Keep in mind that the AdministratorAccess managed policy allows creation of other users as well as attaching / detaching policies to users. Narrower 'Administrator' policies such as NetworkAdministrator do not grant those IAM permissions, so check the policy document rather than relying on the name.

PowerUserAccess, despite the 'user' in its name, grants broad access to AWS services but has no power to attach / detach policies or to create or manage users.

Having said that, these are the most common functional roles that may need to be mapped to AWS Groups (using built-in managed policies in AWS).

For Network Admins

NetworkAdministrator Managed Policy

System Admin (akin to a Windows or Linux Administrator on premises)

You could attach AmazonEC2FullAccess to the network admin group as well, to get closer to an on-premises System Administrator role. AmazonEC2FullAccess allows any level of EC2 access (including EBS volumes and snapshots, which are part of the EC2 API). It does not grant IAM permissions, so such a user cannot create or modify instance roles.

For Developers
The PowerUserAccess Managed Policy gives access to ALL AWS services and resources, without granting any ability to create or manage users (it explicitly excludes iam:*, organizations:* and account:* apart from a few read-only and service-linked-role actions).
What about Emergency Access for Developer Users?
What about certain emergency / one-off Admin activities that a Developer may need to perform? For e.g. a short-term access role may expire and leave an EC2 instance stranded.
Solution - Create a generic admin user (and create the corresponding access keys for this admin user). In an emergency situation, these access keys can be shared with the appropriate developer user (or group).
Once the emergency is over, the access key must be deleted/rotated. Be aware of the trade-off: a shared long-lived key is not attributable to an individual in CloudTrail, and a forgotten key is a standing admin credential. A break-glass IAM role that developers assume with sts:AssumeRole (MFA required, short MaxSessionDuration) gives the same emergency capability with credentials that expire on their own and a CloudTrail record of who assumed the role.
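The break-glass alternative mentioned above, written out as a role trust policy. This is an added example and not a policy from the original post; the account ID 111122223333 and the role name BreakGlassAdmin are placeholders. Attach AdministratorAccess to the role, set its MaxSessionDuration to the shortest value that fits the emergency (one hour is the minimum), and give the developer group an identity policy allowing sts:AssumeRole only on this role's ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeFromThisAccountWithMFA",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

With this trust policy a developer runs aws sts assume-role --role-arn arn:aws:iam::111122223333:role/BreakGlassAdmin --role-session-name <their-name> --serial-number <mfa-arn> --token-code <code>, receives temporary credentials, and nothing needs to be rotated afterwards because the session expires. The AssumeRole call and every action taken in the session are recorded in CloudTrail under the developer's session name.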
For Managerial Folks (typically read only access)
ReadOnlyAccess Managed Policy
For Admins
AdministratorAccess Managed Policy. Keep these to a minimum as these users can delete other admins etc.
For Security Read Only Access (read only for VPC Flow Logs, AWS Config, Security Hub etc.)
Sometimes, you want to grant read-only access to all security alerts, logs and dashboards.
The SecurityAudit Managed Policy along with ReadOnlyAccess will serve this purpose. SecurityAudit adds the configuration-reading actions an auditor needs (IAM, KMS, Config, CloudTrail and similar), while ReadOnlyAccess covers the Get/List/Describe calls for the rest of the services.
For Console Read Only access on AWS - account level

IAM --> Add User button --> enable the Programmatic Access checkbox (sometimes, the human user needs to access AWS services via an API call) and the AWS Management Console access checkbox (if the user needs access to the console). Click the Next: Permissions button --> Attach Policies --> type 'Read Only' in the filter and select ReadOnlyAccess. In the current IAM console the programmatic-access checkbox is gone: access keys are created afterwards from the user's Security credentials tab, and only if the user actually needs them.

What about  EFS?

AmazonElasticFileSystemFullAccess

ELBs?

ElasticLoadBalancingFullAccess

What about AppStream Fleets - and user assignments to these fleets?
It is best to federate users to AppStream as opposed to doing local IAM user assignments. Either way, setting this up requires IAM privileges (creating the SAML identity provider and the IAM role that AppStream users assume), and in general PowerUserAccess does not grant those IAM actions.

The console user created in the 'Console Read Only access' step above should now have read-only access.

Org Level Read Only Access
Define a custom policy - List and Describe only - for a read-only policy at an org level (AWS also ships a managed policy for this, AWSOrganizationsReadOnlyAccess, if you prefer not to maintain a custom one):
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "organizations:Describe*",
            "organizations:List*"
        ],
        "Resource": "*"
    }
}
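To check what the policies discussed on this page (PowerUserAccess with its NotAction block, the org-level read-only policy just above) actually permit, the following toy evaluator walks the statements the way IAM does for identity policies: default deny, an explicit Deny always wins, Allow via Action or NotAction, with wildcard and case-insensitive action matching. This is an added example, not AWS code or the original post's: it ignores resource ARNs, Condition blocks, SCPs and permission boundaries, and the PowerUserAccess document is abridged (the real one allows a few more account:/organizations: read actions).

```python
"""Toy IAM identity-policy evaluator (added example, not AWS's engine)."""
import fnmatch

# Abridged shape of the AWS managed PowerUserAccess policy.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole",
                    "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles",
                    "organizations:DescribeOrganization"],
         "Resource": "*"},
    ],
}

# The custom org-level read-only policy from this page.
ORG_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["organizations:Describe*", "organizations:List*"],
        "Resource": "*",
    },
}

# A constructed guardrail policy: explicit Deny on one destructive action.
DENY_TERMINATE = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
    },
}


def _as_list(value):
    """IAM accepts a single string/object or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and support '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt, action):
    """True if the statement's Action/NotAction covers this action."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def is_allowed(action, *policies):
    """Evaluate one action against the given identity policies.

    Default is deny; any matching Deny statement wins over every Allow.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    for action in ["ec2:RunInstances", "iam:CreateUser",
                   "iam:AttachUserPolicy", "organizations:ListAccounts"]:
        print(f"PowerUserAccess {action}: {is_allowed(action, POWER_USER_ACCESS)}")
    print("PowerUser + OrgReadOnly organizations:ListAccounts:",
          is_allowed("organizations:ListAccounts", POWER_USER_ACCESS, ORG_READ_ONLY))
    print("PowerUser + DenyTerminate ec2:TerminateInstances:",
          is_allowed("ec2:TerminateInstances", POWER_USER_ACCESS, DENY_TERMINATE))
```

The evaluator makes two of the page's claims concrete: PowerUserAccess allows ec2:RunInstances but not iam:CreateUser or iam:AttachUserPolicy, and it cannot list Organizations accounts until the org read-only policy is attached alongside it. The DENY_TERMINATE case shows why a Deny statement is the right tool for a guardrail: it overrides the broad NotAction allow.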
KMS Related Policies
KMS key policies are different from IAM policies - they are resource policies assigned on a PER KEY basis. You start with a KEY and then decide who gets access to it (by editing the KEY policy). Each key has exactly one key policy associated with it.
Creating keys still requires an IAM permission (kms:CreateKey), so key creation is normally an admin task. Whether IAM policies have any say over an existing key depends on the key policy: the default key policy grants the account root principal kms:*, which is what lets IAM identity policies in that account grant access to the key. A key policy without that statement is governed only by the principals it names, which is also how you can lock a key away from AdministratorAccess users.
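The key policy below, an added example rather than one from the original post, shows the three statements the KMS console generates: the root statement that delegates to IAM, a key-administrator statement that can manage the key but not encrypt or decrypt with it, and a key-user statement for the workload role. The account ID 111122223333 and the role names KeyAdmin and AppServer are placeholders; in a key policy "Resource": "*" means this key only.

```json
{
  "Version": "2012-10-17",
  "Id": "key-policy-example",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow key administrators to manage but not use the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdmin" },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the application role to use the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppServer" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

Removing the first statement makes the key unreachable through IAM identity policies, including AdministratorAccess; do that only if the remaining principals include someone who can still edit the key policy, since otherwise the only way back in is an AWS support case.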




Need an experienced AWS/GCP/Azure Professional to help out with your AWS Strategy? Set up a time with Anuj Varma.