AWS Identity and Access Management: User Guide

Copyright © 2022 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is IAM? .... 1
    Video introduction to IAM .... 1
    IAM features .... 1
    Accessing IAM .... 2
    How IAM works .... 3
        Terms .... 4
        Principal .... 5
        Request .... 5
        Authentication .... 5
        Authorization .... 5
        Actions or operations .... 6
        Resources .... 6
    Users in AWS .... 7
        First-time access only: Your root user credentials .... 7
        IAM users .... 7
        Federating existing users .... 10
    Permissions and policies in IAM .... 11
        Policies and accounts .... 11
        Policies and users .... 11
        Policies and groups .... 11
        Federated users and roles .... 12
        Identity-based and resource-based policies .... 12
    What is ABAC? .... 13
        Comparing ABAC to the traditional RBAC model .... 13
    Security features outside IAM .... 14
    Quick links to common tasks .... 15
    Working with AWS SDKs .... 16

Getting set up .... 18
    Access control methods .... 18
    Sign up for an AWS account .... 20
    Create an administrative user .... 21

Getting started .... 22
    How IAM users sign in .... 22
        Permissions required for console activities .... 23
        Logging sign-in details in CloudTrail .... 23
    IAM console search .... 24
        Using IAM console search .... 24
        Icons in the IAM console search results .... 24
        Sample search phrases .... 25

Tutorials .... 26
    Delegate access to the billing console .... 26
        Prerequisites .... 27
        Step 1: Activate access to billing data on your AWS test account .... 27
        Step 2: Create IAM policies that grant permissions to billing data .... 27
        Step 3: Attach billing policies to your user groups .... 28
        Step 4: Test access to the billing console .... 29
        Related resources .... 29
        Summary .... 30
    Delegate access across AWS accounts using roles .... 30
        Prerequisites .... 31
        Step 1: Create a role in the Production Account .... 31
        Step 2: Grant access to the role .... 34
        Step 3: Test access by switching roles .... 35
        Related resources .... 38
        Summary .... 38
    Create a customer managed policy .... 39
        Prerequisites .... 39
        Step 1: Create the policy .... 39
        Step 2: Attach the policy .... 40
        Step 3: Test user access .... 40
        Related resources .... 41
        Summary .... 41
    Use attribute-based access control (ABAC) .... 41
        Tutorial overview .... 41
        Prerequisites .... 42
        Step 1: Create test users .... 43
        Step 2: Create the ABAC policy .... 44
        Step 3: Create roles .... 46
        Step 4: Test creating secrets .... 47
        Step 5: Test viewing secrets .... 49
        Step 6: Test scalability .... 50
        Step 7: Test updating and deleting secrets .... 51
        Summary .... 52
        Related resources .... 53
        Use SAML session tags for ABAC .... 53
    Permit users to manage their credentials and MFA settings .... 56
        Prerequisites .... 56
        Step 1: Create a policy to enforce MFA sign-in .... 57
        Step 2: Attach policies to your test user group .... 58
        Step 3: Test your user's access .... 58
        Related resources .... 59

Signing in to AWS .... 60
    Sign in as the root user .... 60
    Sign in as an IAM user .... 61
    Your AWS account ID and its alias .... 63
        Finding your AWS account ID .... 63
        About account aliases .... 64
        Creating, deleting, and listing an AWS account alias .... 64
    AWS sign-in issues .... 65
        My credentials aren't working .... 66
        I need my AWS account ID or AWS account alias .... 67
        I forgot my IAM user name or password .... 67
        I forgot the root user password for my AWS account .... 67
        I don't have access to the email for my AWS account .... 67
        I need to change the credit card for my AWS account .... 67
        I need to report fraudulent AWS account activity .... 67
        I need to close my AWS account .... 68

