AWS Identity and Access Management: User Guide
Copyright © 2022 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.
AWS Identity and Access Management User Guide
Table of Contents
What is IAM?..................................................................................................................................... 1
Video introduction to IAM ........................................................................................................... 1
IAM features.............................................................................................................................. 1
Accessing IAM ............................................................................................................................ 2
How IAM works ......................................................................................................................... 3
Terms............................................................................................................................... 4
Principal............................................................................................................................ 5
Request............................................................................................................................. 5
Authentication................................................................................................................... 5
Authorization..................................................................................................................... 5
Actions or operations ......................................................................................................... 6
Resources.......................................................................................................................... 6
Users in AWS............................................................................................................................. 7
First-time access only: Your root user credentials .................................................................... 7
IAM users.......................................................................................................................... 7
Federating existing users ................................................................................................... 10
Permissions and policies in IAM .................................................................................................. 11
Policies and accounts ........................................................................................................ 11
Policies and users ............................................................................................................. 11
Policies and groups .......................................................................................................... 11
Federated users and roles ................................................................................................. 12
Identity-based and resource-based policies .......................................................................... 12
What is ABAC? ......................................................................................................................... 13
Comparing ABAC to the traditional RBAC model ................................................................... 13
Security features outside IAM .................................................................................................... 14
Quick links to common tasks..................................................................................................... 15
Working with AWS SDKs ........................................................................................................... 16
Getting set up ................................................................................................................................. 18
Access control methods............................................................................................................. 18
Sign up for an AWS account ...................................................................................................... 20
Create an administrative user.................................................................................................... 21
Getting started ................................................................................................................................ 22
How IAM users sign in .............................................................................................................. 22
Permissions required for console activities ........................................................................... 23
Logging sign-in details in CloudTrail ................................................................................... 23
IAM console search................................................................................................................... 24
Using IAM console search .................................................................................................. 24
Icons in the IAM console search results ............................................................................... 24
Sample search phrases ...................................................................................................... 25
Tutorials.......................................................................................................................................... 26
Delegate access to the billing console ......................................................................................... 26
Prerequisites.................................................................................................................... 27
Step 1: Activate access to billing data on your AWS test account ............................................ 27
Step 2: Create IAM policies that grant permissions to billing data ........................................... 27
Step 3: Attach billing policies to your user groups ................................................................ 28
Step 4: Test access to the billing console ............................................................................. 29
Related resources............................................................................................................. 29
Summary........................................................................................................................ 30
Delegate access across AWS accounts using roles ......................................................................... 30
Prerequisites.................................................................................................................... 31
Step 1: Create a role in the Production Account ................................................................... 31
Step 2: Grant access to the role ......................................................................................... 34
Step 3: Test access by switching roles ................................................................................. 35
Related resources............................................................................................................. 38
Summary........................................................................................................................ 38
Create a customer managed policy ............................................................................................. 39
Prerequisites.................................................................................................................... 39
Step 1: Create the policy ................................................................................................... 39
Step 2: Attach the policy ................................................................................................... 40
Step 3: Test user access .................................................................................................... 40
Related resources............................................................................................................. 41
Summary........................................................................................................................ 41
Use attribute-based access control (ABAC) ................................................................................... 41
Tutorial overview.............................................................................................................. 41
Prerequisites.................................................................................................................... 42
Step 1: Create test users ................................................................................................... 43
Step 2: Create the ABAC policy .......................................................................................... 44
Step 3: Create roles .......................................................................................................... 46
Step 4: Test creating secrets .............................................................................................. 47
Step 5: Test viewing secrets ............................................................................................... 49
Step 6: Test scalability ...................................................................................................... 50
Step 7: Test updating and deleting secrets .......................................................................... 51
Summary........................................................................................................................ 52
Related resources............................................................................................................. 53
Use SAML session tags for ABAC ........................................................................................ 53
Permit users to manage their credentials and MFA settings ............................................................ 56
Prerequisites.................................................................................................................... 56
