Create IAM users - Migration Hub Strategy Recommendations

Create IAM users

When you create an AWS account, you get a single sign-in identity that has complete access to all of the AWS services and resources in the account. This identity is called the AWS account root user. Signing in to the AWS Management Console using the email address and password that you used to create the account gives you complete access to all of the AWS resources in your account.

We strongly recommend that you not use the root user for everyday tasks, even the administrative ones. Instead, follow the security best practice Create Individual IAM Users and create an AWS Identity and Access Management (IAM) administrator user. Then, securely lock away the root user credentials and use them to perform only a few account and service management tasks.

In addition to creating an administrative user, you must also create non-administrative IAM users. The following topics explain how to create both types of IAM users.

Creating an IAM Administrative User

By default, an administrator account inherits all the policies required for accessing Migration Hub Strategy Recommendations.

To create an administrator user

Creating an IAM Non-Administrative User

This section describes how to grant the permissions required for using Strategy Recommendations.

When creating a non-administrative IAM user for use with Strategy Recommendations, we recommend that you create two IAM users:

  • To access the console, create a user with both the AWSMigrationHubFullAccess and the AWSMigrationHubStrategyConsoleFullAccess managed policies attached.

  • To access the Strategy Recommendations application data collector, create a user with the AWSMigrationHubStrategyCollector managed policy attached.

Alternatively, you can create one user with all three managed policies attached.

IAM managed policies define the level of access to a service by non-administrative IAM users. The AWS Migration Hub AWSMigrationHubFullAccess managed policy grants a user access to the Migration Hub console. For more information, see Migration Hub Roles and Policies. For information about the AWSMigrationHubStrategyConsoleFullAccess and AWSMigrationHubStrategyCollector managed policies, see AWS managed policies for Migration Hub Strategy Recommendations.

When creating non-administrative IAM users, follow the security best practice Grant Least Privilege and grant users minimum permissions.

To create a non-administrator IAM user to use with Strategy Recommendations

  1. In the AWS Management Console, navigate to the IAM console.

  2. Create a non-administrator IAM user by following the instructions for creating a user with the console as described in Creating an IAM user in your AWS account in the IAM User Guide.

    While following the instructions in the IAM User Guide:

    • At the step for selecting the type of access, select both Programmatic access and AWS Management Console access.

    • At the step for the Set permission page, choose Attach existing policies to user directly. Then, select the managed IAM policy AWSMigrationHubFullAccess, AWSMigrationHubStrategyConsoleFullAccess, or AWSMigrationHubStrategyCollector from the list of policies.

    • At the step for viewing the user's access keys (access key IDs and secret access keys), follow the guidance in the Important note about saving the user's new access key ID and secret access key in a safe and secure place.
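A check to run once the users exist, as an added example (not AWS's own code): it compares each user's attached managed policies, in the shape returned by `aws iam list-attached-user-policies`, with the policy sets named on this page and reports anything missing or beyond them. The user names, role labels, `policy` helper and sample inventory are constructed for illustration.

```python
# Added example: audit attached managed policies against the split this page recommends.
# Policy names come from the page; user names and role labels are constructed.
EXPECTED = {
    "console": {"AWSMigrationHubFullAccess",
                "AWSMigrationHubStrategyConsoleFullAccess"},
    "collector": {"AWSMigrationHubStrategyCollector"},
}
# The page's alternative: one user with all three policies attached.
EXPECTED["combined"] = EXPECTED["console"] | EXPECTED["collector"]


def audit_user(user, role, attached_policies):
    """Return a list of findings for one IAM user.

    attached_policies is the "AttachedPolicies" list from
    `aws iam list-attached-user-policies --user-name <user>`.
    """
    if role not in EXPECTED:
        raise ValueError(f"unknown role label: {role!r}")
    attached = {p["PolicyName"] for p in attached_policies}
    findings = [f"{user}: missing {n}" for n in sorted(EXPECTED[role] - attached)]
    findings += [f"{user}: beyond least privilege: {n}"
                 for n in sorted(attached - EXPECTED[role])]
    return findings


def policy(name):
    # Hypothetical helper; assumes the AWS managed policy ARN has no path component.
    return {"PolicyName": name, "PolicyArn": f"arn:aws:iam::aws:policy/{name}"}


# Constructed sample inventory: (user, role label, attached policies).
SAMPLE = [
    ("sr-console", "console", [policy("AWSMigrationHubFullAccess"),
                               policy("AWSMigrationHubStrategyConsoleFullAccess")]),
    ("sr-collector", "collector", [policy("AWSMigrationHubStrategyCollector"),
                                   policy("AdministratorAccess")]),
    ("sr-console-2", "console", [policy("AWSMigrationHubFullAccess")]),
]


def audit_all(inventory):
    """Run audit_user over every (user, role, policies) entry, in order."""
    return [f for user, role, pols in inventory for f in audit_user(user, role, pols)]


if __name__ == "__main__":
    for line in audit_all(SAMPLE):
        print(line)
```
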