Getting set up with IAM - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting set up with IAM


IAM best practices recommend that you require human users to use federation with an identity provider to access Amazon using temporary credentials instead of using IAM users with long-term credentials.

Amazon Identity and Access Management (IAM) helps you securely control access to Amazon Web Services (Amazon) and your account resources. IAM can also keep your sign-in credentials private. You don't specifically sign up to use IAM. There is no charge to use IAM.

Use IAM to give identities, such as users and roles, access to resources in your account. For example, you can use IAM with existing users in your corporate directory that you manage external to Amazon or you can create users in Amazon using Amazon IAM Identity Center. Federated identities assume defined IAM roles to access the resources they need. For more information about IAM Identity Center, see What is IAM Identity Center? in the Amazon IAM Identity Center User Guide.


IAM is integrated with several Amazon products. For a list of services that support IAM, see Amazon services that work with IAM.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Prepare for least-privilege permissions

Using least-privilege permissions is an IAM best practice recommendation. The concept of least-privilege permissions is to grant users the permissions required to perform a task and no additional permissions. As you get set up, consider how you are going to support least-privilege permissions. Both the root user and the administrator user have powerful permissions that aren't required for everyday tasks. While you are learning about Amazon and testing out different services we recommend that you create at least one additional user in IAM Identity Center with lesser permissions that you can use in different scenarios. You can use IAM policies to define the actions that can be taken on specific resources under specific conditions and then connect to those resources with your lesser privileged account.

If you are using IAM Identity Center, consider using IAM Identity Center permissions sets to get started. To learn more, see Create a permission set in the IAM Identity Center User Guide.

If you aren't using IAM Identity Center, use IAM roles to define the permissions for different IAM entities. To learn more, see Creating IAM roles.

Both IAM roles and IAM Identity Center permissions sets can use Amazon managed policies based on job functions. For details on the permissions granted by these policies, see Amazon managed policies for job functions.


Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for use by all Amazon customers. After getting set up, we recommend that you use IAM Access Analyzer to generate least-privilege policies based on your access activity that's logged in Amazon CloudTrail. For more information about policy generation, see IAM Access Analyzer policy generation.