Step 1: Create a policy to enforce MFA sign-in ..................................................................... 57
Step 2: Attach policies to your test user group ..................................................................... 58
Step 3: Test your user's access ........................................................................................... 58
Related resources............................................................................................................. 59
Signing in to AWS............................................................................................................................ 60
Sign in as the root user ............................................................................................................ 60
Sign in as an IAM user.............................................................................................................. 61
Your AWS account ID and its alias .............................................................................................. 63
Finding your AWS account ID ............................................................................................. 63
About account aliases ....................................................................................................... 64
Creating, deleting, and listing an AWS account alias .............................................................. 64
AWS sign-in issues.................................................................................................................... 65
My credentials aren't working ............................................................................................ 66
I need my AWS account ID or AWS account alias .................................................................. 67
I forgot my IAM user name or password .............................................................................. 67
I forgot the root user password for my AWS account ............................................................ 67
I don't have access to the email for my AWS account ............................................................ 67
I need to change the credit card for my AWS account ........................................................... 67
I need to report fraudulent AWS account activity ................................................................. 67
I need to close my AWS account ........................................................................................ 68
Identities......................................................................................................................................... 69
AWS account root user .............................................................................................................. 69
IAM users................................................................................................................................ 70
IAM user groups ....................................................................................................................... 70
IAM roles................................................................................................................................. 70
Temporary credentials in IAM .................................................................................................... 71
When to use IAM Identity Center users? ...................................................................................... 71
When to create an IAM user (instead of a role) ............................................................................ 71
When to create an IAM role (instead of a user) ............................................................................ 72
Users...................................................................................................................................... 73
How AWS identifies an IAM user ........................................................................................ 73
IAM users and credentials .................................................................................................. 73
IAM users and permissions................................................................................................ 74
IAM users and accounts ..................................................................................................... 75
IAM users as service accounts ............................................................................................ 75
Adding a user .................................................................................................................. 75
Controlling user access to the console ................................................................................ 80
How IAM users sign in to AWS ........................................................................................... 81
Managing users................................................................................................................ 83
Changing permissions for a user........................................................................................ 88
Managing passwords......................................................................................................... 92
Access keys.................................................................................................................... 103
Retrieving lost passwords or access keys ............................................................................ 112
Multi-factor authentication (MFA) ..................................................................................... 113
Finding unused credentials .............................................................................................. 155
Getting credential reports ................................................................................................ 157
Using IAM with CodeCommit........................................................................................... 161
Using IAM with Amazon Keyspaces ................................................................................... 163
Managing server certificates ............................................................................................ 164
User groups........................................................................................................................... 169
Creating user groups ....................................................................................................... 170
Managing user groups ..................................................................................................... 171
Roles..................................................................................................................................... 176
Terms and concepts ........................................................................................................ 177
Common scenarios.......................................................................................................... 180
Identity providers and federation ..................................................................................... 191
Service-linked roles......................................................................................................... 235
Creating roles................................................................................................................ 243
Using roles.................................................................................................................... 267
Managing roles.............................................................................................................. 294
Roles vs. resource-based policies ...................................................................................... 309
Tagging IAM resources ............................................................................................................ 312
Choose an AWS tag naming convention ............................................................................ 312
Rules for tagging in IAM and AWS STS .............................................................................. 313
Tagging IAM users .......................................................................................................... 315
Tagging IAM roles ........................................................................................................... 317
Tagging customer managed policies ................................................................................. 319
Tagging IAM identity providers ......................................................................................... 321
Tagging instance profiles ................................................................................................. 325
Tagging server certificates ............................................................................................... 327
Tagging virtual MFA devices ............................................................................................. 328
Session tags................................................................................................................... 330
Temporary security credentials ................................................................................................. 339
AWS STS and AWS regions .............................................................................................. 339
Common scenarios for temporary credentials ..................................................................... 339
Requesting temporary security credentials ......................................................................... 341
Using temporary credentials with AWS resources ................................................................ 351
Controlling permissions for temporary security credentials ................................................... 354
Managing AWS STS in an AWS Region .............................................................................. 373
Using AWS STS interface VPC endpoints ........................................................................... 377
Using bearer tokens ........................................................................................................ 379
Sample applications that use temporary credentials ............................................................ 379
Additional resources for temporary credentials ................................................................... 380
AWS account root user ............................................................................................................ 380
Create or delete an AWS account ..................................................................................... 381
Enable MFA on the AWS account root user ........................................................................ 381
Creating access keys for the root user ............................................................................... 382
Deleting access keys for the root user ............................................................................... 382
Changing the password for the root user ........................................................................... 383
Securing the credentials for the root user .......................................................................... 383
Transferring the root user owner ...................................................................................... 383
Log events with CloudTrail ...................................................................................................... 383
IAM and AWS STS information in CloudTrail ...................................................................... 384
Logging IAM and AWS STS API requests ............................................................................ 384
Logging API requests to other AWS services ....................................................................... 384
Logging Regional sign-in events ....................................................................................... 385
Logging user sign-in events ............................................................................................. 387
Logging sign-in events for temporary credentials ............................................................... 387
Example IAM API events in CloudTrail log .......................................................................... 388
Example AWS STS API events in CloudTrail log ................................................................... 389
Example sign-in events in CloudTrail log ........................................................................... 395
Access management........................................................................................................................ 398
Access management resources ................................................................................................. 399
Policies and permissions .......................................................................................................... 399
Policy types................................................................................................................... 399
Policies and the root user ................................................................................................ 404
Overview of JSON policies ............................................................................................... 404
Grant least privilege....................................................................................................... 407
Managed policies and inline policies................................................................................. 408
Permissions boundaries................................................................................................... 416
Identity vs resource ........................................................................................................ 425
Controlling access using policies ....................................................................................... 428
Control access to IAM users and roles using tags ................................................................ 436
Control access to AWS resources using tags ....................................................................... 437
Example policies............................................................................................................. 440
Managing IAM policies............................................................................................................ 492
Creating IAM policies ...................................................................................................... 493
Validating policies.......................................................................................................... 499
Generating policies......................................................................................................... 500
Testing IAM policies ........................................................................................................ 500
Add or remove identity permissions .................................................................................. 509
Versioning IAM policies ................................................................................................... 517
Editing IAM policies ........................................................................................................ 520
Deleting IAM policies...................................................................................................... 524
Refining permissions using access information ................................................................... 527
Understanding policies............................................................................................................ 545
Policy summary (list of services) ....................................................................................... 546
Service summary (list of actions) ...................................................................................... 556
Action summary (list of resources) .................................................................................... 561
Example policy summaries ............................................................................................... 564
Permissions required............................................................................................................... 572
Permissions for administering IAM identities ...................................................................... 572
Permissions for working in the AWS Management Console ................................................... 573
Granting permissions across AWS accounts ........................................................................ 573
Permissions for one service to access another .................................................................... 574
Required actions............................................................................................................. 574
Example policies for IAM................................................................................................. 575
Code examples............................................................................................................................... 578
IAM examples........................................................................................................................ 579
Actions.......................................................................................................................... 582
Scenarios....................................................................................................................... 746
Cross-service examples.................................................................................................... 827
AWS STS examples ................................................................................................................. 828
Actions.......................................................................................................................... 829
Scenarios....................................................................................................................... 835
Security......................................................................................................................................... 846
Data protection...................................................................................................................... 846
Data encryption in IAM and AWS STS ............................................................................... 847
Key management in IAM and AWS STS ............................................................................. 847
Internetwork traffic privacy in IAM and AWS STS ................................................................ 847
Logging and monitoring.......................................................................................................... 848
Compliance validation............................................................................................................. 848
Resilience.............................................................................................................................. 849
Best practices for IAM resilience ....................................................................................... 850
Infrastructure security............................................................................................................. 850
Configuration and vulnerability analysis .................................................................................... 851
Security best practices and use cases ........................................................................................ 851
Security best practices .................................................................................................... 851
Business use cases.......................................................................................................... 856
AWS managed policies ............................................................................................................ 859
IAMReadOnlyAccess........................................................................................................ 859
IAMUserChangePassword ................................................................................................. 859
