Creating an Administrators Group Using the Console advises not to grant an access key to the IAM user I create for myself, intending, I'm guessing, to grant least privilege.
However, in addition to being an "Administrator," I also want to be a developer of an Elastic Beanstalk application. And, as a developer, I need an access key to Deploy to AWS Elastic Beanstalk with the command git aws.push.
So, how do I solve this dilemma? Should I just create two separate IAM users: one for administration (mpasquale-admin) and one for development (mpasquale-dev)?
There are a few ways to go about this - I will give an example using my setup.
I always ensure that the Root account (the account that setup the AWS account) has MFA turned enabled, and token or digital 2FA is stored securely.
Once the Root has been created, I setup an "Admin" group and user: mpasquale-admin and give this user Full Access to AWS (with or without billing/depending on business need).
From here, change your Root account password to something complex and set a Password Policy to something other than default - then logout of Root and try not to use it, except for emergencies, etc.
Logon to the Admin account and create a "Developer" group. From here, you need to Attach a Policy - so search for the following: AWSElasticBeanStalkFullAccess
Attach the policy and create the Group. Add the developer to that group (ie: mpasquale-dev). Give that user console access and setup the password, etc.
While in IAM, click on Users again and then scroll down to Security Credentials. Click on Manage Access Keys->then Create Access Key (download for later).
Now, I would suggest testing your application with Elastic Beanstalk.
From here, if you need to restrict this policy even more you can edit the policy attached to the Developer group and hone on resource restrictions, users, subnets, etc. if needed.
I suggest checking out the following for more information as well:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.html