Creating IAM Users
Creating an IAM user is straightforward. Go to the IAM console, click "Users," then "Add users." Give them a username, choose how they'll access AWS (console access, programmatic access, or both), and set permissions.
For console access, you'll set a password that the user can change on first login. For programmatic access, AWS generates an access key ID and secret access key — treat these like passwords.
Access Credentials
When you create a user with programmatic access, AWS gives you two keys: an Access Key ID (like a username) and a Secret Access Key (like a password). You can only see the secret key once — download it or copy it immediately.
These keys are used with the AWS CLI and SDKs. Configure them like this:
aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: us-east-1
# Default output format [None]: json
Never commit these keys to version control. Use environment variables or AWS credentials files instead.
Multi-Factor Authentication (MFA)
MFA adds an extra layer of security. After entering their password, users must provide a code from an authenticator app on their phone. Even if someone steals a password, they can't log in without the phone.
Enable MFA for every user, especially admin accounts. It's like adding a second lock to your door — a minor inconvenience that provides massive protection. AWS supports virtual MFA apps like Google Authenticator and Authy.
Managing User Permissions
Don't assign permissions directly to users. Instead, create groups with specific permissions and add users to those groups. This makes managing permissions much easier as your team grows.
For example, create a "Developers" group with EC2 and S3 access, an "Admins" group with full access, and a "ReadOnly" group with viewing permissions only. Users inherit permissions from their group, making it easy to manage at scale.
Deleting Users
When someone leaves your organization, delete their IAM user immediately. Before deleting, check if they have any access keys or resources that need to be transferred to someone else.
Deleting a user removes all their access instantly. Any sessions are terminated, and their access keys stop working. It's a clean break — no lingering access to worry about.