Creating an admin user in AWS from the root account involves several steps. The root account has unrestricted access, so it's a best practice to create an IAM user with administrative privileges and use that account for everyday tasks, reserving the root account for account and service management.
Here’s a step-by-step guide to creating an admin user:
Step 1: Sign in to the AWS Management Console as the Root User
- Go to the AWS Management Console.
- Sign in with your root account credentials (email and password).
Step 2: Navigate to the IAM Service
- In the AWS Management Console, on the top right, click on your account name.
- In the dropdown menu, select “Security credentials.”
- In the left sidebar, click on “Users” under the “Access management” section.
Step 3: Create a New User
- Click the "Add user" button.
- Enter a user name for the new user. For example, "AdminUser."
- Select the checkbox for “AWS Management Console access” to enable console access for the user.
- Choose the “Custom password” option and enter a strong password. Optionally, select “Require password reset” for the user to reset their password upon first sign-in.
Step 4: Set Permissions for the New User
- On the “Set permissions” page, select “Attach existing policies directly.”
- In the search box, type “AdministratorAccess.”
- Check the box next to “AdministratorAccess” to assign full administrative permissions to the new user.
- Click the "Next: Tags" button.
Step 5: Add Tags (Optional)
- You can add tags to organize and manage your AWS resources. For example, you can add a tag with the key "Department" and the value "IT."
- Click the "Next: Review" button.
Step 6: Review and Create the User
- Review the details of the new user to ensure everything is correct.
- Click the "Create user" button.
Step 7: Provide Sign-In Information to the New User
- After the user is created, you will see a confirmation page with a link to the AWS Management Console for the new user, along with the username and password.
- Copy or download the credentials for the new user and share them securely with the user.
Step 8: Sign in as the New Admin User
- Use the sign-in URL provided (typically in the format https://Your-AWS-Account-ID.signin.aws.amazon.com/console).
- Enter the new user credentials to sign in as the AdminUser.
- If you required a password reset, the user will be prompted to set a new password.
Step 9: Enable Multi-Factor Authentication (MFA) for the New Admin User (Optional but Recommended)
- While signed in as the new AdminUser, navigate to the IAM dashboard.
- In the left sidebar, select “Users.”
- Click on the new admin user’s name to open their details.
- Select the “Security credentials” tab.
- In the “Multi-factor authentication (MFA)” section, click “Assign MFA device.”
- Follow the steps to enable MFA using a virtual MFA device (e.g., an authenticator app like Google Authenticator or Authy).
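Once Steps 1 to 9 are done, the same state can be verified from the command line. The following is an added example, not part of the original post: it reads JSON in the shape the AWS CLI returns from `aws iam get-account-summary`, `aws iam list-mfa-devices` and `aws iam list-attached-user-policies` and reports what still deviates from the setup above. The sample outputs embedded here are constructed; the field names match the real CLI responses.

```python
"""Check the admin-user setup from AWS CLI output (added example).

Each SAMPLE_* constant is a constructed document in the shape returned by:
  aws iam get-account-summary
  aws iam list-mfa-devices --user-name AdminUser
  aws iam list-attached-user-policies --user-name AdminUser
"""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample: root has MFA and no access keys, AdminUser has the
# policy attached, but Step 9 (MFA for the admin user) is not done yet.
SAMPLE_SUMMARY = json.loads(
    '{"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}}')
SAMPLE_MFA_DEVICES = json.loads('{"MFADevices": []}')
SAMPLE_POLICIES = json.loads(
    '{"AttachedPolicies": [{"PolicyName": "AdministratorAccess",'
    ' "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}')


def check_admin_setup(user_name, summary, mfa_devices, attached_policies):
    """Return a list of findings; an empty list means the setup is complete."""
    findings = []
    s = summary["SummaryMap"]
    # The root account should itself be protected before it is set aside.
    if s.get("AccountMFAEnabled") != 1:
        findings.append("root account has no MFA device")
    if s.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root account has access keys; remove them")
    # Step 4: AdministratorAccess must be attached to the new user.
    arns = {p["PolicyArn"] for p in attached_policies["AttachedPolicies"]}
    if ADMIN_POLICY_ARN not in arns:
        findings.append(f"{user_name} does not have AdministratorAccess attached")
    # Step 9: an admin user without MFA is a single-factor path to full control.
    if not mfa_devices["MFADevices"]:
        findings.append(f"{user_name} has no MFA device assigned")
    return findings


def run_sample():
    """Run the check against the constructed sample documents."""
    return check_admin_setup("AdminUser", SAMPLE_SUMMARY,
                             SAMPLE_MFA_DEVICES, SAMPLE_POLICIES)


if __name__ == "__main__":
    for finding in run_sample() or ["setup complete"]:
        print(finding)
```

Replace the SAMPLE_* constants with the real command output (for example via `json.load(open(path))`) to audit an actual account.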
Summary
By following these steps, you have created a new IAM user with administrative privileges. This practice enhances security by minimizing the use of the root account for daily operations. Always enable MFA for additional security.