IAMAccessAnalyzerFullAccess............................................................................................ 860
IAMAccessAnalyzerReadOnlyAccess................................................................................... 861
AccessAnalyzerServiceRolePolicy....................................................................................... 861
.................................................................................................................................... 863
Policy updates................................................................................................................ 863
IAM Access Analyzer ....................................................................................................................... 865
Identifying resources shared with an external entity .................................................................... 865
Validating policies.................................................................................................................. 866
Generating policies................................................................................................................. 866
Findings for public and cross-account access .............................................................................. 866
How IAM Access Analyzer findings work ............................................................................ 867
Getting started with IAM Access Analyzer findings .............................................................. 868
Working with findings ..................................................................................................... 870
Reviewing findings.......................................................................................................... 870
Filtering findings............................................................................................................ 872
Archiving findings........................................................................................................... 874
Resolving findings.......................................................................................................... 874
Supported resource types ................................................................................................ 875
Settings......................................................................................................................... 879
Archive rules.................................................................................................................. 880
Monitoring with EventBridge ............................................................................................ 881
Security Hub integration ................................................................................................. 886
Logging with CloudTrail .................................................................................................. 889
IAM Access Analyzer filter keys ......................................................................................... 891
Using service-linked roles ................................................................................................ 894
Preview access....................................................................................................................... 896
Previewing access in Amazon S3 console ........................................................................... 896
Previewing access with IAM Access Analyzer APIs ................................................................ 897
IAM Access Analyzer policy validation ....................................................................................... 899
Validating policies in IAM (console) ................................................................................... 899
Validating policies using Access Analyzer (AWS CLI or AWS API) ............................................ 900
Policy check reference ..................................................................................................... 901
IAM Access Analyzer policy generation ...................................................................................... 975
How policy generation works ........................................................................................... 975
Service and action-level information ................................................................................. 976
Things to know .............................................................................................................. 976
Permissions required....................................................................................................... 976
Generate a policy based on CloudTrail activity (console) ...................................................... 978
Generate a policy using AWS CloudTrail data in another account ........................................... 981
Generate a policy based on CloudTrail activity (AWS CLI) ..................................................... 983
Generate a policy based on CloudTrail activity (AWS API) ..................................................... 983
IAM Access Analyzer policy generation and action last accessed support ................................ 984
IAM Access Analyzer quotas ..................................................................................................... 990
Troubleshooting IAM ....................................................................................................................... 992
General issues........................................................................................................................ 992
I can't sign in to my AWS account .................................................................................... 992
I lost my access keys ....................................................................................................... 992
I get "access denied" when I make a request to an AWS service ............................................. 993
I get "access denied" when I make a request with temporary security credentials ..................... 994
Policy variables aren't working ......................................................................................... 995
Changes that I make are not always immediately visible ...................................................... 995
I am not authorized to perform: iam:DeleteVirtualMFADevice ............................................... 995
How do I securely create IAM users? ................................................................................. 996
Additional resources........................................................................................................ 996
Access denied error messages .................................................................................................. 997
Access denied examples .................................................................................................. 997
IAM policies........................................................................................................................... 999
Troubleshoot using the visual editor ............................................................................... 1000
Troubleshoot using policy summaries.............................................................................. 1003
Troubleshoot policy management................................................................................... 1009
Troubleshoot JSON policy documents............................................................................. 1010
FIDO security keys ................................................................................................................ 1014
I can't enable my FIDO security key ................................................................................ 1014
I can't sign in using my FIDO security key ........................................................................ 1015
I lost or broke my FIDO security key ............................................................................... 1015
Other issues................................................................................................................. 1015
IAM roles............................................................................................................................. 1015
I can't assume a role..................................................................................................... 1015
A new role appeared in my AWS account ......................................................................... 1017
I can't edit or delete a role in my AWS account ................................................................. 1017
I'm not authorized to perform: iam:PassRole .................................................................... 1017
Why can't I assume a role with a 12-hour session? (AWS CLI, AWS API) ................................. 1018
I receive an error when I try to switch roles in the IAM console ........................................... 1018
My role has a policy that allows me to perform an action, but I get "access denied" ................ 1018
The service did not create the role's default policy version ................................................. 1019
There is no use case for a service role in the console ......................................................... 1020
IAM and Amazon EC2 ............................................................................................................ 1020
When attempting to launch an instance, I don't see the role I expected to see in the Amazon EC2 console IAM Role list ................................................ 1021
The credentials on my instance are for the wrong role ....................................................... 1021
When I attempt to call the AddRoleToInstanceProfile, I get an AccessDenied error...... 1021
Amazon EC2: When I attempt to launch an instance with a role, I get an AccessDenied error. 1022
I can't access the temporary security credentials on my EC2 instance ................................... 1022
What do the errors from the info document in the IAM subtree mean? ............................... 1023
