
AWS Identity and Access Management - User Guide PDF

745 Pages·2017·10.27 MB·English

Preview AWS Identity and Access Management - User Guide

Amazon Identity and Access Management: User Guide

Table of Contents

What is IAM? ... 1
  Video introduction to IAM ... 1
  IAM features ... 1
  Accessing IAM ... 3
  How IAM works ... 3
    Terms ... 4
    Principal ... 5
    Request ... 5
    Authentication ... 6
    Authorization ... 6
    Actions or operations ... 6
    Resources ... 7
  Users in Amazon ... 7
    First-time access only: Your root user credentials ... 7
    IAM users ... 8
    Federating existing users ... 10
  Permissions and policies in IAM ... 11
    Policies and accounts ... 11
    Policies and users ... 11
    Policies and groups ... 12
    Federated users and roles ... 12
    Identity-based and resource-based policies ... 12
  What is ABAC? ... 13
    Comparing ABAC to the traditional RBAC model ... 13
  Security features outside IAM ... 14
  Quick links to common tasks ... 15
  Working with Amazon SDKs ... 17
Getting set up ... 18
  Access control methods ... 18
  Sign up for an Amazon Web Services account ... 20
  Secure IAM users ... 20
Getting started ... 22
  How IAM users sign in ... 23
    Permissions required for console activities ... 23
    Logging sign-in details in CloudTrail ... 24
  IAM console search ... 24
    Using IAM console search ... 24
    Icons in the IAM console search results ... 24
    Sample search phrases ... 25
Tutorials ... 26
  Delegate access to the billing console ... 26
    Prerequisites ... 27
    Step 1: Activate access to billing data on your Amazon test account ... 27
    Step 2: Create IAM policies that grant permissions to billing data ... 27
    Step 3: Attach billing policies to your user groups ... 28
    Step 4: Test access to the billing console ... 29
    Related resources ... 29
    Summary ... 30
  Delegate access across Amazon Web Services accounts using roles ... 30
    Prerequisites ... 31
    Step 1: Create a role in the Production Account ... 32
    Step 2: Grant access to the role ... 34
    Step 3: Test access by switching roles ... 35
    Related resources ... 39
    Summary ... 39
  Create a customer managed policy ... 39
    Prerequisites ... 39
    Step 1: Create the policy ... 40
    Step 2: Attach the policy ... 40
    Step 3: Test user access ... 41
    Related resources ... 41
    Summary ... 41
  Use attribute-based access control (ABAC) ... 41
    Tutorial overview ... 42
    Prerequisites ... 43
    Step 1: Create test users ... 43
    Step 2: Create the ABAC policy ... 45
    Step 3: Create roles ... 47
    Step 4: Test creating secrets ... 48
    Step 5: Test viewing secrets ... 50
    Step 6: Test scalability ... 51
    Step 7: Test updating and deleting secrets ... 52
    Summary ... 53
    Related resources ... 53
    Use SAML session tags for ABAC ... 54
  Permit users to manage their credentials and MFA settings ... 57
    Prerequisites ... 57
    Step 1: Create a policy to enforce MFA sign-in ... 58
    Step 2: Attach policies to your test user group ... 58
    Step 3: Test your user's access ... 59
    Related resources ... 60
Signing in to Amazon ... 61
  Sign in as the root user ... 61
  Sign in as an IAM user ... 62
  Your Amazon Web Services account ID and its alias ... 64
    Finding your Amazon Web Services account ID ... 64
    About account aliases ... 65
    Creating, deleting, and listing an Amazon Web Services account alias ... 65
  Amazon sign-in issues ... 66
    My credentials aren't working ... 67
    I need my Amazon Web Services account ID or Amazon Web Services account alias ... 68
    I forgot my IAM user name or password ... 68
    I forgot the root user password for my Amazon Web Services account ... 68
    I don't have access to the email for my Amazon Web Services account ... 68
    I need to change the credit card for my Amazon Web Services account ... 69
    I need to report fraudulent Amazon Web Services account activity ... 69
    I need to close my Amazon Web Services account ... 69
Identities ... 70
  Amazon Web Services account root user ... 70
  IAM users ... 71
  IAM user groups ... 71
  IAM roles ... 71
  Temporary credentials in IAM ... 72
  When to use IAM Identity Center users? ... 72
  When to create an IAM user (instead of a role) ... 72
  When to create an IAM role (instead of a user) ... 73
  Users ... 74
    How Amazon identifies an IAM user ... 74
    IAM users and credentials ... 74
    IAM users and permissions ... 75
    IAM users and accounts ... 76
    IAM users as service accounts ... 76
    Adding a user ... 76
    Controlling user access to the console ... 81
    How IAM users sign in to Amazon ... 82
    Managing users ... 84
    Changing permissions for a user ... 89
    Managing passwords ... 93
    Access keys ... 104
    Retrieving lost passwords or access keys ... 113
    Multi-factor authentication (MFA) ... 114
    Finding unused credentials ... 156
    Getting credential reports ... 159
    Using IAM with CodeCommit ... 163
    Using IAM with Amazon Keyspaces ... 165
    Managing server certificates ... 166
  User groups ... 170
