I'm referring to the Admin user created here.
Does it make sense to create Access Keys for the Admin user? In theory, nobody should be using the Admin user account, but have their accounts added to the Admin group instead? Or is this Admin account like a sudo account?
CodePudding user response:
Your AWS administrator(s) will need access to the account and many experienced admins prefer to use the CLI over the console; they’ll need access keys in order to programmatically access the account's resources. It’s not technically a necessity, but may be a preference of your administrator(s).
An administrator is different from root
account access though. Root access is the first account you set up and, considering the unique privileges the account has (for example, you cannot restrict actions on the root account) you should only really use the root account for creating your first IAM user, and then almost all actions on the account should be done through IAM users. This is to say the root
account should not have access keys and should not be used for day-to-day account activities, which should be executed by IAM users.
You should be cautious with granting administrator
access to any IAM user. Administrators can perform almost all actions on an account. The best practice is to follow the least access policy and only grant permissions that are absolutely required. For example, if the user is a marketing email administrator you may consider that you only want to grant that user full access to SES, PinPoint, and maybe Quicksight, but not to DynamoDB or S3 or any other resource they do not need access to in order to carry out their function.
IAM is a broad topic, and AWS has many free resources you can use to learn more. You can learn more about the root account and best practices on the root account in the AWS documentation here.