AWS Well-Architected Tool
User Guide

Provisioning an IAM User

In this step, you grant an IAM user permission to use AWS WA Tool.

To provision an IAM user

  1. Create an IAM user or use an existing one associated with your AWS account. For more information, see Creating an IAM User in the IAM User Guide.

  2. Grant the IAM user access to AWS Well-Architected Tool.

Full access

Full access allows the user to perform all actions in AWS WA Tool. This access is required to define workloads, delete workloads, view workloads, and update workloads.

Apply the WellArchitectedConsoleFullAccess managed policy to the user.

If you prefer to apply a custom inline policy, here is an example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "wellarchitected:*"
                ],
                "Resource": "*"
            }
        ]
    }

Read-only access

Read-only access allows the user to view workloads.

Apply the WellArchitectedConsoleReadOnlyAccess managed policy to the user.

If you prefer to apply a custom inline policy, here is an example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "wellarchitected:Get*",
                    "wellarchitected:List*"
                ],
                "Resource": "*"
            }
        ]
    }

The managed policies can be attached to an IAM user, group, or role.

To learn how to attach a policy to an IAM user, see Working with Policies. For more information on setting AWS WA Tool permissions, see Security.
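The following added example (not part of the AWS guide) checks which workload actions each of the two inline policies above grants, so that a custom policy can be reviewed for write access before it is attached. The function names and the sample action list are assumptions made for this example, and the matcher is simplified: it models only Effect and Action, not Resource, Condition, or NotAction.

```python
import fnmatch
import json

# The two inline policies shown on this page.
FULL_ACCESS = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["wellarchitected:*"], "Resource": "*"}]}
""")
READ_ONLY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["wellarchitected:Get*", "wellarchitected:List*"],
   "Resource": "*"}]}
""")

# Constructed sample: one action each for define, view, update and delete.
SAMPLE_ACTIONS = [
    "wellarchitected:CreateWorkload",
    "wellarchitected:GetWorkload",
    "wellarchitected:ListWorkloads",
    "wellarchitected:UpdateWorkload",
    "wellarchitected:DeleteWorkload",
]

def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, patterns):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def allowed_actions(policy, actions=SAMPLE_ACTIONS):
    """Return the actions granted by the policy (an explicit Deny wins)."""
    allow, deny = [], []
    for stmt in _as_list(policy["Statement"]):
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        (allow if stmt["Effect"] == "Allow" else deny).extend(patterns)
    return [a for a in actions
            if _matches(a, allow) and not _matches(a, deny)]

def write_actions(policy, actions=SAMPLE_ACTIONS):
    """Return granted actions that are not Get*/List* (i.e. can change data)."""
    return [a for a in allowed_actions(policy, actions)
            if not a.split(":", 1)[1].startswith(("Get", "List"))]

if __name__ == "__main__":
    for name, policy in (("full", FULL_ACCESS), ("read-only", READ_ONLY)):
        print(name, "-> write actions granted:", write_actions(policy))
```

An empty result from write_actions for a custom policy means that, for the sampled actions, it grants no more than the read-only policy does.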