Managing User Access with IAM

When you first dive into AWS, it might feel like you’ve just stepped into a high-tech control room—with buttons, switches, and dials for just about everything. But before you start launching servers or storing files, there's one super important thing to take care of: deciding who’s allowed to do what.
This is where IAM, or Identity and Access Management, comes in. Think of IAM as your security system. It’s how you invite people into your project and decide what they’re allowed to touch. In this guide, we’ll look at how to use IAM to safely manage user access—step by step.
Let’s get started.
Setting up IAM
Imagine your AWS account as your own digital workspace. Without IAM, it’s like giving everyone the master key to the entire building. That’s not great for security—or peace of mind.
Even if it’s just you at the beginning, using IAM helps keep things organized and secure. If you ever team up with others later, you’ll already have a structure in place.
Step 1: Open the IAM dashboard
First things first, log in to your AWS Management Console. If this is your first time, you’re probably still using the root user—that’s the original login for your account.
Go ahead and open the IAM dashboard:
- From the AWS homepage, click on the search bar at the top.
- Type IAM and select it from the dropdown list.

This is where you’ll set the rules for access—who gets in, what they can see, and what they can change.
Step 2: Create a new IAM user and group
Instead of always logging in with the root user (which has access to everything), you’ll create individual users—like yourself or future teammates—who each have their own credentials and roles.
Here’s how:
1. In the IAM sidebar, click Users, then hit Add users.

2. Choose and type a username (like alex-dev or project-helper) and click the Next button.

3. Create a User Group.
Rather than assigning permissions manually to each user, AWS lets you organize them into groups. Think of groups like job roles. For example, you might have:
- A Developer group with access to servers
- A Viewer group that can only see resources but not make changes
To create a group:
Press the Create group button.

Give the group a name, like Developers or ViewOnlyTeam.

Pick one or more permissions policies to go with the group. For example:
- AmazonEC2FullAccess (for managing servers)
- AmazonS3ReadOnlyAccess (to just view files in storage)
Click Create user group.
4. Assign the User to the Group.
Select the user group and press the Next button. Your new user now belongs to the group and inherits all of its permissions. Easy and organized.

Click Create user to create the new user.
Understand policies
At the heart of IAM is something called a policy. It’s basically a set of rules that say what a user, group, or role is allowed to do.
There are three types:
- AWS Managed Policies – ready-to-go, built by AWS.
- Customer Managed Policies – created by you, tailored to your needs.
- Inline Policies – attached directly to a single user or group.
To see or attach a policy:
- Go to Users, Groups, or Roles.
- Click the name you want to see or update.
- Choose the Permissions tab > Add permissions.
Once you are more familiar with AWS, you can explore customizing the permissions policies.
Turn On Multi-Factor Authentication (MFA) for the Root Account
To strengthen security, you can set up MFA. It’s a second layer of security—usually a code from your phone—that makes your account a lot harder to break into.
Here’s how to set it up for the root user:
1. Open the pull-down menu in the top right and go to Security credentials.

2. Under Multi-factor authentication (MFA), click Assign MFA device.
3. Choose Authenticator app, which covers the app you are using (like Google Authenticator or Authy). If you don’t have one, install one first.

4. Give the device a name and click Next.
5. Scan the QR code using your app, then enter the two codes it shows.

6. Click Add MFA.
That’s it! The root user now requires both a password and a one-time code from your phone to log in.
Security tips
Before you move on, take a moment to secure your new AWS account. Here’s what we recommend:
- Don’t use your root account every day. Later, you’ll create a new user with limited permissions (we’ll cover this in the next topic).
- Turn on MFA (Multi-Factor Authentication) for your root account. It adds a second layer of security using your phone.
These small steps help make sure your cloud environment is safe as you start building.
What’s next?
Now that you’ve set up IAM, your AWS environment has a solid foundation for secure access. Whether you're working alone or preparing for a team project, you’ve taken an important step toward keeping things organized, safe, and scalable.
Before we start launching servers or connecting cloud services, it’s important to understand how AWS charges for what you use. In the next section, we’ll look at how to manage AWS costs from the beginning—so you can build with confidence and avoid unexpected surprises.