Group Name page should appear:


Enter a Group Name. Something like AdminTechAccess_Group will be fine.

Then click Next Step.

17) The Attach Policy page should appear:


Type Admin into the Filter box and the AdminTechAccess_Policy policy should appear near the top of the list.

Tick the box on the left and then click Next Step.

18) The Review page should now appear:


Click Create Group.

Your new AdminTechAccess_Group group will now be created:


19) Now select Users from the left-hand menu:


20) Click Add user:


21) The Set user details page should appear:


Enter a User name. Something like Administrator will be fine.

For Access Type, select AWS Management Console access

For convenience, you may wish to select Custom password for Console password and enter your own password. You may also wish to leave the Require password reset box unticked

Then click Next: Permissions.

22) The Set permissions page should appear:


Tick the AdministratorAccess_Group group. 

Then click Next: Review.

23) The Review page should appear:


Click Create user.

24) A message confirming the Administrator user having been created should appear:


Click Close.

The Administrator user should now appear within the list:


25) Click Add user:


26) The Set user details page should appear:


Enter a User name. Something like AdminTech will be fine.

For Access Type, select AWS Management Console access

For convenience, you may wish to select Custom password for Console password and enter your own password. You may also wish to leave the Require password reset box unticked

Then click Next: Permissions.

27) The Set permissions page should appear:


Tick the AdminTechAccess_Group group. 

Then click Next: Review.

28) The Review page should appear:


Click Create user.

29) A message confirming the AdminTech user having been created should appear:


Click Close.

The AdminTech user should now appear within the list:


30) Let's now check whether the AdminTech IAM user is prevented from accessing the Billing and IAM functions.

So, Sign Out of AWS:


31) The Root user sign in page should appear:


Click Sign in to a different account.

32) The Sign in  page should appear:


Enter your account ID or account alias.  (You should have already set your Account Alias during Get Started With AWS.)

Click Next.


Then enter AdminTech (or the User name chosen in step 26 above) as the IAM user name.

Enter the password chosen in step 26 above as the Password.

Click Sign In.

33) Once signed in, select My Billing Dashboard:


A You Need Permissions message should now appear:


34) Then select IAM from the Services menu:


These error messages should now appear:


35) Sign Out of AWS:


36) Sign back in using Administrator (or the User name chosen in step 21 above) as the IAM user name.

Enter the password chosen in step 21 above as the Password:


Then click Sign In.

The AWS Best Practice documentation recommends signing in using IAM credentials for everyday AWS usage. 

37) All done! 

If you have any questions or comments about this page, please let me know so I can keep this website as helpful as possible.

Happy blogging!

Maynard Paton

(Want to learn more? Click here to visit the full website index.)


profile-pic

Sendy Is Fast, Reliable And Cheap!

We found that as our subscribers grew, we were creeping up to over $100 a month for a traditional cloud-based email marketing platform. We decided to explore alternatives and ended up landing on a great self-hosted email marketing solution called Sendy.

Overall, we've found Sendy to not only be an excellent alternative to MailChimp, but to blow it away as far as speed, usability and functionality are concerned.

Sendy is fast, reliable and cheap.

Mike Johnston, cmscritic.com , Sendy customer

MailChimp 'Disruptor'. $59 One-Off Fee. Full Refund Available.

Do NOT follow this link or you will be banned from the site!