Creating your first IAM admin user and user group - AWS Identity and Access Management

Creating your first IAM admin user and user group

Important

If you found this page because you are looking for information about the Product Advertising API to sell Amazon products on your website, see the Product Advertising API 5.0 Documentation.

As a best practice, do not use the AWS account root user for any task where it's not required. Instead, create a new IAM user for each person who requires administrator access. Then make those users administrators by placing them into an "Administrators" user group to which you attach the AdministratorAccess managed policy.

Thereafter, the users in the administrators user group should set up the user groups, users, and so on, for the AWS account. All future interaction should be through the AWS account's users and their own keys instead of the root user. However, to perform some account and service management tasks, you must log in using the root user credentials. To view the tasks that require you to sign in as the root user, see AWS Tasks that Require Account Root User.

Creating an administrator IAM user and user group (console)

This procedure describes how to use the AWS Management Console to create an IAM user for yourself and add that user to a user group that has administrative permissions from an attached managed policy.

To create an administrator user for yourself and add the user to an administrators user group (console)

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    Note

    We strongly recommend that you adhere to the best practice of using the Administrator IAM user created below and securely lock away the root user credentials. Sign in as the root user only to perform the few account and service management tasks that require it.

  2. Enable access to billing data for the IAM admin user that you will create as follows:

    1. On the navigation bar, choose your account name, and then choose My Account.

    2. Next to IAM User and Role Access to Billing Information, choose Edit. You must be signed in as the root user for this section to be displayed on the account page.

    3. Select the check box to Activate IAM Access and choose Update.

    4. On the navigation bar, choose Services and then IAM to return to the IAM console.

  3. In the navigation pane, choose Users and then choose Add users.

  4. On the Details page, do the following:

    1. For User name, type Administrator.

    2. Select the check box for AWS Management Console access, select Custom password, and then type your new password in the text box.

    3. By default, AWS forces the new user to create a new password when first signing in. You can optionally clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

    4. Choose Next: Permissions.

  5. On the Permissions page, do the following:

    1. Choose Add user to group.

    2. Choose Create group.

    3. In the Create group dialog box, for Group name type Administrators.

    4. Select the check box for the AdministratorAccess policy.

    5. Choose Create group.

    6. Back on the page with the list of user groups, select the check box for your new user group. Choose Refresh if you don't see the new user group in the list.

    7. Choose Next: Tags.

  6. (Optional) On the Tags page, add metadata to the user by attaching tags as key-value pairs. For more information, see Tagging IAM resources.

  7. Choose Next: Review. Verify the user group memberships to be added to the new user. When you are ready to proceed, choose Create user.

  8. (Optional) On the Complete page, you can download a .csv file with login information for the user, or send email with login instructions to the user.

You can use this same process to create more user groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management for AWS resources and Example IAM identity-based policies. To add additional users to the user group after it's created, see Adding and removing users in an IAM user group.

Creating an IAM user and user group (AWS CLI)

If you followed the steps in the previous section, you used the AWS Management Console to set up an administrators user group while creating the IAM user in your AWS account. This procedure shows an alternative way to create a user group.

Overview: Setting up an administrators user group

  1. Create a user group and give it a name (for example, Admins). For more information, see Creating a user group (AWS CLI).

  2. Attach a policy that gives the user group administrative permissions—access to all AWS actions and resources. For more information, see Attaching a policy to the user group (AWS CLI).

  3. Add at least one user to the user group. For more information, see Creating an IAM user in your AWS account.

Creating a user group (AWS CLI)

This section shows how to create a user group in the IAM system.

Requirements

Install the AWS Command Line Interface (AWS CLI). For more information, see Installing the AWS CLI in the AWS Command Line Interface User Guide.

To create an administrators user group (AWS CLI)

  1. Type the aws iam create-group command with the name you've chosen for the user group. Optionally, you can include a path as part of the user group name. For more information about paths, see Friendly names and paths. The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be a maximum of 128 characters in length.

    In this example, you create a user group named Admins.

    aws iam create-group --group-name Admins

    {
        "Group": {
            "Path": "/",
            "CreateDate": "2014-06-05T20:29:53.622Z",
            "GroupId": "ABCDEFGHABCDEFGHABCDE",
            "Arn": "arn:aws:iam::123456789012:group/Admins",
            "GroupName": "Admins"
        }
    }

  2. Type the aws iam list-groups command to list the user groups in your AWS account and confirm the user group was created.

    aws iam list-groups

    {
        "Groups": [
            {
                "Path": "/",
                "CreateDate": "2014-06-05T20:29:53.622Z",
                "GroupId": "ABCDEFGHABCDEFGHABCDE",
                "Arn": "arn:aws:iam::123456789012:group/Admins",
                "GroupName": "Admins"
            }
        ]
    }

    The response includes the Amazon Resource Name (ARN) for your new user group. The ARN is a standard format that AWS uses to identify resources. The 12-digit number in the ARN is your AWS account ID. The friendly name you assigned to the user group (Admins) appears at the end of the user group's ARN.

Attaching a policy to the user group (AWS CLI)

This section shows how to attach a policy that lets any user in the user group perform any action on any resource in the AWS account. You do this by attaching the AWS managed policy called AdministratorAccess to the Admins user group. For more information about policies, see Access management for AWS resources.

To add a policy giving full administrator permissions (AWS CLI)

  1. Type the aws iam attach-group-policy command to attach the policy called AdministratorAccess to your Admins user group. The command uses the ARN of the AWS managed policy called AdministratorAccess.

    aws iam attach-group-policy --group-name Admins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

    If the command is successful, there is no response.

  2. Type the aws iam list-attached-group-policies command to confirm the policy is attached to the Admins user group.

    aws iam list-attached-group-policies --group-name Admins

    The response lists the names of the policies attached to the Admins user group. A response like the following tells you that the policy named AdministratorAccess has been attached to the Admins user group:

    {
        "AttachedPolicies": [
            {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
            }
        ],
        "IsTruncated": false
    }

You can confirm the contents of a particular policy with the aws iam get-policy command.

Important

After you have the administrators user group set up, you must add at least one user to it. For more information about adding users to a user group, see Creating an IAM user in your AWS account.
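The CLI procedure above, scripted end to end as an added example (not part of the AWS page): it creates the Admins group only if it does not already exist, attaches AdministratorAccess, verifies the attachment with a JMESPath query instead of eyeballing the JSON, and adds the first user. It assumes the AWS CLI is installed and configured with credentials allowed to call IAM; the function and variable names are this example's own.

```bash
#!/usr/bin/env sh
# Added example: scripted version of "Creating an IAM user and user group (AWS CLI)".
# Assumes the AWS CLI is installed and configured (see Requirements above).
set -eu

ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Create the group only if it is missing; create-group errors on a duplicate name.
ensure_group() {
  group="$1"
  if aws iam get-group --group-name "$group" >/dev/null 2>&1; then
    echo "group $group already exists"
  else
    aws iam create-group --group-name "$group" >/dev/null
    echo "created group $group"
  fi
}

# attach-group-policy is idempotent, so re-running the script is safe.
attach_admin_policy() {
  aws iam attach-group-policy --group-name "$1" --policy-arn "$ADMIN_POLICY_ARN"
}

# Succeeds only if AdministratorAccess is among the group's attached policies.
verify_admin_policy() {
  aws iam list-attached-group-policies --group-name "$1" \
    --query "AttachedPolicies[?PolicyArn=='${ADMIN_POLICY_ARN}'].PolicyName" \
    --output text | grep -qx "AdministratorAccess"
}

# The 12-digit account ID is the fifth colon-separated field of a group ARN,
# e.g. arn:aws:iam::123456789012:group/Admins -> 123456789012
account_id_from_arn() {
  echo "$1" | cut -d: -f5
}

# Full procedure: group, policy, verification, then the first member.
setup_admin_group() {
  group="$1"; user="${2:-}"
  ensure_group "$group"
  attach_admin_policy "$group"
  verify_admin_policy "$group" || { echo "AdministratorAccess not attached" >&2; return 1; }
  if [ -n "$user" ]; then
    aws iam create-user --user-name "$user" >/dev/null
    aws iam add-user-to-group --group-name "$group" --user-name "$user"
    echo "added $user to $group"
  fi
}
```

Source the file and run `setup_admin_group Admins Administrator` to perform all three overview steps in one go; the new user still needs a console password or access keys before it can sign in.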

Related resources

For related information found in the Amazon Web Services General Reference, see the following resources:

For related information in the IAM User Guide, see the following resources: