Getting set up with IAM - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Getting set up with IAM

Important

The IAM best practices have been updated. As a best practice, require human users to use federation with an identity provider to access Amazon using temporary credentials. An additional best practice recommendation is to require workloads to use temporary credentials with IAM roles to access Amazon. IAM users are to be used only in very limited scenarios where an IAM role cannot be assumed. To learn about using Amazon IAM Identity Center (successor to Amazon Single Sign-On) to create users with temporary credentials, see Getting started in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

Amazon Identity and Access Management (IAM) helps you securely control access to Amazon Web Services (Amazon) and your account resources. IAM can also keep your sign-in credentials private. You don't need to specifically sign up to use IAM. There is no charge to use IAM.

Use IAM to give identities, such as users and roles, access to resources in your account. For example, you can use IAM with existing users in your corporate directory that you manage external to Amazon or you can create users in Amazon using Amazon IAM Identity Center (successor to Amazon Single Sign-On). Federated identities assume defined IAM roles to access only the resources they need. For more information about IAM Identity Center, see What is IAM Identity Center? in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

Note

IAM works only with Amazon products that are integrated with IAM. For a list of services that support IAM, see Amazon services that work with IAM.

Access control methods

Here are the ways you can use IAM to control access to your Amazon resources.

Each method is described in three parts: the type of access, why you would use it, and where you can get more information.

Type of access: Single sign-on access for human users, such as your workforce users, to Amazon resources using IAM Identity Center

Why would I use it?

IAM Identity Center expands the capabilities of IAM to provide a central place that brings together administration of users and their access to Amazon Web Services accounts and cloud applications.

You can set up an identity store within IAM Identity Center or you can configure federation with an existing identity provider (IdP). Granting your human users limited credentials to Amazon resources as needed is recommended as a security best practice.

Users have an easier sign-in experience and you maintain control over their access to resources from a single system. IAM Identity Center supports multi-factor authentication (MFA) for additional account security.

Where can I get more information?

For more information about setting up IAM Identity Center, see Getting Started in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

For more information about using MFA in IAM Identity Center, see Multi-factor authentication in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

Type of access: Federated access for human users, such as your workforce users, to Amazon services using IAM identity providers

Why would I use it?

IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). After you create an IAM identity provider, you must create one or more IAM roles that can be dynamically assigned to a federated user.

Where can I get more information?

For more information about IAM identity providers and federation, see Identity providers and federation.

Type of access: Cross-account access between Amazon Web Services accounts

Why would I use it?

You want to share access to certain Amazon resources with users in other Amazon Web Services accounts.

Roles are the primary way to grant cross-account access. However, some Amazon services allow you to attach a policy directly to a resource (instead of using a role as a proxy). These are called resource-based policies.

Where can I get more information?

For more information about IAM roles, see IAM roles.

For more information about service-linked roles, see Using service-linked roles.

For information about which services support using service-linked roles, see Amazon services that work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.
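The role trust policies that the federated-access and cross-account entries above depend on are shown below as an added example; this is not code from the IAM documentation or the IAM service. It builds the trust policy a SAML 2.0 or OIDC identity provider's users assume a role through, and the trust policy that lets one other account assume a role, then runs a small reviewer check over them. The account IDs, provider ARNs, client ID and external ID are constructed placeholders, and the arn:aws-cn partition prefix and the China-partition SAML sign-in audience are assumptions drawn from the page's region.

```python
"""Trust policies for federated and cross-account role assumption, with a review check.

Added example for this page, not IAM's own code. Account IDs, provider ARNs and the
external ID are constructed placeholders; the arn:aws-cn partition and the China
SAML sign-in audience are assumptions based on the page's region.
"""
from __future__ import annotations

import json

ACCOUNT_ID = "123456789012"          # constructed: account that owns the role
PARTNER_ACCOUNT_ID = "210987654321"  # constructed: account allowed to assume it
SAML_AUDIENCE = "https://signin.amazonaws.cn/saml"  # assumed China-partition value


def saml_trust_policy(provider_arn: str, audience: str = SAML_AUDIENCE) -> dict:
    """Lets users authenticated by a SAML 2.0 IdP assume the role.

    The Principal is the IAM identity provider, the action is AssumeRoleWithSAML,
    and the SAML:aud condition binds the assertion to the sign-in endpoint.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": audience}},
        }],
    }


def oidc_trust_policy(provider_arn: str, issuer_host: str, client_id: str) -> dict:
    """Lets users authenticated by an OIDC IdP assume the role; aud pins the client ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{issuer_host}:aud": client_id}},
        }],
    }


def cross_account_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Lets principals in one other account assume the role.

    Naming a single account root as Principal and requiring sts:ExternalId is the
    usual mitigation for the confused-deputy problem in cross-account access.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws-cn:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict) -> list[str]:
    """Review heuristics for a trust policy; an empty list means nothing was flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        condition_text = json.dumps(stmt.get("Condition", {}))
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)

        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in principal.values()
        )
        if wildcard:
            findings.append("wildcard Principal: any identity could assume this role")
        if "sts:AssumeRole" in actions and "sts:ExternalId" not in condition_text:
            findings.append("sts:AssumeRole without an sts:ExternalId condition")
        if "sts:AssumeRoleWithSAML" in actions and "SAML:aud" not in condition_text:
            findings.append("sts:AssumeRoleWithSAML without a SAML:aud condition")
    return findings


if __name__ == "__main__":
    for name, policy in {
        "saml": saml_trust_policy(f"arn:aws-cn:iam::{ACCOUNT_ID}:saml-provider/CorpIdP"),
        "cross-account": cross_account_trust_policy(PARTNER_ACCOUNT_ID, "example-external-id"),
    }.items():
        print(name, json.dumps(policy, indent=2), trust_policy_findings(policy))
```

The review check is deliberately coarse: it flags any sts:AssumeRole statement that lacks an sts:ExternalId condition, which is the right bar for a cross-account trust policy but may be too strict for roles that are only assumed inside the same account, so treat its output as a prompt for review rather than a verdict.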

Type of access: Long-term credentials for designated IAM users in your Amazon Web Services account

Why would I use it?

You might have specific use cases that require long-term credentials with IAM users in Amazon. You can use IAM to create these IAM users in your Amazon Web Services account, and use IAM to manage their permissions. Some of the use cases include the following:

  • Workloads that cannot use IAM roles

  • Third-party Amazon clients

  • Amazon IAM Identity Center (successor to Amazon Single Sign-On) is not available for your account and you have no other identity provider

As a best practice in scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you rotate access keys. For more information, see Rotating access keys.

Where can I get more information?

For more information about setting up an IAM user, see Creating an IAM user in your Amazon Web Services account.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.
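As an added example, not part of this guide or of IAM's own tooling, the following Python audits an IAM credential report for the two controls just described and for the access-key rotation recommended earlier on this page: users who can sign in with a console password but have no MFA device, and active access keys older than a rotation threshold. The report text is a constructed sample that mirrors a subset of the real credential report's columns; the 90-day threshold, the fixed clock, the user names and the account ID are assumptions. The optional fetch helper reads a live report through boto3's generate_credential_report and get_credential_report calls and is not needed to run the sample.

```python
"""Audit an IAM credential report for users without MFA and for stale access keys.

Added example for this page, not IAM's own tooling. SAMPLE_REPORT is a constructed
sample covering a subset of the real report's columns; the 90-day threshold, the
fixed clock, the user names and the account ID are assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation threshold for this example

# Constructed sample (real reports are the CSV returned by GetCredentialReport).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws-cn:iam::123456789012:root,true,true,false,N/A,false,N/A
alice,arn:aws-cn:iam::123456789012:user/alice,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
bob,arn:aws-cn:iam::123456789012:user/bob,true,false,true,2023-11-20T00:00:00+00:00,false,N/A
ci-deploy,arn:aws-cn:iam::123456789012:user/ci-deploy,false,false,true,2024-01-10T00:00:00+00:00,true,2023-06-30T00:00:00+00:00
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def parse_report(csv_text: str) -> list[dict]:
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def key_age_days(last_rotated: str, now: datetime) -> int | None:
    """Days since rotation, or None for the report's non-date markers."""
    if last_rotated in ("N/A", "not_supported", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(last_rotated)).days


def audit(rows: list[dict], now: datetime = NOW, max_age: int = MAX_KEY_AGE_DAYS) -> list[str]:
    """Findings for password users without MFA and active keys past the rotation age."""
    findings = []
    for row in rows:
        user = row["user"]
        # A console password with no MFA device is single-factor sign-in.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password enabled without MFA")
        # Users that only hold access keys (the page's long-term-credential case)
        # are checked for rotation age instead.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = key_age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > max_age:
                findings.append(f"{user}: access key {slot} is {age} days old, rotate it")
    return findings


def fetch_report_csv() -> str:
    """Live variant (not used by the sample): read the report with boto3.

    GenerateCredentialReport must have completed before GetCredentialReport returns data.
    """
    import boto3  # imported here so the offline sample runs without the SDK

    iam = boto3.client("iam")
    iam.generate_credential_report()
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    for line in audit(parse_report(SAMPLE_REPORT)):
        print(line)
```

Run against the sample, the audit reports bob (password without MFA, plus a key well past the threshold) and both of ci-deploy's keys, while alice and the root account, which have MFA and recently rotated or no keys, produce nothing. Against a live report, GenerateCredentialReport is asynchronous, so a production script should poll until the call reports the report as complete before reading it.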

For more information about creating and securing IAM users, see the following topics in the IAM User Guide: