Tuesday, July 28, 2020

AWS Identity & Access Management

Identity & Access Management (IAM) lets you manage access to AWS services and resources securely. One could say it is the main window into AWS.

The account that you create in AWS is the root account. It has unrestricted access to every service and resource. It is written in stone that the root account should not be used to carry out day-to-day activities. Instead, use the root account to create an admin user account, which can then create further accounts as the use case requires.

Here are some of the key points and best practices in relation to AWS IAM:

+ AWS root account: unrestricted access to AWS services and resources. Secure the AWS root account.

+ Define groups (e.g. admin, developer, sales) and create them. The users in a group inherit the permissions assigned to the group.

+ Manage IAM permissions (policies): an IAM policy grants the least-privilege permissions needed to perform a task. Say you create a policy for a service (e.g. EC2). You then choose which actions to allow and which resources they apply to, as applicable.

IAM policies have multiple use cases. A policy can be attached to a user, a group or a role, as the use case requires.

+ Create IAM roles. Roles can be created per service, such as compute (EC2). You then define the policies, which are what actually grant access (i.e. permissions) to the role. This role can then be assigned to a group, and users can be added to that group.


As shown above, there are two policies:
a) Admin policy: assigned to the Admin role, and can also be assigned directly to a user
b) Compute policy: assigned to the group that contains the users

By this I want to show that IAM policies are flexible and can be a great weapon for managing your kingdom efficiently and securely.

+ Add users to groups; the relationship between users and groups can be one-to-many. There are two types of user account:
a) Programmatic access: used for the AWS CLI, API, SDK and other development activities
b) AWS Management Console access: used to manage AWS through the console
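To make the policy and group mechanics above concrete, here is an added example (my own code, not from the original post or from AWS) that models the same layout in Python: an Admin policy attached directly to a user, a least-privilege Compute policy attached to a group, and users that inherit whatever their groups carry. The decision function follows IAM's documented core rules for identity-based policies: everything is denied by default, an explicit Deny always wins, and otherwise any matching Allow permits. The policy documents, user names, group names and ARNs are constructed for the example; conditions, resource-based policies, permission boundaries and SCPs are deliberately left out.

```python
"""Toy IAM policy evaluator mirroring the post's admin/compute layout.

Added example, not code from the original post or from AWS. All policy
documents, principals and ARNs below are constructed for illustration.
"""
from fnmatch import fnmatchcase

# Constructed policy documents in IAM's JSON policy document shape.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Least-privilege compute policy: describe/start/stop instances and nothing
# else, plus an explicit Deny on termination that no Allow can override.
COMPUTE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Groups carry policies; users carry direct policies plus group memberships.
GROUPS = {"compute": [COMPUTE_POLICY]}
USERS = {
    "alice": {"policies": [ADMIN_POLICY], "groups": []},   # admin policy attached directly
    "bob": {"policies": [], "groups": ["compute"]},        # inherits via the compute group
    "carol": {"policies": [], "groups": []},               # no permissions at all
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names match case-insensitively and may contain '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    """Resource ARNs match case-sensitively, with '*' wildcards."""
    return fnmatchcase(arn, pattern)


def effective_policies(user):
    """Direct policies plus every policy of every group the user belongs to."""
    record = USERS[user]
    policies = list(record["policies"])
    for group in record["groups"]:
        policies.extend(GROUPS[group])
    return policies


def is_allowed(user, action, resource):
    """Decide a request the way IAM does: default deny, explicit Deny wins."""
    allowed = False
    for policy in effective_policies(user):
        for stmt in policy["Statement"]:
            action_hit = any(_action_matches(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny: stop immediately
            allowed = True            # remember the allow, keep scanning for denies
    return allowed


if __name__ == "__main__":
    # Constructed ARN for a sample instance; printed decisions for each user.
    arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123"
    for user, action in [("alice", "iam:CreateUser"), ("bob", "ec2:DescribeInstances"),
                         ("bob", "ec2:TerminateInstances"), ("bob", "s3:GetObject"),
                         ("carol", "ec2:DescribeInstances")]:
        print(f"{user:6} {action:24} -> {'ALLOW' if is_allowed(user, action, arn) else 'DENY'}")
```

The point of the explicit Deny statement is the practical one: if someone later attaches a broader Allow to the same group, the termination deny still holds, which is how you keep a least-privilege policy from silently widening.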