Getting set up with IAM - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting set up with IAM


IAM best practices recommend that you require human users to use federation with an identity provider to access Amazon using temporary credentials instead of using IAM users with long-term credentials.

Amazon Identity and Access Management (IAM) helps you securely control access to Amazon Web Services (Amazon) and your account resources. IAM can also keep your sign-in credentials private. You don't need to specifically sign up to use IAM. There is no charge to use IAM.

Use IAM to give identities, such as users and roles, access to resources in your account. For example, you can use IAM with existing users in your corporate directory that you manage external to Amazon or you can create users in Amazon using Amazon IAM Identity Center (successor to Amazon Single Sign-On). Federated identities assume defined IAM roles to access only the resources they need. For more information about IAM Identity Center, see What is IAM Identity Center? in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.


IAM works only with Amazon products that are integrated with IAM. For a list of services that support IAM, see Amazon services that work with IAM.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Prepare for least-privilege permissions

Using least-privilege permissions is an IAM best practice recommendation. The concept of least-privilege permissions is to grant users only the permissions required to perform a task. As you get set up, consider how you are going to support least-privilege permissions. Both the root user and the administrator user have powerful privileges that are not required for everyday tasks. While you are learning about Amazon and testing out different services, we recommend that you create at least one additional user in IAM Identity Center with lesser privileges that you can use in different scenarios. You can use IAM policies to define the actions that can be taken on specific resources under specific conditions, and then connect to those resources with your less-privileged account.
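The following is an added example, not code from this guide or from Amazon: a constructed least-privilege policy that allows only read access to one (made-up) S3 bucket and only when MFA is present, beside a broad allow-everything policy, plus a deliberately simplified model of IAM policy evaluation (explicit Deny wins, then a matching Allow, otherwise implicit deny) that supports only the `Bool` condition operator, which is an assumption made here to keep the example short.

```python
import fnmatch

# Constructed least-privilege policy: read-only on one bucket, MFA required.
# The bucket name "example-reports" is made up for this example.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports",
                     "arn:aws:s3:::example-reports/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Contrast: the kind of broad grant an administrator user carries.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _matches(patterns, value, case_insensitive=False):
    """Wildcard match ('*' and '?'); IAM action names are case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, context):
    """Simplified: only the Bool operator is modelled; missing keys count as false."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != expected.lower():
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM decision: explicit Deny > matching Allow > implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Calling `is_allowed(LEAST_PRIVILEGE_POLICY, "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv")` without an MFA context key is denied, while the same request with `{"aws:MultiFactorAuthPresent": "true"}` is allowed; a delete on that bucket, or a read on any other bucket, stays denied.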

If you are using IAM Identity Center, consider using IAM Identity Center permission sets to get started. To learn more, see Create a permission set in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

If you are not using IAM Identity Center, use IAM roles to define the privileges for different IAM entities. To learn more, see Creating IAM roles.

Both IAM roles and IAM Identity Center permission sets can use Amazon managed policies based on job functions. For details on the permissions granted by these policies, see Amazon managed policies for job functions.


Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they are available for use by all Amazon customers. After getting set up, we recommend that you use IAM Access Analyzer to generate least-privilege policies based on your access activity that is logged in Amazon CloudTrail. For more information about policy generation, see IAM Access Analyzer policy generation.