Naveenkumar Chinnaboina

IAM User Best Practices

You can use the AWS Management Console to create IAM users.
To create one or more IAM users (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users and then choose Add users.
  3. Type the user name for the new user. This is the sign-in name for AWS. If you want to add multiple users, choose Add another user for each additional user and type their user names. You can add up to 10 users at one time.
     Note: The number and size of IAM resources in an AWS account are limited. For more information, see IAM and AWS STS quotas, name requirements, and character limits. User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser.
  4. Select the type of access this set of users will have. You can select programmatic access, access to the AWS Management Console, or both.
     a. Select Programmatic access if the users require access to the API, AWS CLI, or Tools for Windows PowerShell. This creates an access key for each new user. You can view or download the access keys when you get to the Final page.
     b. Select AWS Management Console access if the users require access to the AWS Management Console. This creates a password for each new user.
     c. For Console password, choose one of the following:
        • Autogenerated password. Each user gets a randomly generated password that meets the account password policy. You can view or download the passwords when you get to the Final page.
        • Custom password. Each user is assigned the password that you type in the box.
     d. (Optional) We recommend that you select Require password reset to ensure that users are forced to change their password the first time they sign in.
     Note: If an administrator has enabled the Allow users to change their own password account password policy setting, then this check box does nothing. Otherwise, it automatically attaches an AWS managed policy named IAMUserChangePassword to the new users. The policy grants them permission to change their own passwords.
  5. Choose Next: Permissions.
  6. On the Set permissions page, specify how you want to assign permissions to this set of new users. Choose one of the following three options:
     • Add user to group. Choose this option if you want to assign the users to one or more groups that already have permissions policies. IAM displays a list of the groups in your account, along with their attached policies. You can select one or more existing groups, or choose Create group to create a new group. For more information, see Changing permissions for an IAM user.
     • Copy permissions from existing user. Choose this option to copy all of the group memberships, attached managed policies, embedded inline policies, and any existing permissions boundaries from an existing user to the new users. IAM displays a list of the users in your account. Select the one whose permissions most closely match the needs of your new users.
     • Attach existing policies directly. Choose this option to see a list of the AWS managed and customer managed policies in your account. Select the policies that you want to attach to the new users or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to add the policy to the new user.
     Tip: Whenever possible, attach your policies to a group and then make users members of the appropriate groups.
  7. (Optional) Set a permissions boundary. This is an advanced feature. Open the Set permissions boundary section and choose Use a permissions boundary to control the maximum user permissions. IAM displays a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions boundary or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.
  8. Choose Next: Tags.
  9. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources.
  10. Choose Next: Review to see all of the choices you made up to this point. When you are ready to proceed, choose Create user.
  11. To view the users' access keys (access key IDs and secret access keys), choose Show next to each password and access key that you want to see. To save the access keys, choose Download .csv and then save the file to a safe location.
      Important: This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.
  12. Provide each user with his or her credentials. On the final page you can choose Send email next to each user. Your local mail client opens with a draft that you can customize and send. The email template includes the following details to each user:
      • User name
      • URL to the account sign-in page. Use the following example, substituting the correct account ID number or account alias: https://AWS-account-ID or alias.signin.aws.amazon.com/console
      For more information, see How IAM users sign in to AWS.

Create an IAM user group and attach policies (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose User groups and then choose Create group.
  3. For User group name, type the name of the group.
     Note: The number and size of IAM resources in an AWS account are limited. For more information, see IAM and AWS STS quotas, name requirements, and character limits. Group names can be a combination of up to 128 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create groups named both ADMINS and admins.
  4. In the list of users, select the check box for each user that you want to add to the group.
  5. In the list of policies, select the check box for each policy that you want to apply to all members of the group.
  6. Choose Create group.

View identity activity

Before you change the permissions for an identity (user, user group, or role), you should review their recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see Refining permissions in AWS using last accessed information.

Adding IAM identity permissions (console)

You can use the AWS Management Console to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a permissions boundary. You can also embed an inline policy.

To use a managed policy as a permissions policy for an identity (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Policies.
  3. In the list of policies, select the check box next to the name of the policy to attach. You can use the search box to filter the list of policies.
  4. Choose Actions, and then choose Attach.
  5. Select one or more identities to attach the policy to. You can use the search box to filter the list of principal entities. After selecting the identities, choose Attach policy.

To use a managed policy to set a permissions boundary (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Policies.
  3. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.
  4. On the policy summary page, choose the Policy usage tab, and then, if necessary, open the Permissions boundaries section and choose Set boundary.
  5. Select one or more users or roles on which to use the policy for a permissions boundary. You can use the search box to filter the list of principal entities. After selecting the principals, choose Set boundaries.

To embed an inline policy for a user or role (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users or Roles.
  3. In the list, choose the name of the user or role to embed a policy in.
  4. Choose the Permissions tab.
  5. Choose Add permissions and then choose Add inline policy.
     Note: You cannot embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or AWS CLI. To view the service-linked role documentation for a service, see AWS services that work with IAM and choose Yes in the Service-Linked Role column for your service.
  6. Choose from the following methods to view the steps required to create your policy:
     • Importing existing managed policies – You can import a managed policy within your account and then edit the policy to customize it to your specific requirements. A managed policy can be an AWS managed policy or a customer managed policy that you created previously.
     • Creating policies with the visual editor – You can construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.
     • Creating policies on the JSON tab – In the JSON tab, you can use JSON syntax to create a policy. You can enter a new JSON policy document or paste an example policy.
  7. After you create an inline policy, it is automatically embedded in your user or role.

To embed an inline policy for a user group (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose User groups.
  3. In the list, choose the name of the user group to embed a policy in.
  4. Choose the Permissions tab, choose Add permissions, and then choose Create inline policy.
  5. Do one of the following:
     • Choose the Visual editor tab to create the policy. For more information, see Creating policies with the visual editor.
     • Choose the JSON tab to create the policy. For more information, see Creating policies on the JSON tab.
  6. When you are satisfied with the policy, choose Create policy.

To change the permissions boundary for one or more entities (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Policies.
  3. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.
  4. On the policy summary page, choose the Policy usage tab, and then, if necessary, open the Permissions boundaries section. Select the check box next to the users or roles whose boundaries you want to change and then choose Change boundary.
  5. Select a new policy to use for a permissions boundary. You can use the search box to filter the list of policies. After selecting the policy, choose Change boundary.

Removing IAM identity permissions

You can use the AWS Management Console to remove permissions from an identity (user, user group, or role). To do this, detach managed policies that control permissions, or remove a policy that serves as a permissions boundary. You can also delete an inline policy.

To detach a managed policy used as a permissions policy (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Policies.
  3. In the list of policies, select the check box next to the name of the policy to detach. You can use the search box to filter the list of policies.
  4. Choose Actions, and then choose Detach.
  5. Select the identities to detach the policy from. You can use the search box to filter the list of identities. After selecting the identities, choose Detach policy.

To remove a permissions boundary (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Policies.
  3. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.
  4. On the policy summary page, choose the Policy usage tab, and then, if necessary, open the Permissions boundaries section and choose Remove boundary.
  5. Confirm that you want to remove the boundary and choose Remove.

To delete an inline policy (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose User groups, Users, or Roles.
  3. In the list, choose the name of the user group, user, or role that has the policy you want to remove.
  4. Choose the Permissions tab.
  5. Do one of the following:
     • In User groups or Roles, select the check box next to the policy and choose Remove.
     • In Users, choose X.
  6. Do one of the following:
     • In User groups or Roles, choose Delete in the confirmation box.
     • In Users, choose Detach in the confirmation box for a policy that is attached directly, or choose Remove from group for a policy that is attached from a group.

Adding IAM policies (AWS CLI)

You can use the AWS CLI to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a permissions boundary. You can also embed an inline policy.

To use a managed policy as a permissions policy for an entity (AWS CLI)
  1. (Optional) To view information about a managed policy, run the following commands:
     • To list managed policies: aws iam list-policies
     • To retrieve detailed information about a managed policy: aws iam get-policy
  2. To attach a managed policy to an identity (user, user group, or role), use one of the following commands:
     • aws iam attach-user-policy
     • aws iam attach-group-policy
     • aws iam attach-role-policy

To use a managed policy to set a permissions boundary (AWS CLI)

  1. (Optional) To view information about a managed policy, run the following commands:
     • To list managed policies: aws iam list-policies
     • To retrieve detailed information about a managed policy: aws iam get-policy
  2. To use a managed policy to set the permissions boundary for an entity (user or role), use one of the following commands:
     • aws iam put-user-permissions-boundary
     • aws iam put-role-permissions-boundary

MFA

To enable a virtual MFA device for an IAM user (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. In the Users list, choose the name of the IAM user.
  4. Choose the Security Credentials tab. Under Multi-factor authentication (MFA), choose Assign MFA device.
  5. In the Select MFA device wizard, type a Device name, choose Authenticator app, and then choose Next. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the "secret configuration key" that is available for manual entry on devices that do not support QR codes.
  6. Open your virtual MFA app. For a list of apps that you can use for hosting virtual MFA devices, see Multi-Factor Authentication. If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.
  7. Determine whether the MFA app supports QR codes, and then do one of the following:
     • From the wizard, choose Show QR code, and then use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
     • From the wizard, choose Show secret key, and then type the secret key into your MFA app.
     When you are finished, the virtual MFA device starts generating one-time passwords.
  8. In the wizard, in the MFA code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the MFA code 2 box. Choose Add MFA.
     Important: Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

The virtual MFA device is now ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA devices with your IAM sign-in page.

To change the password for an IAM user (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. Choose the name of the user whose password you want to change.
  4. Choose the Security credentials tab, and then under Sign-in credentials, choose Manage next to Console password.
  5. In Manage console access, for Console access choose Enable if not already selected. If console access is disabled, then no password is needed.
  6. For Set password, choose whether to have IAM generate a password or create a custom password:
     • To have IAM generate a password, choose Autogenerated password.
     • To create a custom password, choose Custom password, and type the password.
     Note: The password that you create must meet the account's password policy, if one is currently set.
  7. To require the user to create a new password when signing in, choose Require password reset. Then choose Apply.
     Important: If you select the Require password reset option, make sure that the user has permission to change his or her password. For more information, see Permitting IAM users to change their own passwords.
  8. If you choose the option to generate a password, choose Show in the New password dialog box. This lets you view the password so you can share it with the user.
     Important: For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.
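The permissions-boundary steps above (the Set boundary console procedure and put-user-permissions-boundary / put-role-permissions-boundary in the CLI section) all rest on one rule: a user or role can only do what both its permissions policies and its boundary allow, and an explicit Deny in either wins. The following Python is an added example, not code from the original post or from AWS; it models that evaluation over two constructed sample policy documents and handles only Action/Resource wildcard matching (no Condition elements, resource-based policies, SCPs or session policies).

```python
"""Simplified IAM decision logic with a permissions boundary (added example, not AWS code).

A request is allowed only if the identity-based policy allows it AND the permissions
boundary (when set) allows it; an explicit Deny in either wins. Only Action/Resource
wildcard matching is modelled: no Condition, resource-based policies, SCPs or session policies.
"""
import fnmatch


def _match(pattern, value):
    # IAM wildcards: '*' any run, '?' one char; '[' is escaped so fnmatch keeps it literal.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _as_list(element):
    return [element] if isinstance(element, str) else list(element)


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_match(a.lower(), action.lower()) for a in actions)
            and any(_match(r, resource) for r in resources))


def evaluate_policy(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if _statement_matches(stmt, action, resource):
            if stmt.get("Effect") == "Deny":
                return "Deny"  # explicit Deny always wins
            decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None):
    """Effective decision: every evaluated document must Allow and none may Deny."""
    decisions = [evaluate_policy(identity_policy, action, resource)]
    if boundary is not None:
        decisions.append(evaluate_policy(boundary, action, resource))
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


# Constructed sample: a developer's permissions policy, deliberately broad.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
]}

# Constructed sample boundary (what Set boundary / put-user-permissions-boundary attaches):
# S3 is capped to one bucket and iam:* is never allowed, so the IAM grant above is inert.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::team-bucket", "arn:aws:s3:::team-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}
```

With the boundary attached, iam:CreateUser is refused even though the permissions policy grants it, which is exactly why a boundary is the safer way to delegate user creation than attaching broad policies directly.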

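The virtual MFA enrolment step above asks for two consecutive one-time passwords (MFA code 1 and MFA code 2) and warns that a delay before submitting leaves the device out of sync. This added Python example (not code from the original post or from AWS) implements RFC 6238 TOTP and a check that derives the device's clock offset from two consecutive codes; the secret is the RFC 6238 test seed, while the timestamps and the +/-20-step search window are constructed assumptions and not AWS's real acceptance window.

```python
"""RFC 6238 TOTP and the two-consecutive-code enrolment check (added example, not AWS code).

The wizard's MFA code 1 / MFA code 2 are two consecutive 30-second codes; together
they let the verifier fix the device's clock offset. Waiting too long before
submitting makes that offset non-zero, which is the out-of-sync state the post
describes. The secret is the RFC 6238 test seed; timestamps and the +/-20-step
search window are constructed assumptions, not AWS's real acceptance window.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
RFC6238_TEST_SECRET = b"12345678901234567890"  # SHA-1 seed from RFC 6238 Appendix B


def totp(secret, unix_time, step=STEP_SECONDS):
    """HMAC-SHA1 TOTP, 6 digits, over the time-step counter floor(unix_time / step)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def sync_offset(secret, code1, code2, server_time, window=20):
    """Return the device clock offset in steps implied by two consecutive codes, or None.

    code2 is taken as the device's current code at submission time and code1 as the
    one before it. Offset 0 means the device agrees with the server clock; a negative
    value means the codes were generated that many steps before they were submitted,
    which is what a resync would have to record. Outside +/-window nothing matches.
    """
    base = int(server_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        step = base + delta
        current = totp(secret, step * STEP_SECONDS)
        previous = totp(secret, (step - 1) * STEP_SECONDS)
        if hmac.compare_digest(current, code2) and hmac.compare_digest(previous, code1):
            return delta
    return None


if __name__ == "__main__":
    # Constructed enrolment: codes generated at 1111111109 and 1111111111 (consecutive steps).
    c1, c2 = totp(RFC6238_TEST_SECRET, 1111111109), totp(RFC6238_TEST_SECRET, 1111111111)
    print("submitted at once   :", sync_offset(RFC6238_TEST_SECRET, c1, c2, 1111111111))  # 0
    print("submitted 5 min late:", sync_offset(RFC6238_TEST_SECRET, c1, c2, 1111111411))  # -10
```

A device enrolled with codes submitted five minutes late is associated with an offset of -10 steps, and one submitted half an hour late falls outside the window entirely, which is the case the post tells you to fix by resyncing.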