A hands-on companion to Chapter 4 - IAM: The Gatekeeper of AWS. Today, we create Aarav's login so he can finally get to work.
Quick Recap
In Chapter 4, we talked about why Pixel & Spoon can't hand out the root password to every team member.
Aarav, our backend developer, needs his own identity inside AWS: his own login, his own permissions, his own activity trail.
That's an IAM user.
Let's create his.
⚠️ Before You Start
Log in to AWS using your root account for this one time only. Creating users is exactly the kind of task root should still handle, until you've created an admin IAM user for yourself later in this series.
🛠️ Step-by-Step: Creating Aarav's IAM User
Step 1 - Open IAM
In the AWS Console search bar at the top, type IAM and click on it. This opens the IAM Dashboard.
Step 2 - Go to Users
On the left-hand sidebar, click IAM Users.

Click the orange Create user button in the top right.
Step 3 - Enter User Details
For the username, use something clear and consistent. For Aarav, we'll use:
aarav-dev
A good convention is firstname-role or firstname.lastname. Pick one and stick with it across your whole team; it'll make managing users much easier later.
Check the box for "Provide user access to the AWS Management Console". Aarav needs to log in and use the console himself.
You'll then be asked how he should sign in. Choose "I want to create an IAM user", then select "Custom password" and set a temporary one. Tick "User must create a new password at next sign-in". This way, Aarav sets his own password the first time he logs in, and you never actually know his real one.
Click Next.
Step 4 - Set Permissions
This is the important part.
You'll see three options:
- Add user to group: Recommended (we'll set this up in Ch 4.2)
- Copy permissions: Copies from an existing user
- Attach policies directly: Manual, one-off permissions
Since we haven't created the Developers group yet (that's the very next post in this series), for now select "Attach policies directly" and search for:
AmazonEC2FullAccess
This gives Aarav exactly what he needs right now: the ability to launch and manage EC2 instances. Nothing more.
💡 In Chapter 4.2, we'll create a proper "Developers" group and move Aarav into it instead, so you're not managing his permissions individually forever. This step is just to get him working today.
Click Next.
Step 5 - Review and Create
You'll see a summary: username, console access enabled, and the policy attached.
Double check everything looks right, then click Create user.
Step 6 - Save His Sign-In Details
AWS will now show you a success screen with:
- The console sign-in URL
- Aarav's username
- His temporary password
This password is shown only once. Download the .csv file or copy these details immediately and share them with Aarav through a secure channel, never over email or chat in plain text.
Sign-in URL: https://[your-account-id].signin.aws.amazon.com/console
Username: aarav-dev
Temp Password: [shown once, save it now]
What Just Happened
Aarav now has his own identity inside Pixel & Spoon's AWS account.
He can log in independently, using his own credentials. He has exactly the permission he needs (EC2 access) and nothing else. His actions inside AWS are now tracked under his own name, not the root account.
Repeat this exact process for Meera and Rohit. Just give them appropriate temporary policies for now (we'll clean this up properly with groups next):
- Meera: username meera-design, attach AmazonS3FullAccess
- Rohit: username rohit-devops, attach AdministratorAccess (he's DevOps, he needs broad access)
One More Thing: Enable MFA for Every User
Just like we did for the root account in Chapter 4, every IAM user with real access should have MFA enabled too.
Click on the user → Security credentials tab → Assign MFA device, and follow the same authenticator app process from Chapter 4.
Do this for Aarav, Meera, and Rohit now. Five minutes per person, and it closes one of the biggest security gaps a growing team can have.
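To confirm the MFA step actually stuck for all three users, you can check the IAM credential report. The script below is an added example, not part of the original post: it parses a constructed sample in the credential report's CSV layout and flags console users who have no MFA device or who have never used their temporary password. The account ID, timestamps and per-user states are made up for illustration.

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout (only the columns
# this check reads; a real report has more). All values are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T09:00:00+00:00,true
aarav-dev,arn:aws:iam::111122223333:user/aarav-dev,true,2024-05-02T10:15:00+00:00,true
meera-design,arn:aws:iam::111122223333:user/meera-design,true,no_information,false
rohit-devops,arn:aws:iam::111122223333:user/rohit-devops,true,2024-05-03T08:30:00+00:00,false
"""


def audit_console_users(report_csv):
    """Return {username: [findings]} for IAM users that need follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Skip root (handled in Chapter 4) and users without console access.
        if user == "<root_account>" or row["password_enabled"] != "true":
            continue
        issues = []
        if row["mfa_active"] != "true":
            issues.append("no MFA device assigned")
        # "no_information" means the password has never been used, so the
        # temporary password from Step 6 is still the live credential.
        if row["password_last_used"] == "no_information":
            issues.append("temporary password never used")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_console_users(SAMPLE_REPORT).items():
        print(f"{name}: {', '.join(issues)}")
```

A real report can be produced with `aws iam generate-credential-report` and downloaded with `aws iam get-credential-report`, whose content is base64-encoded CSV.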
🗺️ Continue the Hands-On Series
This is the first of four hands-on companion posts for Chapter 4:
4.1 - Creating IAM Users (you are here)
4.2 - Creating and Managing IAM Groups
4.3 - Writing and Attaching IAM Policies
4.4 - Creating IAM Roles (Human & Service)
Next up: we fix that "attach policies directly" workaround properly by creating real Groups for Pixel & Spoon's team.
Chapter 4.2: Creating and Managing IAM Groups (Read it here)
Resources I'm learning from:
- roadmap.sh/aws - my learning roadmap
- AWS Official Overview Whitepaper - straight from the source






