Document history for IAM
The following table describes major documentation updates for IAM.
| Change | Description | Date |
|---|---|---|
IAM Access Analyzer added support for permission to retrieve the current state of the
block public access for Amazon EC2 snapshots to the service-level permissions of AccessAnalyzerServiceRolePolicy | January 23, 2024 | |
IAM Access Analyzer added DynamoDB streams and tables to the service-level permissions of
AccessAnalyzerServiceRolePolicy | January 11, 2024 | |
IAM Access Analyzer added Amazon S3 directory buckets to the service-level permissions of
AccessAnalyzerServiceRolePolicy | December 1, 2023 | |
IAM Access Analyzer added permissions to IAMAccessAnalyzerReadOnlyAccess to allow you to check whether updates to your policies grant additional access. This permission is required by IAM Access Analyzer to perform policy checks on your policies. | November 26, 2023 | |
IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings. | November 26, 2023 | |
IAM Access Analyzer now provides custom policy checks to validate that IAM policies adhere to your security standards ahead of deployments. | November 26, 2023 | |
IAM Access Analyzer added IAM actions to the service-level permissions of AccessAnalyzerServiceRolePolicy
| November 26, 2023 | |
IAM now supports action last accessed information and generates policies with action-level information for over 60 additional services, along with a list of the actions for which action last accessed information is available. | November 1, 2023 | |
Action last accessed information support for over 140 services | IAM now provides action last accessed information for more than 140 services, along with a list of the actions for which action last accessed information is available. | September 14, 2023 |
Support for multiple multi-factor authentication (MFA) devices for root users and IAM users | Now you can to add up to eight MFA devices per user, including FIDO security keys, software time-based one-time password (TOTP) with virtual authenticator applications, or hardware TOTP tokens. | November 16, 2022 |
IAM Access Analyzer added support for the following resource types:
| October 25, 2022 | |
Removed mentions of U2F as an MFA option and added information about WebAuthn, FIDO2, and FIDO security keys. | May 31, 2022 | |
Added information about maintaining access to IAM credentials when an event disrupts communication between Amazon Web Services Regions. | May 16, 2022 | |
You can now control access to resources based on the account, Organizational Unit
(OU), or organization in Amazon Organizations that contains your resources. You can use the
| April 27, 2022 | |
Added code examples that show how to use IAM with an Amazon software development kit (SDK). The examples are divided into code excerpts that show you how to call individual service functions and examples that show you how to accomplish a specific task by calling multiple functions within the same service. | April 7, 2022 | |
Updates to the policy evaluation logic flow chart and related text in the Determining whether a request is allowed or denied within an account section. | November 17, 2021 | |
Added information about creating administrative users instead of using root user credentials, removed the best practice of using user groups to assign permissions to IAM users, and clarified when to use managed policies instead of inline policies. | October 5, 2021 | |
Updates to policy evaluation logic topic for resource-based policies | Added information about the impact of resource-based policies and different principal types in the same account. | October 5, 2021 |
The differences between single-valued and multivalued condition keys are now explained in more detail. The value type was added to each Amazon global condition context key. | September 30, 2021 | |
IAM Access Analyzer supports Amazon S3 Multi-Region Access Points | IAM Access Analyzer identifies Amazon S3 buckets that allow public and cross-account access, including those that use Amazon S3 Multi-Region Access Points. | September 2, 2021 |
Amazon managed policy updates - Update to an existing policy | IAM Access Analyzer updated an existing Amazon managed policy. | September 2, 2021 |
IAM Access Analyzer can generate IAM policies with action-level access activity information for additional Amazon services. | August 24, 2021 | |
You can now use IAM Access Analyzer to generate fine-grained policies based on your access activity using a Amazon CloudTrail trail in a different account, for example, a centralized Amazon Organizations trail. | August 18, 2021 | |
IAM Access Analyzer extended policy validation by adding new policy checks that validate conditions included in IAM policies. These checks analyze the condition block in your policy statement and report security warnings, errors, and suggestions along with actionable recommendations. IAM Access Analyzer added the following policy checks: | June 29, 2021 | |
