Understanding AWS Root and IAM Users

Zasim
5 min read

Amazon Web Services (AWS) is the most widely used cloud platform today. Before diving into hosting websites, storing data, or automating deployment pipelines, it's important to understand how access and permissions work in AWS.

What Is the AWS Root Account?

When you first sign up for AWS, you create the Root user. This is the account created using your email address and password. The Root account has unrestricted access to everything in AWS: billing, security, services, and account settings.

Think of the Root user like the owner of a company who has keys to every department. But just like in a real company, it’s not safe or practical for the owner to do everything themselves or share their master key with everyone.

That’s why AWS recommends you use the Root account only for essential tasks, such as:

  • Creating your first IAM admin user

  • Setting up billing alerts

  • Changing account-level settings

  • Managing support plans

  • Enabling multi-factor authentication (MFA)

After setting up the Root account, you should lock it down and avoid using it for day-to-day operations.

What Is an IAM User?

IAM (Identity and Access Management) lets you create separate users within your AWS account. These users can each have their own login credentials and access permissions.

For example, if you're working on a team or hiring freelancers, you don’t want to give them your Root login. Instead, you create an IAM user and assign them access only to the services they need.

IAM users:

  • Have their own username and password

  • Can access the AWS Console (web dashboard) or use access keys for CLI/SDK

  • Get permissions through IAM policies (more on that later)

This structure allows you to manage users securely, track their activity, and avoid giving unnecessary access.

Why Use IAM Instead of Root?

  • Security: IAM users only get the permissions you give them. The Root user has full access.

  • Control: You can create, suspend, or delete IAM users easily.

  • Best Practices: AWS recommends never using the Root account for daily tasks.

Creating an IAM User (Step-by-Step)

  1. Log in to the AWS Console using your Root credentials.

  2. Go to the "IAM" service.

  3. Click on "Users" from the sidebar.

  4. Click "Add users".

  5. Enter a username (e.g., dev_user).

  6. Choose "Provide user access to the AWS Management Console".

  7. Set a password for the user (you can require a password reset).

  8. Assign permissions:

    • You can add the user to a group

    • Or copy permissions from another user

    • Or attach policies directly

  9. Review and create the user.

Your IAM user is now ready to use. You’ll also receive a custom login URL for them to sign in.

IAM Groups: What Are They and Why Use Them?

IAM Groups help manage permissions for multiple users more easily. Instead of assigning policies to each user, you assign policies to a group and add users to it.

Example Use Case

You have five developers. They all need access to EC2 and S3 but nothing else.

  • Create a group called DevTeam

  • Attach AmazonEC2FullAccess and AmazonS3ReadOnlyAccess policies to the group

  • Add all five developers to the DevTeam group

Now, if you update the permissions for DevTeam, all five users are updated automatically.

Creating a Group (Step-by-Step)

  1. Go to the IAM service.

  2. Click on "User groups" from the sidebar.

  3. Click "Create group".

  4. Enter a group name (e.g., DevOpsTeam).

  5. Attach the policies you want (e.g., AmazonEC2FullAccess, AmazonS3ReadOnlyAccess).

  6. Add existing users to the group (or do this later).

  7. Create the group.

IAM Policies: The Rules of Access

An IAM policy is a document that defines what actions are allowed or denied. These are written in JSON, but you don’t need to write them manually. AWS provides many pre-built (managed) policies.

There are two types of policies:

  • AWS Managed Policies: Predefined by AWS (e.g., AmazonS3FullAccess)

  • Customer Managed Policies: You write your own custom rules

Example Policy (Simple View)

A policy can say:

  • Allow this user to read from S3

  • Allow this group to manage EC2 instances

  • Deny this user from deleting files

You attach policies to:

  • Individual IAM users

  • IAM groups

  • IAM roles
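The following is an added example, not code from the original post. It writes the three rules listed above as real IAM policy JSON documents, models the DevTeam group from the groups section, and implements the simplified evaluation logic AWS applies to identity-based policies: everything is implicitly denied, an Allow statement grants access, and an explicit Deny in any attached policy wins. The group names and policy contents are constructed for illustration.

```python
import fnmatch
import json

# Constructed policy documents in IAM JSON syntax (not from the original post).
S3_READ = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]
}""")
EC2_MANAGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}""")
NO_DELETE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]
}""")

# Hypothetical groups: DevTeam mirrors the post's example (EC2 full, S3 read).
GROUP_POLICIES = {"DevTeam": [EC2_MANAGE, S3_READ], "Compliance": [NO_DELETE]}

def _as_list(value):
    # IAM allows "Action"/"Resource" to be a single string or a list.
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    # IAM action names are case-insensitive and support "*" wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_allowed(policies, action, resource):
    """Simplified evaluation: implicit deny, Allow grants, explicit Deny wins.
    Conditions, NotAction and resource policies are out of scope here."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(action, _as_list(stmt["Action"]))
                    and _matches(resource, _as_list(stmt["Resource"]))):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny overrides any allow
            allowed = True
    return allowed

def effective_policies(user_policies, groups, group_policies=GROUP_POLICIES):
    """A user in several groups gets the union of all those groups' policies."""
    combined = list(user_policies)
    for group in groups:
        combined.extend(group_policies.get(group, []))
    return combined
```

A developer in DevTeam can read S3 objects and manage EC2 but cannot delete objects (nothing allows it); adding a broad s3:* Allow directly to that user still leaves deletion blocked once the Compliance group's Deny is attached.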

IAM Roles: For Services and External Access

IAM roles are identities you create and assign to AWS services (like EC2 or Lambda) or external apps (like Jenkins or GitHub).

Roles are not for human users. Instead, they’re assumed by services that need temporary access to AWS resources.

Example Use Case

You have a script running on an EC2 instance that needs to upload files to an S3 bucket. Instead of storing access keys in the code (which is risky), you:

  • Create a role with S3 upload permission

  • Attach the role to the EC2 instance

  • Now the instance can upload files securely

Billing Access for IAM Users

By default, only the Root user can view and manage billing. If you want an IAM user (e.g., your accountant) to access billing info:

  1. Log in as the Root user

  2. Go to "My Account" → "IAM User and Role Access to Billing Info"

  3. Turn it ON

  4. Create or update an IAM user

  5. Attach the policy Billing to the user

Best Practices

  • Enable Multi-Factor Authentication (MFA) for Root and IAM users

  • Never share your Root login with anyone

  • Use groups to manage permissions

  • Follow the principle of least privilege: give users only the permissions they need

  • Regularly audit your IAM users, groups, and roles

Real-Life Team Setup Example

Let’s say you’re managing a small team.

Name        | Role           | IAM Setup
You         | Owner          | Root account (MFA enabled)
Lead Dev    | Admin          | IAM user with AdministratorAccess
Developer1  | Backend Dev    | IAM user in DevGroup
DevOps      | CI/CD Deploy   | IAM user with EC2 + IAM policies
Accountant  | Finance        | IAM user with Billing access
Jenkins     | Automation     | IAM Role with EC2 + S3 permissions

This structure keeps your AWS environment organized, secure, and scalable.

Common Questions

Q: Can a user belong to multiple groups?
Yes. Permissions from all groups will be combined.

Q: Can I delete the Root user?
No. The Root user is permanent.

Q: What happens if I lose Root access?
You’ll need to reset your password through your email. Always set up MFA.

Q: How many IAM users can I create?
By default, you can create up to 5,000 users.
