The root account (the root user) is the identity tied to the email address you used to sign up for the AWS account. It has full, unrestricted access to every resource in the account, including all users, groups and roles created under it, and its access cannot be limited by IAM policies.
Enable multi-factor authentication for your root account
So, as soon as you set up your root account, enable multi-factor authentication on it. This is done with a virtual MFA device, that is, a third-party authenticator application such as Google Authenticator, or with a hardware MFA device. Store the root MFA device and recovery details securely; losing them makes the root user very hard to recover.
Do not use the root account for day-to-day access to the AWS console
For security reasons, you should not use the root account for day-to-day access to the AWS console. Create an IAM user with administrative permissions for routine administration, and reserve the root credentials for the few account-level tasks that require them.
A policy document is used to grant permissions on resources. The document contains a list of statements, where each statement has an effect, an action and a resource. When a policy like this is attached to a user, the user gets the effect (Allow or Deny) specified under effect for the actions specified in action against the resource specified in resource. An explicit Deny always wins over an Allow, and anything no statement allows is denied by default.
Similarly, when the policy is attached to a group, every user that belongs to the group gets the permissions described above.
The policy document can also be attached to a role. When a user or an AWS service "assumes" a role, it receives temporary credentials that carry the permissions defined in the policies attached to that role, in place of its own permissions.
IAM is universal
IAM is a global service: users, groups, roles and policies are not specific to a region.
Access management -> Policies
This section lists all the policies in the account. You can search for service-specific policies here, for instance S3 policies. AWS provides a large set of managed policies. In addition, you can write your own customer managed policies; you will usually need to when an AWS managed policy grants more than a particular workload requires, because least privilege is rarely achievable with the broad managed policies alone.
A user represents a physical person (or an application that needs long-term credentials).
A group represents a job function: programmers, administrators, etc.
A role is an identity with no long-term credentials that is assumed when needed. It is used to let one part of AWS access another (for instance, an EC2 instance reading from S3) and to grant access to users from another account or an external identity provider.
Best practice for associating a policy with a user is to attach the policy to a group first, and then add the user to that group. Attaching policies to users individually is hard to manage and maintain.
Principle of Least Privilege
This means that any user (or role) should be granted only the minimum set of permissions required to perform their duties, and nothing more.
Types of access when creating a user
When creating a user, there are two types of access that can be given to the user: programmatic access and console access. Programmatic access means that the user is issued an access key id and a secret access key, which are used to sign API calls to AWS from the CLI or the SDKs. The secret access key is shown only once, at creation time, so it must be stored securely. Console access means the user gets a password for the web console.
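What the access key pair is actually used for, as an added example (not code from these notes and not the AWS SDK): a minimal AWS Signature Version 4 signer built from the Python standard library. The access key id travels in the Authorization header in the clear and identifies the IAM user; the secret access key never leaves the client and is only used to derive an HMAC signing key. The key pair, request and timestamp below are constructed placeholders, not real credentials.

```python
# Added example: AWS Signature Version 4 signing with an IAM access key pair.
# Not the notes' own code and not the AWS SDK; the key pair, request and
# timestamp are constructed placeholders.
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Four chained HMACs turn the long-lived secret into a key that is only
    valid for one day, region and service. The secret itself is never sent."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(access_key_id, secret_access_key, method, host, path, query,
                 headers, body, region, service, amz_date):
    """Return the headers to send, including the Authorization header.

    amz_date is the request time as YYYYMMDDTHHMMSSZ; its first 8 characters
    are the date stamp that goes into the credential scope.
    """
    date_stamp = amz_date[:8]
    # Canonical headers: lower-cased names, whitespace-trimmed values, sorted by name.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    payload_hash = _sha256_hex(body)
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope, _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(
        derive_signing_key(secret_access_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    authorization = (
        f"{ALGORITHM} Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {**hdrs, "authorization": authorization}


# Constructed placeholders: the id has the AKIA prefix of a real user key but is not one.
EXAMPLE_ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
EXAMPLE_SECRET_KEY = "EXAMPLEsecret/key+notReal00000000000000"


def example_signed_headers(secret_access_key: str = EXAMPLE_SECRET_KEY) -> dict:
    """Sign a constructed STS GetCallerIdentity call with the placeholder key pair."""
    return sign_request(
        EXAMPLE_ACCESS_KEY_ID, secret_access_key,
        method="POST", host="sts.amazonaws.com", path="/", query={},
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        body=b"Action=GetCallerIdentity&Version=2011-06-15",
        region="us-east-1", service="sts", amz_date="20240101T000000Z",
    )


if __name__ == "__main__":
    for name, value in example_signed_headers().items():
        print(f"{name}: {value}")
```

Two things worth noticing in the output: the secret never appears in any header, so a captured request reveals the key id but cannot be re-signed for a different call, and the x-amz-date is part of what is signed, so a captured request is only replayable within the clock-skew window AWS accepts.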
No access by default for new user
When a new user is created, by default the user has no permissions at all: every action is implicitly denied until a policy is attached to the user or to a group the user belongs to.
When you create a group, you are prompted to select or create a policy. If you are creating an administrators group, you can attach the AWS managed AdministratorAccess policy to the group. This effectively grants full permissions on all resources, so membership of that group should be limited to the few people who need it.
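The evaluation rules described above (a statement's effect applied to its action and resource, explicit deny beating allow, a new user having nothing until a policy is attached via a group, and an assumed role replacing the caller's permissions with the role's) as an added example. This is not code from these notes and not the AWS policy engine; it is a small evaluator for identity-based policies, and all users, groups, roles, policies and requests in it are constructed for illustration.

```python
# Added example: a toy evaluator for IAM identity-based policy documents.
# Not the notes' own code and not AWS's engine; the account model below is constructed.
import re


def _glob_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _listify(value):
    return value if isinstance(value, list) else [value]


def evaluate(statements, action: str, resource: str) -> str:
    """Decide one request against a list of statements.

    Returns 'Deny' if any matching statement has Effect Deny (an explicit deny
    always wins), 'Allow' if some matching statement allows it, and otherwise
    'ImplicitDeny' (nothing granted it).  Action names match case-insensitively,
    resource ARNs case-sensitively.  Condition, NotAction, NotResource and
    resource-based policies are deliberately not modelled.
    """
    decision = "ImplicitDeny"
    for st in statements:
        if not any(_glob_match(p, action, True) for p in _listify(st["Action"])):
            continue
        if not any(_glob_match(p, resource, False) for p in _listify(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Policy documents: a list of statements, each with Effect, Action and Resource.
POLICIES = {
    # Same shape as the AWS managed AdministratorAccess policy: everything, everywhere.
    "AdministratorAccess": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
    # Least privilege: read access to a single bucket and nothing else.
    "ReportsReadOnly": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
    ],
    # Guard rail: an explicit deny overrides any allow, even AdministratorAccess.
    "DenyS3Delete": [
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}

# Policies are attached to groups and roles; users only get group membership.
GROUPS = {
    "administrators": ["AdministratorAccess", "DenyS3Delete"],
    "programmers": ["ReportsReadOnly"],
}
ROLES = {
    "report-reader": ["ReportsReadOnly"],
}
USERS = {
    "alice": {"groups": ["administrators"]},
    "bob": {"groups": ["programmers"]},
    "carol": {"groups": []},  # just created: no group, hence no policy
}


def user_statements(user: str):
    """A user's permissions are the union of the policies of its groups."""
    return [st for g in USERS[user]["groups"] for p in GROUPS[g] for st in POLICIES[p]]


def role_statements(role: str):
    """An assumed-role session carries only the role's policies, not the caller's."""
    return [st for p in ROLES[role] for st in POLICIES[p]]


def decide(user: str, action: str, resource: str, assumed_role=None) -> str:
    """Decision for a user acting directly, or through a role it has assumed."""
    statements = role_statements(assumed_role) if assumed_role else user_statements(user)
    return evaluate(statements, action, resource)


if __name__ == "__main__":
    obj = "arn:aws:s3:::reports/q1.csv"
    print("alice delete:", decide("alice", "s3:DeleteObject", obj))
    print("bob read:", decide("bob", "s3:GetObject", obj))
    print("carol read:", decide("carol", "s3:GetObject", obj))
    print("carol via role:", decide("carol", "s3:GetObject", obj, assumed_role="report-reader"))
```

Note that granting carol access meant adding a policy to a group or a role, never to carol directly, which is the group-first practice recommended above; and that alice, despite AdministratorAccess, cannot delete from S3 because the deny statement in the same group wins.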
IAM federation: enabling a Windows user to sign in to AWS with their domain login
AWS can let a Windows user sign in to AWS with their existing Active Directory login. You establish a trust between AWS and Active Directory Federation Services (AD FS): AD FS authenticates the user against the domain and issues a SAML assertion, which IAM maps to a role, so the user gets single sign-on to the console without an IAM user or long-lived access keys.