AWS: How to Set Up Users in AWS for Your Organization


Setting up users for your organization's employees who need access to AWS is an important initial step when adopting AWS in your organization, as it controls the actions each employee is allowed to perform as well as the AWS services they are allowed to use.
In order to accomplish this, we will primarily rely on IAM Identity Center, which grants users access to applications and accounts, and AWS Organizations, which helps you centrally manage accounts and allocate resources appropriately as your company scales.
If you haven't created an AWS root user account for your company yet, navigate to https://aws.amazon.com/console/ and click “Create account”. You can follow the AWS tutorial at the following link, under the “AWS Management Console” tab: https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html. The root user account should use a unique email address that the company controls and that is not tied to a single employee (for example a shared mailbox), so that access to it does not depend on one person.
Once you have created an AWS root user, use that root user for the following steps.
Steps:
1. Create an AWS Organization and AWS accounts as members of the organization — AWS Organizations lets you manage many accounts and users centrally instead of creating individual IAM users in each account, and is designed exactly for meeting the needs of large organizations and companies.
Navigate to AWS Organizations in the AWS Management Console by typing “aws organizations” in the search bar, and click “create an organization” if you haven't already created an organization in the past. Then click “add an AWS account”:
- Keep “Create an AWS account” selected, and enter “dev” as the account name along with the desired email address — you can use this AWS account for now to manage all your applications and users. In the future you should create a separate “prod” AWS account for production, but a single dev account will suffice for now. The email can be your root user email with a “+dev” suffix (plus addressing), e.g. if “admin@yourcompany.com” is the root user, simply use “admin+dev@yourcompany.com”.
- IAM role name should stay as “OrganizationAccountAccessRole”
Select “Create AWS Account” when done.
2. Choose a region closest to your users — Navigate back to the home page of the AWS Management Console and, in the upper right corner, choose the region closest to your users. E.g., if your company is largely located in Oregon, choose us-west-2.
3. Create a permission set — A permission set contains the policies your users or groups are bound to, defining the job functions they can perform (e.g. billing) or a specific level of access to AWS services and resources. We will create a permission set for an admin user/group, but feel free to create any permission set you need (e.g. you may select the “Billing” predefined permission set instead for your accountant(s)). While still in the region you selected, follow the steps below:
- Navigate to “IAM Identity Center” by typing it in to the search bar in the management console
- Click “enable” (if you haven't already enabled IAM Identity Center)
- Click “Permission sets” in left menu -> “Create permission set”
- Keep “predefined permission set” selected, and select “AdministratorAccess” to create a permission set for admin users. Select next.
- On the following page, you can keep the permission set name as is, or customize the name if you'd like. “Session duration” is also up to you, but I typically set it to 8 hours. Everything else you can leave as-is/blank.
- Select “next”, then “create” on following page.
4. Create an admin group and add user(s) to it — We will use these users to actually access the AWS account and the management console (i.e. the access portal) as admins. If in the previous step you selected a different predefined permission set, simply name the group accordingly; the name is completely customizable and up to you.
- Navigate back to IAM Identity Center, click “Groups” in the left menu, then “Create group”.
- Name the group “AdminGroup” (or whatever name is appropriate for your implementation, e.g. “AccountantGroup” if you selected the “Billing” predefined permission set in the previous step) and click “Create group” (don't click “add a new user” yet).
- Click “Users” in the left menu, then “Add user”
- Fill in the user details for the employee, including their email address. Keep “send an email to this user” selected under “Password” so that the new user receives an invitation email to set up their password, and click next when done.
- Choose “AdminGroup” on following page, then next, and finally select “add user” in review page.
Accept the email invitation sent from AWS to proceed. Now we just need to add this user to the AWS account we created in previous steps.
5. Add the user to the dev account (via the group) —
- Navigate to IAM Identity Center -> Click “AWS accounts”
- Select the dev account -> Click “Assign users or groups”
- Choose the “AdminGroup” created, and click next.
- Choose the permission set created, click next -> click submit.
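The same five steps can be captured as infrastructure-as-code so the setup is reviewable and repeatable. The Terraform configuration below is an added example and is not part of the original post; it assumes the Terraform AWS provider (5.x), that you run it with credentials for the management account in the region chosen in step 2, and that IAM Identity Center has already been enabled in that region from the console (Terraform only reads the existing instance). The region, email addresses and the user “Alice Example” are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Run with management-account credentials, in the region picked in step 2
# (placeholder region below).
provider "aws" {
  region = "us-west-2"
}

variable "dev_account_email" {
  description = "Plus-addressed mailbox for the dev member account (placeholder)"
  default     = "admin+dev@yourcompany.com"
}

# Step 1: the organization, with IAM Identity Center allowed as a trusted service.
resource "aws_organizations_organization" "org" {
  feature_set                   = "ALL"
  aws_service_access_principals = ["sso.amazonaws.com"]
}

# Step 1: the "dev" member account; the role name matches the console default.
resource "aws_organizations_account" "dev" {
  name      = "dev"
  email     = var.dev_account_email
  role_name = "OrganizationAccountAccessRole"

  depends_on = [aws_organizations_organization.org]
}

# Step 3: Identity Center must already be enabled; this reads its instance
# ARN and the backing identity store.
data "aws_ssoadmin_instances" "sso" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
}

# Step 3: permission set with an 8-hour session (ISO 8601 duration), backed by
# the AWS-managed AdministratorAccess policy (the console's predefined set).
resource "aws_ssoadmin_permission_set" "admin" {
  name             = "AdministratorAccess"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT8H"
}

resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Step 4: the group, one user (placeholder identity) and the membership.
resource "aws_identitystore_group" "admins" {
  identity_store_id = local.identity_store_id
  display_name      = "AdminGroup"
  description       = "Administrators of the dev account"
}

resource "aws_identitystore_user" "alice" {
  identity_store_id = local.identity_store_id
  user_name         = "alice@yourcompany.com"
  display_name      = "Alice Example"

  name {
    given_name  = "Alice"
    family_name = "Example"
  }

  emails {
    value   = "alice@yourcompany.com"
    primary = true
  }
}

resource "aws_identitystore_group_membership" "alice_admin" {
  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.admins.group_id
  member_id         = aws_identitystore_user.alice.user_id
}

# Step 5: assign the group (not the individual user) to the dev account
# together with the permission set.
resource "aws_ssoadmin_account_assignment" "admins_dev" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  principal_id       = aws_identitystore_group.admins.group_id
  principal_type     = "GROUP"
  target_id          = aws_organizations_account.dev.id
  target_type        = "AWS_ACCOUNT"
}
```

Assigning the group rather than the user to the account is what keeps later onboarding to a single group-membership change. Note that the “send an email to this user” invitation from step 4 is a console action; for a user created through the API, trigger the password setup for that user from the Identity Center console.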
We've finished the setup at this point! To verify, navigate back to IAM Identity Center -> Dashboard, and on the right hand side open the “AWS Access Portal” link.
You'll now be able to sign in via that address and access the AWS services the dev account allows through the permission set defined.
Conclusion
That's it! From now on, you and all employees should use the users created and the access portal URL from these steps to log in and access AWS (you should no longer, or rarely if ever, use the root account).
Written by Xavier Reed