What is IAM?

You can grant other people permission to administer and use resources in your Amazon account without having to share your password or access key.

You can grant different permissions to different people for different resources. For example, you might allow some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, Amazon Redshift, and other Amazon services. For other users, you can allow read-only access to just some S3 buckets, or permission to administer just some EC2 instances, or to access your billing information but nothing else.

You can use IAM features to securely provide credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other Amazon resources. Examples include S3 buckets and DynamoDB tables.

You can add two-factor authentication to your account and to individual users for extra security. With MFA you or your users must provide not only a password or access key to work with your account, but also a code from a specially configured device. If you already use a FIDO security key with other services, and it has an Amazon supported configuration, you can use WebAuthn for MFA security. For more information, see Supported configurations for using passkeys and security keys.

You can allow users who already have passwords elsewhere—for example, in your corporate network or with an internet identity provider—to get temporary access to your Amazon Web Services account.

If you use Amazon CloudTrail, you receive log records that include information about those who made requests for resources in your account. That information is based on IAM identities.

IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the Amazon Web Services PCI Compliance Package, see PCI DSS Level 1.

For a list of Amazon services that work with IAM, see Amazon services that work with IAM.

IAM, like many other Amazon services, is eventually consistent. IAM achieves high availability by replicating data across multiple servers within Amazon's data centers around the world. If a request to change some data is successful, the change is committed and safely stored. However, the change must be replicated across IAM, which can take some time. Such changes include creating or updating users, groups, roles, or policies. We recommend that you do not include such IAM changes in the critical, high-availability code paths of your application. Instead, make IAM changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. For more information, see Changes that I make are not always immediately visible.

Amazon Identity and Access Management (IAM) and Amazon Security Token Service (Amazon STS) are features of your Amazon account offered at no additional charge. You are charged only when you access other Amazon services using your IAM users or Amazon STS temporary security credentials. For information about the pricing of other Amazon products, see the Amazon Web Services pricing page.

The console is a browser-based interface to manage IAM and Amazon resources. For more information about accessing IAM through the console, see How to sign in to Amazon in the Amazon Sign-In User Guide.

You can use the Amazon command line tools to issue commands at your system's command line to perform IAM and Amazon tasks. Using the command line can be faster and more convenient than the console. The command line tools are also useful if you want to build scripts that perform Amazon tasks.

Amazon provides two sets of command line tools: the Amazon Command Line Interface (Amazon CLI) and the Amazon Tools for Windows PowerShell. For information about installing and using the Amazon CLI, see the Amazon Command Line Interface User Guide. For information about installing and using the Tools for Windows PowerShell, see the Amazon Tools for Windows PowerShell User Guide.

After signing in to the console, you can use Amazon CloudShell from your browser to run CLI or SDK commands. The permissions for accessing Amazon resources are based on the credentials you used to sign-in to the console. Depending on your experience, you may find the CLI to be a more efficient method of managing your Amazon Web Services account. For more information, see Using Amazon CloudShell to work with Amazon Identity and Access Management

Amazon provides SDKs (software development kits) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to IAM and Amazon. For example, the SDKs take care of tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about the Amazon SDKs, including how to download and install them, see the Tools for Amazon Web Services page.

You can access IAM and Amazon programmatically by using the IAM Query API, which lets you issue HTTPS requests directly to the service. When you use the Query API, you must include code to digitally sign requests using your credentials. For more information, see Calling the IAM API using HTTP query requests and the IAM API Reference.