AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

First-time users should visit the IAM Best Practices section of our IAM user guide. To get started using IAM, sign in to the AWS Management Console.

IAM also enables identity federation between your corporate directory and AWS services. This lets you use existing corporate identities to grant secure access to AWS resources, such as Amazon S3 buckets, without creating new AWS identities for those users. To learn more, try our sample application.

Introducing web identity federation

Web identity federation introduces a new AWS Security Token Service (STS) API, AssumeRoleWithWebIdentity, which you can use to create cloud-backed mobile apps that use public identity providers such as Facebook, Google, or the newly launched Login with Amazon service for authentication. With web identity federation, you have an easy way to integrate Amazon.com, Facebook, or Google sign-in into your apps without having to write any server-side code and without distributing long-term AWS security credentials with the app.

For more information about web identity federation, please see Creating Temporary Security Credentials for Mobile Apps Using Public Identity Providers in the AWS STS guide.


Functionality

IAM allows you to:

Manage IAM users and their access - You can create users in IAM, assign them individual security credentials (i.e., access keys, passwords, and Multi-Factor Authentication devices) or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform.

Manage IAM roles and their permissions - You can create roles in IAM, and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role.

Manage federated users and their permissions - You can enable identity federation to allow existing identities (e.g. users) in your enterprise to access the AWS Management Console, to call AWS APIs, and to access resources, without the need to create an IAM user for each identity.

You enable identity federation by requesting temporary security credentials that can be used to sign requests to AWS. The temporary security credentials consist of short-lived access keys and session tokens associated with the keys. Your enterprise users can use the access keys the same way as before, as long as they pass the token along in the calls that they make to the AWS APIs. The permissions associated with temporary security credentials are at most equal to those of the IAM user who issued them; you can further restrict them by specifying explicit permissions as part of the request to create them. There is no limit on the number of temporary security credentials that can be issued.

As an example, an enterprise might want an application running on all employee laptops to perform daily backups to an employee-specific subfolder in Amazon S3. The enterprise could run a small application that would serve as an “identity broker”, requesting an AWS temporary security credential for each user after they log in to their corporate network. This credential could specify the exact permissions granted (e.g., write access to a particular S3 bucket/folder) and the duration of the permissions (e.g., 12 hours). The credential would be passed back to the backup application on the employee's laptop, providing secure and direct access to Amazon S3. To learn more about configuring identity federation with your corporate directory, try out our sample application.
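The following is an added example, not code from the AWS page or its sample application, of what the "identity broker" described above would assemble: a scoped-down permissions document for one employee's S3 backup prefix and the GetFederationToken request that carries it. The bucket name, prefix layout and employee-id format are assumptions.

```python
"""Identity-broker side of the laptop-backup scenario (added example).
The broker calls sts:GetFederationToken with an explicit policy, so the
returned temporary credentials can only write under the employee's own
prefix; the broker's own IAM permissions are the upper bound."""
import json
import re

BACKUP_BUCKET = "corp-laptop-backups"   # assumed bucket name
TWELVE_HOURS = 12 * 60 * 60             # 43200 seconds, as in the text


def backup_policy(employee: str, bucket: str = BACKUP_BUCKET) -> dict:
    """Permissions handed to GetFederationToken for one employee.

    Only listing and writing under backups/<employee>/ are allowed;
    IAM denies everything that is not explicitly granted."""
    # Reject anything that could escape the prefix (slashes, "..", etc.).
    if not re.fullmatch(r"[a-z0-9._-]{2,32}", employee):
        raise ValueError("employee id must be a safe path segment")
    prefix = f"backups/{employee}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # list only the employee's own prefix in the bucket
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
            {   # write objects only under that prefix
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def federation_token_request(employee: str, duration: int = TWELVE_HOURS) -> dict:
    """Keyword arguments for sts:GetFederationToken, e.g. with boto3:
    client.get_federation_token(**federation_token_request("alice"))."""
    if not 900 <= duration <= 129600:   # STS allows 15 minutes to 36 hours
        raise ValueError("duration outside STS limits")
    return {
        "Name": employee,
        "Policy": json.dumps(backup_policy(employee)),
        "DurationSeconds": duration,
    }
```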


IAM enables the following use cases:

Fine-grained access control to your AWS resources: IAM enables you to control access to AWS service APIs and to specific resources. IAM also enables you to add specific conditions to control how a user can use AWS, such as time of day, their originating IP address, whether they are using SSL, or whether they have authenticated with a Multi-Factor Authentication device.
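To make the conditions above concrete, here is an added example (not AWS code) of a minimal evaluator that applies a statement carrying the real IAM global condition keys for source IP, SSL, MFA and time of day to a request context. The policy, bucket name and request contexts are constructed samples; the evaluator covers only the four operators the statement uses.

```python
"""Deny-by-default evaluation of one IAM statement with conditions
(added example).  Resource matching is simplified to a trailing '*'."""
import ipaddress
from datetime import datetime, timezone

# Assumed policy: reads of corp-reports only from the corporate range,
# over TLS, with MFA, during business hours (UTC) on 2013-06-01.
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::corp-reports/*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "Bool": {"aws:SecureTransport": "true",
                 "aws:MultiFactorAuthPresent": "true"},
        "DateGreaterThan": {"aws:CurrentTime": "2013-06-01T08:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2013-06-01T18:00:00Z"},
    },
}


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_holds(operator: str, key: str, expected: str, ctx: dict) -> bool:
    actual = ctx.get(key)
    if actual is None:          # key absent from the request: condition fails
        return False
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    raise ValueError(f"unsupported condition operator {operator}")


def statement_allows(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    """True only if action, resource and every condition all match."""
    if action != stmt["Action"]:
        return False
    if not resource.startswith(stmt["Resource"].rstrip("*")):
        return False
    return all(condition_holds(op, key, value, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, value in pairs.items())
```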

Identity federation between your enterprise and AWS services: IAM can be used to grant your employees and applications access to the AWS Management Console and AWS service APIs using your existing identity systems.

Mobile and browser-based applications: You can enable your mobile and browser-based applications to securely access AWS resources by requesting temporary security credentials that only grant access to specific AWS resources, for a configurable period of time.



Service Highlights

Enhanced security – IAM enables security best practices by allowing you to grant unique security credentials to every user and specify which AWS service APIs and resources they can access. IAM is secure by default; users have no access to AWS resources until permissions are explicitly granted.

Control – IAM provides the granularity to control a user’s access to specific AWS services and resources (e.g., terminating EC2 instances or deleting Amazon S3 buckets).

Seamlessly integrated with other AWS services – IAM is natively integrated into most AWS Services.

Reliable – IAM is built using Amazon’s world-class technology infrastructure. Like other Amazon Web Services, the service runs within Amazon’s global network infrastructure and data centers.



Features

IAM provides features for managing access to AWS service APIs and resources your AWS account has access to, including the ability to:

  • Manage IAM users:
    • Create IAM user identities - Add IAM users to your AWS account.
    • Organize IAM users in groups - Create groups to easily manage permissions for multiple IAM users under your AWS account.
  • Manage IAM roles:
    • Create IAM roles - Add IAM roles to your AWS account.
    • Define who can assume IAM roles - Create a list of trusted entities, users, or AWS services that are allowed to assume the role.
  • Manage permissions:
    • Centralize control of user access - Control which operations your users and roles can perform, such as accessing specific AWS service APIs and resources.
    • Conditional user access - Add conditions to control how your users and roles can use AWS, such as time of day, their originating IP address, or whether they are using SSL.
  • Manage credentials:
    • Create and assign security credentials - Assign security credentials to your IAM users, and rotate or revoke these credentials as desired.
    • Create temporary security credentials - Request temporary security credentials with configurable expiration and permissions for your IAM users, federated users or applications.



Pricing

AWS Identity and Access Management is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.



Detailed description

Working with AWS Identity and Access Management (IAM)

You can manage access to AWS using the AWS Management Console, which gives you a point-and-click, web-based interface to create and manage IAM users, IAM roles, permissions and security credentials. IAM also provides a set of APIs and command line tools for fully scripted access to the capabilities above. For a full list of the available IAM APIs, see the AWS Identity and Access Management API Reference Guide. Some of the commonly used APIs and their functionality are listed below:


Manage users:
  • CreateUser: Creates an IAM user with a user name that you specify. The user name is a string of characters that must be unique within the AWS account to which it belongs.
  • CreateGroup: Creates a group with a group name that you specify.
  • AddUserToGroup: Adds an IAM user to the specified group.
  • RemoveUserFromGroup: Removes an IAM user from the specified group.

Manage roles:
  • CreateRole: Creates an IAM role with a name you specify. The role name is a string of characters that must be unique within the AWS account to which it belongs.
  • UpdateAssumeRolePolicy: Updates the policy that defines which trusted entity is allowed to assume the role.

Manage permissions:
  • PutUserPolicy: Adds (or updates) a policy document for the specified IAM user. A policy document contains a set of permissions.
  • PutRolePolicy: Adds (or updates) a policy document for the specified IAM role.
  • PutGroupPolicy: Adds (or updates) a policy document for a specified group.

Manage credentials:
  • CreateAccessKey: Creates a unique AWS Access Key ID and corresponding Secret Access Key for the specified IAM user. These access keys enable the IAM users to make API calls to AWS services directly.
  • GetSessionToken: Creates a unique AWS Access Key ID, corresponding Secret Access Key and token for a specified duration for the IAM user calling this API.
  • GetFederationToken: Creates a unique AWS Access Key ID, corresponding Secret Access Key and token for a specified duration and permissions for a federated user or applications.

Getting Started

The best way to understand IAM is to review the Getting Started Guide, part of our Technical Documentation. Within a few minutes, you will be able to create your own users, roles and groups and assign permissions.



Intended Usage and Restrictions

Your use of this service is subject to your agreement with us governing your use of AWS. Please see the Amazon Web Services Customer Agreement for more details.


©2013, Amazon Web Services, Inc. or its affiliates. All rights reserved.