Login to the AWS console as root user or as an IAM user with IAMFullAccess policy. Choose IAM service under Security, Identity & Compliance on the Services page. If you have previously accessed IAM service, it can also be found under the History pane.
As you can see from the below image, I currently have 0 users and 0 groups in my AWS account. In the navigation pane on Identity and Access Management page, choose Users
To create a new user, select Add user on the Users page.
Provide user name for the new user. A few things to remember while creating IAM users:
- usernames are not case sensitive
- can have up-to 64 characters
- can contain letters, digits and +=,.@_-
- username must be unique within an AWS account
Access type is a required field for an IAM user. You can choose Programmatic access which creates access key ID and secret access key or AWS Management Console access which creates a password for the user or both.
Leave Console password as Autogenerated password and enable the Require password reset to force users to change password when they first login. Choose Next:Permissions to add permissions to the user.
Permissions can be granted to users in one of the below 3 ways
- By adding users to groups
- By Copying permissions from an existing user
- By attaching policies
Here, we will create a new group and add user to the group. Choose Create group
On the Create group window, provide a value for the Group name and select policies to apply to this group and choose Create group
As you can see from the below image, I now have an IAM group named admingroup with AdministratorAccess policy attached to it.
The advanced feature Set permissions boundary allows you to control the maximum permissions a user can have. By default a user is created without a permissions boundary. Choose Next:Tags to add tags.
Adding tags is an optional feature that allows you to organize users and manage them efficiently. Choose Next:Review to review the provided inputs and create user.
In the Review screen you can see IAMUserChangePassword policy is attached directly to the user. How did this policy get attached to the user ? Remember we enabled the Require password reset option to force user to change password when they first login ? IAMUserChangePassword policy is required for users to be able to change passwords and AWS automatically added this policy to the user although we did not explicitly add it.
After reviewing the details, choose Create user to create the user.
Success !!! The IAM user has been created with both Management console access and Programmatic access. Choose Download.csv to download the security credentials and email it to the user. This is your only chance to save the password and secret access key. If you do not save them now, you will not be able to retrieve these later. The only alternative is to can change password and create new pair of access keys.
Now I have 1 IAM user in my AWS account. If a user is no longer with your company or you’d like to remove the user account for any other reason, select the user and choose Delete user on the Users page.
