My preferred way of handling administrative IAM users and AWS accounts has been:

1. Use multiple AWS accounts instead of a single AWS account.

Example: one account for each environment.

2. Delete the access keys for the root user and enable MFA (multi-factor authentication).

Do not use the root user for AWS CLI or API calls.

3. Create an IAM user for each team member with programmatic access, so they can work with the AWS CLI and API calls. Add them to one or more team groups with the desired policies.

There can be Middleware, Ops and DBA groups, etc.

4. Create Unix users for each team member and assign individual keys.

5. Finally, create a single read-only user for the entire team for console access.
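One way to check an account against steps 2, 3 and 5 is to audit its IAM credential report (the CSV returned by `aws iam get-credential-report`). This is an added example, not part of the original list. The user names, the `team-readonly` name for the shared console user, and the rules that individual users have no console password and the shared user has no access keys are assumptions made for illustration.

```python
import csv
import io

# Constructed sample: a subset of the columns found in an IAM credential
# report. All user names below are made up for this example.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,false,true,false
alice,false,false,true,false
bob,true,false,true,false
team-readonly,true,true,false,false
"""


def audit(report_csv, console_user="team-readonly"):
    """Return (user, issue) pairs where the report deviates from the scheme."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        has_key = "true" in (row["access_key_1_active"],
                             row["access_key_2_active"])
        has_console = row["password_enabled"] == "true"
        if name == "<root_account>":
            # Step 2: root has no access keys and has MFA enabled.
            if has_key:
                findings.append((name, "root access key active"))
            if row["mfa_active"] != "true":
                findings.append((name, "root MFA not enabled"))
        elif name == console_user:
            # Step 5: the shared user is for console access only
            # (assumption: it should therefore carry no access keys).
            if has_key:
                findings.append((name, "shared console user has access key"))
        elif has_console:
            # Step 3: team members get programmatic access only
            # (assumption: no individual console passwords).
            findings.append((name, "individual user has console password"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

The credential report says nothing about attached policies, so the read-only property of the shared user and the group policies from step 3 have to be reviewed separately.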