Using email IDs as IAM Username

Let’s face it. Finding out which IAM user belongs to whom is a mammoth task if you have a long list of them.

What if we use email IDs as IAM usernames?

I think it’s a good idea, as it helps in several ways:

  • Send an email directly to the user with their credentials, instead of scavenging documents or old emails to work out who the user is.
  • The email ID shows where the user belongs. Take two users, `foo@bar.com` and `bar@foo.com`: the different domains alone distinguish the two IAM users.
  • It sets a unique name for each IAM user. AWS allows `@` and `.` in IAM names, so an email address is a legal username as long as it stays within the 64-character limit on user names.
  • The most important (in my view) is automation around IAM users. Say we have a password rotation script in place that resets the password of every IAM user. Because the username is the address, the script can send the password alert straight to the right mailbox, from the command line or from the rotation script itself. If the script mails a fresh password, set it with `--password-reset-required` so the mailed value is only good for one sign-in and the user has to pick their own password immediately.

What about service-based IAM users?

As far as service-based IAM users are concerned, they can be named as: <SERVICE_NAME>-<REQUESTER_EMAILID>

This way, we can keep track of who requested the IAM credentials. One thing to watch: the 64-character limit applies to the whole name, so the service prefix plus the requester’s address must fit, and the service name itself should avoid hyphens so the prefix can be split off reliably. Apart from service-based IAM users, I think the rest of the users can be changed to email addresses. I am going to implement this as a prerequisite across all the AWS accounts I am handling to streamline methods and communications.
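To make the two naming conventions and the rotation idea concrete, here is an added example (my own code, not from the original post) that validates a name against the IAM friendly-name rules, maps either a plain email username or a `<SERVICE_NAME>-<REQUESTER_EMAILID>` username back to the mailbox to notify, and builds the `aws iam update-login-profile` call for one rotation step with `--password-reset-required` set. The `Owner` class, `owner_of` and `rotation_step` names are mine. It assumes service names contain no hyphen and that human users have no hyphen in the local part of their address; without that assumption `deploy-john-smith@example.com` could be read either way. It builds the CLI call as an argument list and the mail as a dict rather than executing or sending anything, so it runs offline; the user names in it are made up.

```python
"""Helpers for the email-as-IAM-username convention (added example, not the post's code)."""
import re
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# IAM friendly names: letters, digits and + = , . @ _ - ; user names are at most 64 characters.
IAM_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]+$")
IAM_USER_MAX_LEN = 64
# Deliberately simple email shape check, restricted to characters IAM also accepts.
EMAIL_RE = re.compile(r"^[A-Za-z0-9+=,._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_iam_username(name: str) -> Optional[str]:
    """Return None if `name` is a legal IAM user name, otherwise the reason it is not."""
    if not name:
        return "empty name"
    if len(name) > IAM_USER_MAX_LEN:
        return f"{len(name)} characters exceeds the {IAM_USER_MAX_LEN}-character IAM limit"
    if not IAM_NAME_RE.match(name):
        bad = sorted({c for c in name if not IAM_NAME_RE.match(c)})
        return f"characters not allowed in IAM names: {bad}"
    return None


@dataclass(frozen=True)
class Owner:
    service: Optional[str]  # None for a human user named directly after the email
    email: str              # mailbox that receives the credential notification


def owner_of(username: str) -> Owner:
    """Map a user name to the mailbox to notify.

    Humans are `<email>`; service users are `<SERVICE_NAME>-<REQUESTER_EMAIL>`.
    Assumption (not from the post): a hyphen in the local part marks a service
    user and the service name never contains a hyphen, so we split at the first one.
    """
    problem = validate_iam_username(username)
    if problem:
        raise ValueError(f"{username!r}: {problem}")
    local, at, _domain = username.partition("@")
    if not at:
        raise ValueError(f"{username!r}: not an email-based user name")
    if "-" in local:
        service, _, email = username.partition("-")
        if service and EMAIL_RE.match(email):
            return Owner(service=service, email=email)
        raise ValueError(f"{username!r}: malformed service user name")
    if EMAIL_RE.match(username):
        return Owner(service=None, email=username)
    raise ValueError(f"{username!r}: malformed email user name")


def temporary_password(length: int = 20) -> str:
    """Random one-time password with at least one character from each class."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*()_+-="]
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def rotation_step(username: str) -> dict:
    """Build the CLI call and the notification for one user in a rotation run.

    `--password-reset-required` forces a new password at the next sign-in, so the
    mailed value works exactly once.  `update-login-profile` assumes the user already
    has console access; use `create-login-profile` with the same flag otherwise.
    """
    owner = owner_of(username)
    pwd = temporary_password()
    cli = ["aws", "iam", "update-login-profile", "--user-name", username,
           "--password", pwd, "--password-reset-required"]
    body = (f"The password for IAM user {username} was rotated.\n"
            f"Temporary password (valid for one sign-in only): {pwd}\n")
    if owner.service:
        body += f"This is the service user for '{owner.service}' that you requested.\n"
    return {"cli": cli, "to": owner.email,
            "subject": f"IAM password rotated for {username}", "body": body}


if __name__ == "__main__":
    for name in ["foo@bar.com", "backup-bar@foo.com", "foo bar"]:  # constructed sample names
        try:
            step = rotation_step(name)
            print(step["to"], "<-", " ".join(step["cli"][:5]), "...")
        except ValueError as err:
            print("skipped:", err)
```

The argument list is the part a rotation script would hand to `subprocess.run`; the notification dict is what it would hand to whatever mail sender the account uses. Keeping both as data makes a dry run trivial: print the plan, check every `to` address looks right, and only then execute it.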

Comments are welcome.

amazon web services aws awscli