Each AWS account has root account credentials, which we do not use for day-to-day access.
Instead, all access to AWS resources goes through IAM identities and roles.
IAM Roles for VMs
IAM Roles for Humans
We use separate IAM roles for users on our team, which team members access via AWS's assume-role feature (the STS `AssumeRole` call). See the RE manual for details on how to do this. The role ARNs you will need for this are documented in the paas-aws-account-wide-terraform repo.
We manage all of these IAM roles and their attached policies using Terraform. The config is in the account-wide-terraform repo. This includes each role's trust policy, which defines who is allowed to assume it.
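The following is an added illustration of the pattern described in the two paragraphs above (humans assuming a role, and the role plus its trust policy being defined in Terraform). It is example code written for this page, not the project's own Terraform, and the role name, the user ARN in the default list, and the `ReadOnlyAccess` managed policy are placeholders chosen for the example.

```hcl
# Added example, not the project's Terraform. All names and the user ARN
# below are placeholders/assumptions.

# Hypothetical list of IAM user ARNs permitted to assume the role.
variable "readonly_users" {
  description = "IAM user ARNs allowed to assume the read-only role"
  type        = list(string)
  default     = ["arn:aws:iam::111122223333:user/alice"]
}

# Trust policy: this is the part that decides WHO may assume the role.
# Listing explicit user ARNs (rather than the account's :root principal)
# keeps the set of assumers tight, and requiring MFA means a leaked
# long-lived access key on its own is not enough to obtain the role.
data "aws_iam_policy_document" "readonly_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = var.readonly_users
    }

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "readonly" {
  name               = "example-readonly"
  assume_role_policy = data.aws_iam_policy_document.readonly_trust.json

  # Keep assumed-role credentials short-lived (seconds; 1 hour here).
  max_session_duration = 3600
}

# Permissions policy: what the role can do once it has been assumed.
# This is separate from the trust policy above.
resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# The ARN a team member needs when assuming the role.
output "readonly_role_arn" {
  value = aws_iam_role.readonly.arn
}
```

Once applied, a listed user assumes the role with `aws sts assume-role --role-arn <role arn> --role-session-name <name> --serial-number <mfa device arn> --token-code <code>` and exports the returned temporary credentials; without the `--serial-number`/`--token-code` pair the MFA condition in the trust policy causes the call to be denied. The trust policy and the permissions policy are separate documents: a change to who may assume the role is a change to the `aws_iam_policy_document`, not to the attached permissions.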