Differences between 'root account credentials' and 'IAM user credentials'

Question

What are the differences between 'root account credentials' and 'IAM user credentials'?

and one more question:

According to the description, it's recommended using 'IAM user credentials' but unable to access in S3 using 'IAM user credentials'

Can you explain why this is?

Answer 1

Your root credentials are your credentials through which you have signed up providing your card and billing details. IAM user accounts are user accounts which you can create for individual services offered by AWS.

Assume this scenario, you are the CEO of a product company and you signup for AWS providing your mail address, card and billing details and you have developers working for you, developing apps, deploying them in AWS. You cannot share your AWS account(your root credentials), which you just created, to your developer or devops and ask them to deploy apps. This is a huge security risk for you. Instead you create IAM users, attach group level policies or user level policies and share these IAM accounts with them. Group level and user level policies restrict and authorize individual IAM users to AWS services under your user account. It is extremely important that you understand and make use of IAM for your AWS account. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html

IAM S3 Access: If you authorize and assign an IAM user with required policies it should work well. You can simulate an IAM user's policy using https://policysim.aws.amazon.com/home/index.jsp (please login first).

hope this helps

Answer 2

From Amazon:

All AWS accounts have root account credentials. These credentials allow full access to all resources in the account. Because you can't control the privileges of the root account credentials, you should store them in a safe place and instead use AWS Identity and Access Management (IAM) user credentials for day-to-day interaction with AWS.

With IAM, you can securely control access to AWS services and resources for users in your AWS account. For example, if you require administrator-level permissions, you can create an IAM user, grant that user full access, and then use those credentials to interact with AWS. Later, if you need to revoke or modify your permissions, you can delete or modify any policies that are associated with that IAM user.

Your second question is still open: Unable to access any S3 resource when using IAM user credentials?

Answer 3

There are some things that you can do with a Root account that you can not do with an Administrator. For example, you can't create or delete account wide Budgets or enable MFA delete on as S3 bucket.