Amazon Identity and Access Management in Amazon Cloud Map - Amazon Cloud Map
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Identity and Access Management in Amazon Cloud Map

To perform any action on Amazon Cloud Map resources, such as registering a domain or updating a record, Amazon Identity and Access Management (IAM) requires you to authenticate that you're an approved Amazon user. If you're using the Amazon Cloud Map console, you authenticate your identity by providing your Amazon user name and a password. If you're accessing Amazon Cloud Map programmatically, your application authenticates your identity for you by using access keys or by signing requests.

After you authenticate your identity, IAM controls your access to Amazon by verifying that you have permissions to perform actions and to access resources. If you are an account administrator, you can use IAM to control the access of other users to the resources that are associated with your account.

This chapter explains how to use IAM and Amazon Cloud Map to help secure your resources.



You can access Amazon as any of the following:

  • Amazon Web Services account root user – When you first create an Amazon account, you begin with a single sign-in identity that has complete access to all Amazon services and resources in the account. This identity is called the Amazon Web Services account root user and is accessed by signing in with the email address and password that you used to create the account. When you create an Amazon Web Services account, you begin with one sign-in identity that has complete access to all Amazon Web Services and resources in the account. This identity is called the Amazon Web Services account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide.

  • IAM user – An IAM user is an identity within your Amazon account that has specific custom permissions (for example, permissions to create an HTTP namespace in Amazon Cloud Map). You can use your IAM sign-in credentials to secure Amazon webpages like the Amazon Web Services Management Console, Amazon Discussion Forums, or the Amazon Web Services Support Center.

    In addition to sign-in credentials, you can also generate access keys for each user. You can use these keys when you access Amazon services programmatically, either through one of the several SDKs or by using the Amazon Command Line Interface. The SDK and CLI tools use the access keys to cryptographically sign your request. If you don’t use Amazon tools, you must sign the request yourself. Amazon Cloud Map supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

  • IAM role – An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an Amazon identity with permissions policies that determine what the identity can and cannot do in Amazon. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – Instead of creating an IAM user, you can use existing user identities from Amazon Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. Amazon assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide.

    • Amazon service access – You can use an IAM role in your account to grant an Amazon service permissions to access your account's resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an Amazon Service in the IAM User Guide.

    • Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an Amazon EC2 instance and making Amazon API requests. This is preferable to storing access keys within the Amazon EC2 instance. To assign an Amazon role to an Amazon EC2 instance and make it available to all of its applications, you create an instance profile that's attached to the instance. An instance profile contains the role and enables programs that are running on the Amazon EC2 instance to get temporary credentials. For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide.

Access Control

To create, update, delete, or list Amazon Cloud Map resources, you need permissions to perform the action, and you need permission to access the corresponding resources. In addition, to perform the action programmatically, you need valid access keys.

The following sections describe how to manage permissions for Amazon Cloud Map. We recommend that you read the overview first.