Administering users with IAM

Before we introduce this recipe, we need to talk briefly about IAM. It's free, and is enabled on every account. It allows you to create groups and users, and allows you to control exactly what they can and can't do, through the use of a policy statement.

By default, groups, users and roles will have no permissions until you assign them either an AWS Managed Policy or a Customer-Managed Policy (one which you manage). You may want to use AWS Managed Policies as a starting point in order to avoid having to create and maintain your own, but it's good practice to refine your requirements, and scope down access privileges with custom policies.

There's a third kind of policy, called an Inline Policy. Use this sparingly. In fact, the only time we typically see it is in CloudFormation templates.

You pretty much never want to assign a policy directly to a user. If you go down this path, you'll create a lot of work for yourself in the future, when you have a large number of users that need to be administered separately. Instead, you want to apply policies to groups, and then assign users to those groups. Fortunately, it's a pretty easy process, and we're about to walk you through it.

The IAM dashboard provides a URL that your IAM users can use to log in to the web console (if you've assigned them a password and given them access to do so). You can also customize this IAM sign-in link if necessary. Don't forget to give this URL to any IAM users that you create, so they know where to go to sign in.

It will look something like the following, until you customize it: https://<account-id>.signin.aws.amazon.com/console.
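The recipe above (a customer-managed policy attached to a group, users that only inherit permissions through group membership, and the account-specific sign-in link) can be expressed as one CloudFormation template. The following is an added example, not a template from this book: the bucket name, the group name `report-readers`, and the user name `alice` are assumed values, and the policy is deliberately scoped to read-only access on a single bucket instead of the broader AWS-managed `AmazonS3ReadOnlyAccess`.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example: an IAM group carrying a scoped-down customer-managed
  policy, and a user whose only permissions come from group membership.

Parameters:
  ReportBucketName:
    Type: String
    Description: Existing S3 bucket the group may read (assumed value).
    Default: example-reports-bucket
  InitialPassword:
    Type: String
    NoEcho: true            # never echoed in the console or CLI output
    MinLength: 12
    Description: One-time console password; the user must change it on first login.

Resources:
  # Customer-managed policy: two statements, each limited to one bucket.
  # This replaces the AWS-managed starting point with the minimum needed.
  ReportReadersPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read-only access to the reports bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ListReportsBucket
            Effect: Allow
            Action:
              - s3:ListBucket
            Resource: !Sub 'arn:aws:s3:::${ReportBucketName}'
          - Sid: ReadReportObjects
            Effect: Allow
            Action:
              - s3:GetObject
            Resource: !Sub 'arn:aws:s3:::${ReportBucketName}/*'

  # Policies are attached to the group, never to individual users.
  # (The group's optional `Policies` property is where an inline policy
  # would go; it is intentionally left out here.)
  ReportReadersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: report-readers
      ManagedPolicyArns:
        - !Ref ReportReadersPolicy    # Ref on a ManagedPolicy yields its ARN

  # The user carries no policy of its own; membership grants everything.
  ExampleUser:
    Type: AWS::IAM::User
    Properties:
      UserName: alice
      Groups:
        - !Ref ReportReadersGroup     # Ref on a Group yields its name
      LoginProfile:
        Password: !Ref InitialPassword
        PasswordResetRequired: true

Outputs:
  SignInUrl:
    Description: Account-specific IAM sign-in link to hand to the new user
    Value: !Sub 'https://${AWS::AccountId}.signin.aws.amazon.com/console'
```

Because the template names IAM resources, the stack must be created with the `CAPABILITY_NAMED_IAM` capability. Adding a second reader later is a one-line change (another `AWS::IAM::User` listing the same group), and tightening access means editing the one managed policy rather than every user, which is the reason the text recommends groups over per-user policy assignment.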

Now, jump right in. There's no excuse for not using IAM. Start today!
