Creating your first Identity and Access Management User, Group, Role

Last Updated: September 2020

Author: Ben Potter, Security Lead, Well-Architected


This hands-on lab will guide you through the introductory steps to configure AWS Identity and Access Management (IAM). You will use the AWS Management Console to guide you through how to configure your first IAM user, group and role for administrative access. The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework .

It is strongly recommended you centralize your identities instead of using IAM Users and Groups as outlined in this lab. If you have more than a single test account for personal use, use AWS Single Sign-On or an identity provider configured in IAM, instead of IAM users. IAM users should not have access keys, for Command Line Interface (CLI) you should instead assume a role, or use integration with AWS Single Sign-on making it easy to get short term credentials for CLI use without needing to store long lived credentials. Use separate accounts for development/test and production, If you don’t have an existing organizational structure with AWS Organizations , AWS Control Tower is the easiest way to get started. For more information see Security Foundations and Identity and Access Management in the AWS Well-Architected security whitepaper.


  • An AWS account that you are able to use for testing.
  • Permissions to create resources in IAM, or the root user if you are just getting started.



References & Useful Resources