    Creating user groups ... 172
    Managing user groups ... 173
  Roles ... 178
    Terms and concepts ... 179
    Common scenarios ... 182
    Identity providers and federation ... 194
    Service-linked roles ... 236
    Creating roles ... 244
    Using roles ... 268
    Managing roles ... 296
    Roles vs. resource-based policies ... 311
  Tagging IAM resources ... 314
    Choose an Amazon tag naming convention ... 314
    Rules for tagging in IAM and Amazon STS ... 315
    Tagging IAM users ... 317
    Tagging IAM roles ... 319
    Tagging customer managed policies ... 321
    Tagging IAM identity providers ... 323
    Tagging instance profiles ... 327
    Tagging server certificates ... 329
    Tagging virtual MFA devices ... 331
    Session tags ... 332
  Temporary security credentials ... 341
    Amazon STS and Amazon regions ... 341
    Common scenarios for temporary credentials ... 341
    Requesting temporary security credentials ... 343
    Using temporary credentials with Amazon resources ... 353
    Controlling permissions for temporary security credentials ... 356
    Managing Amazon STS in an Amazon Web Services Region ... 376
    Using Amazon STS interface VPC endpoints ... 380
    Using bearer tokens ... 382
    Sample applications that use temporary credentials ... 382
    Additional resources for temporary credentials ... 383
  Amazon Web Services account root user ... 383
    Create or delete an Amazon Web Services account ... 384
    Enable MFA on the Amazon Web Services account root user ... 384
    Creating access keys for the root user ... 385
    Deleting access keys for the root user ... 386
    Changing the password for the root user ... 386
    Securing the credentials for the root user ... 386
    Transferring the root user owner ... 386
  Log events with CloudTrail ... 386
    IAM and Amazon STS information in CloudTrail ... 387
    Logging IAM and Amazon STS API requests ... 387
    Logging API requests to other Amazon services ... 388
    Logging Regional sign-in events ... 388
    Logging user sign-in events ... 390
    Logging sign-in events for temporary credentials ... 390
    Example IAM API events in CloudTrail log ... 391
    Example Amazon STS API events in CloudTrail log ... 392
    Example sign-in events in CloudTrail log ... 398
Access management ... 401
  Access management resources ... 403
  Policies and permissions ... 403
    Policy types ... 403
    Policies and the root user ... 408
    Overview of JSON policies ... 408
    Grant least privilege ... 411
    Managed policies and inline policies ... 412
    Permissions boundaries ... 420
    Identity vs resource ... 429
    Controlling access using policies ... 432
    Control access to IAM users and roles using tags ... 440
    Control access to Amazon resources using tags ... 441
    Example policies ... 444
  Managing IAM policies ... 494
    Creating IAM policies ... 495
    Validating policies ... 501
    Generating policies ... 502
    Testing IAM policies ... 502
    Add or remove identity permissions ... 511
    Versioning IAM policies ... 519
    Editing IAM policies ... 522
    Deleting IAM policies ... 526
    Refining permissions using access information ... 529
  Understanding policies ... 547
    Policy summary (list of services) ... 548
    Service summary (list of actions) ... 558
    Action summary (list of resources) ... 563
    Example policy summaries ... 566
  Permissions required ... 575
    Permissions for administering IAM identities ... 575
    Permissions for working in the Amazon Web Services Management Console ... 576
    Granting permissions across Amazon accounts ... 577
    Permissions for one service to access another ... 577
    Required actions ... 577
    Example policies for IAM ... 578
Code examples ... 581
  IAM examples ... 582
    Actions ... 585
    Scenarios ... 750
    Cross-service examples ... 830
  Amazon STS examples ... 831
    Actions ... 832
    Scenarios ... 838
Security ... 849
  Data protection ... 849
    Data encryption in IAM and Amazon STS ... 850
    Key management in IAM and Amazon STS ... 850
    Internetwork traffic privacy in IAM and Amazon STS ... 850
  Logging and monitoring ... 851
  Compliance validation ... 851
  Resilience ... 852
    Best practices for IAM resilience ... 853
  Infrastructure security ... 853
  Configuration and vulnerability analysis ... 854
  Security best practices and use cases ... 854
    Security best practices ... 854
    Business use cases ... 859
  Amazon managed policies ... 862
    IAMReadOnlyAccess ... 862
    IAMUserChangePassword ... 862
    IAMAccessAnalyzerFullAccess ... 863
    IAMAccessAnalyzerReadOnlyAccess ... 864
    AccessAnalyzerServiceRolePolicy ... 864
    [entry title not present in source] ... 866
    Policy updates ... 866
IAM Access Analyzer ... 868
  Identifying resources shared with an external entity ... 868
  Validating policies ... 869
  Generating policies ... 869
  Findings for public and cross-account access ... 870
    How IAM Access Analyzer findings work ... 870
    Getting started with IAM Access Analyzer findings ... 871
    Working with findings ... 873
    Reviewing findings ... 873
