Creating IAM Admin Users and Adding User to Administrator’s Group

As a best practice, the AWS account requires that you create a new IAM user with administrator access to set up policies, users, and groups rather than using the root user’s credentials.

Before assigning administrator access to an IAM user in the AWS console, you must attest or validate that the user is approved for administrator access in CloudCheckr.

CloudCheckr classifies IAM users as administrators if they have been granted one of the following permissions, either directly or indirectly through membership in a group:

  • iam:AddUserToGroup
  • iam:AttachGroupPolicy
  • iam:AttachRolePolicy
  • iam:AttachUserPolicy
  • iam:ChangePassword
  • iam:CreateAccessKey
  • iam:CreatePolicy
  • iam:CreateRole
  • iam:CreateSAMLProvider
  • iam:CreateUser
  • iam:DeactivateMFADevice
  • iam:PassRole
  • iam:PutGroupPolicy
  • iam:PutRolePolicy
  • iam:PutUserPolicy
  • iam:UpdateAssumeRolePolicy
  • iam:UpdateGroup
  • iam:UpdateUser
  • iam:UpdateSAMLProvider
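To audit existing policies against this list before attesting a user, the following added example (not CloudCheckr's own logic and not code from this page) reports which of the listed actions a policy document allows. The function names, the sample policies, and the treatment of wildcard patterns as grants are assumptions.

```python
import fnmatch

# Actions the page lists as marking an IAM user as an administrator.
ADMIN_ACTIONS = [
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:ChangePassword", "iam:CreateAccessKey",
    "iam:CreatePolicy", "iam:CreateRole", "iam:CreateSAMLProvider",
    "iam:CreateUser", "iam:DeactivateMFADevice", "iam:PassRole",
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:UpdateAssumeRolePolicy", "iam:UpdateGroup", "iam:UpdateUser",
    "iam:UpdateSAMLProvider",
]

def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def admin_actions_granted(policy):
    """Return the sorted listed actions that any Allow statement matches.

    Assumption: wildcard patterns ("*", "iam:*", "iam:Create*") count as
    grants. Deny statements, NotAction, conditions and resource scoping
    are not evaluated, so treat the result as a first-pass flag only.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ADMIN_ACTIONS:
                # IAM action names are case-insensitive; * and ? are wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return sorted(granted)

def is_admin(user_policies, group_policies):
    """Direct and group-inherited policies both count, as the page states."""
    return any(admin_actions_granted(p) for p in user_policies + group_policies)

# Constructed sample policies (not from any real account).
READ_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}}
HELPDESK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]}
ADMIN_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

A prefix wildcard such as `iam:Create*` is enough to match five of the listed actions, so a policy does not need to name them individually to be flagged.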

This procedure will show you how to create an IAM admin user and assign that user to the Administrator’s group.


Step 1: Log in to your Amazon Web Services Management Console.

Step 2: Load the Identity and Access Management (IAM) Dashboard.

Step 3: Click Users on the left side of the console.

Step 4: Click the Add user button.

Step 5: Enter a user name.

We recommend naming the user Administrator for easy identification.

Step 6: Ensure the AWS Management Console access checkbox is selected.

The Console password section displays.

Step 7: Select Custom password, type your new password in the text field, and select the Require password reset checkbox.

Step 8: Click Next: Permissions.

Step 9: Click Add user to group and click Create group.

Step 10: Type the name of the new group and, from the policy list, select the AdministratorAccess checkbox.

The new group is now displayed in the list of groups.

Step 11: Click Next: Review.

Step 12: Review your selections and click Create user.

Step 13: Click the Download .csv button to save the security credentials as a CSV export, and click Send Email to provide the user with instructions on how to log in to the AWS Console.

Step 14: Click the Close button on the bottom of the console.