Identities .... 69
    AWS account root user .... 69
    IAM users .... 70
    IAM user groups .... 70
    IAM roles .... 70
    Temporary credentials in IAM .... 71
    When to use IAM Identity Center users? .... 71
    When to create an IAM user (instead of a role) .... 71
    When to create an IAM role (instead of a user) .... 72
    Users .... 73
        How AWS identifies an IAM user .... 73
        IAM users and credentials .... 73
        IAM users and permissions .... 74
        IAM users and accounts .... 75
        IAM users as service accounts .... 75
        Adding a user .... 75
        Controlling user access to the console .... 80
        How IAM users sign in to AWS .... 81
        Managing users .... 83
        Changing permissions for a user .... 88
        Managing passwords .... 92
        Access keys .... 103
        Retrieving lost passwords or access keys .... 112
        Multi-factor authentication (MFA) .... 113
        Finding unused credentials .... 155
        Getting credential reports .... 157
        Using IAM with CodeCommit .... 161
        Using IAM with Amazon Keyspaces .... 163
        Managing server certificates .... 164
    User groups .... 169
        Creating user groups .... 170
        Managing user groups .... 171
    Roles .... 176
        Terms and concepts .... 177
        Common scenarios .... 180
        Identity providers and federation .... 191
        Service-linked roles .... 235
        Creating roles .... 243
        Using roles .... 267
        Managing roles .... 294
        Roles vs. resource-based policies .... 309
    Tagging IAM resources .... 312
        Choose an AWS tag naming convention .... 312
        Rules for tagging in IAM and AWS STS .... 313
        Tagging IAM users .... 315
        Tagging IAM roles .... 317
        Tagging customer managed policies .... 319
        Tagging IAM identity providers .... 321
        Tagging instance profiles .... 325
        Tagging server certificates .... 327
        Tagging virtual MFA devices .... 328
        Session tags .... 330
    Temporary security credentials .... 339
        AWS STS and AWS regions .... 339
        Common scenarios for temporary credentials .... 339
        Requesting temporary security credentials .... 341
        Using temporary credentials with AWS resources .... 351
        Controlling permissions for temporary security credentials .... 354
        Managing AWS STS in an AWS Region .... 373
        Using AWS STS interface VPC endpoints .... 377
        Using bearer tokens .... 379
        Sample applications that use temporary credentials .... 379
        Additional resources for temporary credentials .... 380
    AWS account root user .... 380
        Create or delete an AWS account .... 381
        Enable MFA on the AWS account root user .... 381
        Creating access keys for the root user .... 382
        Deleting access keys for the root user .... 382
        Changing the password for the root user .... 383
        Securing the credentials for the root user .... 383
        Transferring the root user owner .... 383
    Log events with CloudTrail .... 383
        IAM and AWS STS information in CloudTrail .... 384
        Logging IAM and AWS STS API requests .... 384
        Logging API requests to other AWS services .... 384
        Logging Regional sign-in events .... 385
        Logging user sign-in events .... 387
        Logging sign-in events for temporary credentials .... 387
        Example IAM API events in CloudTrail log .... 388
        Example AWS STS API events in CloudTrail log .... 389
        Example sign-in events in CloudTrail log .... 395

Access management .... 398
    Access management resources .... 399
    Policies and permissions .... 399
        Policy types .... 399
        Policies and the root user .... 404
        Overview of JSON policies .... 404
        Grant least privilege .... 407
        Managed policies and inline policies .... 408
        Permissions boundaries .... 416
        Identity vs resource .... 425
        Controlling access using policies .... 428
        Control access to IAM users and roles using tags .... 436
        Control access to AWS resources using tags .... 437
        Example policies .... 440
    Managing IAM policies .... 492
        Creating IAM policies .... 493
        Validating policies .... 499
        Generating policies .... 500
        Testing IAM policies .... 500
        Add or remove identity permissions .... 509
        Versioning IAM policies .... 517
        Editing IAM policies .... 520
        Deleting IAM policies .... 524
        Refining permissions using access information .... 527
    Understanding policies .... 545
        Policy summary (list of services) .... 546
        Service summary (list of actions) .... 556
        Action summary (list of resources) .... 561
        Example policy summaries .... 564
    Permissions required .... 572
        Permissions for administering IAM identities .... 572
        Permissions for working in the AWS Management Console .... 573
        Granting permissions across AWS accounts .... 573
        Permissions for one service to access another .... 574
        Required actions .... 574
        Example policies for IAM .... 575

Code examples .... 578
    IAM examples .... 579
        Actions .... 582
        Scenarios .... 746
        Cross-service examples .... 827
    AWS STS examples .... 828
        Actions .... 829
        Scenarios .... 835

