Securing the Root Account

  • Create users and grant permissions for users.
  • Create groups and roles.
  • Control access to AWS resources.

The root account

The email address you use for AWS. It has full administration access. It is important to secure this account.

To secure the account on the dashboard, you want to go into IAM and secure the root account.

Always turn on multi-factor authentication.

Controlling Users' Actions With IAM Policy Documents

To control permissions using IAM we assign policy documents (which are written in JSON). Full admin access example:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }

You can assign IAM policy documents to:

  1. Groups
  2. Users
  3. Roles

IAM does not require a region as it is global.

When heading to Policies within IAM, you'll find AWS managed policy or you can create your own.

Permanent IAM Credentials

The Building Blocks of IAM

  • Users: One user should always be one physical person.
  • Groups: Functions, such as admin, developer, etc.
  • Roles: Internal usage within AWS (allows one part of AWS to perform actions on another part of AWS e.g. EC2 instance can access S3 buckets).

It is best practice for users to inherit permissions from groups.

The principle of least priviledge: assign a user the minimum amount of privileges they need to do their job.

Amazon also have prepopulated policies for job roles.

Within the IAM Account Settings, we can enforce our password policies. We can enable things such as expiration, have users change their password, reuse etc.

You can also manage the provider to log in with ie SAML or OpenID Connect. You can need to configure that trust - it's beyond the scope of the exam but active directory federation is possible.

IAM Tips

  • Enable multi-factor auth for root account.
  • Create an admin group for admins and assign appropriate permissions.
  • Create accounts for admins.
  • Add users to admin group.

Afterwards, you should no longer have to log into AWS with the root account again.


  • IAM is universal.
  • The root account: the account used to create your AWS account.
  • New users: no permissions when first created.
  • Access Key ID and secret access keys are not the same as usernames and passwords. You only get to view those once.
  • Always set up password rotations.
  • IAM federation: can combine existing user account with AWS.
  • Identify federation: Uses the SAML standard, which is Active Directory.