1 Answer
Jesse Wiener United States
5/27/20, 5:44 PM

Hi Stan,

I'm glad to hear that you don't want to use your root account! You are correct, it does have to do with Identity and Access Management (IAM).

There are 3 concepts in IAM that are relevant to your question: Users, Groups and Policies.

Users are what they sound like - a person or entity that is going to use AWS. Policies define permissions for access to AWS resources. While it is possible to attach policies directly to users, best practices dictate that policies should be attached to groups and then users should be added to those groups.

So in this case, this is what we'll do: We'll create an "administrator" user, we'll create an "administrators" group and we'll make a policy that grants that group administrator access.

First, to give the administrator user full access to billing, along with everything else, you'll need to change your settings to allow it.
* Log into AWS with your root account email and password.
* On the navigation bar (top), click your account name, and then click My Account.
* Next to "IAM User and Role Access to Billing Information", click Edit.
* Select the check box to "Activate IAM Access" and click Update.

Now we'll go to the IAM Dashboard:
* On the top nav bar, click Services > IAM.
* In the left nav pane, choose Users and then choose Add user.

On the Details page, do the following:
* For User name, type a username (like "Administrator").
* Select the check box for AWS Management Console access, select Custom password, and then type your new password in the text box.
* Uncheck "User must create a new password at next sign-in" since this account is for you.
* Click Next: Permissions.

On the Permissions page:
* Click "Add user to group."
* Click "Create group."
* In the Create group dialog box, for Group name, type something meaningful like "Administrators".
* Click the check box for the "AdministratorAccess" policy.
* Click "Create group".

Now you'll be on the page with the list of groups.
* Click the check box for your new group. (Click Refresh if you don't see the new group in the list.)
* Click "Next: Tags". (Tags are optional. More info here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)
* Click "Next: Review". Look through and make sure it looks right.
* Click "Create user."

For more information, here's the relevant AWS documentation:

Hope that helps!
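
An added example, not part of the answer above: once the user and group exist, this script checks that permissions follow the pattern described (policies attached to groups, users added to groups) and lists who ends up with AdministratorAccess. It reads JSON in the shape returned by `aws iam get-account-authorization-details`; the sample data, including the `build-bot` user and `inline-s3` policy, is constructed for illustration.

```python
import json

# Constructed sample in the shape returned by
# `aws iam get-account-authorization-details` (trimmed to the fields used here).
SAMPLE = json.loads("""
{
  "UserDetailList": [
    {"UserName": "Administrator", "GroupList": ["Administrators"],
     "AttachedManagedPolicies": [], "UserPolicyList": []},
    {"UserName": "build-bot", "GroupList": [], "UserPolicyList": [{"PolicyName": "inline-s3"}],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
        "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}
  ],
  "GroupDetailList": [
    {"GroupName": "Administrators", "GroupPolicyList": [],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
        "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}
  ]
}
""")

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def audit(details):
    """Return (users with policies attached directly, users holding admin and how)."""
    group_admin = {
        g["GroupName"]
        for g in details.get("GroupDetailList", [])
        if any(p["PolicyArn"] == ADMIN_ARN for p in g.get("AttachedManagedPolicies", []))
    }
    direct, admins = {}, {}
    for u in details.get("UserDetailList", []):
        managed = [p["PolicyName"] for p in u.get("AttachedManagedPolicies", [])]
        inline = [p["PolicyName"] for p in u.get("UserPolicyList", [])]
        if managed or inline:  # policies on the user itself, not inherited from a group
            direct[u["UserName"]] = sorted(managed + inline)
        via = sorted(group_admin & set(u.get("GroupList", [])))
        if any(p["PolicyArn"] == ADMIN_ARN for p in u.get("AttachedManagedPolicies", [])):
            via.append("(direct attachment)")
        if via:
            admins[u["UserName"]] = via
    return direct, admins


if __name__ == "__main__":
    direct, admins = audit(SAMPLE)
    print("Policies attached directly to users:", direct)
    print("Users with AdministratorAccess:", admins)
```

To run it against a real account, save the CLI output to a file and pass the parsed JSON to `audit()` in place of `SAMPLE`.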

About This Community
This community is for users of the AWS cloud platform. We answer questions about how to use both AWS in general and the tools we provide to our customers.