2

I have users that have been added by other admins in my AWS account. I am afraid that these users might get deleted by other people.

Is there a way to add a description to an IAM user?

Luke Peterson
Muhammad Lukman Low

3 Answers

4

I don't see any way to add a description/tag when you create an IAM user. One suggestion is to create an IAM group for each admin and add the user to the admin's group when a user is created/added. You can have group(s) with no policy attached.

helloV
2

There is currently no way to add a description to a user. There are a number of better ways to solve your core issue, however. Some of the IAM Best Practices specific to your use case include:

  1. Use AWS Defined Policies to Assign Permissions Whenever Possible - AWS-managed policies are designed to support common tasks, such as deleting and creating users. Assign these policies to the users that need them.
  2. Grant Least Privilege - Granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks. This is probably the most important factor in preventing users from being deleted accidentally.
  3. Monitor Activity in Your AWS Account - You can use logging features in AWS to determine the actions users have taken in your account, including deletion of users either accidentally or on purpose. Two very useful tools you should be using in this regard include:
    1. AWS CloudTrail - CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, such as user deletions.
    2. AWS Config - Provides detailed historical information about the configuration of your AWS resources, including your IAM users, groups, roles, and policies.

As you can see, utilising the built-in tools that AWS provides can assist you in preventing administrators from deleting users unnecessarily.

Luke Peterson
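Two of the practices in the answer above, least privilege and CloudTrail monitoring, as an added example (not code from the answer or from AWS): the first function builds a policy document that lets a delegated admin create users and manage group membership without granting `iam:DeleteUser` (and pins it off with an explicit Deny), the second scans CloudTrail records for DeleteUser calls and reports who deleted which user. The action list, the account id and the CloudTrail records are constructed for illustration.

```python
"""Least-privilege user administration policy plus a CloudTrail scan for
DeleteUser calls. Added example; the action set and sample records are
constructed assumptions, not taken from the answer."""
import json

# Assumed action set for a "user admin who must never delete users" role.
ALLOWED_USER_ADMIN_ACTIONS = [
    "iam:CreateUser", "iam:GetUser", "iam:ListUsers",
    "iam:AddUserToGroup", "iam:RemoveUserFromGroup", "iam:ListGroupsForUser",
    "iam:TagUser", "iam:ListUserTags",
]


def build_user_admin_policy(account_id: str) -> dict:
    """Policy document: Allow scoped to one account's users and groups,
    plus an explicit Deny so another attached policy cannot re-enable
    iam:DeleteUser (Deny always wins in IAM evaluation)."""
    resources = [f"arn:aws:iam::{account_id}:user/*",
                 f"arn:aws:iam::{account_id}:group/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ManageUsersWithoutDeletion", "Effect": "Allow",
             "Action": ALLOWED_USER_ADMIN_ACTIONS, "Resource": resources},
            {"Sid": "NeverDeleteUsers", "Effect": "Deny",
             "Action": ["iam:DeleteUser"], "Resource": "*"},
        ],
    }


def policy_allows_delete_user(policy: dict) -> bool:
    """Static check: an Allow names iam:DeleteUser (or iam:* / *) and no
    Deny names it. Only these literal wildcard forms are recognised."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        hit = any(a in ("iam:DeleteUser", "iam:*", "*") for a in actions)
        if hit and stmt["Effect"] == "Allow":
            allowed = True
        if hit and stmt["Effect"] == "Deny":
            denied = True
    return allowed and not denied


def find_user_deletions(cloudtrail_log: dict) -> list:
    """From a CloudTrail log object ({"Records": [...]}) return one entry per
    DeleteUser call: time, caller ARN, deleted user, source IP, and whether
    the call failed (an errorCode is present, e.g. AccessDenied)."""
    hits = []
    for rec in cloudtrail_log.get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "DeleteUser":
            continue
        params = rec.get("requestParameters") or {}
        hits.append({
            "when": rec.get("eventTime"),
            "by": rec.get("userIdentity", {}).get("arn"),
            "deleted_user": params.get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            "failed": "errorCode" in rec,
        })
    return hits


# Constructed sample records in CloudTrail's record shape (not real events).
SAMPLE_CLOUDTRAIL_LOG = {"Records": [
    {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-a"},
     "requestParameters": {"userName": "svc-backup"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2023-01-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-b"},
     "requestParameters": {"userName": "svc-backup"}, "sourceIPAddress": "198.51.100.11"},
    {"eventTime": "2023-01-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-c"},
     "requestParameters": {"userName": "svc-reports"}, "sourceIPAddress": "198.51.100.12",
     "errorCode": "AccessDenied"},
]}

if __name__ == "__main__":
    print(json.dumps(build_user_admin_policy("123456789012"), indent=2))
    for hit in find_user_deletions(SAMPLE_CLOUDTRAIL_LOG):
        print(hit)
```

The failed DeleteUser (AccessDenied) is worth keeping in the report: a denied attempt shows that the least-privilege policy did its job and tells you who tried.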
1

As a workaround, you can add a tag to your user with its key named "DESCRIPTION" and put the description in as the value. Note that for the value, you are very limited in the characters you can use. For instance, you cannot use the apostrophe ('). But it is better than nothing.

Hans Deragon
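The character restriction mentioned in this answer, as an added example (not code from the answer or from AWS): IAM tag keys and values may only contain Unicode letters, numbers and separators plus the characters `_ . : / = + - @`, keys are 1..128 characters, values at most 256, and keys may not start with the reserved prefix `aws:`. The code below checks a proposed DESCRIPTION tag against those rules, strips what IAM would reject, and builds the arguments for boto3's `tag_user` call. The sample description is constructed.

```python
"""Validate and sanitize a DESCRIPTION tag before sending it to IAM.
Added example; the sample description is constructed."""
import unicodedata

TAG_EXTRA_CHARS = set("_.:/=+-@")   # punctuation IAM allows in tag keys/values
MAX_KEY_LEN, MAX_VALUE_LEN = 128, 256
DESCRIPTION_KEY = "DESCRIPTION"      # the key convention from the answer


def _char_allowed(c: str) -> bool:
    # Unicode general category L (letter), N (number) or Z (separator),
    # or one of the explicitly allowed punctuation characters.
    return unicodedata.category(c)[0] in "LNZ" or c in TAG_EXTRA_CHARS


def disallowed_chars(text: str) -> list:
    """Distinct characters IAM will reject, in order of first appearance."""
    seen = []
    for c in text:
        if not _char_allowed(c) and c not in seen:
            seen.append(c)
    return seen


def validate_tag(key: str, value: str) -> list:
    """Return a list of problems; an empty list means IAM will accept the tag."""
    problems = []
    if not 1 <= len(key) <= MAX_KEY_LEN:
        problems.append(f"key length {len(key)} not in 1..{MAX_KEY_LEN}")
    if len(value) > MAX_VALUE_LEN:
        problems.append(f"value length {len(value)} exceeds {MAX_VALUE_LEN}")
    if key.lower().startswith("aws:"):
        problems.append("key may not start with the reserved prefix 'aws:'")
    for where, text in (("key", key), ("value", value)):
        bad = disallowed_chars(text)
        if bad:
            problems.append(f"{where} contains disallowed characters: {bad!r}")
    return problems


def sanitize_description(text: str) -> str:
    """Drop the characters IAM rejects (apostrophes, semicolons, ...) and
    truncate to the value limit so a free-text description can be stored."""
    cleaned = "".join(c for c in text if _char_allowed(c))
    return cleaned[:MAX_VALUE_LEN]


def build_tag_user_args(user_name: str, description: str) -> dict:
    """Keyword arguments for boto3's IAM.Client.tag_user(); raises ValueError
    instead of letting the API call fail on a bad value."""
    problems = validate_tag(DESCRIPTION_KEY, description)
    if problems:
        raise ValueError("; ".join(problems))
    return {"UserName": user_name,
            "Tags": [{"Key": DESCRIPTION_KEY, "Value": description}]}


if __name__ == "__main__":
    raw = "Created by Alice for the nightly backup job; don't delete"  # constructed
    print(validate_tag(DESCRIPTION_KEY, raw))
    print(build_tag_user_args("svc-backup", sanitize_description(raw)))
```

The same tag can be written from the CLI with `aws iam tag-user --user-name svc-backup --tags Key=DESCRIPTION,Value="Owned by alice"` and read back with `aws iam list-user-tags --user-name svc-backup`; running the value through `sanitize_description` first avoids the validation error the answer warns about.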