You can now view action last accessed information in the IAM console about the last time an IAM principal used an action for the following services: Amazon EC2, IAM, Lambda, and Amazon S3 management actions. You can also use the Amazon CLI or Amazon API to retrieve a data report. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. | April 19, 2021 | |
Administrators can configure IAM roles to require that identities pass a source identity, which is logged in Amazon CloudTrail. Reviewing source identity information helps administrators determine who or what performed actions with assumed role sessions. | April 13, 2021 | |
You can now use IAM Access Analyzer to generate fine-grained policies based on your access activity found in your Amazon CloudTrail. | April 7, 2021 | |
IAM Access Analyzer now provides over 100 policy checks with actionable recommendations during policy authoring. | March 16, 2021 | |
Expanded policy validation available in the IAM console, Amazon API, and Amazon CLI using policy checks in IAM Access Analyzer to help you author secure and functional JSON policies. | March 15, 2021 | |
You can now tag additional IAM resources using a tag key-value pair. | February 11, 2021 | |
If you do not set a custom password policy for your Amazon Web Services account, IAM user passwords must now meet the default Amazon password policy. | November 18, 2020 | |
The actions, resources, and condition keys pages for Amazon services have moved | Each Amazon service can define actions, resources, and condition context keys for use in IAM policies. You can now find the list of Amazon services and their actions, resources, and condition context keys in the Service Authorization Reference. | November 16, 2020 |
IAM users can now have a longer role session duration when switching roles in the Amazon Web Services Management Console, reducing interruptions due to session expiration. Users are granted the maximum session duration set for the role, or the remaining time in the IAM user's session, whichever is less. | July 24, 2020 | |
Use Service Quotas to request quick increases for IAM entities | You can request quota increases for adjustable IAM quotas using the Service Quotas console. Now, some increases are automatically approved in Service Quotas and available in your account within a few minutes. Larger requests are submitted to Amazon Web Services Support. | June 25, 2020 |
Last accessed information in IAM now includes Amazon S3 management actions | In addition to service last accessed information, you can now view information in the IAM console about the last time an IAM principal used an Amazon S3 action. You can also use the Amazon CLI or Amazon API to retrieve the data report. The report includes information about the allowed services and actions that principals last attempted to access and when. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. | June 3, 2020 |
The security chapter helps you understand how to configure IAM and Amazon STS to meet your security and compliance objectives. You also learn how to use other Amazon services that help you to monitor and secure your IAM resources. | April 29, 2020 | |
You can now write a policy that grants permissions based on the session name that a principal specifies when assuming a role. | April 21, 2020 | |
When you sign in on the main Amazon sign-in page, you can no choose to sign in as the Amazon Web Services account root user or an IAM user. When you do, the label on the page indicates whether you should provide your root user email address or your IAM user information. This documentation includes updated screen captures to help you understand the Amazon sign-in pages. | March 4, 2020 | |
You can now write a policy to limit whether services can make requests on behalf
of an IAM principal (user or role). When a principal makes a request to an Amazon
service, that service might use the principal's credentials to make subsequent
requests to other services. Use the | February 20, 2020 | |
You can now test the effect of permissions boundaries on IAM entities with the IAM policy simulator. | January 23, 2020 | |
You can now learn how Amazon evaluates policies for cross-account access. This occurs when a resource in a trusting account includes a resource-based policy that allows a principal in another account to access the resource. The request must be allowed in both accounts. | January 2, 2020 | |
You can now include tags when you assume a role or federate a user in Amazon STS. When
you perform the | November 22, 2019 | |
Control access for groups of Amazon Web Services accounts in Amazon Organizations | You can now reference organizational units (OUs) from Amazon Organizations in IAM policies.
