Create IAM users - AWS Migration Hub Refactor Spaces

Create IAM users

When you create an AWS account, you get a single sign-in identity that has complete access to all of the AWS services and resources in the account. This identity is called the AWS account root user. Signing in to the AWS Management Console using the email address and password that you used to create the account gives you complete access to all of the AWS resources in your account.

We strongly recommend that you not use the root user for everyday tasks, even the administrative ones. Instead, follow the security best practice Create Individual IAM Users and create an AWS Identity and Access Management (IAM) administrator user. Then, securely lock away the root user credentials and use them to perform only a few account and service management tasks.

In addition to creating an administrative user, you must also create non-administrative IAM users. The following topics explain how to create both types of IAM users.

Creating an IAM administrative user

By default, an administrator account inherits the AWSMigrationHubRefactorSpacesFullAccess managed policy required for accessing AWS Migration Hub Refactor Spaces.

To create an administrator user

Creating an IAM non-administrative user

This section describes how to grant a non-administrative user the permissions required to use Refactor Spaces.

Before using Refactor Spaces, create a user with the AWSMigrationHubRefactorSpacesFullAccess managed policy, and then attach to that user the policy that grants the extra permissions required to use Refactor Spaces. This extra required permissions policy is described in Extra required permissions for Refactor Spaces.

When creating non-administrative IAM users, follow the security best practice Grant Least Privilege and grant users minimum permissions.

To create a non-administrator IAM user to use with Refactor Spaces

  1. In the AWS Management Console, navigate to the IAM console.

  2. Create a non-administrator IAM user by following the instructions for creating a user with the console as described in Creating an IAM user in your AWS account in the IAM User Guide.

    While following the instructions in the IAM User Guide:

    • At the step for selecting the type of access, select both Programmatic access and AWS Management Console access.

    • At the step for the Set permission page, choose the option to Attach existing policies to user directly. Then, select the managed IAM policy AWSMigrationHubRefactorSpacesFullAccess.

    • At the step for viewing the user's access keys (access key IDs and secret access keys), follow the guidance in the Important note about saving the user's new access key ID and secret access key in a safe and secure place.

  3. After creating the user, add the extra required permissions policy to the user by following the directions to embed an inline policy for a user, as described in Adding IAM identity permissions in the IAM User Guide. This extra required permissions policy is described in Extra required permissions for Refactor Spaces.
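To confirm that a user created with the steps above ended up with the intended permissions, the following added example (not part of the original AWS documentation) audits the JSON returned by `aws iam list-attached-user-policies` and `aws iam list-user-policies`. The inline policy name `RefactorSpacesExtraPermissions`, the account ID, and the sample responses are assumptions constructed for illustration.

```python
import json

REQUIRED_MANAGED = "AWSMigrationHubRefactorSpacesFullAccess"  # named on the page
ADMIN_MANAGED = "AdministratorAccess"  # AWS managed policy; too broad for this user
EXTRA_INLINE = "RefactorSpacesExtraPermissions"  # assumed inline policy name


def is_aws_managed(policy, name):
    """True if `policy` is the AWS managed policy `name`, not a same-named copy."""
    # AWS managed ARNs carry "aws" in the account field
    # (arn:aws:iam::aws:policy/...); customer managed ones carry an account ID.
    parts = policy["PolicyArn"].split(":")
    return policy["PolicyName"] == name and len(parts) == 6 and parts[4] == "aws"


def audit_user(attached_json, inline_json, extra_inline=EXTRA_INLINE):
    """Return a list of findings; an empty list means the user matches the steps."""
    attached = json.loads(attached_json).get("AttachedPolicies", [])
    inline = json.loads(inline_json).get("PolicyNames", [])
    findings = []
    if not any(is_aws_managed(p, REQUIRED_MANAGED) for p in attached):
        findings.append("missing AWS managed policy " + REQUIRED_MANAGED)
    if extra_inline not in inline:
        findings.append("missing inline policy " + extra_inline)
    if any(is_aws_managed(p, ADMIN_MANAGED) for p in attached):
        findings.append("non-administrative user has " + ADMIN_MANAGED)
    return findings


# Constructed sample responses (account ID 111122223333 is a placeholder).
GOOD_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": REQUIRED_MANAGED,
     "PolicyArn": "arn:aws:iam::aws:policy/" + REQUIRED_MANAGED}]})
GOOD_INLINE = json.dumps({"PolicyNames": [EXTRA_INLINE]})

BAD_ATTACHED = json.dumps({"AttachedPolicies": [
    # Customer managed policy that only shares the required policy's name.
    {"PolicyName": REQUIRED_MANAGED,
     "PolicyArn": "arn:aws:iam::111122223333:policy/" + REQUIRED_MANAGED},
    {"PolicyName": ADMIN_MANAGED,
     "PolicyArn": "arn:aws:iam::aws:policy/" + ADMIN_MANAGED}]})
BAD_INLINE = json.dumps({"PolicyNames": []})

if __name__ == "__main__":
    print("good user:", audit_user(GOOD_ATTACHED, GOOD_INLINE))
    for finding in audit_user(BAD_ATTACHED, BAD_INLINE):
        print("bad user:", finding)
```

The check only confirms that the named policies are present; the contents of the inline policy still need to be compared against Extra required permissions for Refactor Spaces.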