Creating your first IAM admin user and group - AWS Identity and Access Management

As a best practice, do not use the AWS account root user for any task where it's not required. Instead, create a new IAM user for each person that requires administrator access. Then make those users administrators by placing the users into an "Administrators" group to which you attach the AdministratorAccess managed policy.

Thereafter, the users in the administrators group should set up the groups, users, and so on, for the AWS account. All future interaction should be through the AWS account's users and their own keys instead of the root user. However, to perform some account and service management tasks, you must log in using the root user credentials. To view the tasks that require you to sign in as the root user, see AWS Tasks that Require Account Root User.

Creating an administrator IAM user and group (console)

This procedure describes how to use the AWS Management Console to create an IAM user for yourself and add that user to a group that has administrative permissions from an attached managed policy.

To create an administrator user for yourself and add the user to an administrators group (console)

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.


    We strongly recommend that you adhere to the best practice of using the Administrator IAM user below and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

  2. Enable access to billing data for the IAM admin user that you will create as follows:

    1. On the navigation bar, choose your account name, and then choose My Account.

    2. Next to IAM User and Role Access to Billing Information, choose Edit. You must be signed in as the root user for this section to be displayed on the account page.

    3. Select the check box to Activate IAM Access and choose Update.

    4. On the navigation bar, choose Services and then IAM to return to the IAM dashboard.

  3. In the navigation pane, choose Users and then choose Add user.

  4. On the Details page, do the following:

    1. For User name, type Administrator.

    2. Select the check box for AWS Management Console access, select Custom password, and then type your new password in the text box.

    3. By default, AWS forces the new user to create a new password when first signing in. You can optionally clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

    4. Choose Next: Permissions.

  5. On the Permissions page, do the following:

    1. Choose Add user to group.

    2. Choose Create group.

    3. In the Create group dialog box, for Group name type Administrators.

    4. Select the check box for the AdministratorAccess policy.

    5. Choose Create group.

    6. Back on the page with the list of groups, select the check box for your new group. Choose Refresh if you don't see the new group in the list.

    7. Choose Next: Tags.

  6. (Optional) On the Tags page, add metadata to the user by attaching tags as key-value pairs. For more information, see Tagging IAM users and roles.

  7. Choose Next: Review. Verify the group memberships to be added to the new user. When you are ready to proceed, choose Create user.

  8. (Optional) On the Complete page, you can download a .csv file with login information for the user, or send email with login instructions to the user.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management for AWS resources and Example IAM identity-based policies. To add additional users to the group after it's created, see Adding and removing users in an IAM group.

Creating an IAM user and group (AWS CLI)

If you followed the steps in the previous section, you used the AWS Management Console to set up an administrators group while creating the IAM user in your AWS account. This procedure shows an alternative way to create a group.

Overview: Setting up an administrators group

  1. Create a group and give it a name (for example, Admins). For more information, see Creating a group (AWS CLI).

  2. Attach a policy that gives the group administrative permissions—access to all AWS actions and resources. For more information, see Attaching a policy to the group (AWS CLI).

  3. Add at least one user to the group. For more information, see Creating an IAM user in your AWS account.

Creating a group (AWS CLI)

This section shows how to create a group in the IAM system.


Install the AWS Command Line Interface (AWS CLI). For more information, see Installing the AWS CLI in the AWS Command Line Interface User Guide.

To create an administrators group (AWS CLI)

  1. Type the aws iam create-group command with the name you've chosen for the group. Optionally, you can include a path as part of the group name. For more information about paths, see Friendly names and paths. The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be a maximum of 128 characters in length.

    In this example, you create a group named Admins.

    aws iam create-group --group-name Admins

    {
        "Group": {
            "Path": "/",
            "CreateDate": "2014-06-05T20:29:53.622Z",
            "GroupId": "ABCDEFGHABCDEFGHABCDE",
            "Arn": "arn:aws:iam::123456789012:group/Admins",
            "GroupName": "Admins"
        }
    }

  2. Type the aws iam list-groups command to list the groups in your AWS account and confirm the group was created.

    aws iam list-groups

    {
        "Groups": [
            {
                "Path": "/",
                "CreateDate": "2014-06-05T20:29:53.622Z",
                "GroupId": "ABCDEFGHABCDEFGHABCDE",
                "Arn": "arn:aws:iam::123456789012:group/Admins",
                "GroupName": "Admins"
            }
        ]
    }

    The response includes the Amazon Resource Name (ARN) for your new group. The ARN is a standard format that AWS uses to identify resources. The 12-digit number in the ARN is your AWS account ID. The friendly name you assigned to the group (Admins) appears at the end of the group's ARN.

Attaching a policy to the group (AWS CLI)

This section shows how to attach a policy that lets any user in the group perform any action on any resource in the AWS account. You do this by attaching the AWS managed policy called AdministratorAccess to the Admins group. For more information about policies, see Access management for AWS resources.

To add a policy giving full administrator permissions (AWS CLI)

  1. Type the aws iam attach-group-policy command to attach the policy called AdministratorAccess to your Admins group. The command uses the ARN of the AWS managed policy called AdministratorAccess.

    aws iam attach-group-policy --group-name Admins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

    If the command is successful, there is no response.

  2. Type the aws iam list-attached-group-policies command to confirm the policy is attached to the Admins group.

    aws iam list-attached-group-policies --group-name Admins

    The response lists the names of the policies attached to the Admins group. A response like the following tells you that the policy named AdministratorAccess has been attached to the Admins group:

    {
        "AttachedPolicies": [
            {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
            }
        ],
        "IsTruncated": false
    }

You can confirm the contents of a particular policy with the aws iam get-policy command.
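
As an added example (not part of the AWS documentation), the following Python code checks saved responses from aws iam list-groups and aws iam list-attached-group-policies against what this page describes: the group naming rule, the ARN layout, and the attached policy, matched by ARN rather than by name. The function names and the constructed second response are assumptions made for illustration.

```python
import json
import re

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # ARN used on the page
# Naming rule from the page: letters, digits, and + = , . @ _ - ; at most 128 characters.
GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,128}$")
# Group ARN layout: 12-digit account ID, then the path, then the friendly name.
GROUP_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):group(/(?:[^/]+/)*)([^/]+)$")

# Responses from the page (CreateDate omitted for brevity).
PAGE_LIST_GROUPS = '''{"Groups": [{"Path": "/", "GroupId": "ABCDEFGHABCDEFGHABCDE",
  "Arn": "arn:aws:iam::123456789012:group/Admins", "GroupName": "Admins"}]}'''
PAGE_ATTACHED = '''{"AttachedPolicies": [{"PolicyName": "AdministratorAccess",
  "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}], "IsTruncated": false}'''
# Constructed response: same policy name, but not the AWS managed ARN, and truncated.
CONSTRUCTED_ATTACHED = '''{"AttachedPolicies": [{"PolicyName": "AdministratorAccess",
  "PolicyArn": "arn:aws:iam::123456789012:policy/AdministratorAccess"}], "IsTruncated": true}'''


def parse_group_arn(arn):
    """Split a group ARN into (account_id, path, group_name)."""
    m = GROUP_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM group ARN: {arn!r}")
    return m.groups()


def check_admin_group(list_groups_json, attached_json, group_name, account_id):
    """Return a list of findings; an empty list means the setup matches the page."""
    groups, attached = json.loads(list_groups_json), json.loads(attached_json)
    findings = []
    if not GROUP_NAME_RE.match(group_name):
        findings.append("group name breaks the IAM naming rule")
    if groups.get("IsTruncated") or attached.get("IsTruncated"):
        findings.append("response is truncated; fetch the remaining pages")
    # Group names are not case sensitive, so compare case-insensitively.
    hits = [g for g in groups["Groups"] if g["GroupName"].lower() == group_name.lower()]
    if not hits:
        findings.append("group not found")
    elif parse_group_arn(hits[0]["Arn"])[0] != account_id:
        findings.append("group ARN is in a different account")
    # Compare the ARN, not the name: the name does not identify the AWS managed policy.
    if ADMIN_POLICY_ARN not in {p["PolicyArn"] for p in attached["AttachedPolicies"]}:
        findings.append("AWS managed AdministratorAccess is not attached")
    return findings


if __name__ == "__main__":
    for resp in (PAGE_ATTACHED, CONSTRUCTED_ATTACHED):
        print(check_admin_group(PAGE_LIST_GROUPS, resp, "Admins", "123456789012"))
```
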


After you have the administrators group set up, you must add at least one user to it. For more information about adding users to a group, see Creating an IAM user in your AWS account.
