Create IAM Admin Users and Add User to Administrator's Group

As a best practice, the AWS account requires that you create a new IAM user with administrator access to set up policies, users, and groups, rather than using the root user's credentials.

Before assigning administrator access to an IAM user in the AWS console, you must attest or validate that the user is approved for administrator access in CloudCheckr.

CloudCheckr classifies IAM users as an administrator if they have been granted one of the following permissions, either directly or indirectly through membership in a group:

iam:AddUserToGroup
iam:AttachGroupPolicy
iam:AttachRolePolicy
iam:AttachUserPolicy
iam:ChangePassword
iam:CreateAccessKey
iam:CreatePolicy
iam:CreateRole
iam:CreateSAMLProvider
iam:CreateUser
iam:DeactivateMFADevice
iam:PassRole
iam:PutGroupPolicy
iam:PutRolePolicy
iam:PutUserPolicy
iam:UpdateAssumeRolePolicy
iam:UpdateGroup
iam:UpdateUser
iam:UpdateSAMLProvider
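
The classification rule above can be checked offline against a policy document before a user is attested. The following Python script is an added example, not CloudCheckr's code or a CloudCheckr API: it flags every Allow statement in an IAM policy JSON that grants one of the listed actions, honouring IAM's `*` and `?` wildcards and the `NotAction` form. The policy documents embedded in it are constructed samples, not taken from any real account.

```python
"""Flag IAM policy documents that grant any action CloudCheckr treats as administrative.

Added example, not CloudCheckr's code.
Usage: python iam_admin_check.py policy1.json [policy2.json ...]
With no arguments the constructed sample policies below are evaluated.
"""
import fnmatch
import json
import sys

# The action list from the CloudCheckr classification rule above.
ADMIN_ACTIONS = (
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:ChangePassword", "iam:CreateAccessKey",
    "iam:CreatePolicy", "iam:CreateRole", "iam:CreateSAMLProvider",
    "iam:CreateUser", "iam:DeactivateMFADevice", "iam:PassRole",
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:UpdateAssumeRolePolicy", "iam:UpdateGroup", "iam:UpdateUser",
    "iam:UpdateSAMLProvider",
)


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_admin_actions(policy):
    """Map each Allow statement (by Sid, or by index) to the admin actions it grants."""
    hits = {}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except the listed ones.
            excluded = _as_list(stmt["NotAction"])
            matched = [a for a in ADMIN_ACTIONS
                       if not any(action_matches(p, a) for p in excluded)]
        else:
            patterns = _as_list(stmt.get("Action"))
            matched = [a for a in ADMIN_ACTIONS
                       if any(action_matches(p, a) for p in patterns)]
        if matched:
            hits[stmt.get("Sid", f"statement[{index}]")] = matched
    return hits


def is_admin(policies):
    """True if any of the given policy documents grants an admin action."""
    return any(granted_admin_actions(p) for p in policies)


# Constructed sample policies (not from any real account).
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadIam", "Effect": "Allow",
     "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}
PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEc2AndPassRole", "Effect": "Allow",
     "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}]}
FULL_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EverythingButIam", "Effect": "Allow",
     "NotAction": "iam:*", "Resource": "*"}]}


if __name__ == "__main__":
    if sys.argv[1:]:
        docs = {path: json.load(open(path)) for path in sys.argv[1:]}
    else:
        docs = {"READ_ONLY_POLICY": READ_ONLY_POLICY,
                "PASSROLE_POLICY": PASSROLE_POLICY,
                "FULL_ADMIN_POLICY": FULL_ADMIN_POLICY,
                "NO_IAM_POLICY": NO_IAM_POLICY}
    for name, doc in docs.items():
        print(f"{name}: {granted_admin_actions(doc) or 'no admin actions granted'}")
    print("classified as administrator:", is_admin(docs.values()))
```

To mirror the "directly or indirectly through membership in a group" rule, pass the user's inline and attached policies together with those of every group the user belongs to. The script evaluates Allow statements only; it does not resolve Deny statements, Conditions, permissions boundaries or service control policies, so treat a hit as a prompt for review rather than a final verdict.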

This procedure will show you how to create an IAM admin user and assign that user to the Administrator's group.

Create An IAM Admin User and Add User to Administrator's Group

  1. Log in to the AWS Management Console.

    The AWS services page opens.
  2. Scroll down to the Security, Identity & Compliance section and select IAM.

    The Welcome to Identity and Access Management screen displays.

  3. Click Users on the left side of the console.

    A list of users displays.
  4. Click the Add user button.

  5. Type a user name.

    We recommend naming the user Administrator for easy identification.

  6. Ensure the AWS Management Console access check box is selected.

    The Console password section displays.

  7. Select Custom password, type your new password in the text field, and select the Require password reset checkbox.

  8. Click Next: Permissions.
  9. Click Add user to group and click Create group.

    The Create group dialog box opens.
  10. Type the name of the new group, select the AdministratorAccess checkbox from the policy list, and click Create group.

    The new group is now displayed in the groups list.
  11. Click Next: Tags.

    The Add tags (optional) page displays. This is an optional step. For the purposes of this procedure, we will not add tags.
  12. Click Next: Review.

    The Review page opens.
  13. Review your selections and click Create user.
  14. Click the Download .csv button to save the security credentials as a CSV export, and click Send Email to provide the user with instructions on how to log in to the AWS Console.

  15. Click the Close button on the bottom of the console.
  16. Perform the following actions in CloudCheckr:
    1. Launch CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the left navigation pane, select Account Settings > AWS Credentials.

      The Credentials page opens. The Use a Role for Cross-Account Access tab will be displayed by default.

    4. Click the Use an IAM Access Key tab.

      Instructions on how to add the access key ID and secret access key display.

    5. Scroll down to the step that refers to accounts from India.
    6. Select the This account is managed by AISPL checkbox if this is an account from India managed by Amazon Internet Services Pvt. Ltd (AISPL).
    7. Click Update.
