This post explains the best practices that are strongly recommended for an AWS account and for the Identity and Access Management (IAM) sign-in setup.
First, the credentials used to create the AWS account (the email address and password) are the Root Account. For example, if I go to the AWS portal and sign up with the email address email@example.com, a password and credit card payment details, that credential holder becomes the Root Account.
It is not recommended to use the Root Account for any purpose, not even to log in to the AWS console, unless a task specifically requires it (such as changing core account details or payment methods).
The best practice is to create an IAM user with administrator privileges. An IAM administrator has every privilege except the core account privileges mentioned above. You can use the built-in AdministratorAccess managed policy for this.
Follow these steps.
- First, log in to the portal as the AWS Root User (initially the Root User is the only identity with privileges to create administrators). Go to https://console.aws.amazon.com/console/home and enter the email address and password. Note that this is the global sign-in URL shared by all AWS accounts worldwide.
- In the console, under the Administration & Security section, click IAM.
- Go to Users and click Create Users. Name the user (e.g. admin). You are offered the option to generate an access key for the user so it can call AWS services through the APIs; it is not recommended to use the admin account for development, so do not generate keys for admin. Click Create to create the user.
- By default a new user has no permissions. To assign permissions, click admin (the user created in the previous step appears in the users grid). Under the Permissions tab click Attach Policy.
- The first option is the AdministratorAccess policy. Select it and click the Attach Policy button.
- Back on the user's page, under the Security Credentials section, click Manage Password to create a console password for admin.
- You can auto-generate a password or assign a custom one. You also get the option to require the user to change the password at first sign-in.
- You also have the option to enable MFA for the user (a separate post will cover this topic).
- Now go back to the IAM Dashboard, where the IAM users sign-in link is shown.
- By default this link carries the 12-digit account number, in the form https://123456789012.signin.aws.amazon.com/console. Click Customize and replace the number with an alias (your organization name). This URL is the one IAM users, including admin, should use to access the AWS web console.
The Root user account and the global sign-in URL should be left untouched unless there is a specific requirement.
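The same procedure as an added AWS CLI example (this is not code from the original post). It assumes the AWS CLI is on the PATH and that the caller already has IAM administrator permissions, so it is for creating further administrators or for keeping the procedure as code, not for the very first admin user, which the steps above create through the console as root. The user name admin, the alias example-corp and the variable names DRY_RUN, ADMIN_USER and ACCOUNT_ALIAS are placeholders chosen for this example; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: the console steps as AWS CLI calls.
# Assumptions: the AWS CLI is on PATH and the caller already has IAM admin
# permissions; ADMIN_USER, ACCOUNT_ALIAS and DRY_RUN are placeholder variable
# names chosen here. DRY_RUN=1 (the default) only prints the commands.
set -eu

DRY_RUN="${DRY_RUN:-1}"
# AWS managed policy behind the "AdministratorAccess" entry in the console.
ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# The sign-in link the IAM dashboard shows once an alias replaces the account number.
iam_signin_url() {
    echo "https://$1.signin.aws.amazon.com/console"
}

# Account alias rules (as enforced by create-account-alias): 3 to 63 characters,
# lowercase letters, digits and hyphens only, no leading, trailing or consecutive
# hyphens, and not a bare 12-digit number, which would look like an account ID.
validate_alias() {
    a="$1"
    [ "${#a}" -ge 3 ] && [ "${#a}" -le 63 ] || return 1
    case "$a" in *--*) return 1 ;; esac
    printf '%s' "$a" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$' || return 1
    printf '%s' "$a" | grep -Eq '^[0-9]{12}$' && return 1
    return 0
}

# The user, policy and password steps above: create the user, attach
# AdministratorAccess, set a console password that must be changed at first
# sign-in. No access key is created: admin is console-only.
create_admin_user() {
    user="$1"
    run aws iam create-user --user-name "$user"
    run aws iam attach-user-policy --user-name "$user" --policy-arn "$ADMIN_POLICY_ARN"
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ aws iam create-login-profile --user-name $user --password <generated> --password-reset-required"
    else
        # Random initial password, shown once so it can be handed over out of band.
        pw="$(openssl rand -base64 24)"
        aws iam create-login-profile --user-name "$user" --password "$pw" --password-reset-required
        echo "Initial console password for $user (must be changed at first sign-in): $pw"
    fi
    # Confirm that exactly the intended policy is attached.
    run aws iam list-attached-user-policies --user-name "$user"
}

# The sign-in link step: replace the account number in the URL with an alias.
set_account_alias() {
    validate_alias "$1" || { echo "invalid account alias: $1" >&2; return 1; }
    run aws iam create-account-alias --account-alias "$1"
    echo "IAM users sign in at: $(iam_signin_url "$1")"
}

# Root hygiene that goes with "leave root untouched": AccountAccessKeysPresent
# should be 0 and AccountMFAEnabled should be 1.
check_root_hygiene() {
    run aws iam get-account-summary \
        --query 'SummaryMap.[AccountAccessKeysPresent,AccountMFAEnabled]' --output text
}

create_admin_user "${ADMIN_USER:-admin}"
set_account_alias "${ACCOUNT_ALIAS:-example-corp}"
check_root_hygiene
```

Run it with DRY_RUN=0 to execute the commands. The final get-account-summary call reports whether the root user has access keys (should be 0) and whether root MFA is enabled (should be 1), the two root-account checks that go with the advice to leave root untouched; --password-reset-required is the CLI equivalent of the "change password at first sign-in" option in the console.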