If you use Organizations to organize your accounts into OUs, you can require that principals
belong to a specific OU before granting access to your resources. Principals include
Amazon Web Services account root user, IAM users and IAM roles. To do this, specify the OU path in the
| November 20, 2019 |
You can now view the date, time, and Region where a role was last used. This information also helps you identify unused roles in your account. You can use the Amazon Web Services Management Console, Amazon CLI and Amazon API to view information about when a role was last used. | November 19, 2019 | |
You can now learn when each of the global condition keys is included in the
context of a request. You can also navigate to each key more easily using the page
table of contents (TOC). The information on the page helps you to write more accurate
policies. For example, if your employees use federation with IAM roles, you should
use the | October 6, 2019 | |
Learn how attribute-based access control (ABAC) works in Amazon using tags, and how it compares to the traditional Amazon authorization model. Use the ABAC tutorial to learn how to create and test a policy that allows IAM roles with principal tags to access resources with matching tags. This strategy allows individuals to view or edit only the Amazon resources required for their jobs. | October 3, 2019 | |
You can review the Amazon access keys in your code to determine whether the keys
are from an account that you own. You can pass an access key ID using the | July 24, 2019 | |
Viewing Organizations service last accessed information in IAM | You can now view service last accessed information for an Amazon Organizations entity or policy in the Amazon Organizations section of the IAM console. You can also use the Amazon CLI or Amazon API to retrieve the data report. This data includes information about the allowed services that principals in an Organizations account last attempted to access and when. You can use this information to identify unnecessary permissions so that you can refine your Organizations policies to better adhere to the principle of least privilege. | June 20, 2019 |
You can now pass up to 10 managed policy ARNs when you assume a role. This allows you to limit the permissions of the role's temporary credentials. | May 7, 2019 | |
Amazon STS Region compatibility of session tokens for the global endpoint | You can now choose whether to use version 1 or version 2 global endpoint tokens. Version 1 tokens are valid only in Amazon Regions that are available by default. These tokens will not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens. | April 26, 2019 |
You can now create a policy that allows an administrator to enable and disable the Asia Pacific (Hong Kong) Region (ap-east-1). | April 24, 2019 | |
IAM users can now manage all of their own credentials on the My Security Credentials page. This Amazon Web Services Management Console page displays account information such as the account ID and canonical user ID. Users can also view and edit their own passwords, access keys, X.509 certificates, SSH keys, and Git credentials. | January 24, 2019 | |
You can now use the Amazon CLI and Amazon API to view service last accessed information. | December 7, 2018 | |
You can now use IAM tags to add custom attributes to an identity (IAM user or role) using a tag key-value pair. You can also use tags to control an identity's access to resources or to control what tags can be attached to an identity. | November 14, 2018 | |
You can now use U2F security keys as a multi-factor authentication (MFA) option when signing in to the Amazon Web Services Management Console. | September 25, 2018 | |
You can now establish a private connection between your VPC and Amazon STS in the US West (Oregon) Region. | July 31, 2018 | |
New feature makes it easier to grant trusted employees the ability to manage IAM permissions without also granting full IAM administrative access. | July 12, 2018 | |
New condition key provides an easier way to control access to Amazon resources by specifying the Amazon organization of IAM principals. | May 17, 2018 | |
New condition key provides an easier way to use IAM policies to control access to Amazon Regions. | April 25, 2018 | |
An IAM role can now have a session duration of 12 hours. | March 28, 2018 | |
New workflow improves the process of creating trust relationships and attaching permissions to roles. | September 8, 2017 | |
Updated Amazon sign-in experience allows both the root user and IAM users to use the Sign In to the Console link on the Amazon Web Services Management Console's home page. | August 25, 2017 | |
Documentation update features more than 30 example policies. | August 2, 2017 | |
Information added to the Users section of the IAM console makes it easier to follow IAM best practices. | July 5, 2017 | |
Resource-level permissions can control access to and permissions for Auto Scaling resources. | May 16, 2017 | |
Database administrators can associate database users with IAM users and roles and thus manage user access to all Amazon resources from a single location. | April 24, 2017 | |
Service-linked roles provide an easier and more secure way to delegate permissions to Amazon services. | April 19, 2017 | |
New policy summaries make it easier to understand permissions in IAM policies. | March 23, 2017 |