IAM Identities - Amazon Identity and Access Management

IAM Identities

An IAM identity can be associated with one or more policies, which determine what actions an identity is authorized to perform, on which Amazon resources, and under what conditions. IAM identities include IAM users, IAM groups, and IAM roles. An IAM entity is a type of identity that represents a human user or programmatic workload that can be authenticated and then authorized to perform actions in Amazon Web Services accounts. IAM entities include IAM users and IAM roles. For definitions of commonly used terms, see Terms.

You can federate existing identities from an external identity provider. These identities will assume IAM roles to access Amazon resources. For more information, see Identity providers and federation.

You can also use Amazon IAM Identity Center to create and manage identities and access to Amazon resources. IAM Identity Center permission sets automatically create the IAM roles needed to provide access to resources. For more information, see What is IAM Identity Center?

The Amazon Web Services account root user is an Amazon Web Services account principal that is created when your Amazon Web Services account is established. The root user has access to all Amazon services and resources in the account. For more information, see IAM root user.

IAM root user

When you first create an Amazon Web Services account, you begin with one sign-in identity that has complete access to all Amazon services and resources in the account. This identity is called the Amazon Web Services account root user. For more information, see Amazon account root user.

IAM users

An IAM user is an identity within your Amazon Web Services account that has specific permissions for a single person or application. For more information, see IAM users.

IAM user groups

An IAM user group is an identity that specifies a collection of IAM users. For more information, see User groups.

IAM roles

An IAM role is an identity within your Amazon Web Services account that has specific permissions. It's similar to an IAM user, but isn't associated with a specific person. For more information, see IAM roles.