AWS IAM User Setup

🧱 Service Inputs

AWS IAM User Configuration Steps

1. Log in to AWS Portal as Aspireclan AWS Root User

1.1 Open the AWS Console

Open the AWS Portal and sign in using your AWS Root account.

https://aws.amazon.com/console/

1.2 Confirm you are signed in as the root/admin session

Verify you are signed in and ready to proceed with IAM Identity Center configuration.

2. Permission Sets

2.1 Open IAM Identity Center

Open AWS IAM Identity Center.

2.2 Navigate to Permission sets

Navigate to Permission sets. You will create (or verify) permission sets here before assigning access.

  1. Go to IAM Identity Center
  2. Click Permission sets
[Screenshot: AWS IAM Identity Center - Permission sets]

3. New Permission Set

3.1 Start creating a new permission set

Create a new permission set in AWS IAM Identity Center.

  1. From IAM Identity Center, go to Permission sets
  2. Click Create permission set
[Screenshot: AWS IAM Identity Center - Create permission set]

3.2 Purpose of the permission set

This permission set will later be assigned to users or groups to control access to AWS accounts under the Shelvera Organizational Unit.

4. Fill Permission Set Details

4.1 Choose the permission set type

Configure the permission set by selecting a predefined permission set, which is backed by an AWS managed policy.

4.2 Select AdministratorAccess

  1. Select Predefined permission set
  2. Choose AdministratorAccess
  3. Click Next
[Screenshot: AWS IAM Identity Center - Select AdministratorAccess permission set]

5. Permission Set Name and Description

5.1 Enter the permission set name

Provide a clear and consistent name for the permission set.

  1. Permission Set Name:
    se-dev-iam-perm-set01

5.2 Enter the description

Provide a description that matches your naming convention.

  1. Description:
    se dev iam admin access perm set01
  2. Click Next
[Screenshot: AWS IAM Identity Center - Permission set name and description]

6. Review and Create

6.1 Review the configuration

Review the permission set configuration to ensure all details are correct.

6.2 Create the permission set

  1. Review the permission set summary
  2. Confirm AdministratorAccess is selected
  3. Verify the name and description
  4. Click Create
[Screenshot: AWS IAM Identity Center - Review and create permission set]

7. Create New User Group

7.1 Start group creation

Create a new user group in AWS IAM Identity Center.

  1. Go to IAM Identity Center
  2. Select Groups
  3. Click Create group
[Screenshot: AWS IAM Identity Center - Create new user group]

8. Group Details

8.1 Provide the group name

Provide a clear and standardized name for the user group.

  1. Group Name:
    se dev iam group
  2. Click Create group
[Screenshot: AWS IAM Identity Center - Group details]

9. Create IAM User

9.1 Open Users and add a new user

Create a new IAM user in AWS IAM Identity Center.

  1. Go to IAM Identity Center
  2. Select Users
  3. Click Add user
[Screenshot: AWS IAM Identity Center - Add IAM user]

10. User Details

10.1 Fill in the user fields

Provide the IAM user details using the standardized naming pattern.

  1. User name:
    se.dev.iam01
  2. Email:
    dev.se.aws01@aspireclan.com
  3. First Name:
    se dev iam user
  4. Last Name:
    01
  5. Display name:
    <Leave blank>
  6. Click Next
[Screenshot: AWS IAM Identity Center - User details]

11. Add User to Groups

11.1 Select the target group

Add the newly created user to the appropriate IAM group.

  1. Select the group name:
    se dev iam group
  2. Click Next
[Screenshot: AWS IAM Identity Center - Add user to group]

12. Review and Add User

12.1 Review the user information

Review the IAM user details and group assignment.

12.2 Add the user

  1. Review the user information
  2. Confirm the group assignment
  3. Click Add user
[Screenshot: AWS IAM Identity Center - Review and add user]

13. Accept AWS IAM Identity Center Invitation and Assign AWS Account Access

13.1 Accept the invitation email

After you add the user, AWS IAM Identity Center sends an invitation email.

  1. An email will be sent to:
    dev.se.aws01@aspireclan.com
  2. Open the email and click Accept invitation
  3. Set a password and complete sign-in

13.2 Save the login + passkey details

NordPass (recommended): save the IAM Identity Center login and passkey details.

  • NordPass login name:
    se dev aws iam 01
  • NordPass Passkey Name:
    passkey - se dev aws iam 01
  • Passkey name in AWS Account:
    nordpass-passkey

13.3 Assign AWS account + permission set

  1. Go to IAM Identity Center → Users
  2. Click the user you created:
    se.dev.iam01
[Screenshot: AWS IAM Identity Center - accept invitation and assign account + permission set]
  3. Open the AWS accounts tab
  4. Click Assign accounts
[Screenshot: AWS IAM Identity Center - assign account (step 1)]

13.4 Select account and permission set, then assign

  1. Select AWS account:
    se.dev
  2. Select permission set:
    se-dev-iam-perm-set01
  3. Click Assign
[Screenshot: AWS IAM Identity Center - select account]
[Screenshot: AWS IAM Identity Center - confirm assignment]
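The console steps in sections 2 to 13 as one AWS CLI script, added here as an example that is not part of the runbook. It assumes an admin session in the Organizations management account, the same names the runbook uses, and that se.dev is the account's name in AWS Organizations; with DRY_RUN=1 it prints the calls instead of running them, so the sequence can be reviewed first.

```shell
# Added example (not from the runbook): sections 2-13 as AWS CLI calls. Assumes an
# admin session in the management account; the values below are the runbook's own.
set -eu
PERM_SET_NAME="se-dev-iam-perm-set01"; PERM_SET_DESC="se dev iam admin access perm set01"
GROUP_NAME="se dev iam group"; USER_NAME="se.dev.iam01"
USER_EMAIL="dev.se.aws01@aspireclan.com"; ACCOUNT_NAME="se.dev"
ADMIN_POLICY="arn:aws:iam::aws:policy/AdministratorAccess"
# With DRY_RUN=1 each call is printed instead of executed, so nothing touches the account.
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}
# Sections 3-6: permission set backed by the AWS-managed AdministratorAccess policy.
create_permission_set() {  # $1 = Identity Center instance ARN; prints the permission set ARN
  ps_arn=$(run_aws sso-admin create-permission-set --instance-arn "$1" \
    --name "$PERM_SET_NAME" --description "$PERM_SET_DESC" \
    --query PermissionSet.PermissionSetArn --output text)
  run_aws sso-admin attach-managed-policy-to-permission-set --instance-arn "$1" \
    --permission-set-arn "$ps_arn" --managed-policy-arn "$ADMIN_POLICY" >/dev/null
  echo "$ps_arn"
}
# Sections 7-12: group, user and membership. The API call takes an explicit display name
# (assumption: the console derives it from first/last name, which the runbook leaves blank).
create_user_in_group() {  # $1 = identity store id; prints "<group id> <user id>"
  group_id=$(run_aws identitystore create-group --identity-store-id "$1" \
    --display-name "$GROUP_NAME" --query GroupId --output text)
  user_id=$(run_aws identitystore create-user --identity-store-id "$1" \
    --user-name "$USER_NAME" --display-name "se dev iam user 01" \
    --name "GivenName=se dev iam user,FamilyName=01" \
    --emails "Value=$USER_EMAIL,Type=work,Primary=true" --query UserId --output text)
  run_aws identitystore create-group-membership --identity-store-id "$1" \
    --group-id "$group_id" --member-id "UserId=$user_id" >/dev/null
  echo "$group_id $user_id"
}
# Sections 13.3-13.4: the runbook assigns the user directly; --principal-type GROUP with the
# group id is the equivalent assignment for every member of the group.
assign_account_access() {  # $1 instance ARN, $2 permission set ARN, $3 user id, $4 account id
  run_aws sso-admin create-account-assignment --instance-arn "$1" --target-id "$4" \
    --target-type AWS_ACCOUNT --permission-set-arn "$2" --principal-type USER --principal-id "$3"
}
main() {
  inst=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' --output text)
  store=$(aws sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text)
  acct=$(aws organizations list-accounts --query "Accounts[?Name=='$ACCOUNT_NAME'].Id" --output text)
  ps_arn=$(create_permission_set "$inst")
  set -- $(create_user_in_group "$store")   # $1 = group id, $2 = user id
  assign_account_access "$inst" "$ps_arn" "$2" "$acct"
}
if [ "${RUN_SETUP:-0}" = "1" ]; then main; fi
```

Run with `DRY_RUN=1 RUN_SETUP=1 sh setup.sh` to print the sequence; the identity store id and instance ARN are looked up from the Identity Center instance rather than hard-coded.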

14. Log Out, Sign In as the New IAM User, and Register a Keeper Passkey Device

14.1 Log out and open AWS Access Portal

Log out of the AWS Root/Admin session, then sign in via the AWS Access Portal as the new IAM Identity Center user.

  1. Log out of the AWS Portal (end your current session).
  2. Open the AWS Access Portal:

    https://d-90663e88c9.awsapps.com/start

14.2 Sign in as the new IAM Identity Center user

  1. Sign in using the new IAM user:
    se.dev.iam01
  2. Click the top-right user menu (it should show the user label):
    se dev iam user 01
  3. Click Security.
[Screenshot: AWS Access Portal - open user menu and select Security]

14.3 Prepare Chrome extensions for passkey provider

Prepare Chrome extensions so the passkey is created and stored in Keeper (not NordPass).

  1. Open Chrome → Extensions → Manage extensions.
[Screenshot: Chrome - Manage extensions]
  2. Switch OFF NordPass and switch ON Keeper.
  3. Close the extensions tab.
[Screenshot: Chrome extensions - switch off NordPass and switch on Keeper]

14.4 Register device (passkey) in AWS Access Portal

  1. Go back to the AWS Access Portal.
  2. Click Register device.
[Screenshot: AWS Access Portal - Register device]
  3. Select Built-in authenticator.
  4. Click Next.
[Screenshot: AWS Access Portal - Built-in authenticator]

14.5 Set passkey names (Keeper + AWS)

  1. When Keeper prompts for the passkey name, use:
    passkey - se dev aws iam 01
  2. In the AWS account, set the passkey name as:
    keeper-passkey
[Screenshot: Keeper - passkey name prompt]
[Screenshot: AWS - passkey name set to keeper-passkey]
[Screenshot: AWS - device registration confirmation (screen 1)]
[Screenshot: AWS - device registration confirmation (screen 2)]

15. Restore Chrome Password Manager Extensions

15.1 Restore your default extension settings

  1. Open Chrome → Extensions → Manage extensions.
  2. Switch OFF Keeper and switch ON NordPass.
  3. Close the extensions tab.

16. Enable Root Password Recovery for the Account

16.1 Log in as AWS Org Root IAM User (ac-root-admin)

Log in as the AWS Org Root IAM User (ac-root-admin) and enable password recovery for the target AWS account.

16.2 Open Root access management

  1. Log in as AWS Org Root IAM User (ac-root-admin).
  2. Go to IAM.
  3. Select Root access management.
[Screenshot: IAM Root Access Management]

16.3 Take privileged action and allow password recovery

  1. Select the account ts.dev.
  2. Click Take privileged action.
[Screenshot: Take privileged action for AWS account]
  3. Select Allow password recovery.
  4. Click Allow password recovery to confirm.
[Screenshot: Allow password recovery confirmation]
[Screenshot: Password recovery enabled for AWS account]

17. Reset Root User Password and Configure MFA

17.1 Reset root password

Sign out and complete the Root User password reset for the account.

  1. Sign out of the AWS Console.
  2. Go to https://aws.amazon.com/console/
  3. Click Sign in to console.
  4. Sign in using root user email:
    dev.se.aws01@aspireclan.com
  5. Click Forgot password.
  6. An email will be sent to:
    dev.se.aws01@aspireclan.com
  7. Set a new password (store securely).
  8. Sign in as Root User using:
    dev.se.aws01@aspireclan.com

17.2 Configure MFA using NordPass passkey

  1. NordPass login name:
    se dev root user 01
  2. Enter the verification code sent to:
    dev.se.aws01@aspireclan.com
  3. MFA device name:
    nordpass-passkey
  4. Select Passkey or Security key → Click Next
  5. NordPass Passkey Name:
    passkey - se dev root user 01
[Screenshot: Configure NordPass passkey for root user]
[Screenshot: Root user security credentials]

17.3 Switch region and open security credentials

  1. Continue to console.
  2. Select the region N. Virginia (if not selected already).
[Screenshot: Assign Keeper MFA device]
  3. Click top-right account menu:
    se.dev
  4. Click Security credentials.
[Screenshot: Assign Keeper MFA device]

17.4 Switch MFA provider to Keeper and assign passkey

  1. Manage Chrome browser extensions.
  2. Switch off NordPass, switch on Keeper.
  3. Close the extensions tab.
  4. Click Assign MFA device.
[Screenshot: Assign Keeper MFA device]
  5. MFA device name:
    keeper-passkey
  6. Select Passkey or Security key → Click Next
  7. Keeper Passkey Name:
    passkey - se dev root user 01

17.5 Store credentials in Keeper

  1. Open the Keeper Windows app.
  2. Create a new record → Login.
  3. Title:
    se dev root user 01
  4. Website Address:
    https://us-east-1.signin.aws.amazon.com
  5. Login ID:
    dev.se.aws01@aspireclan.com
  6. Save the password securely.
[Screenshot: Keeper record for root user]

17.6 Finalize MFA with Windows passkey (and restore extensions)

  1. Manage Chrome browser extensions.
  2. Switch off Keeper, switch on NordPass.
  3. Close the extensions tab.
  4. Click Assign MFA device.
  5. Select Passkey or Security key.
  6. Authenticator name in AWS Account: Windows-Passkey
  7. Select a different passkey if NordPass appears again.
[Screenshot: Assign Windows passkey]
[Screenshot: Windows passkey confirmation]
[Screenshot: Root user MFA final confirmation]