Making Your AWS Account More Secure By Restricting Access Key Permissions

2020-10-25 17:50:24 | #sysadmin #aws

Tested On

  • Linux Ubuntu 20.04
  • Windows 10
  • macOS Catalina

If you've never visited your AWS IAM console, chances are your root user has an access key with full permissions. While convenient, this is a security risk: it gives attackers full access to your account, should the keys ever get compromised. All it takes is one developer accidentally hard-coding the keys into live code or a public git repository for your services to come crashing down.

One of three things will happen. AWS will discover the public access key leak first and revoke that root user's permissions, handicapping all of your services that rely on those keys. A hacker will use the keys to hijack your AWS resources directly. Or a hacker will use the keys to access your databases, encrypt all of the records, and send you a ransom letter demanding payment in bitcoin in exchange for your data.

Trust me when I say you need to stop using your root user's default access keys as soon as possible. The following steps will guide you through the process of setting up new, appropriately limited access keys that you can use for the task at hand. For API tasks, at minimum, you should have a separate API user with temporary, API-only permissions. Once there are no API tasks left to carry out, there's no reason to keep those permissions in place. The same goes for a user in charge of deployments.

While it's up to every business owner to balance security with convenience, sacrificing too much security poses legal and ethical issues. Full-access keys give you the most convenience with the least amount of security. You'll get more tasks done, but a single breach can be orders of magnitude more costly than preventative measures. The ramifications of a security breach involving PII (Personally Identifiable Information), financial or patient information cannot be undone. Always err on the side of caution, and expect to budget in the cost of security measures. If you're ready to get started, proceed to the next section.

Navigating to the AWS IAM Console

Navigate to your IAM console, log in, hover over the "Services" dropdown menu in the top left corner, and select "IAM". If you're having trouble finding it, type "IAM" into the search box like so:

Searching for the IAM service under the list of AWS Services

Creating a New AWS IAM User

Select "Users" from the left sidebar, under "Access Management". If this is the first time you're visiting this page, there should only be one user—the root user you use to sign in with. Create a new user by clicking the "Add User" button towards the top of the screen. Give this user a username like "api" or "deploy" and check the "Programmatic access" box. Then, click the "Next: Permissions" button at the bottom of the screen.

Creating a new user with the AWS IAM console

Click the "Next" buttons all the way through, until you get a "Create user" button and a prompt indicating your user has no permissions. Ignore this for now, and click the "Create user" button. On the following screen, copy your "Access Key ID" and "Secret access key". You also have the option to "Download .csv".

Granting Limited API Access to an IAM User

Once you hit the "Close" button, you'll be taken back to the Users list. Click into your new user and click the "Add permissions" button. From there, click the "Attach existing policies directly" button. Filter through the list for the necessary permissions, and tick the checkbox for each required policy. When you're ready, click "Next: Review" and then "Add Permissions".

Filtering through IAM permissions policies to attach to a user

You can now use this user's access keys for AWS-related operations.
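Before attaching a policy in the step above, it is worth checking that it is actually limited rather than a full-access policy in disguise. The following is an added example, not code from the original post: a small Python linter run over two constructed policy documents, one shaped like the full access a root user's keys carry and one scoped to a single placeholder bucket for a hypothetical "deploy" user.

```python
# Constructed sample policies (not from the original post). The first has the
# shape of a full-access policy like the one behind a root user's keys; the
# second is a least-privilege policy for a hypothetical "deploy" user that may
# only read and write one bucket (the bucket name is a placeholder).
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-deploy-bucket",
                     "arn:aws:s3:::example-deploy-bucket/*"],
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return findings for Allow statements broader than a task needs: an action
    of "*" or "service:*", or a resource of "*". Deny statements are skipped,
    since a broad Deny narrows access rather than widening it."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        broad_actions = [a for a in _as_list(stmt.get("Action"))
                         if a == "*" or a.endswith(":*")]
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if broad_actions:
            findings.append(f"statement {idx}: wildcard action(s) {broad_actions}")
        if all_resources:
            findings.append(f"statement {idx}: applies to every resource")
        if broad_actions and all_resources:
            findings.append(f"statement {idx}: equivalent to full account access")
    return findings


def is_least_privilege(policy):
    """True when no Allow statement uses a wildcard action or resource."""
    return not wildcard_findings(policy)
```

Running `wildcard_findings` on a policy JSON you have downloaded from the console (after `json.load`) gives you a quick list of what to tighten before it ever reaches a user.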


Feel free to create as many users and key pairs as necessary. And don't forget to revoke the permissions when they are no longer needed. That's the end of this tutorial. We hope you found it helpful. Make sure to check out our other tutorials, as well.