Security .... 846
    Data protection .... 846
        Data encryption in IAM and AWS STS .... 847
        Key management in IAM and AWS STS .... 847
        Internetwork traffic privacy in IAM and AWS STS .... 847
    Logging and monitoring .... 848
    Compliance validation .... 848
    Resilience .... 849
        Best practices for IAM resilience .... 850
    Infrastructure security .... 850
    Configuration and vulnerability analysis .... 851
    Security best practices and use cases .... 851
        Security best practices .... 851
        Business use cases .... 856
    AWS managed policies .... 859
        IAMReadOnlyAccess .... 859
        IAMUserChangePassword .... 859
        IAMAccessAnalyzerFullAccess .... 860
        IAMAccessAnalyzerReadOnlyAccess .... 861
        AccessAnalyzerServiceRolePolicy .... 861
        (untitled entry) .... 863
        Policy updates .... 863

IAM Access Analyzer .... 865
    Identifying resources shared with an external entity .... 865
    Validating policies .... 866
    Generating policies .... 866
    Findings for public and cross-account access .... 866
        How IAM Access Analyzer findings work .... 867
        Getting started with IAM Access Analyzer findings .... 868
        Working with findings .... 870
        Reviewing findings .... 870
        Filtering findings .... 872
        Archiving findings .... 874
        Resolving findings .... 874
        Supported resource types .... 875
        Settings .... 879
        Archive rules .... 880
        Monitoring with EventBridge .... 881
        Security Hub integration .... 886
        Logging with CloudTrail .... 889
        IAM Access Analyzer filter keys .... 891
        Using service-linked roles .... 894
    Preview access .... 896
        Previewing access in Amazon S3 console .... 896
        Previewing access with IAM Access Analyzer APIs .... 897
    IAM Access Analyzer policy validation .... 899
        Validating policies in IAM (console) .... 899
        Validating policies using Access Analyzer (AWS CLI or AWS API) .... 900
        Policy check reference .... 901
    IAM Access Analyzer policy generation .... 975
        How policy generation works .... 975
        Service and action-level information .... 976
        Things to know .... 976
        Permissions required .... 976
        Generate a policy based on CloudTrail activity (console) .... 978
        Generate a policy using AWS CloudTrail data in another account .... 981
        Generate a policy based on CloudTrail activity (AWS CLI)
983 Generate a policy based on CloudTrail activity (AWS API) ..................................................... 983 IAM Access Analyzer policy generation and action last accessed support ................................ 984 IAM Access Analyzer quotas ..................................................................................................... 990 vii AWS Identity and Access Management User Guide Troubleshooting IAM ....................................................................................................................... 992 General issues........................................................................................................................ 992 I can't sign in to my AWS account .................................................................................... 992 I lost my access keys ....................................................................................................... 992 I get "access denied" when I make a request to an AWS service ............................................. 993 I get "access denied" when I make a request with temporary security credentials ..................... 994 Policy variables aren't working ......................................................................................... 995 Changes that I make are not always immediately visible ...................................................... 995 I am not authorized to perform: iam:DeleteVirtualMFADevice ............................................... 995 How do I securely create IAM users? ................................................................................. 996 Additional resources........................................................................................................ 996 Access denied error messages .................................................................................................. 
997 Access denied examples .................................................................................................. 997 IAM policies........................................................................................................................... 999 Troubleshoot using the visual editor ............................................................................... 1000 Troubleshoot using policy summaries.............................................................................. 1003 Troubleshoot policy management................................................................................... 1009 Troubleshoot JSON policy documents............................................................................. 1010 FIDO security keys ................................................................................................................ 1014 I can't enable my FIDO security key ................................................................................ 1014 I can't sign in using my FIDO security key ........................................................................ 1015 I lost or broke my FIDO security key ............................................................................... 1015 Other issues................................................................................................................. 1015 IAM roles............................................................................................................................. 1015 I can't assume a role..................................................................................................... 1015 A new role appeared in my AWS account ......................................................................... 1017 I can't edit or delete a role in my AWS account ................................................................. 1017 I'm not authorized to perform: iam:PassRole .................................................................... 
1017 Why can't I assume a role with a 12-hour session? (AWS CLI, AWS API) ................................. 1018 I receive an error when I try to switch roles in the IAM console ........................................... 1018 My role has a policy that allows me to perform an action, but I get "access denied" ................ 1018 The service did not create the role's default policy version ................................................. 1019 There is no use case for a service role in the console ......................................................... 1020 IAM and Amazon EC2 ............................................................................................................ 1020 When attempting to launch an instance, I don't see the role I expected to see in the Amazon EC2 console IAM Role list.............................................................................................. 1021 The credentials on my instance are for the wrong role ....................................................... 1021 When I attempt to call the AddRoleToInstanceProfile, I get an AccessDenied error...... 1021 Amazon EC2: When I attempt to launch an instance with a role, I get an AccessDenied error. 1022 I can't access the temporary security credentials on my EC2 instance ................................... 1022 What do the errors from the info document in the IAM subtree mean? ............................... 1023 IAM and Amazon S3 ............................................................................................................. 1023 How do I grant anonymous access to an Amazon S3 bucket? .............................................. 1024 I'm signed in as an AWS account root user; why can't I access an Amazon S3 bucket under my account?...................................................................................................................... 
