AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
What Is IAM? - AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).
Table of contents
- AWS Identity and Access Management - User Guide PDF
- Resource-Level Permissions for EC2 and RDS Resources
- Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances
- Resource-level Permissions for EC2 - a four-step process that will show you how to use our new resource-level permissions feature along with IAM policies to help protect specific instances.
- How IAM Users Change Their Own Password
- Hardware Authentication Device - Amazon Web Services
- Using AWS IAM
- Getting Started with AWS Identity and Access Management (AWS May Webinar Series)
- Become an AWS IAM Policy Ninja in 60 Minutes or Less (AWS re:Invent 2016)
- IAM Best Practices (AWS re:Invent 2016)
All AWS accounts have root account credentials. These credentials allow full access to all resources in the account. Because you can't control the privileges of the root account credentials, you should store them in a safe place and instead use AWS Identity and Access Management (IAM) user credentials for day-to-day interaction with AWS.
When you use your account's root credentials, you can access all the resources in your AWS account. In contrast, when you create IAM users, IAM groups, or IAM roles, you must explicitly give permissions to these entities so that users can access your AWS resources.
An IAM user is an entity that you create in AWS that provides a way to interact with AWS. A primary use for IAM users is to give people you work with identities that they can use to sign in to the AWS Management Console and to make requests to AWS services.
A group is a collection of IAM users. Groups let you specify permissions for a collection of users, which can make it easier to manage the permissions for those users.
Permissions let you specify who has access to AWS resources, and what actions they can perform on those resources. Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys. To give a user permission to do something, you can add the permission to the user (that is, attach a policy to the user) or add the user to a group that has the desired permission.
- Policies and Permissions - You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
- Managing IAM Policies - IAM gives you the tools to create and manage all types of IAM policies (managed policies and inline policies).
- Overview of AWS IAM Policies - To assign permissions to a user, group, role, or resource, you create a policy, which is a document that explicitly lists permissions.
- The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources.
- Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
- IAM Policy Elements Reference - This section describes the elements that you can use in an IAM policy. The elements are listed here in the general order you use them in a policy. The order of the elements doesn't matter; for example, the Resource element can come before the Action element. You're not required to specify any Condition elements in the policy.
Controlling Access to Amazon EC2 Resources
Your security credentials identify you to services in AWS and grant you unlimited use of your AWS resources, such as your Amazon EC2 resources. You can use features of Amazon EC2 and AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your Amazon EC2 resources without sharing your security credentials. You can choose to allow full use or limited use of your Amazon EC2 resources.
- Setting an Account Password Policy for IAM Users - This topic describes how you can set a password policy for your account that lets you specify password complexity for IAM users. You can specify that passwords for IAM users in your account must be of a certain minimum length, must include certain characters, and so on. The password policy also lets you specify whether all IAM users can change their own passwords.
- AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password (the first factor – what they know), as well as for an authentication code from their AWS MFA device (the second factor – what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.
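As an added example (not from the page or from AWS), the following Python models the evaluation rules described above for a policy that combines the Effect/Action/Resource/Condition elements, resource-level EC2 permissions on one instance, and an MFA condition: an identity starts with no permissions, an Allow must match on action, resource and any condition, and an explicit Deny always wins. The account id and instance id are constructed placeholders, and only the Bool condition operator is modelled.

```python
"""Simplified IAM policy evaluation: default deny, explicit Deny wins.
Constructed illustration (not AWS code); account and instance ids are placeholders.
Not modelled: NotAction, NotResource, policy variables, non-Bool condition operators."""
import fnmatch

INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"

# Identity-based policy using the Effect/Action/Resource/Condition elements.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyEverywhere", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "ManageOneInstanceWithMfa", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": INSTANCE_ARN,
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "NeverTerminate", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

def _matches(patterns, value, fold_case):
    # IAM wildcards (* and ?) map onto fnmatch. Action names are case-insensitive;
    # ARNs are compared as written.
    pats = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, context):
    # A missing context key counts as "false" (the key is absent when no MFA was used).
    for key, expected in condition.get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(expected).lower():
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Return True only if some Allow statement matches and no Deny statement does."""
    context = context or {}
    allowed = False  # every IAM user starts with no permissions
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)
                and _condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return False  # an explicit deny overrides every allow
            allowed = True
    return allowed
```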