Last Updated: 07 May 2018
By Maynard Paton


Creating IAM Users For AWS


This page describes how to create two Identity and Access Management (IAM) users for signing in to Amazon Web Services (AWS).

The first IAM user will have full AWS access while the second will have full AWS access except to the Billing and IAM functions.

The second IAM user could be useful should you wish to allow somebody else to access the full technical side of your AWS account, but not have access to your billing details or be able to create another AWS user login.

We will create IAM access permissions for both users using IAM groups. That way, further users that require the same access permissions can be created easily by simply assigning them to the relevant IAM group.

The AWS documentation contains extensive details of IAM. I would recommend reading the AWS IAM Best Practices and Creating Your First IAM Admin User before following the instructions below.

Before You Start:

You should create an Account Alias as instructed within Get Started With AWS to provide a more convenient way to sign in to AWS through the IAM facility. The Account Alias is used during step 32 below.


Here are the steps to follow

1) Log in to the AWS console at https://aws.amazon.com/ with your 'root' email and password:


2) Select IAM from the Services menu:


3) Select Groups from the left-hand menu:


4) Click Create New Group:


5) The Set Group Name page should appear:


Enter a Group Name. Something like AdministratorAccess_Group will be fine.

Then click Next Step.

6) The Attach Policy page should appear:


Type Admin into the Filter box and the AdministratorAccess policy should appear at the top of the list.

Tick the box on the left and then click Next Step.

7) The Review page should now appear:


Click Create Group.

Your new AdministratorAccess_Group group will now be created:


8) Now select Policies from the left-hand menu:


9) Click Create policy:


10) The Create policy page should appear:


Click JSON.

You should see something like this:


(The AWS IAM Documentation contains further details of this next step)

11) Copy and paste the following text over the existing text within the JSON editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "aws-portal:*",
                "iam:*"
            ],
            "Resource": "*"
        }
    ]
}
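The policy above works because IAM evaluates every attached statement and lets an explicit Deny override any Allow, so the second statement carves Billing (aws-portal) and IAM out of the blanket Allow in the first. The following is an added example, not code from the original page or from AWS: a small Python simulation of that action-matching logic, run against the AdministratorAccess policy and the AdminTechAccess_Policy JSON from step 11. It reproduces the outcome you check by hand in steps 33 and 34 (Billing and IAM denied, everything else allowed). It deliberately ignores Resource, Condition, service control policies and permission boundaries; the sample action names are constructed for the demonstration.

```python
"""Minimal simulation of IAM's policy evaluation logic (added example).

Models only the action-matching part of the evaluation: every statement in
every attached policy is checked, an explicit Deny anywhere wins over any
Allow, and an action matched by nothing is implicitly denied. Resources,
conditions, SCPs and permission boundaries are out of scope here.
"""
import fnmatch
import json

# The AWS managed AdministratorAccess policy (attached to the first group).
ADMINISTRATOR_ACCESS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# The AdminTechAccess_Policy document from step 11 (attached to the second group).
ADMIN_TECH_ACCESS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["aws-portal:*", "iam:*"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action/NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action names are case-insensitive and support '*' and '?' wildcards.

    fnmatch also understands '[...]' character classes, which IAM does not;
    that is harmless for the patterns used on this page.
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_matches(statement, action):
    """True if the statement applies to this action.

    'Action' lists the actions covered; 'NotAction' covers every action
    except those listed. A statement with neither covers nothing.
    """
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def evaluate(policies, action):
    """Evaluate one action against a list of policy documents.

    Returns 'explicit_deny', 'allow' or 'implicit_deny'. An explicit Deny in
    any attached policy wins regardless of how many Allow statements match.
    """
    allowed = False
    for policy in policies:
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):  # a single statement need not be wrapped in a list
            statements = [statements]
        for statement in statements:
            if not statement_matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            if statement["Effect"] == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


def compare_users(actions):
    """Map each action to (Administrator result, AdminTech result)."""
    return {
        action: (evaluate([ADMINISTRATOR_ACCESS], action),
                 evaluate([ADMIN_TECH_ACCESS], action))
        for action in actions
    }


if __name__ == "__main__":
    # Constructed sample actions: the two areas the page checks in steps 33
    # and 34, plus an ordinary technical action both users should be able to call.
    sample = ["aws-portal:ViewBilling", "iam:CreateUser", "ec2:DescribeInstances"]
    for action, (admin, tech) in compare_users(sample).items():
        print(f"{action:26} Administrator={admin:14} AdminTech={tech}")
```

Two things the simulation makes visible that the console walkthrough does not: putting a user in both groups does not widen their access, because the Deny in AdminTechAccess_Policy still wins over the Allow from AdministratorAccess; and the Deny on iam:* also catches iam:ChangePassword, so the AdminTech user cannot change their own password, which is why the page leaves the Require password reset box unticked for that user.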


12) You should see something like this:


Click Review policy.

13) The Review policy page should appear:


Enter a Name. Something like AdminTechAccess_Policy will be fine.

Enter a Description. Something like A policy to allow access to all AWS areas except Billing and IAM will be fine.

Then click Create policy.

A message should confirm the AdminTechAccess_Policy policy has been created and the policy should now appear within the list:


14) Now select Groups from the left-hand menu:


15) Click Create New Group:


16) The Set Group Name page should appear:


Enter a Group Name. Something like AdminTechAccess_Group will be fine.

Then click Next Step.

17) The Attach Policy page should appear:


Type Admin into the Filter box and the AdminTechAccess_Policy policy should appear near the top of the list.

Tick the box on the left and then click Next Step.

18) The Review page should now appear:


Click Create Group.

Your new AdminTechAccess_Group group will now be created:


19) Now select Users from the left-hand menu:


20) Click Add user:


21) The Set user details page should appear:


Enter a User name. Something like Administrator will be fine.

For Access Type, select AWS Management Console access.

For convenience, you may wish to select Custom password for Console password and enter your own password. You may also wish to leave the Require password reset box unticked.

Then click Next: Permissions.

22) The Set permissions page should appear:


Tick the AdministratorAccess_Group group.

Then click Next: Review.

23) The Review page should appear:


Click Create user.

24) A message confirming the Administrator user having been created should appear:


Click Close.

The Administrator user should now appear within the list:


25) Click Add user:


26) The Set user details page should appear:


Enter a User name. Something like AdminTech will be fine.

For Access Type, select AWS Management Console access.

For convenience, you may wish to select Custom password for Console password and enter your own password. You may also wish to leave the Require password reset box unticked.

Then click Next: Permissions.

27) The Set permissions page should appear:


Tick the AdminTechAccess_Group group.

Then click Next: Review.

28) The Review page should appear:


Click Create user.

29) A message confirming the AdminTech user having been created should appear:


Click Close.

The AdminTech user should now appear within the list:


30) Let's now check whether the AdminTech IAM user is prevented from accessing the Billing and IAM functions.

So, Sign Out of AWS:


31) The Root user sign in page should appear:


Click Sign in to a different account.

32) The Sign in page should appear:


Enter your account ID or account alias. (You should have already set your Account Alias during Get Started With AWS.)

Click Next.


Then enter AdminTech (or the User name chosen in step 26 above) as the IAM user name.

Enter the password chosen in step 26 above as the Password.

Click Sign In.

33) Once signed in, select My Billing Dashboard:


A 'You Need Permissions' message should now appear:


34) Then select IAM from the Services menu:


These error messages should now appear:


35) Sign Out of AWS:


36) Sign back in using Administrator (or the User name chosen in step 21 above) as the IAM user name.

Enter the password chosen in step 21 above as the Password:


Then click Sign In.

The AWS Best Practice documentation recommends signing in using IAM credentials for everyday AWS usage.

37) All done!

If you have any questions or comments about this page, please let me know so I can keep this website as helpful as possible.

Happy blogging!

Maynard Paton
