AWS Identity and Access Management
User Guide

Creating Your First IAM Delegated User and Group

To support multiple users in your AWS account, you must delegate permission to allow other people to perform only the actions you want to allow. To do this, create an IAM group with the permissions those people need and then add IAM users to the necessary groups as you create them. You can use this process to set up the groups, users, and permissions for your entire AWS account.

This solution is best used by small and medium organizations where an AWS administrator can manually manage the users and groups. For large organizations, you can use custom IAM roles, federation, or single sign-on.

Creating a Delegated IAM User and Group (Console)

You can use the AWS Management Console to create an IAM group with delegated permissions, and then create an IAM user for someone else and add it to the group.

To create a delegated group and user for someone else (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. Choose Create policy.

  4. Choose the JSON tab and on the right side of the window choose Import managed policy.

  5. In the Import managed policies window, type power to reduce the list of policies. Then select the button next to the PowerUserAccess AWS managed policy.

  6. Choose Import.

    The imported policy is added to your JSON policy.

  7. Choose Review policy.

  8. On the Review page, for Name, type PowerUserExampleCorp. For Description, type Allows full access to all services except those for user management. Then choose Create policy to save your work.

  9. In the navigation pane, choose Groups and then choose Create New Group.

  10. In the Group Name box, type PowerUsers.

  11. In the list of policies, select the check box next to PowerUserExampleCorp. Then choose Next Step.

  12. Choose Create Group.

  13. In the navigation pane, choose Users and then choose Add user.

  14. For User name, type mary.major@examplecorp.com.

  15. Choose Add another user and type diego.ramirez@examplecorp.com for the second user.

  16. Select the check box next to AWS Management Console access and select Autogenerated password. By default, AWS forces the new user to create a new password when first signing in. Clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

  17. Choose Next: Permissions.

  18. On the Set permissions page, choose Add user to group and select the check box next to PowerUsers.

  19. Choose Next: Tagging.

  20. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM Entities.

  21. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create users.

  22. Download or copy the passwords for your new users and deliver them to the users securely. Separately, provide your users with a link to your IAM user console page and the user names you just created.

Reducing the Group Permissions

Members of the PowerUsers group have full access to all services except a few that provide user management actions (like IAM and Organizations). After a predefined period of inactivity (such as 90 days) has passed, you can review the services that your group members have actually accessed. Then you can reduce the permissions of the PowerUserExampleCorp policy to include only the services that your team needs.

For more information about the service last accessed data, see Reducing Permissions Using Service Last Accessed Data.

Reviewing Service Last Accessed Data

Wait for a predefined period of inactivity (such as 90 days) to pass. Then you can review the service last accessed data for your users or groups to learn when your users last attempted to access the services that your PowerUserExampleCorp policy allows.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups and then choose the PowerUsers group name.

  3. On the group summary page, choose the Access Advisor tab.

    The table of service last accessed data shows when the group members last attempted to access each service, in chronological order from the most recent attempt. The table includes only the services that the policy allows. In this case, the PowerUserExampleCorp policy allows access to all AWS services.

  4. Review the table and make a list of the services that your group members have recently accessed.

    For example, assume that within the last month, your team has accessed only the Amazon EC2 and Amazon S3 services. But six months ago, they accessed Amazon EC2 Auto Scaling and IAM. You know that they were investigating EC2 Auto Scaling, but decided that it wasn't necessary. You also know that they used IAM to create a role to allow Amazon EC2 to access data in an S3 bucket. So you decide to scale back the users' permissions to allow access to only the Amazon EC2 and Amazon S3 services.

Editing a Policy to Reduce Permissions

After you review your service last accessed data, you can edit your policy to allow access to only the services that your users need.

To use data to allow access to only necessary services

  1. In the navigation pane, choose Policies and then choose the PowerUserExampleCorp policy name.

  2. Choose Edit policy, and then choose the JSON tab.

  3. Edit the JSON policy document to allow only the services you want.

    For example, edit the first statement, the one with the Allow effect and the NotAction element, so that it allows only Amazon EC2 and Amazon S3 actions. To do this, replace it with a statement whose Sid is FullAccessToSomeServices and whose Action element lists only ec2:* and s3:*. Your new policy will look like the following example policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FullAccessToSomeServices",
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "s3:*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreateServiceLinkedRole",
                    "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles",
                    "organizations:DescribeOrganization"
                ],
                "Resource": "*"
            }
        ]
    }

  4. To further reduce your policies' permissions to specific actions and resources, view your events in CloudTrail Event history. There you can view detailed information about the specific actions and resources that your user has accessed. For more information, see Viewing CloudTrail Events in the CloudTrail Console in the AWS CloudTrail User Guide.
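The review-then-edit procedure above (Reviewing Service Last Accessed Data and Editing a Policy to Reduce Permissions) can be applied mechanically. The following Python example is added here and is not AWS code: it takes a constructed copy of the PowerUserExampleCorp policy and constructed service last accessed records (in the shape of iam:GetServiceLastAccessedDetails output, an assumption), drops services not used within the inactivity window, and rewrites the Allow/NotAction statement as the explicit FullAccessToSomeServices statement. It also refuses to grant a namespace the NotAction statement never allowed (iam, organizations), even if it shows up in the access data.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the imported PowerUserAccess policy as shown on this page.
POWER_USER_EXAMPLE_CORP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles", "organizations:DescribeOrganization"],
         "Resource": "*"},
    ],
}

# Constructed Access Advisor records for the PowerUsers group (assumed shape:
# ServiceNamespace + LastAuthenticated, None when the service was never used).
NOW = datetime(2019, 7, 1, tzinfo=timezone.utc)
LAST_ACCESSED = [
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=12)},
    {"ServiceNamespace": "autoscaling", "LastAuthenticated": NOW - timedelta(days=180)},
    {"ServiceNamespace": "iam", "LastAuthenticated": NOW - timedelta(days=180)},
    {"ServiceNamespace": "lambda", "LastAuthenticated": None},
]


def recently_used_namespaces(records, now, window_days=90):
    """Service namespaces with at least one access attempt inside the window."""
    cutoff = now - timedelta(days=window_days)
    return sorted({r["ServiceNamespace"] for r in records
                   if r.get("LastAuthenticated") and r["LastAuthenticated"] >= cutoff})


def reduce_policy(policy, used, sid="FullAccessToSomeServices"):
    """Replace each Allow/NotAction statement with an explicit Allow on `used`.
    Namespaces excluded by NotAction are never added, so the rewrite cannot widen access.
    Statements that already list explicit actions are kept unchanged."""
    statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            not_action = stmt["NotAction"]
            if isinstance(not_action, str):          # IAM allows a bare string here
                not_action = [not_action]
            excluded = {a.split(":")[0] for a in not_action if a.endswith(":*")}
            actions = [f"{ns}:*" for ns in used if ns not in excluded]
            statements.append({"Sid": sid, "Effect": "Allow",
                               "Action": actions, "Resource": stmt["Resource"]})
        else:
            statements.append(stmt)
    return {"Version": policy["Version"], "Statement": statements}
```

The reduced document still needs the resource-level tightening described in step 4; this only narrows the service list, which is as far as Access Advisor data can take you.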