    Filtering findings ... 875
    Archiving findings ... 877
    Resolving findings ... 877
    Supported resource types ... 878
    Settings ... 882
    Archive rules ... 883
    Monitoring with EventBridge ... 884
    Security Hub integration ... 889
    Logging with CloudTrail ... 892
    IAM Access Analyzer filter keys ... 894
    Using service-linked roles ... 897
  Preview access ... 899
    Previewing access in Amazon S3 console ... 899
    Previewing access with IAM Access Analyzer APIs ... 900
  IAM Access Analyzer policy validation ... 902
    Validating policies in IAM (console) ... 903
    Validating policies using Access Analyzer (Amazon CLI or Amazon API) ... 904
    Policy check reference ... 904
  IAM Access Analyzer policy generation ... 981
    How policy generation works ... 981
    Service and action-level information ... 981
    Things to know ... 982
    Permissions required ... 982
    Generate a policy based on CloudTrail activity (console) ... 984
    Generate a policy using Amazon CloudTrail data in another account ... 987
    Generate a policy based on CloudTrail activity (Amazon CLI) ... 989
    Generate a policy based on CloudTrail activity (Amazon API) ... 989
    IAM Access Analyzer policy generation and action last accessed support ... 990
  IAM Access Analyzer quotas ... 996
Troubleshooting IAM ... 998
  General issues ... 998
    I can't sign in to my Amazon account ...
998 I lost my access keys ....................................................................................................... 998 I get "access denied" when I make a request to an Amazon service ........................................ 999 I get "access denied" when I make a request with temporary security credentials ................... 1000 Policy variables aren't working ....................................................................................... 1001 Changes that I make are not always immediately visible .................................................... 1001 I am not authorized to perform: iam:DeleteVirtualMFADevice ............................................. 1001 How do I securely create IAM users? ................................................................................ 1002 Additional resources...................................................................................................... 1002 Access denied error messages ................................................................................................. 1003 Access denied examples................................................................................................. 1003 IAM policies......................................................................................................................... 1005 Troubleshoot using the visual editor ............................................................................... 1006 Troubleshoot using policy summaries.............................................................................. 1009 Troubleshoot policy management................................................................................... 1015 Troubleshoot JSON policy documents............................................................................. 1016 FIDO security keys ................................................................................................................ 
1020 I can't enable my FIDO security key ................................................................................ 1020 I can't sign in using my FIDO security key ........................................................................ 1021 I lost or broke my FIDO security key ............................................................................... 1021 Other issues................................................................................................................. 1021 IAM roles............................................................................................................................. 1021 I can't assume a role..................................................................................................... 1022 A new role appeared in my Amazon account .................................................................... 1023 I can't edit or delete a role in my Amazon Web Services account ......................................... 1023 I'm not authorized to perform: iam:PassRole .................................................................... 1024 Why can't I assume a role with a 12-hour session? (Amazon CLI, Amazon API) ....................... 1024 I receive an error when I try to switch roles in the IAM console ........................................... 1024 My role has a policy that allows me to perform an action, but I get "access denied" ................ 1025 The service did not create the role's default policy version ................................................. 1025 There is no use case for a service role in the console ......................................................... 1026 IAM and Amazon EC2 ............................................................................................................ 
