First, here is a glossary of terms that will be used throughout this guide:
The best practice is to use your parent account only for the initial IAM user setup, then configure it
with a secure password, store it in a safe place, and ideally never use the parent account again. Daily
operations should be done with IAM accounts, as they have the following benefits:
- No need to maintain multiple credentials: a single IAM account can be used to access all AWS
resources of the organization.
- Each IAM account can be made user-specific, so it is easy to remove access when employees or
contractors leave the project.
- IAM accounts can be assigned to groups, so fine-grained access control is possible, e.g.
providing certain employees with access to the development environment but not to production.
1. Assign the new user to the groups for which access is needed.
It is recommended to have separate subaccounts for each project/environment, as this makes billing
and access control easier. Ideally, the parent account should only contain IAM users and nothing
else.
1. Log in with your IAM user that has full administrator access to the AWS parent account.
2. Before creating a new subaccount, ensure that the "Enable Tax Settings Inheritance" checkbox is
enabled in the Tax settings of your parent account. Otherwise, AWS will send you invalid invoices
at the end of the month.
3. Go to "My Organization" in the AWS Console.
4. Click the "Add account" button.
5. Click "Create account". A form for the new account will open.
1. Log in with your IAM user that has full administrator access to the AWS parent account.
2. In order to give access to a subaccount, you first need to know its ID. While still in your parent
account, go to the "My Organization" page and note the "Account ID" that has been assigned to the
subaccount to which you would like to give access.
3. Now follow the steps described here to grant access to the new AWS subaccount via an IAM user
account (see the section "To grant permissions to members of an IAM group in the master account
to access the role (console)").
1. This step requires the user to be a member of an IAM group that has access to the subaccount,
so the steps described in the previous section must be performed first.
2. When you log in with your IAM credentials, you will be managing your parent AWS account by
default, since the IAM users are set up in it.
3. In order to gain access to a subaccount, you first need to know its ID. While still in your parent
account, go to the "My Organization" page and note the "Account ID" that has been assigned to the
subaccount that you would like to access.
4. Now follow the steps described here to gain access to the new AWS subaccount via your IAM user
account (see the section "To switch to the role for the member account (console)").
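The two procedures above (granting a parent-account IAM group access to a subaccount, then switching into it) come down to one permissions policy and one role switch. As an added example that is not part of the original guide, the code below generates that policy and the equivalent AWS CLI profile; it assumes the default role name `OrganizationAccountAccessRole` that AWS Organizations creates in member accounts (the guide does not name the role), uses a constructed account ID, and adds an optional MFA condition as hardening.

```python
import json
import re

# Role AWS Organizations creates in each member account it creates.
# Assumed here; the original guide does not name the role.
DEFAULT_ROLE = "OrganizationAccountAccessRole"


def normalize_account_id(raw: str) -> str:
    """Accept the Account ID as copied from the console ("1234-5678-9012"
    or "123456789012") and return the 12-digit form used in ARNs."""
    digits = raw.replace("-", "").strip()
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError(f"not a 12-digit AWS account ID: {raw!r}")
    return digits


def group_assume_role_policy(member_account_id: str,
                             role_name: str = DEFAULT_ROLE,
                             require_mfa: bool = True) -> dict:
    """Least-privilege permissions policy for the parent-account IAM group:
    it may assume only the named role in the named member account."""
    arn = f"arn:aws:iam::{normalize_account_id(member_account_id)}:role/{role_name}"
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arn}
    if require_mfa:
        # Only honour the request if the IAM user signed in with MFA.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def cli_switch_role_profile(profile: str, member_account_id: str,
                            source_profile: str, role_name: str = DEFAULT_ROLE,
                            mfa_serial: str = "") -> str:
    """~/.aws/config stanza equivalent to the console's "Switch Role": commands
    run with --profile <profile> assume the member-account role using the
    parent-account IAM user credentials stored in <source_profile>."""
    arn = f"arn:aws:iam::{normalize_account_id(member_account_id)}:role/{role_name}"
    lines = [f"[profile {profile}]", f"role_arn = {arn}",
             f"source_profile = {source_profile}"]
    if mfa_serial:  # required when the policy carries the MFA condition
        lines.append(f"mfa_serial = {mfa_serial}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample account ID, in the hyphenated form the console shows.
    print(json.dumps(group_assume_role_policy("1234-5678-9012"), indent=2))
    print(cli_switch_role_profile("dev", "1234-5678-9012", "parent"))
```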