IAM and Amazon S3 ............................................................................................................. 1023
How do I grant anonymous access to an Amazon S3 bucket? .............................................. 1024
I'm signed in as an AWS account root user; why can't I access an Amazon S3 bucket under my account? .................................................................. 1024
SAML 2.0 federation............................................................................................................. 1024
Invalid SAML response................................................................................................... 1025
RoleSessionName is required .......................................................................................... 1025
Not authorized for AssumeRoleWithSAML........................................................................ 1025
Invalid RoleSessionName characters ................................................................................ 1026
Invalid Source Identity characters ................................................................................... 1026
Invalid response signature ............................................................................................. 1026
Failed to assume role .................................................................................................... 1027
Could not parse metadata............................................................................................. 1027
Could not parse metadata............................................................................................. 1027
DurationSeconds exceeds MaxSessionDuration .................................................................. 1027
Viewing a SAML response in your browser ....................................................................... 1027
Reference..................................................................................................................................... 1030
IAM identifiers...................................................................................................................... 1030
Friendly names and paths .............................................................................................. 1030
IAM ARNs.................................................................................................................... 1031
Unique identifiers......................................................................................................... 1035
Quotas, name requirements, and character limits ...................................................................... 1037
IAM name requirements ................................................................................................ 1037
IAM object quotas......................................................................................................... 1038
IAM Access Analyzer quotas ........................................................................................... 1040
IAM and STS character limits......................................................................................... 1040
Services that work with IAM ................................................................................................... 1042
Compute...................................................................................................................... 1043
Containers................................................................................................................... 1044
Storage....................................................................................................................... 1045
Database..................................................................................................................... 1046
Developer tools............................................................................................................ 1047
Security, identity, & compliance...................................................................................... 1048
Cryptography & PKI...................................................................................................... 1050
Machine learning.......................................................................................................... 1050
Management and governance......................................................................................... 1051
Migration & transfer..................................................................................................... 1054
Mobile......................................................................................................................... 1055
Networking & content delivery....................................................................................... 1055
Media.......................................................................................................................... 1057
Analytics...................................................................................................................... 1057
Application integration.................................................................................................. 1059
Business applications..................................................................................................... 1059
Satellite....................................................................................................................... 1060
Internet of Things......................................................................................................... 1060
Robotics...................................................................................................................... 1061
Quantum Computing.................................................................................................... 1061
Blockchain................................................................................................................... 1061
Game development....................................................................................................... 1061
AR & VR...................................................................................................................... 1061
Customer enablement................................................................................................... 1062
Customer engagement.................................................................................................. 1062
End user computing...................................................................................................... 1063
Billing and cost management ......................................................................................... 1063
Additional resources...................................................................................................... 1064
Policy reference.................................................................................................................... 1064
JSON element reference ................................................................................................ 1065
Policy evaluation logic................................................................................................... 1108
Policy grammar............................................................................................................ 1124
AWS managed policies for job functions .......................................................................... 1129
Global condition keys.................................................................................................... 1139
IAM condition keys ........................................................................................................ 1164
Actions, resources, and condition keys ............................................................................. 1177
Resources..................................................................................................................................... 1178
Identities............................................................................................................................. 1178
Credentials (passwords, access keys, and MFA devices) ............................................................... 1178
Permissions and policies ........................................................................................................ 1178
Federation and delegation ..................................................................................................... 1179
IAM and other AWS products ................................................................................................. 1179
Using IAM with Amazon EC2 .......................................................................................... 1179
Using IAM with Amazon S3 ............................................................................................ 1179
Using IAM with Amazon RDS .......................................................................................... 1180
Using IAM with Amazon DynamoDB................................................................................ 1180
General security practices ...................................................................................................... 1180
General resources................................................................................................................. 1180
Making HTTP query requests ......................................................................................................... 1182
Endpoints............................................................................................................................ 1182
HTTPS required.................................................................................................................... 1183
Signing IAM API requests ....................................................................................................... 1183
Document history......................................................................................................................... 1184
Description: May 8, 2010. Creating an Administrators Group Using the CLI or API . 55. Adding and Removing Users in a Group (CLI and API) .