AWS Identity and Access Management
User Guide
The AWS services or features described in the AWS documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon AWS.

How IAM users sign in to AWS

To sign in to the AWS Management Console as an IAM user, you must provide your account ID or account alias in addition to your user name and password. When your administrator created your IAM user in the console, they should have sent you your sign-in credentials, including your user name and the URL of your account sign-in page (which includes your account ID or account alias).

https://My_AWS_Account_ID.signin.amazonaws.cn/console/

Tip

To create a bookmark for your account sign-in page in your web browser, manually type your account's sign-in URL into the bookmark entry. Do not use the web browser's bookmark feature, because redirects obscure the sign-in URL.

You can also sign in at the following general sign-in endpoint and type your account ID or account alias manually:

https://console.amazonaws.cn/

For convenience, the AWS sign-in page uses a browser cookie to remember the IAM user name and account information. The next time the user goes to any page in the AWS Management Console, the console uses the cookie to redirect the user to the account sign-in page.

You can access only the AWS resources that your administrator specified in the policy attached to your IAM user identity. To work in the console, you must have permissions to perform the actions that the console performs, such as listing and creating AWS resources. For more information, see Example Policies for Access Control.

Note

If your organization already has an identity system, you might want to create a single sign-on (SSO) option. SSO gives users access to the AWS Management Console for your account without requiring them to have an IAM user identity. SSO also eliminates the need for users to sign in separately to your organization's site and to AWS. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).

Logging sign-in details in CloudTrail

If you enable CloudTrail to log sign-in events to your logs, you need to be aware of how CloudTrail chooses where to log the events.

  • If your users sign in directly to a console, they are redirected to either a global or a regional sign-in endpoint, based on whether the selected service console supports regions. For example, the main console home page supports regions, so if you sign in to the following URL:

    https://alias.signin.aws.amazon.com/console

    you are redirected to a regional sign-in endpoint such as https://us-east-2.signin.aws.amazon.com, resulting in a regional CloudTrail log entry in that region's log.

    On the other hand, the Amazon S3 console does not support regions, so if you sign in to the following URL:

    https://alias.signin.aws.amazon.com/console/s3

    AWS redirects you to the global sign-in endpoint at https://signin.aws.amazon.com, resulting in a global CloudTrail log entry.

  • You can manually request a certain regional sign-in endpoint by signing in to the region-enabled main console home page using a URL syntax like the following:

    https://alias.signin.aws.amazon.com/console?region=ap-southeast-1

    AWS redirects you to the ap-southeast-1 regional sign-in endpoint and results in a regional CloudTrail log event.

For more information about CloudTrail and IAM, see Logging IAM Events with AWS CloudTrail.
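The practical consequence of the two cases above is that one IAM user's sign-ins can land in different regions' CloudTrail logs depending on which console they opened, so any review of sign-in activity has to read records from every region rather than a single one. The following script is an added example, not code from the AWS documentation: it parses a CloudTrail log file in the standard `Records` envelope, keeps only `ConsoleLogin` events, counts them per `awsRegion`, and flags failed sign-ins and successful sign-ins made without MFA. The log records are constructed for illustration. The script assumes that CloudTrail records sign-ins through the global endpoint under `us-east-1` (the region CloudTrail uses for global service events), which is how it labels an entry as "global" versus "regional"; adjust `GLOBAL_ENDPOINT_REGION` if your partition records them differently.

```python
"""Summarise CloudTrail ConsoleLogin events by region, outcome and MFA use.

Added example; not part of the AWS documentation. The records below are
constructed for illustration and are not real log data.
"""
import json
from collections import Counter

# Constructed CloudTrail log in the shape CloudTrail delivers to S3:
# a JSON object whose "Records" array holds one event per element.
SAMPLE_LOG = json.dumps({"Records": [
    {  # sign-in via the main console home page -> regional endpoint
        "eventTime": "2024-01-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-2",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
    },
    {  # sign-in via the S3 console -> global endpoint, recorded under us-east-1
        "eventTime": "2024-01-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No",
                                "LoginTo": "https://s3.console.aws.amazon.com/s3/home"},
    },
    {  # failed sign-in through an explicitly requested regional endpoint
        "eventTime": "2024-01-01T09:10:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "ap-southeast-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
    },
    {  # unrelated IAM API call; must be ignored by the sign-in parser
        "eventTime": "2024-01-01T09:15:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
    },
]})

# Assumption for this example: CloudTrail records global-endpoint sign-ins
# under us-east-1. Change this if your partition records them elsewhere.
GLOBAL_ENDPOINT_REGION = "us-east-1"


def parse_console_logins(log_text):
    """Return one summary dict per ConsoleLogin record; other events are skipped."""
    logins = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventName") != "ConsoleLogin":
            continue
        region = rec.get("awsRegion", "")
        logins.append({
            "time": rec.get("eventTime"),
            "user": rec.get("userIdentity", {}).get("userName", "<unknown>"),
            "region": region,
            "scope": "global" if region == GLOBAL_ENDPOINT_REGION else "regional",
            "success": rec.get("responseElements", {}).get("ConsoleLogin") == "Success",
            "mfa": rec.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        })
    return logins


def login_counts_by_region(logins):
    """Count ConsoleLogin events per awsRegion, showing where entries landed."""
    return Counter(login["region"] for login in logins)


def findings(logins):
    """Flag failed sign-ins and successful sign-ins that did not use MFA."""
    notes = []
    for login in logins:
        where = f"via {login['scope']} entry ({login['region']})"
        if not login["success"]:
            notes.append(f"{login['time']} FAILED login for {login['user']} {where}")
        elif not login["mfa"]:
            notes.append(f"{login['time']} login WITHOUT MFA for {login['user']} {where}")
    return notes


if __name__ == "__main__":
    console_logins = parse_console_logins(SAMPLE_LOG)
    for region, count in sorted(login_counts_by_region(console_logins).items()):
        print(f"{region}: {count} ConsoleLogin event(s)")
    for note in findings(console_logins):
        print(note)
```

Run against real data, the input would be the gunzipped JSON objects CloudTrail delivers per region; the region split in the counts is the direct consequence of the endpoint selection the bullets above describe, and a trail that covers only one region would miss part of it.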

If users need programmatic access to work with your account, you can create an access key pair (an access key ID and a secret access key) for each user, as described in Managing Access Keys (Console).