Authentication - Amazon Backup

Authentication

Access to Amazon Backup or the Amazon services that you are backing up requires credentials that Amazon can use to authenticate your requests. You can access Amazon as any of the following types of identities:

  • Amazon Web Services account root user – When you sign up for Amazon, you provide an email address and password that are associated with your Amazon account. This is your Amazon Web Services account root user. Its credentials provide complete access to all of your Amazon resources.

    Important

    For security reasons, we recommend that you use the root user only to create an administrator. The administrator is an IAM user with full permissions to your Amazon Web Services account. You can then use this admin user to create other IAM users and roles with limited permissions. For more information, see IAM Best Practices and Creating Your First IAM Admin User and Group in the IAM User Guide.

  • IAM user – An IAM user is an identity within your Amazon Web Services account that has specific custom permissions (for example, permissions to create a backup vault to store your backups in). You can use an IAM user name and password to sign in to secure Amazon webpages like the Amazon Web Services Management Console, Amazon Discussion Forums, or the Amazon Web Services Support Center.

    In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access Amazon services programmatically, either through one of the several SDKs or by using the Amazon Command Line Interface (Amazon CLI). The SDK and Amazon CLI tools use the access keys to cryptographically sign your request. If you don't use the Amazon tools, you must sign the request yourself. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

  • IAM role – An IAM role is another IAM identity that you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access Amazon services and resources. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – Instead of creating an IAM user, you can use pre-existing user identities from Amazon Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. Amazon assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide.

    • Cross-account administration – You can use an IAM role in your account to grant another Amazon Web Services account permissions to administer your account's resources. For an example, see Tutorial: Delegate Access Across Amazon Web Services Accounts Using IAM Roles in the IAM User Guide.

    • Amazon service access – You can use an IAM role in your account to grant an Amazon service permissions to access your account's resources. For more information, see Creating a Role to Delegate Permissions to an Amazon Service in the IAM User Guide.

    • Applications running on Amazon Elastic Compute Cloud (Amazon EC2) – You can use an IAM role to manage temporary credentials for applications running on an Amazon EC2 instance and making Amazon API requests. This is preferable to storing access keys within the EC2 instance. To assign an IAM role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide.