
02. IAM Account

1. IAM (Identity and Access Management)

"aws-iam0"

IAM is one of the most critical services in AWS. When you first create an AWS account, the identity you sign in with is the root user (the account's root account).

This account:

  • Has full administrative access to every resource in the account
  • Can control billing and close the account
  • Cannot be restricted by IAM policies

👉 Problem:

Using the root account for daily work is extremely risky.

2. Account

2-1. Root Account

The root account has full access to all resources. If it is compromised (e.g., the email password or a stolen access key is used), an attacker can freely use any AWS service. Since AWS bills pay-as-you-go, this can also result in significant unexpected costs.

Avoid Daily Use

Root account characteristics:

  • Signs in with the email address and password used to open the account
  • Unlimited permissions
  • Cannot be restricted by IAM policies

Risks

  • Accidental resource deletion
  • Full account compromise if leaked
  • Uncontrolled billing

👉 Best practice:

Use the root account only for initial setup and for the few tasks that require it. Protect it with MFA and do not create access keys for it.
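The checks above can be automated from the IAM credential report. The script below is an added example, not part of the original post: it parses a constructed report in the CSV layout that `aws iam get-credential-report` returns (after base64 decoding) and flags a root user without MFA, a root user with active access keys, a root sign-in within the last 90 days, and console users without MFA. The sample rows, account ID and user names are made up; in a real account you would feed it the decoded report.

```python
"""Audit an IAM credential report for root-user hygiene and MFA coverage.

Added example, not from the original post. SAMPLE_REPORT is a constructed
credential report (same columns as `aws iam get-credential-report`), not
data from a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (fake account 123456789012, fake users).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-05T10:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,not_supported,not_supported,false,true,2023-01-05T10:05:00+00:00,2024-02-20T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
developer,arn:aws:iam::123456789012:user/developer,2024-01-10T09:00:00+00:00,true,2024-03-02T07:30:00+00:00,2024-01-10T09:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-01-12T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-01-12T09:00:00+00:00,2024-03-02T06:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2024-01-01T09:00:00+00:00,true,2024-03-02T07:30:00+00:00,2024-01-01T09:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"  # the user name AWS uses for the root row


def _is_true(value):
    return value == "true"


def _parse_time(value):
    """Report timestamps are ISO 8601; placeholders such as N/A,
    no_information and not_supported come back as None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now, root_signin_window=timedelta(days=90)):
    """Return a list of (user, finding_code) pairs for the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = _is_true(row["mfa_active"])
        active_keys = [k for k in ("access_key_1_active", "access_key_2_active")
                       if _is_true(row[k])]
        if user == ROOT:
            # Root should have MFA, no access keys, and no routine sign-ins.
            if not mfa:
                findings.append((user, "ROOT_NO_MFA"))
            if active_keys:
                findings.append((user, "ROOT_HAS_ACCESS_KEYS"))
            last_used = _parse_time(row["password_last_used"])
            if last_used is not None and now - last_used < root_signin_window:
                findings.append((user, "ROOT_SIGNED_IN_RECENTLY"))
        else:
            # Console users need MFA; programmatic-only users (no password)
            # are not flagged by this check.
            if _is_true(row["password_enabled"]) and not mfa:
                findings.append((user, "CONSOLE_USER_NO_MFA"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at a fixed 'now'."""
    return audit(SAMPLE_REPORT, datetime(2024, 3, 3, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, code in audit_sample():
        print(f"{user:16} {code}")
```

On the sample, the root row produces three findings and `developer` one; `ci-deploy` (no console password) and `admin` (MFA enabled) are clean.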

2-2. IAM Users

An IAM user represents a specific identity. A policy, written in JSON, defines what that identity is allowed to do.

Examples:

  • Developer
  • Admin
  • CI/CD system

Each user has:

  • Credentials: a console password and/or access keys for the CLI and API
  • Permissions via policies

Example: allow listing the objects in any S3 bucket. Note that `s3:ListBucket` lists the contents of a bucket; listing the buckets themselves is a different action, `s3:ListAllMyBuckets`.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "*"
    }
  ]
}
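To see what a policy like the one above actually grants, the following added example (not from the original post, and not AWS's own evaluation engine) implements the three rules that matter most when reading a policy: everything is denied by default, an explicit Deny beats any Allow, and `Action`/`Resource` may use `*` and `?` wildcards (actions case-insensitively). Conditions, `NotAction`/`NotResource`, resource policies and SCPs are deliberately out of scope. The bucket names are placeholders.

```python
"""Minimal evaluator for IAM identity-policy documents.

Added example, not from the original post and not AWS's evaluator. Models:
  1. default deny,
  2. explicit Deny wins over Allow,
  3. '*' / '?' wildcards in Action (case-insensitive) and Resource.
"""
import fnmatch
import json

# The policy from the post, as a complete policy document.
LIST_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
    ],
})

# A broader read policy with an explicit Deny carved out for one bucket
# (placeholder bucket name, not a real resource).
S3_READ_WITH_DENY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:List*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::secrets-bucket", "arn:aws:s3:::secrets-bucket/*"]},
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, fold_case):
    """True if any pattern matches target; '*' and '?' are IAM wildcards."""
    for pattern in _as_list(patterns):
        p, t = (pattern.lower(), target.lower()) if fold_case else (pattern, target)
        if fnmatch.fnmatchcase(t, p):
            return True
    return False


def is_allowed(policy, action, resource):
    """Evaluate one request (action, resource ARN) against one policy."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed = False
    for stmt in _as_list(doc["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are not modelled
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny ends evaluation
        allowed = True
    return allowed  # False unless some Allow matched


if __name__ == "__main__":
    checks = [
        (LIST_BUCKET_POLICY, "s3:ListBucket", "arn:aws:s3:::my-bucket"),
        (LIST_BUCKET_POLICY, "s3:ListAllMyBuckets", "*"),
        (S3_READ_WITH_DENY, "s3:GetObject", "arn:aws:s3:::my-bucket/report.csv"),
        (S3_READ_WITH_DENY, "s3:GetObject", "arn:aws:s3:::secrets-bucket/key.pem"),
    ]
    for policy, action, resource in checks:
        print(f"{action:22} {resource:40} -> {is_allowed(policy, action, resource)}")
```

The second check is the practical caveat: the post's policy does not let the user see the bucket list in the console, because that needs `s3:ListAllMyBuckets`, which `s3:ListBucket` does not match.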

3. How to create an IAM user

3-1. Search for IAM in the console

"aws-iam0"

3-2. In the navigation pane, click “Users”

"aws-iam1"

3-3. Click the “Create user” button

"aws-iam2"

3-4. Step 1. Specify user details

"aws-iam3"

Detail:
  1. User name:
    • The name the IAM user signs in with
  2. Provide user access to the AWS Management Console - optional
    • Console password
      • Autogenerated password: AWS creates a temporary password for you
      • Users must create a new password at next sign-in - Recommended: the temporary password only works once and must be replaced at first sign-in

3-5. Step 2. Set permissions

"aws-iam4"

Detail:
  1. Permissions options
    • Attach policies directly (used here; “Add user to group” is the option AWS recommends, since permissions are then managed per group instead of per user)
  2. Permissions policies
    • Search for the policy by name and select it

3-6. Step 3. Review and create

"aws-iam5"

3-7. Step 4. Retrieve password

"aws-iam6"

"aws-iam7"

Detail:
  1. Console sign-in details
    • Console sign-in URL: the account-specific sign-in page (the URL contains the account ID)
    • User name
    • Console password
  2. Account ID

3-8. Confirm the new IAM user in the user list

"aws-iam8"

3-9. Sign in as the new IAM user

"aws-iam9"

  1. Fill in the required fields:
    • Account ID
    • IAM username
    • Password

3-10. Change the temporary password

"aws-iam10"

3-11. The IAM user is ready

"aws-iam11"
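The same procedure can be scripted. The example below is added here and is not code from the original post; it uses the boto3 IAM client calls `create_user`, `create_login_profile` (with `PasswordResetRequired=True`, the API equivalent of the “must create a new password at next sign-in” option), and either `add_user_to_group` or `attach_user_policy`. The user name, group name and policy ARN are placeholders, the temporary password is generated locally and must be given to the user out of band, and the `RecordingIAMClient` is a dry-run stand-in so the steps can be reviewed before anything touches a real account.

```python
"""Provision a console IAM user the way the console steps above do, via the API.

Added example, not from the original post. Runs as a dry run by default
(records the calls it would make); pass --apply to use a real boto3 client.
Placeholder values: user name 'developer', policy ARN below.
"""
import secrets
import string
import sys

POLICY_ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"  # placeholder choice
SYMBOLS = "!@#$%^&*()-_=+"


def generate_temporary_password(length=20):
    """Random password from the OS CSPRNG that contains upper, lower, digit
    and symbol characters, so it passes a typical IAM password policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class RecordingIAMClient:
    """Dry-run stand-in for boto3's IAM client: records each call instead of
    making it. Any method name is accepted and returns an empty response."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, api_name):
        def record(**params):
            self.calls.append((api_name, params))
            return {}
        return record


def provision_console_user(iam, user_name, policy_arn, group_name=None):
    """Create a console-only user (no access keys) with a one-time temporary
    password, then grant permissions through a group when one is given,
    otherwise by attaching the policy directly. `iam` is a boto3 IAM client
    or a RecordingIAMClient."""
    iam.create_user(UserName=user_name)
    password = generate_temporary_password()
    # PasswordResetRequired=True forces a new password at first sign-in.
    iam.create_login_profile(UserName=user_name, Password=password,
                             PasswordResetRequired=True)
    if group_name:
        iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    else:
        iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    return {"user": user_name, "temporary_password": password, "must_reset": True}


if __name__ == "__main__":
    dry_run = "--apply" not in sys.argv
    if dry_run:
        client, account_id = RecordingIAMClient(), "123456789012"  # fake account ID
    else:
        import boto3  # imported lazily so the dry run works without boto3 installed
        client = boto3.client("iam")
        account_id = boto3.client("sts").get_caller_identity()["Account"]
    result = provision_console_user(client, "developer", POLICY_ARN)
    print(f"Sign-in URL: https://{account_id}.signin.aws.amazon.com/console")
    print(f"User: {result['user']}  temporary password: {result['temporary_password']}")
    if dry_run:
        for api_name, params in client.calls:
            print(f"  would call {api_name}({params})")
```

The dry run prints the exact API calls, including the generated password, so the script is safe to read through first; the real run needs credentials for an identity allowed to perform those IAM actions, which is itself a reason not to run it as the root user.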

This post is licensed under CC BY 4.0 by the author.