AWS best practices dictate that you should not use root user credentials for everyday admin tasks. Proper data security requires the use of special administrator account.
Covering everything from single sign-on to virtual machines, Amazon Web Services (AWS) provides cloud-based applications, services, and IT support for organizations of all sizes. Whether your business needs a web host, IoT, or a sophisticated database system, AWS is likely to have a solution that is both effective and economical. AWS is the provider of choice for many business enterprises.
However, all that available AWS cloud-based computational power requires a careful and responsible approach to data security. For example, best practices recommend that you do not use the AWS root user credentials for everyday tasks. Instead, for security purposes, it is recommended that you create an administrator-level IAM user and group.
This how-to tutorial shows you how to create and assign an administrator-level IAM user and group using the AWS console.
SEE: Amazon Web Services: An insider’s guide (free PDF) (TechRepublic)
Create an administrator IAM user in AWS
When you first create an AWS account you establish credentials for what is referred to as the root user. The root user, by definition, can access everything AWS has to offer, including the AWS Identity and Access Management (IAM), system which controls user settings and permissions. Amazon best practices recommend that you create an administrative group and user and not use the root credentials for everyday administrative tasks.
In fact, after creating your AWS account, it is recommended that you follow this procedure immediately and then store the root user credentials away for safekeeping. First, log into AWS using your root user credentials and then navigate to the IAM console, which can be found in the list of services. Figure A shows the IAM dashboard.
Using the left-hand navigation pane, click on the User item and then click the Add User button. On the next screen, Figure B, fill in the name box with “Administrator” and select the AWS Management Console access checkbox.
Select the Custom password radio button and provide an initial password. By default, AWS will require the new Administrator to enter a new password the first time they log in; however, if you want to keep the initial password, uncheck the appropriate checkbox.
Click the Next: Permissions button to move to the next screen, shown in Figure C.
Select the Add user to group item and then click the Create group button to access Figure D. Give the new group the name “Administrators” and select the AdministratorAccess item from the list of policies. Click the Create group button to move to the next phase of the procedure.
Back in Figure C, make sure the Administrators group is selected and then press the Next: Tags button. Adding tags is optional and can be useful for larger organizations, but for this example, we will skip tags and press the Next: Review button, as shown in Figure E.
Review your configuration settings and if everything is correct, press the Create user button to complete the process. You can download the credential information you just created and/or send login information to your new user (Figure F). This is your only opportunity to access this information, so consider your options carefully. Click Close to return to the Dashboard.
From this point on, you will be able to conduct normal admin functions in AWS using the Administrator account with the Administrators group access policy credentials. The root user information should remain safely secured and seldom used.