Create IAM administrative groups for AWS CloudHSM
The first step to getting started with AWS CloudHSM is to set up IAM permissions.
As a best practice, don't use your AWS account root user to interact with AWS, including AWS CloudHSM. Instead, use AWS Identity and Access Management (IAM) to create an IAM user, IAM role, or federated user. Follow the steps in the section Create an IAM user and administrator group to create an administrator group and attach the AdministratorAccess policy to it. Then create a new administrator user and add the user to the group. Add additional users to the group as needed. Each user you add inherits the AdministratorAccess policy from the group.
Another best practice is to create an AWS CloudHSM administrator group that has only the permissions required to run AWS CloudHSM. Add individual users to this group as needed. Each user inherits the limited permissions that are attached to the group rather than full AWS access. The Customer managed policies for AWS CloudHSM section that follows contains the policy that you should attach to your AWS CloudHSM administrator group.
AWS CloudHSM defines a service-linked role for your AWS account. The service-linked role currently defines permissions that allow your account to log AWS CloudHSM events. The role can be created automatically by AWS CloudHSM or manually by you. You cannot edit the role, but you can delete it. For more information, see Service-linked roles for AWS CloudHSM.
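The two-group setup described above (a full AdministratorAccess group, plus a CloudHSM-only group whose members inherit just the limited policy), as an added AWS CLI example that is not part of the AWS documentation. The group, policy and user names are assumptions, and the cloudhsm:* statement is an assumed minimal stand-in for the policy in the Customer managed policies for AWS CloudHSM section.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS docs: creates the two groups the page describes with the AWS CLI.
# Names are assumptions; DRY_RUN=1 prints each aws command instead of executing it.
set -eu

ADMIN_GROUP="${ADMIN_GROUP:-Administrators}"
HSM_GROUP="${HSM_GROUP:-CloudHSMAdmins}"
HSM_POLICY_NAME="${HSM_POLICY_NAME:-CloudHSMAdminPolicy}"

run_aws() {  # execute an aws CLI command, or echo it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}
# Account ID for the customer managed policy ARN (placeholder in dry runs).
account_id() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo 123456789012
  else aws sts get-caller-identity --query Account --output text; fi
}
# Assumed minimal policy for the CloudHSM-only group: cloudhsm:* plus the permission CloudHSM
# needs to create its service-linked role. Replace with the policy from the linked section.
hsm_policy_document() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["cloudhsm:*", "iam:CreateServiceLinkedRole"],
                "Resource": "*"}]}
EOF
}

# Group 1: full administrators, via the AWS managed AdministratorAccess policy.
create_admin_group() {
  run_aws iam create-group --group-name "$ADMIN_GROUP"
  run_aws iam attach-group-policy --group-name "$ADMIN_GROUP" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
}

# Group 2: CloudHSM administrators, limited to the customer managed policy.
create_cloudhsm_group() {
  run_aws iam create-group --group-name "$HSM_GROUP"
  run_aws iam create-policy --policy-name "$HSM_POLICY_NAME" \
    --policy-document "$(hsm_policy_document)"
  run_aws iam attach-group-policy --group-name "$HSM_GROUP" \
    --policy-arn "arn:aws:iam::$(account_id):policy/$HSM_POLICY_NAME"
}

# Each user added here inherits only the limited CloudHSM permissions, not full AWS access.
add_cloudhsm_user() {
  run_aws iam create-user --user-name "$1"
  run_aws iam add-user-to-group --user-name "$1" --group-name "$HSM_GROUP"
}
```

Run the functions with DRY_RUN=1 first to review the exact commands before executing them against an account with configured credentials.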
Create an IAM user and administrator group
Start by creating an IAM user along with an administrator group for that user.
Sign up for an AWS account
To get started with AWS, you need an AWS account. For information about creating an AWS account, see Getting started with an AWS account in the AWS Account Management Reference Guide.
For example policies for AWS CloudHSM that you can attach to your IAM user group, see Identity and access management for AWS CloudHSM.