Controlling IAM users access to the Amazon Web Services Management Console - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Controlling IAM users access to the Amazon Web Services Management Console

IAM users with permission who sign in to your Amazon Web Services account through the Amazon Web Services Management Console can access your Amazon resources. The following list shows the ways that you can grant IAM users access to your Amazon Web Services account resources through the Amazon Web Services Management Console. It also shows how IAM users can access other Amazon account features through the Amazon website.

Note

There is no charge to use IAM.

The Amazon Web Services Management Console

You create a password for each IAM user who needs access to the Amazon Web Services Management Console. Users access the console through your IAM-enabled Amazon Web Services account sign-in page. For information about accessing the sign-in page, see How to sign in to Amazon in the Amazon Sign-In User Guide. For information about creating passwords, see Managing user passwords in Amazon.

You can prevent an IAM user from accessing the Amazon Web Services Management Console by removing their password. This prevents them from signing into the Amazon Web Services Management Console using their sign-in credentials. It does not change their permissions or prevent them from accessing the console using an assumed role. If the user has active access keys, they continue to function and allow access through the Amazon CLI, Tools for Windows PowerShell, Amazon API, or the Amazon Console Mobile Application.

Your Amazon resources, such as Amazon EC2 instances, Amazon S3 buckets, and so on

Even if your IAM users have passwords, they still need permission to access your Amazon resources. When you create an IAM user, that user has no permissions by default. To give your IAM users the permissions they need, you attach policies to them. If you have many IAM users who perform the same tasks with the same resources, you can assign those IAM users to a group. Then assign the permissions to that group. For information about creating IAM users and groups, see IAM Identities (users, user groups, and roles). For information about using policies to set permissions, see Access management for Amazon resources.

Amazon Discussion Forums

Anyone can read the posts on the Amazon Discussion Forums. Users who want to post questions or comments to the Amazon Discussion Forum can do so using their user name. The first time a user posts to the Amazon Discussion Forum, the user is prompted to enter a nickname and email address. Only that user can use that nickname in the Amazon Discussion Forums.

Your Amazon Web Services account billing and usage information

You can grant users access to your Amazon Web Services account billing and usage information. For more information, see Controlling Access to Your Billing Information in the Amazon Billing User Guide.

Your Amazon Web Services account profile information

Users cannot access your Amazon Web Services account profile information.

Your Amazon Web Services account security credentials

Users cannot access your Amazon Web Services account security credentials.

Note

IAM policies control access regardless of the interface. For example, you could provide a user with a password to access the Amazon Web Services Management Console. The policies for that user (or any groups the user belongs to) would control what the user can do in the Amazon Web Services Management Console. Or, you could provide the user with Amazon access keys for making API calls to Amazon. The policies would control which actions the user could call through a library or client that uses those access keys for authentication.
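The section on removing a console password notes that active access keys keep working afterwards. The following check is an added example, not part of the original documentation: it reads an IAM credential report in CSV form and lists users who have no console password but still hold active access keys. It assumes the report's standard column names; the sample rows, user names and account ID are constructed.

```python
import csv
import io

# Constructed sample in the column layout of an IAM credential report
# (only the columns this check reads are included).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws-cn:iam::111122223333:root,not_supported,true,false,false
alice,arn:aws-cn:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws-cn:iam::111122223333:user/bob,false,false,true,false
carol,arn:aws-cn:iam::111122223333:user/carol,false,false,false,false
dave,arn:aws-cn:iam::111122223333:user/dave,false,false,true,true
"""

KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")


def remaining_access(report_csv):
    """Return {user: [active key columns]} for users with no console
    password who can still authenticate with access keys."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the root row is not an IAM user
        if row["password_enabled"].strip().lower() != "false":
            continue  # password still present, or value not reported
        active = [col for col in KEY_COLUMNS
                  if row.get(col, "").strip().lower() == "true"]
        if active:
            findings[row["user"]] = active
    return findings


if __name__ == "__main__":
    for user, keys in remaining_access(SAMPLE_REPORT).items():
        print(f"{user}: no console password, still active: {', '.join(keys)}")
```

The report shows passwords and access keys only; whether a user can still reach the console through an assumed role depends on their policies and the role's trust policy, which have to be reviewed separately.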