1024 SAML 2.0 federation............................................................................................................. 1024 Invalid SAML response................................................................................................... 1025 RoleSessionName is required .......................................................................................... 1025 Not authorized for AssumeRoleWithSAML........................................................................ 1025 Invalid RoleSessionName characters ................................................................................ 1026 Invalid Source Identity characters ................................................................................... 1026 Invalid response signature ............................................................................................. 1026 Failed to assume role .................................................................................................... 1027 Could not parse metadata............................................................................................. 1027 Could not parse metadata............................................................................................. 1027 DurationSeconds exceeds MaxSessionDuration .................................................................. 1027 Viewing a SAML response in your browser ....................................................................... 1027 viii AWS Identity and Access Management User Guide Reference..................................................................................................................................... 1030 IAM identifiers...................................................................................................................... 1030 Friendly names and paths .............................................................................................. 
1030 IAM ARNs.................................................................................................................... 1031 Unique identifiers......................................................................................................... 1035 Quotas, name requirements, and character limits ...................................................................... 1037 IAM name requirements ................................................................................................ 1037 IAM object quotas......................................................................................................... 1038 IAM Access Analyzer quotas ........................................................................................... 1040 IAM and STS character limits......................................................................................... 1040 Services that work with IAM ................................................................................................... 1042 Compute...................................................................................................................... 1043 Containers................................................................................................................... 1044 Storage....................................................................................................................... 1045 Database..................................................................................................................... 1046 Developer tools............................................................................................................ 1047 Security, identity, & compliance...................................................................................... 1048 Cryptography & PKI...................................................................................................... 
1050 Machine learning.......................................................................................................... 1050 Management and governance......................................................................................... 1051 Migration & transfer..................................................................................................... 1054 Mobile......................................................................................................................... 1055 Networking & content delivery....................................................................................... 1055 Media.......................................................................................................................... 1057 Analytics...................................................................................................................... 1057 Application integration.................................................................................................. 1059 Business applications..................................................................................................... 1059 Satellite....................................................................................................................... 1060 Internet of Things......................................................................................................... 1060 Robotics...................................................................................................................... 1061 Quantum Computing.................................................................................................... 1061 Blockchain................................................................................................................... 1061 Game development....................................................................................................... 
1061 AR & VR...................................................................................................................... 1061 Customer enablement................................................................................................... 1062 Customer engagement.................................................................................................. 1062 End user computing...................................................................................................... 1063 Billing and cost management ......................................................................................... 1063 Additional resources...................................................................................................... 1064 Policy reference.................................................................................................................... 1064 JSON element reference ................................................................................................ 1065 Policy evaluation logic................................................................................................... 1108 Policy grammar............................................................................................................ 1124 AWS managed policies for job functions .......................................................................... 1129 Global condition keys.................................................................................................... 1139 IAM condition keys ........................................................................................................ 1164 Actions, resources, and condition keys ............................................................................. 1177 Resources..................................................................................................................................... 
1178 Identities............................................................................................................................. 1178 Credentials (passwords, access keys, and MFA devices) ............................................................... 1178 Permissions and policies ........................................................................................................ 1178 Federation and delegation ..................................................................................................... 1179 IAM and other AWS products ................................................................................................. 1179 Using IAM with Amazon EC2 .......................................................................................... 1179 Using IAM with Amazon S3 ............................................................................................ 1179 Using IAM with Amazon RDS .......................................................................................... 1180 Using IAM with Amazon DynamoDB................................................................................ 1180 ix AWS Identity and Access Management User Guide General security practices ...................................................................................................... 1180 General resources................................................................................................................. 1180 Making HTTP query requests ......................................................................................................... 1182 Endpoints............................................................................................................................ 1182 HTTPS required.................................................................................................................... 
1183 Signing IAM API requests ....................................................................................................... 1183 Document history......................................................................................................................... 1184 x