I'm looking for some advice on how to effectively manage users, roles, and permissions in AWS for security. It's generally recommended not to use the root user for day-to-day tasks. When developing an application or managing infrastructure for a large organization, what's the correct approach? Should you create a single IAM user for deploying code using the AWS SDK, or separate users for each service like DB access, Lambda, and S3? What steps should be taken after setting up the root user? Is this done manually through the Management Console or CLI, or should it be automated with Infrastructure as Code (IaC)? If IaC is the way to go, how do you gain the necessary permissions to deploy without using the root account?
5 Answers
Instead of making a separate user for every service, it’s better to create groups or roles that can be assigned to different users. Start off with a root account for setup and from there, manage other users via groups based on their permissions. This simplifies user management.
Use the root account sparingly, only when absolutely necessary. For day-to-day operations, set up application-specific roles rather than individual users. It's also good practice to have an admin role and a read-only role for quick access across services without relying on direct user access.
The first step is to set up an admin role, then keep your root user locked up tight. Create IAM roles tailored to what users need, ideally using Terraform to automate this. For internal users, give them access through federated roles with Okta and enable MFA. Occasionally, you might need a vendor's IAM user, but overall, this method is secure and works well.
Absolutely avoid the root user for anything other than critical tasks. Create an admin IAM policy but make sure your new user has 2FA enabled and uses short-lived tokens. Each service should really get its own IAM roles with limited access based on need. With CI/CD and tools like Terraform, you'll need structured workflows and permissions.
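The role shapes the two previous answers describe (an MFA-gated admin role with short sessions, a read-only role, and a per-service application role scoped to one bucket prefix) as one Terraform file. This is an added example, not code from the thread or from AWS; the region, role names and the bucket `example-uploads-bucket` are placeholders.

```hcl
# Added example (not from the original thread). Region, role names and the
# bucket name are placeholders to replace for a real account.
provider "aws" {
  region = "us-east-1" # assumption
}

data "aws_caller_identity" "current" {}

# Trust policy shared by the human-assumed roles: only principals in this
# account may assume them, and only when MFA is present on the session.
data "aws_iam_policy_document" "human_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# Admin role: broad rights, but MFA-gated and limited to one-hour sessions.
resource "aws_iam_role" "admin" {
  name                 = "OrgAdmin"
  assume_role_policy   = data.aws_iam_policy_document.human_trust.json
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Read-only role for everyday inspection without any write access.
resource "aws_iam_role" "readonly" {
  name                 = "OrgReadOnly"
  assume_role_policy   = data.aws_iam_policy_document.human_trust.json
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Application role: assumed by the Lambda service, not by people, and scoped
# to a single bucket prefix instead of s3:* on "*".
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "uploader_lambda" {
  name               = "UploaderLambdaRole"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

data "aws_iam_policy_document" "uploader_lambda" {
  statement {
    sid       = "WriteOwnPrefixOnly"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["arn:aws:s3:::example-uploads-bucket/incoming/*"] # placeholder bucket
  }
  statement {
    sid       = "ListOwnPrefixOnly"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-uploads-bucket"]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["incoming/*"]
    }
  }
}

resource "aws_iam_role_policy" "uploader_lambda" {
  name   = "uploader-s3-scoped"
  role   = aws_iam_role.uploader_lambda.id
  policy = data.aws_iam_policy_document.uploader_lambda.json
}

# Standard CloudWatch Logs permissions so the function can write its own logs.
resource "aws_iam_role_policy_attachment" "uploader_lambda_logs" {
  role       = aws_iam_role.uploader_lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
```

The trust policy's `aws:MultiFactorAuthPresent` condition is what turns "enable 2FA" into something the role itself enforces: a session without MFA is denied `sts:AssumeRole` regardless of what the caller's user policy allows, and `max_session_duration` caps how long the resulting credentials live.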
Based on my experience, here's a simple approach:

1) Use the root user only to set up your main account and enable AWS Identity Center for access management.
2) Go ahead and create a user in the Identity Center, assign a permission set, and enforce MFA.
3) From that user, run Terraform to spin up your resources and roles.
4) This way, you never have to deal with static IAM users and manage permissions much more efficiently.

In the long run, follow the principle of least privilege for all your roles.
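Once the bootstrap Identity Center user exists, further human access can itself be kept in Terraform instead of the console, which is what step 3 leads to. The following is an added example, not code from the answer above or from AWS: it defines a least-privilege "Developer" permission set and assigns it to a group. It assumes Identity Center is already enabled (step 1) and that the developers' group id is supplied through the hypothetical variable `developers_group_id`; the Lambda function and role name prefixes `app-*` are placeholders. MFA enforcement for these users is configured in Identity Center's authentication settings, not in this file.

```hcl
# Added example (not from the original thread). Assumes Identity Center is
# already enabled and a developers group exists; its id is a variable here.
variable "developers_group_id" {
  type        = string
  description = "Identity Center group id for developers (placeholder value)"
}

data "aws_caller_identity" "current" {}
data "aws_ssoadmin_instances" "this" {}

locals {
  # An account has at most one Identity Center instance; take its ARN.
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

# Permission set for developers: one-hour sessions, a managed read-only
# baseline, and an inline policy adding only the write actions the team needs.
resource "aws_ssoadmin_permission_set" "developer" {
  name             = "Developer"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H"
}

resource "aws_ssoadmin_managed_policy_attachment" "developer_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

data "aws_iam_policy_document" "developer_inline" {
  # Deploy code only to functions named app-* (placeholder prefix).
  statement {
    sid       = "DeployOwnFunctions"
    actions   = ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"]
    resources = ["arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:app-*"]
  }
  # iam:PassRole limited to application roles, so a developer cannot hand an
  # admin role to a function they control.
  statement {
    sid       = "PassOnlyAppRoles"
    actions   = ["iam:PassRole"]
    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-*"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "developer" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  inline_policy      = data.aws_iam_policy_document.developer_inline.json
}

# Grant the permission set to the developers group in this account.
resource "aws_ssoadmin_account_assignment" "developers" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  principal_id       = var.developers_group_id
  principal_type     = "GROUP"
  target_id          = data.aws_caller_identity.current.account_id
  target_type        = "AWS_ACCOUNT"
}
```

Because access is granted to a group through a permission set rather than to a long-lived IAM user, credentials are always short-lived session tokens, and revoking a person's access is a group-membership change rather than a hunt for access keys.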
