Plan access to your Amazon account
When setting up Amazon, plan how you intend people to access your Amazon account and resources to set up a well-designed and secure identity management solution.
Identity sources
According to IAM best practices, human users and workloads should use temporary credentials when they access your Amazon resources. Temporary credentials are granted to identities that access your resources using an IAM role. Both users federated into IAM and users in IAM Identity Center (either federated or created in the IAM Identity Center directory) use IAM roles to access resources.
Before you get started using Amazon, plan how to set up your identities, either by:
- Enabling IAM Identity Center with Amazon Organizations and adding users in IAM Identity Center directly to the organizational directory.
  To learn how to add users directly to the IAM Identity Center organizational directory, see Add users.
- Federating your existing external identity provider with either IAM Identity Center or IAM.
  To learn how to federate an external identity provider to the IAM Identity Center organizational directory, use the appropriate Getting started tutorial.
Access management
Identify the Amazon resources and services that your users will access and define the access permissions and policies required for each user, group, or role.
- If you use IAM Identity Center, an IAM identity provider, IAM roles, and permissions policies are automatically created in each Amazon account in your organization. These roles and permissions align with the permissions you specify when you assign people or groups to specific applications or Amazon accounts.
  For more information, see Assign user access and Set up single sign-on access to your applications.
- If you federate your identity provider directly with IAM in your Amazon Web Services account, you must create a role for your users to assume and two policies: a trust policy that specifies who can assume the role, and a permissions policy that specifies the Amazon actions and resources that the person assuming the role is allowed or denied access to.
  For more information, see Identity providers and federation into Amazon.
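The two policy documents that direct IAM federation requires, as an added illustration (not code from this page or from Amazon): a trust policy that limits role assumption to one SAML identity provider, a least-privilege permissions policy, and a small review function that flags trust policies with a wildcard principal or a missing audience condition. The account ID, provider name, bucket name, and sign-in audience URL are placeholders or assumptions for this example; substitute the values for your own partition and provider.

```python
import json

# Placeholder ARN for the SAML provider registered in IAM (hypothetical account and name).
SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"
# Assumed audience value for SAML sign-in; use the endpoint for your partition.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

def trust_policy(provider_arn: str) -> dict:
    """Trust policy: only identities asserted by this provider may assume the role,
    and only when the SAML assertion's audience matches the sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }

def permissions_policy() -> dict:
    """Permissions policy: what the assumed role may do (read-only on one constructed bucket)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-reports"},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-reports/*"},
        ],
    }

def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy for mistakes that would let unintended parties assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("wildcard principal: any identity could assume the role")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # Collect every condition key regardless of operator (StringEquals, StringLike, ...).
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if "sts:AssumeRoleWithSAML" in actions and "SAML:aud" not in cond_keys:
            findings.append("SAML statement lacks a SAML:aud condition")
    return findings

if __name__ == "__main__":
    print(json.dumps(trust_policy(SAML_PROVIDER_ARN), indent=2))
    print("findings:", trust_policy_findings(trust_policy(SAML_PROVIDER_ARN)))
```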