AWS Identity and Access Management
User Guide
AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

IAM Best Practices

To help secure your AWS resources, follow these recommendations for the AWS Identity and Access Management (IAM) service.

Use AWS Defined Policies to Assign Permissions Whenever Possible

We recommend that you use the managed policies that are created and maintained by AWS to grant permissions whenever possible. A key advantage of using these policies is that they are maintained and updated by AWS as new services or new APIs are introduced.

AWS managed policies are designed to support common tasks. They typically provide access to a single service or a limited set of actions. For more information about AWS managed policies, see AWS Managed Policies.

AWS managed policies for job functions can span multiple services and align with common job functions in the IT industry. For a list and descriptions of job function policies, see AWS Managed Policies for Job Functions.

Use Groups to Assign Permissions to IAM Users

Instead of defining permissions for individual IAM users, it's usually more convenient to create groups that relate to job functions (administrators, developers, accounting, etc.). Next, define the relevant permissions for each group. Finally, assign IAM users to those groups. All the users in an IAM group inherit the permissions assigned to the group. That way, you can make changes for everyone in a group in just one place. As people move around in your company, you can simply change what IAM group their IAM user belongs to.

Grant Least Privilege

When you create IAM policies, follow the standard security advice of granting least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks.

Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.

Defining the right set of permissions requires some research. Determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions. To use access levels to help determine which permissions are required, see Use Access Levels to Review IAM Permissions.

One feature that can help with this is the Access Advisor tab. This tab is available on the IAM console details page whenever you inspect a user, group, role, or policy. The tab includes information about which services are actually used by a user, group, role, or by anyone that uses a policy. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. For more information, see Service Last Accessed Data.

Use Access Levels to Review IAM Permissions

To improve the security of your AWS account, you should regularly review and monitor each of your IAM policies. Make sure that your policies grant the least privilege that is needed to perform only the necessary actions.

When you review a policy, you can view the policy summary that includes a summary of the access level for each service within that policy. AWS categorizes each service action into one of four access levels based on what each action does: List, Read, Write, or Permissions management. You can use these access levels to determine which actions to include in your policies.

For example, in the Amazon S3 service, you might want to allow a large group of users to access List and Read actions. Such actions permit those users to list the buckets and get objects in Amazon S3. However, you should allow only a small group of users to access the Amazon S3 Write actions to delete buckets or put objects into an S3 bucket. Additionally, you should restrict permissions to allow only administrators to access the Amazon S3 Permissions management actions. This ensures that only a limited number of people can manage bucket policies in Amazon S3. This is especially important for Permissions management actions in IAM and AWS Organizations services.

Before you create or edit policies based on these access levels, review the definitions for each access level. Make sure that the actions you want are categorized the way you expect. To learn about each AWS access level and to view a list of actions that belong to each access level for a specific service, see IAM Policy Actions Grouped by Access Level.

To see the access levels for a policy, you must first locate the policy's summary. The policy summary is included on the Policies page for managed policies, and on the Users page for policies that are attached to a user. For more information, see Policy Summary (List of Services).

Within a policy summary, the Access level column shows that the policy provides Full or Limited access to one or more of the four AWS access levels for the service. Alternatively, it might show that the policy provides Full access to all the actions within the service. You can use the information within this Access level column to understand the level of access that the policy provides. You can then take action to make your AWS account more secure. For details and examples of the access level summary, see Understanding Access Level Summaries Within Policy Summaries.
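The following is an added example, not code from the AWS guide, that reproduces the kind of Full/Limited access level summary described above for the Grant Least Privilege and access level sections. It uses a hand-built table of a few Amazon S3 actions (an assumption of this example; the authoritative mapping is the IAM Policy Actions Grouped by Access Level reference) and two constructed policies.

```python
from fnmatch import fnmatchcase

# Added example (not from the AWS guide): a hand-built table of a few Amazon S3
# actions with their AWS access levels; only these actions are covered.
S3_ACCESS_LEVELS = {
    "s3:ListAllMyBuckets": "List",
    "s3:ListBucket": "List",
    "s3:GetObject": "Read",
    "s3:GetBucketLocation": "Read",
    "s3:PutObject": "Write",
    "s3:DeleteObject": "Write",
    "s3:DeleteBucket": "Write",
    "s3:PutBucketPolicy": "Permissions management",
    "s3:PutObjectAcl": "Permissions management",
}

def granted_actions(policy, table=S3_ACCESS_LEVELS):
    """Expand each Allow statement's Action patterns against the table.
    IAM matches action names case-insensitively; Deny, Resource and
    Condition elements are ignored in this simplified view."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        for pat in (patterns if isinstance(patterns, list) else [patterns]):
            granted.update(a for a in table if fnmatchcase(a.lower(), pat.lower()))
    return granted

def summarize_access_levels(policy, table=S3_ACCESS_LEVELS):
    """Like the console policy summary: per level, Full when every tabled
    action is granted, Limited when only some are; untouched levels omitted."""
    granted = granted_actions(policy, table)
    summary = {}
    for level in sorted(set(table.values())):
        actions = {a for a, lvl in table.items() if lvl == level}
        hit = actions & granted
        if hit:
            summary[level] = "Full" if hit == actions else "Limited"
    return summary

def excess_levels(policy, needed, table=S3_ACCESS_LEVELS):
    """Least-privilege check: levels the policy grants beyond those needed."""
    return sorted(l for l in summarize_access_levels(policy, table) if l not in needed)

# Constructed policies: read-only for a large group, and an over-broad one.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:Get*"], "Resource": "*"}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
```

Running excess_levels(BROAD_POLICY, {"List", "Read"}) reports Write and Permissions management as levels the read-only group should not have.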

Configure a Strong Password Policy for Your Users

If you allow users to change their own passwords, require that they create strong passwords and that they rotate their passwords periodically. On the Account Settings page of the IAM console, you can create a password policy for your account. You can use the password policy to define password requirements, such as minimum length, whether it requires non-alphabetic characters, how frequently it must be rotated, and so on.

For more information, see Setting an Account Password Policy for IAM Users.

Use Roles for Applications That Run on Amazon EC2 Instances

Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions, but that isn't a user or group. Roles also don't have their own permanent set of credentials the way IAM users do. In the case of Amazon EC2, IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated for you.

When you launch an EC2 instance, you can specify a role for the instance as a launch parameter. Applications that run on the EC2 instance can use the role's credentials when they access AWS resources. The role's permissions determine what the application is allowed to do.

For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.

Delegate by Using Roles Instead of by Sharing Credentials

You might need to allow users from another AWS account to access resources in your AWS account. If so, don't share security credentials, such as access keys, between accounts. Instead, use IAM roles. You can define a role that specifies which permissions the IAM users in the other account are allowed. You can also designate which AWS accounts have the IAM users that are allowed to assume the role.

For more information, see Roles Terms and Concepts.

Rotate Credentials Regularly

Change your own passwords and access keys regularly, and make sure that all IAM users in your account do as well. That way, if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources. You can apply a password policy to your account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.

For more information about setting a password policy in your account, see Setting an Account Password Policy for IAM Users.

For more information about rotating access keys for IAM users, see Rotating Access Keys.

Remove Unnecessary Credentials

Remove IAM user credentials (that is, passwords and access keys) that are not needed. For example, an IAM user that is used for an application does not need a password (passwords are necessary only to sign in to AWS websites). Similarly, if a user does not and will never use access keys, there's no reason for the user to have them. Passwords and access keys that have not been used recently might be good candidates for removal. You can find unused passwords or access keys using the console, using the API, or by downloading the credentials report.

For more information about finding IAM user credentials that have not been used recently, see Finding Unused Credentials.

For more information about deleting passwords for an IAM user, see Managing Passwords for IAM Users.

For more information about deactivating or deleting access keys for an IAM user, see Managing Access Keys for IAM Users.

For more information about IAM credential reports, see Getting Credential Reports for Your AWS Account.
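As an added example covering both the Rotate Credentials Regularly and Remove Unnecessary Credentials sections (this is not code from the AWS guide), the function below reads a credential report and flags passwords and access keys that were never used or not used recently, and active access keys that have not been rotated. The sample report, the account ID and user names are constructed, the trailing cert_* columns are omitted, and the 90-day thresholds are this example's assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the column layout of the IAM credential report (the
# trailing cert_* columns are omitted); account id and users are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
app-batch,arn:aws-cn:iam::111122223333:user/app-batch,2023-01-10T09:00:00+00:00,true,no_information,2023-01-10T09:00:00+00:00,N/A,false,true,2023-01-10T09:01:00+00:00,2024-05-30T08:12:00+00:00,cn-north-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws-cn:iam::111122223333:user/alice,2023-03-01T09:00:00+00:00,true,2024-05-28T14:00:00+00:00,2024-03-01T09:00:00+00:00,N/A,true,true,2023-03-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

def _age_days(value, now):
    """Days since an ISO 8601 timestamp in the report; None for N/A,
    no_information or not_supported, i.e. no usable date."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None

def find_stale_credentials(report_csv, now_iso, unused_days=90, rotate_days=90):
    """Return (user, finding) pairs for passwords and access keys that were
    never used or not used within unused_days, and active access keys not
    rotated within rotate_days. Thresholds are this example's assumptions."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            age = _age_days(row["password_last_used"], now)
            if age is None or age > unused_days:
                findings.append((user, "password unused: candidate for removal"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            used = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if used is None or used > unused_days:
                findings.append((user, f"access key {n} unused: candidate for deactivation"))
            rotated = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if rotated is None or rotated > rotate_days:
                findings.append((user, f"access key {n} not rotated in {rotate_days} days"))
    return findings
```

For a real account, feed the CSV returned by the credential report (console download or the GetCredentialReport API) into find_stale_credentials instead of SAMPLE_REPORT.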

Use Policy Conditions for Extra Security

To the extent that it's practical, define the conditions under which your IAM policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only within a specified date range or time range. You can also set conditions that require the use of SSL.

For more information, see Condition in the IAM Policy Elements Reference.
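The following added example (not from the AWS guide) shows a constructed S3 statement that combines the three kinds of conditions named above, a source IP range, a date range and a requirement for SSL, together with a small local evaluator for just those operators so that the effect of each condition can be checked offline. The bucket name, IP range (the 203.0.113.0/24 documentation range) and dates are constructed; the evaluator is a teaching aid, not the IAM policy engine.

```python
import ipaddress
from datetime import datetime, timezone

# Added example (not from the AWS guide). Constructed statement: S3 read access
# only from a documentation IP range (203.0.113.0/24), during 2024, over SSL.
CONDITIONED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"},
        "Bool": {"aws:SecureTransport": "true"},
    },
}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_match(condition, request):
    """Local evaluator for the four operators used above (a subset of IAM's).
    `request` maps condition keys such as 'aws:SourceIp' to the values of one
    request. Every block must hold, and a key absent from the request fails
    the condition (IAM does the same unless an ...IfExists operator is used)."""
    for operator, block in condition.items():
        for key, expected in block.items():
            if key not in request:
                return False
            actual = request[key]
            values = expected if isinstance(expected, list) else [expected]
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
            elif operator == "DateGreaterThan":
                ok = any(_ts(actual) > _ts(v) for v in values)
            elif operator == "DateLessThan":
                ok = any(_ts(actual) < _ts(v) for v in values)
            elif operator == "Bool":
                ok = str(actual).lower() == str(values[0]).lower()
            else:
                raise ValueError(f"operator not supported by this evaluator: {operator}")
            if not ok:
                return False
    return True

# Constructed requests: one that satisfies every condition, one over plain HTTP.
ALLOWED_REQUEST = {"aws:SourceIp": "203.0.113.25", "aws:CurrentTime": "2024-06-15T10:30:00Z", "aws:SecureTransport": "true"}
HTTP_REQUEST = dict(ALLOWED_REQUEST, **{"aws:SecureTransport": "false"})
```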

Monitor Activity in Your AWS Account

You can use logging features in AWS to determine the actions users have taken in your account and the resources that were used. The log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.

Logging features are available in the following AWS services:

  • Amazon CloudFront – Logs user requests that CloudFront receives. For more information, see Access Logs in the Amazon CloudFront Developer Guide.

  • AWS CloudTrail – Logs AWS API calls and related events made by or on behalf of an AWS account. For more information, see the AWS CloudTrail User Guide.

  • Amazon CloudWatch – Monitors your AWS Cloud resources and the applications you run on AWS. You can set alarms in CloudWatch based on metrics that you define. For more information, see the Amazon CloudWatch User Guide.

  • AWS Config – Provides detailed historical information about the configuration of your AWS resources, including your IAM users, groups, roles, and policies. For example, you can use AWS Config to determine the permissions that belonged to a user or group at a specific time. For more information, see the AWS Config Developer Guide.

  • Amazon Simple Storage Service (Amazon S3) – Logs access requests to your Amazon S3 buckets. For more information, see Server Access Logging in the Amazon Simple Storage Service Developer Guide.