1027 When attempting to launch an instance, I don't see the role I expected to see in the Amazon EC2 console IAM Role list.............................................................................................. 1027 The credentials on my instance are for the wrong role ....................................................... 1027 When I attempt to call the AddRoleToInstanceProfile, I get an AccessDenied error...... 1028 Amazon EC2: When I attempt to launch an instance with a role, I get an AccessDenied error. 1028 I can't access the temporary security credentials on my EC2 instance ................................... 1028 What do the errors from the info document in the IAM subtree mean? ............................... 1029 IAM and Amazon S3 ............................................................................................................. 1030 How do I grant anonymous access to an Amazon S3 bucket? .............................................. 1030 I'm signed in as an Amazon Web Services account root user; why can't I access an Amazon S3 bucket under my account? ............................................................................................. 1030 SAML 2.0 federation............................................................................................................. 1030 Invalid SAML response................................................................................................... 1031 RoleSessionName is required .......................................................................................... 1031 Not authorized for AssumeRoleWithSAML........................................................................ 1031 Invalid RoleSessionName characters ................................................................................ 1032 Invalid Source Identity characters ................................................................................... 
1032 Invalid response signature ............................................................................................. 1033 Failed to assume role .................................................................................................... 1033 Could not parse metadata............................................................................................. 1033 Could not parse metadata............................................................................................. 1033 DurationSeconds exceeds MaxSessionDuration .................................................................. 1033 Viewing a SAML response in your browser ....................................................................... 1034 viii Amazon Identity and Access Management User Guide Reference..................................................................................................................................... 1036 IAM identifiers...................................................................................................................... 1036 Friendly names and paths .............................................................................................. 1036 IAM ARNs.................................................................................................................... 1037 Unique identifiers......................................................................................................... 1041 Quotas, name requirements, and character limits ...................................................................... 1043 IAM name requirements ................................................................................................ 1043 IAM object quotas......................................................................................................... 1044 IAM Access Analyzer quotas ........................................................................................... 
1046 IAM and STS character limits......................................................................................... 1046 Services that work with IAM ................................................................................................... 1049 Compute...................................................................................................................... 1050 Containers................................................................................................................... 1051 Storage....................................................................................................................... 1051 Database..................................................................................................................... 1052 Developer tools............................................................................................................ 1053 Security, identity, & compliance...................................................................................... 1054 Cryptography & PKI...................................................................................................... 1056 Machine learning.......................................................................................................... 1056 Management and governance......................................................................................... 1058 Migration & transfer..................................................................................................... 1060 Mobile......................................................................................................................... 1061 Networking & content delivery....................................................................................... 1062 Media.......................................................................................................................... 
1063 Analytics...................................................................................................................... 1064 Application integration.................................................................................................. 1065 Business applications..................................................................................................... 1066 Satellite....................................................................................................................... 1066 Internet of Things......................................................................................................... 1066 Robotics...................................................................................................................... 1067 Quantum Computing.................................................................................................... 1067 Blockchain................................................................................................................... 1068 Game development....................................................................................................... 1068 AR & VR...................................................................................................................... 1068 Customer enablement................................................................................................... 1068 Customer engagement.................................................................................................. 1069 End user computing...................................................................................................... 1069 Billing and cost management ......................................................................................... 1070 Additional resources...................................................................................................... 
1070 Policy reference.................................................................................................................... 1071 JSON element reference ................................................................................................ 1072 Policy evaluation logic................................................................................................... 1115 Policy grammar............................................................................................................ 1132 Amazon managed policies for job functions..................................................................... 1137 Global condition keys.................................................................................................... 1147 IAM condition keys ........................................................................................................ 1164 Actions, resources, and condition keys ............................................................................. 1177 Resources..................................................................................................................................... 1178 Identities............................................................................................................................. 1178 Credentials (passwords, access keys, and MFA devices) ............................................................... 1178 Permissions and policies ........................................................................................................ 1178 Federation and delegation ..................................................................................................... 1179 IAM and other Amazon products ............................................................................................ 1179 Using IAM with Amazon EC2 .......................................................................................... 
1179 Using IAM with Amazon S3 ............................................................................................ 1179 Using IAM with Amazon RDS .......................................................................................... 1180 Using IAM with Amazon DynamoDB................................................................................ 1180 ix Amazon Identity and Access Management User Guide General security practices ...................................................................................................... 1180 General resources................................................................................................................. 1180 Making HTTP query requests ......................................................................................................... 1182 Endpoints............................................................................................................................ 1182 HTTPS required.................................................................................................................... 1183 Signing IAM API requests ....................................................................................................... 1183 Document history......................................................................................................................... 1184 x
