AWS_IAM_1

Avoid the use of the root account

Description

The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.

Remediation

The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided and that IAM users with the required access be created instead.

Perform the following to create an IAM group and assign a policy to it:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups and then click Create New Group.
  3. In the Group Name box, type the name of the group and then click Next Step.
  4. In the list of policies, select the checkbox for each policy that you want to apply to all members of the group. Then click Next Step.
  5. Click Create Group

Perform the following to add a user to a given group:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups
  3. Select the group to add a user to
  4. Click Add Users To Group
  5. Select the users to be added to the group
  6. Click Add Users

Perform the following to remove a direct association between a user and policy:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the left navigation pane, click on Users
  3. For each user:
    1. Select the user
    2. Click on the Permissions tab
    3. Expand Managed Policies
    4. Click Detach Policy for each policy
    5. Expand Inline Policies
    6. Click Remove Policy for each policy
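
The three console procedures above can also be scripted against the IAM API. The following is an added example, not part of the original rule; it assumes boto3 and non-root IAM administrator credentials, and the group, policy and user names in it are placeholders.

```python
"""The three console procedures above, done through the IAM API."""


def create_group_with_policies(iam, group, policy_arns):
    # Procedure 1: create the group, then attach each selected managed policy.
    iam.create_group(GroupName=group)
    for arn in policy_arns:
        iam.attach_group_policy(GroupName=group, PolicyArn=arn)


def add_user_to_group(iam, group, user):
    # Procedure 2: do this before procedure 3 so the user keeps access.
    iam.add_user_to_group(GroupName=group, UserName=user)


def remove_direct_policies(iam, user, dry_run=True):
    # Procedure 3: list everything first, then detach managed policies and
    # delete inline ones. With dry_run=True nothing is changed.
    attached = iam.get_paginator("list_attached_user_policies")
    inline_pg = iam.get_paginator("list_user_policies")
    managed = [p["PolicyArn"] for page in attached.paginate(UserName=user)
               for p in page["AttachedPolicies"]]
    inline = [n for page in inline_pg.paginate(UserName=user)
              for n in page["PolicyNames"]]
    if not dry_run:
        for arn in managed:
            iam.detach_user_policy(UserName=user, PolicyArn=arn)
        for name in inline:
            iam.delete_user_policy(UserName=user, PolicyName=name)
    return {"managed": managed, "inline": inline}


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed, IAM-admin (non-root) credentials

    iam = boto3.client("iam")
    # Placeholder group, policy and user names; substitute your own.
    create_group_with_policies(
        iam, "ExampleGroup", ["arn:aws:iam::aws:policy/ReadOnlyAccess"])
    add_user_to_group(iam, "ExampleGroup", "example-user")
    print(remove_direct_policies(iam, "example-user", dry_run=True))
```

Review the dry-run output and confirm the group's policies cover what the user needs before calling with `dry_run=False`, because a deleted inline policy cannot be recovered.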

References:

  1. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  2. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

Service

IAM

Severity

High

Compliance

Mapping
