Beginner

AWS IAM Setup Guide

Learn how to create an IAM user with the correct permissions for Focal Deploy

⏱️ 10 minutes · 📅 Last updated: January 2025

What you'll learn

  • How to create an IAM user with programmatic access
  • Required AWS permissions for deployments
  • Best practices for credential security
  • How to connect your AWS account to Focal Deploy

Prerequisites

  • An active AWS account (free tier works fine)
  • AWS console access with IAM permissions
  • A Focal Deploy account (sign up at focuswithfocal.com)

Step 1: Sign in to AWS Console

Navigate to the AWS Management Console and sign in with your AWS account, then open the IAM console.

Step 2: Create IAM User

  1. Click "Users" in the left sidebar
  2. Click "Add users" button
  3. Enter username: focal-deploy
  4. Select "Programmatic access" (Access key - Programmatic access)
  5. Click "Next: Permissions"

Note: Make sure to select "Programmatic access" - this creates an access key for API calls, which Focal Deploy needs.

Step 3: Attach Permissions Policy

You have two options for attaching permissions:

Option A: Use Managed Policies (Easiest)

Quick setup for testing. Grants broad permissions.

  1. Select "Attach existing policies directly"
  2. Search and select these policies:
    • AmazonEC2FullAccess
    • AmazonS3FullAccess
    • AmazonRoute53FullAccess

Option B: Custom Policy (Recommended for Production)

More secure - grants only necessary permissions.

  1. Select "Create policy" (opens new tab)
  2. Click "JSON" tab
  3. Paste the policy below
  4. Click "Next: Tags", then "Next: Review"
  5. Name it FocalDeployPolicy
  6. Click "Create policy"
  7. Go back to the user creation tab and refresh policies
  8. Select your FocalDeployPolicy

Custom Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress",
        "ec2:ReleaseAddress"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:PutBucketWebsite",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:CreateHostedZone",
        "route53:DeleteHostedZone",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBSubnetGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateDistribution",
        "cloudfront:DeleteDistribution",
        "cloudfront:GetDistribution",
        "cloudfront:ListDistributions",
        "cloudfront:UpdateDistribution"
      ],
      "Resource": "*"
    }
  ]
}
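
Before pasting a policy into the console it is worth checking what it actually grants. The script below is an added example, not part of this guide or of Focal Deploy's tooling: it parses an IAM policy document, lists the actions per service, flags wildcard actions and mutating actions that are scoped to `Resource: "*"`, and reports any service outside the set you intended to grant. The embedded `SAMPLE_POLICY` is a constructed, shortened copy of the policy above; the file path argument, the `load_policy` helper and the intended-service set passed in are assumptions for the demo.

```python
import json
from collections import defaultdict

# Constructed, shortened copy of the custom policy above so the script runs
# stand-alone; pass a file path to audit the real FocalDeployPolicy JSON instead.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:CreateBucket"],
         "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]},
        {"Effect": "Allow",
         "Action": ["rds:CreateDBInstance", "rds:DeleteDBInstance"],
         "Resource": "*"},
    ],
})

# Action-name prefixes that only read state; everything else is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_text, intended_services):
    """Parse an IAM policy document and report what it grants.

    Returns a dict with:
      services            -> {service: sorted action names} across all Allow statements
      unexpected_services -> services granted that are not in intended_services
      findings            -> warnings: wildcard actions, mutating actions on Resource "*"
    """
    doc = json.loads(policy_text)
    if doc.get("Version") != "2012-10-17":
        raise ValueError(f"unexpected policy Version {doc.get('Version')!r}")

    services = defaultdict(set)
    findings = []
    for idx, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        mutating = []
        for action in actions:
            if action == "*" or ":" not in action:
                findings.append(f"statement {idx}: grants every action ({action!r})")
                continue
            service, name = action.split(":", 1)
            services[service].add(name)
            if name == "*":
                findings.append(f"statement {idx}: service-wide wildcard {action!r}")
            if not name.startswith(READ_ONLY_PREFIXES):
                mutating.append(action)
        if "*" in resources and mutating:
            findings.append(f'statement {idx}: {len(mutating)} mutating action(s) '
                            f'on Resource "*" (e.g. {mutating[0]})')

    unexpected = sorted(set(services) - set(intended_services))
    return {
        "services": {svc: sorted(names) for svc, names in services.items()},
        "unexpected_services": unexpected,
        "findings": findings,
    }


def load_policy(path):
    """Read a policy JSON file from disk (assumed helper for the demo)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    text = load_policy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_POLICY
    report = audit_policy(text, intended_services={"ec2", "s3", "route53"})
    for svc, names in report["services"].items():
        print(f"{svc}: {len(names)} action(s)")
    for line in report["findings"]:
        print("WARN", line)
    if report["unexpected_services"]:
        print("Granted beyond the intended set:", ", ".join(report["unexpected_services"]))
```

Run against the full policy above, the audit will warn on every statement except the S3 one, because those statements scope access by action but leave `Resource` as `"*"`; the warnings tell you where to look at narrowing with resource ARNs or condition keys where the service supports them, rather than taking the policy as least-privilege by default.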

Step 4: Review and Create

  1. Add tags (optional): Environment: Production
  2. Click "Next: Review"
  3. Review the user details and permissions
  4. Click "Create user"

Step 5: Save Your Credentials

CRITICAL: This is your only chance to see the secret access key!

AWS will never show it again. Save it securely now.

You'll see two values:

  • Access key ID
    AKIAIOSFODNN7EXAMPLE
  • Secret access key
    wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Save these credentials:

  • Click "Download .csv" and save to a secure location
  • Or copy both values to a password manager (recommended)
  • Never share these credentials or commit them to Git
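
"Never commit them to Git" is easier to enforce with a check than with memory. The scanner below is an added example, not part of this guide or of Focal Deploy: it looks for AWS access key IDs (the `AKIA`/`ASIA` prefix plus 16 upper-case alphanumerics) and for 40-character secrets that sit next to a secret-key-looking name, and exits non-zero when it finds any, so it can be wired in as a pre-commit hook. The sample files are constructed and use the placeholder key pair shown above (the same example pair AWS uses in its own documentation); the directory skip list and the redaction format are assumptions.

```python
import re
import sys
from pathlib import Path

# Long-term IAM user keys begin with "AKIA", temporary STS keys with "ASIA",
# followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A bare 40-character string is too common to flag on its own; only report one
# that follows a secret-key-looking name within a few characters.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws[_-]?)?secret(?:[_-]?access)?[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b")

# Directories that are never worth scanning (assumed defaults).
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def scan_text(text, path="<input>"):
    """Return (path, line_no, kind, value) for every credential-looking token in text.

    Secrets are redacted to their first and last four characters in the output.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            hits.append((path, line_no, "access_key_id", match.group(0)))
        for match in SECRET_KEY_RE.finditer(line):
            secret = match.group(1)
            hits.append((path, line_no, "secret_access_key",
                         secret[:4] + "..." + secret[-4:]))
    return hits


def scan_paths(paths):
    """Scan files or directory trees on disk; unreadable or binary files are skipped."""
    hits = []
    for root in map(Path, paths):
        files = [root] if root.is_file() else (
            p for p in root.rglob("*") if p.is_file() and not SKIP_DIRS & set(p.parts))
        for file in files:
            try:
                text = file.read_text(encoding="utf-8")
            except (UnicodeDecodeError, OSError):
                continue
            hits.extend(scan_text(text, str(file)))
    return hits


# Constructed sample files using the placeholder key pair from the guide.
SAMPLE_FILES = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "settings.py": 'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
                   'REGION = "us-east-1"\n',
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment, never in this file.\n",
}


def scan_samples():
    """Scan the constructed sample files (used when no paths are given)."""
    hits = []
    for name, text in SAMPLE_FILES.items():
        hits.extend(scan_text(text, name))
    return hits


if __name__ == "__main__":
    found = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_samples()
    for path, line_no, kind, value in found:
        print(f"{path}:{line_no}: {kind} {value}")
    sys.exit(1 if found else 0)   # non-zero blocks the commit when run as a hook
```

As a hook, call it with the staged file list (for example the output of `git diff --cached --name-only`); a key that is already in history needs to be treated as leaked and rotated regardless of whether the commit is later rewritten.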

Step 6: Add to Focal Deploy

  1. Log in to your Focal Deploy dashboard
  2. Navigate to Credentials page
  3. Click "Add AWS Credentials"
  4. Enter:
    • Credential name: Production AWS
    • Access Key ID (paste from step 5)
    • Secret Access Key (paste from step 5)
    • Default region: us-east-1
  5. Click "Test Connection" to verify
  6. Click "Save"

Success! Your AWS credentials are now securely stored and encrypted. You can start deploying!

Security Best Practices

✓ DO

  • ✓ Use custom policies with minimal permissions
  • ✓ Rotate access keys every 90 days
  • ✓ Enable MFA on your AWS root account
  • ✓ Use separate IAM users for different environments
  • ✓ Monitor CloudTrail logs for unusual activity

✗ DON'T

  • ✗ Use your AWS root account credentials
  • ✗ Share credentials across team members
  • ✗ Commit credentials to version control
  • ✗ Email or message credentials in plaintext
  • ✗ Give more permissions than necessary

Need help? Contact support or join our Discord community