How to create an IAM user with least privilege

Topic: Accounts access

Summary

Create an IAM user with only the permissions needed for their role: no full admin unless required, use groups and managed policies, and enable MFA. Use this for human operators who need console or CLI access without using root.

Intent: How-to

Quick answer

  • Create the IAM user in the console or with create-user; attach permissions via groups or direct managed policies, not inline policies, and grant only what the role needs.
  • Enable console password and/or programmatic access as required; enforce a strong password policy and plan for MFA.
  • Prefer IAM Identity Center (SSO) for human access when you have multiple users or an IdP; use IAM users when SSO is not in use.

Steps

  1. Create the IAM user

    In IAM → Users → Create user, enter a username and select access type (console, programmatic, or both). Do not attach policies yet.

  2. Attach permissions via group or managed policy

    Create or select an IAM group (or attach managed policies directly) that grants only the actions and resources the user needs; avoid AdministratorAccess unless the role requires it.

  3. Set password policy and MFA

    In Account settings, configure a strong password policy; require MFA for the user or for console sign-in. Prefer assigning MFA in the user's Security credentials.

  4. Provide credentials and verify

    Send the user their sign-in URL and temporary password (or have them set it); have them sign in and run one allowed action to verify least privilege.

Summary

You will create an IAM user with least privilege by attaching only the permissions needed for their role via groups or managed policies, and by enabling MFA and a strong password policy. Use this when you need human console or CLI access and are not yet using IAM Identity Center for everyone.

Prerequisites

  • Root account secured; you have root or an IAM user with IAM write permissions (e.g. IAMFullAccess or equivalent).
  • A clear list of which AWS actions and resources the user needs (e.g. read-only S3, EC2 in one account).

Steps

Step 1: Create the IAM user

aws iam create-user --user-name deploy-prod

Console: IAM → Users → Create user. Enter the user name and choose Provide user access to the AWS Management Console and/or Programmatic access as needed. Do not attach policies in this step.

Step 2: Attach permissions via group or managed policy

Create a group with a least-privilege managed policy (or use an existing one), then add the user:

aws iam create-group --group-name ReadOnlyS3
aws iam attach-group-policy --group-name ReadOnlyS3 --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
aws iam add-user-to-group --user-name deploy-prod --group-name ReadOnlyS3

Alternatively attach a managed policy directly to the user. Prefer AWS managed policies or custom managed policies over inline policies. Grant only the actions and resources required (e.g. specific bucket ARNs).

Step 3: Set password policy and MFA

  • Password policy: IAM → Account settings → Password policy: set minimum length, complexity, and expiration if required.
  • MFA: In the user’s Security credentials tab, assign a virtual or hardware MFA device. For high-privilege users, require MFA via a policy condition or account practice.
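The two points above (scope the policy to specific bucket ARNs, and require MFA through a policy condition) can be checked before the policy ever reaches IAM. The following is an added example, not part of this guide or any AWS tooling: it builds a read-only policy for one bucket with an `aws:MultiFactorAuthPresent` condition and lints a policy document for the least-privilege violations this page warns about (wildcard actions, wildcard resources, missing MFA condition). The bucket name is a constructed placeholder.

```python
"""Build and lint a least-privilege IAM policy document (added example)."""
import json

# Constructed placeholder; replace with the bucket the user actually needs.
BUCKET = "example-deploy-artifacts"

def s3_read_only_policy(bucket: str, require_mfa: bool = True) -> dict:
    """Return a policy allowing read-only access to exactly one S3 bucket."""
    statement = {
        "Sid": "ReadOneBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        # ListBucket applies to the bucket ARN, GetObject to the objects in it.
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    if require_mfa:
        # Bool on an absent key evaluates to false, so long-term access keys
        # used without an MFA session never match this Allow.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def lint_policy(policy: dict) -> list[str]:
    """Flag Allow statements that are broader than least privilege permits."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in resources:
            if resource == "*":
                findings.append(f"{sid}: wildcard resource")
        if "aws:MultiFactorAuthPresent" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{sid}: no MFA condition")
    return findings

# Shape of AdministratorAccess, used only to show what the lint rejects.
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    policy = s3_read_only_policy(BUCKET)
    print(json.dumps(policy, indent=2))          # feed to: aws iam create-policy --policy-document file://...
    print("least-privilege findings:", lint_policy(policy))      # []
    print("admin-like findings:", lint_policy(ADMIN_LIKE))       # 3 findings
```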

Step 4: Provide credentials and verify

  • Send the user the account-specific sign-in URL (e.g. https://123456789012.signin.aws.amazon.com/console) and a temporary password (or let them set it on first sign-in).
  • For programmatic access, create access keys only if needed (see How to create and rotate IAM user access keys). Have the user run one allowed operation (e.g. aws s3 ls) to confirm least privilege.

Verification

  • User can sign in (or use the CLI with keys) and perform only the allowed actions; requests for actions not in their policy are denied.
  • aws iam list-attached-user-policies and aws iam list-groups-for-user show only the intended policies and groups.
  • MFA is assigned and password policy is in effect.

Troubleshooting

Access denied when testing — Attach the minimal policy that allows the test action; avoid granting broader permissions “to make it work.” Use IAM policy simulator to validate.

User cannot sign in to console — Confirm the user has Console password enabled in Security credentials and the sign-in URL is for your account ID. Check that no explicit Deny in a policy blocks sign-in.

Need both console and CLI — Enable both in the user; for CLI, create access keys and enforce MFA for sensitive operations via policy conditions where possible.

Next steps

Continue to