Identity and access management for Amazon EC2 - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Identity and access management for Amazon EC2

Your security credentials identify you to services in Amazon and grant you unlimited use of your Amazon resources, such as your Amazon EC2 resources. You can use features of Amazon EC2 and Amazon Identity and Access Management (IAM) to allow other users, services, and applications to use your Amazon EC2 resources without sharing your security credentials. You can use IAM to control how other users use resources in your Amazon account, and you can use security groups to control access to your Amazon EC2 instances. You can choose to allow full use or limited use of your Amazon EC2 resources.

For best practices for securing your Amazon resources using IAM, see Security best practices in IAM.

Network access to your instance

A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups. You add rules to each security group that control traffic for the instance. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances to which the security group is assigned.

For more information, see Authorize inbound traffic for your Linux instances.

Amazon EC2 permission attributes

Your organization might have multiple Amazon accounts. Amazon EC2 enables you to specify additional Amazon accounts that can use your Amazon Machine Images (AMIs) and Amazon EBS snapshots. These permissions work at the Amazon account level only; you can't restrict permissions for specific users within the specified Amazon account. All users in the Amazon account that you've specified can use the AMI or snapshot.

Each AMI has a LaunchPermission attribute that controls which Amazon accounts can access the AMI. For more information, see Make an AMI public.

Each Amazon EBS snapshot has a createVolumePermission attribute that controls which Amazon accounts can use the snapshot. For more information, see Share an Amazon EBS snapshot.

IAM and Amazon EC2

IAM enables you to do the following:

  • Create users and groups under your Amazon account

  • Assign unique security credentials to each user under your Amazon account

  • Control each user's permissions to perform tasks using Amazon resources

  • Allow the users in another Amazon account to share your Amazon resources

  • Create roles for your Amazon account and define the users or services that can assume them

  • Use existing identities for your enterprise to grant permissions to perform tasks using Amazon resources

By using IAM with Amazon EC2, you can control whether users in your organization can perform a task using specific Amazon EC2 API actions and whether they can use specific Amazon resources.

This topic helps you answer the following questions:

  • How do I create groups and users in IAM?

  • How do I create a policy?

  • What IAM policies do I need to carry out tasks in Amazon EC2?

  • How do I grant permissions to perform actions in Amazon EC2?

  • How do I grant permissions to perform actions on specific resources in Amazon EC2?

Create an IAM group and users

To create an IAM group

  1. Open the IAM console at

  2. In the navigation pane, choose User groups.

  3. Choose Create group.

  4. For User group name, enter a name for your group.

  5. For Attach permissions policies, select an Amazon managed policy. For example, for Amazon EC2, one of the following Amazon managed policies might meet your needs:

    • PowerUserAccess

    • ReadOnlyAccess

    • AmazonEC2FullAccess

    • AmazonEC2ReadOnlyAccess

  6. Choose Create group.

Your new group is listed under Group name.

To create an IAM user, add the user to your group, and create a password for the user

  1. In the navigation pane, choose Users.

  2. Choose Add users.

  3. For User name, enter a user name.

  4. For Select Amazon access type, select both Access key - Programmatic access and Password - Amazon Web Services Management Console access.

  5. For Console password, choose one of the following:

    • Autogenerated password. Each user gets a randomly generated password that meets the current password policy in effect (if any). You can view or download the passwords when you get to the Final page.

    • Custom password. Each user is assigned the password that you enter in the box.

  6. Choose Next: Permissions.

  7. On the Set permissions page, choose Add user to group. Select the check box next to the group that you created earlier.

  8. Choose Next: Tags.

  9. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources.

  10. Choose Next: Review to see all of the choices you made up to this point. When you are ready to proceed, choose Create user.

  11. To view the users' access keys (access key IDs and secret access keys), choose Show next to each password and secret access key to see. To save the access keys, choose Download .csv and then save the file to a safe location.


    You cannot retrieve the secret access key after you complete this step; if you misplace it you must create a new one.

  12. Provide each user his or her credentials (access keys and password); this enables them to use services based on the permissions you specified for the IAM group. You can choose Send email next to each user. Your local mail client opens with a draft that you can customize and send. The email template includes the following details to each user:

    • User name

    • URL to the account sign-in page. Use the following example, substituting the correct account ID number or account alias:

      https://AWS-account-ID or

    For more information, see How IAM users sign in to Amazon.


    The user's password is not included in the generated email. You must provide them to the user in a way that complies with your organization's security guidelines.

  13. Choose Close.

For more information about IAM, see the following: