IAM management methods - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM management methods

You can manage IAM using either the Amazon console, the Amazon command-line interface, or through the application interfaces (APIs) in the associated SDKs. As you are getting set up, consider which methods you want to support and how you plan to support different users.

Amazon Console

The Amazon Management Console is a web application that comprises and refers to a broad collection of service consoles for managing Amazon resources. When you first sign in, you see the console home page. The home page provides access to each service console and offers a single place to access the information for performing your Amazon related tasks. Which services and applications are available to you after signing in to the console depend on which Amazon resources you have permission to access. You can be granted permissions to resources either through assuming a role, being a member of a group that has been granted permissions, or being explicitly granted permission. For a stand-alone Amazon account, the root user or IAM administrator configures access to resources. For Amazon Organizations, the management account or delegated administrator configures access to resources.

If you plan to have people using the Amazon Management Console to manage Amazon resources, we recommend configuring users with temporary credentials as a security best practice. IAM users that have assumed a role, federated users, and users in IAM Identity Center have temporary credentials, while the IAM user and root user have long-term credentials. Root user credentials provide full access to the Amazon Web Services account, while other users have credentials that provide access to the resources granted them by IAM policies.

The sign-in experience is different for the different types of Amazon Web Services Management Console users.

  • IAM users and the root user sign-in from the main Amazon sign-in URL (https://signin.aws.amazon.com). Once they sign in they have access to the resources in the account to which they have been granted permission.

    To sign in as the root user you must have the root user email address and password.

    To sign in as an IAM user you must have the Amazon Web Services account number or alias, the IAM user name, and the IAM user password.

    We recommend that you restrict IAM users in your account to specific situations that require long-term credentials, such as for emergency access, and that you use the root user only for tasks that require root user credentials.

    For convenience, the Amazon sign-in page uses a browser cookie to remember the IAM user name and account information. The next time the user goes to any page in the Amazon Web Services Management Console, the console uses the cookie to redirect the user to the account sign-in page.

    Sign out of the console when you finish your session to prevent reuse of your previous sign in.

  • IAM Identity Center users sign in using a specific Amazon access portal that's unique to their organization. Once they sign in they can choose which account or application to access. If they choose to access an account, they choose which permission set they want to use for the management session.

  • Federated users managed in an external identity provider linked to an Amazon Web Services account sign-in using a custom enterprise access portal. The Amazon resources available to federated users are dependent upon the policies selected by their organization.


To provide an additional level of security, root user, IAM users, and users in IAM Identity Center can have multi-factor authentication (MFA) verified by Amazon before granting access to Amazon resources. When MFA is enabled, you must also have access to the MFA device to sign in.

To learn more about how different users sign-in to the management console, see Sign in to the Amazon Management Console in the Amazon Sign-In User Guide.

Amazon Command Line Interface (CLI) and Software Development Kits (SDKs)

IAM Identity Center and IAM users use different methods to authenticate their credentials when they authenticate through the CLI or the application interfaces (APIs) in the associated SDKs.

Credentials and configuration settings are located in multiple places, such as the system or user environment variables, local Amazon configuration files, or explicitly declared on the command line as a parameter. Certain locations take precedence over others.

Both IAM Identity Center and IAM provide access keys that can be used with the CLI or SDK. IAM Identity Center access keys are temporary credentials that can be automatically refreshed and are recommended over the long-term access keys associated with IAM users.

To manage your Amazon Web Services account using the CLI or SDK you can use Amazon CloudShell from your browser. If you use CloudShell to run CLI or SDK commands you must first sign-in to the console. The permissions for accessing Amazon resources are based on the credentials you used to sign-in to the console. Depending on your experience, you may find the CLI to be a more efficient method of managing your Amazon Web Services account.

For application development, you can download the CLI or SDK to your computer and sign-in from the command prompt or a Docker window. In this scenario, you configure authentication and access credentials as part of the CLI script or SDK application. You can configure programmatic access to resources in different ways, depending on the environment and the access available to you.

  • Recommended options for authenticating local code with Amazon service are IAM Identity Center and IAM Roles Anywhere

  • Recommended options for authenticating code running within an Amazon environment are to use IAM roles or use IAM Identity Center credentials.

If you are using IAM Identity Center you can get short-term credentials from the start page of the Amazon access portal where you choose your permission set. These credentials have a defined duration and don't automatically refresh. If you want to use these credentials, after signing in to the Amazon portal, choose the Amazon Web Services account and then choose the permissions set. Select Command line or programmatic access to view the options you can use to access Amazon resources programmatically or from the CLI. For more information about these methods, see Getting and refreshing temporary credentials in the IAM Identity Center User Guide. These credentials are often used during application development to quickly test code.

We recommend using IAM Identity Center credentials that automatically refresh when automating access to your Amazon resources. If you have configured users and permission sets in IAM Identity Center you use the aws configure sso command to use a command-line wizard that will help you identify the credentials available to you and store them in a profile. For more information about configuring your profile, see Configure your profile with the aws configure sso wizard in the Amazon Command Line Interface User Guide for Version 2.


Many sample applications use long-term access keys associated with IAM users or root user. You should only use long-term credentials within a sandbox environment as part of a learning exercise. Review the alternatives to long-term access keys and plan to transition your code to use alternative credentials, such as IAM Identity Center credentials or IAM roles, as soon as possible. After transitioning your code, delete the access keys.

To learn more about configuring the CLI, see Install or update the latest version of the Amazon CLI in the Amazon Command Line Interface User Guide for Version 2 and Authentication and access credentials in the Amazon Command Line Interface User Guide

To learn more about configuring the SDK, see IAM Identity Center authentication in the Amazon SDKs and Tools Reference Guide and IAM Roles Anywhere in the Amazon SDKs and Tools Reference Guide.