What is an IAM user?
AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, AWS customers can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.
Without IAM, organizations with multiple users and systems must either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or employees must all share the security credentials of a single AWS account. Also, without IAM, customers have no control over the tasks a particular user or system can do and what AWS resources they might use.
IAM addresses this issue by enabling organizations to create multiple users (each user is a person, system, or application) who can use AWS products, each with individual security credentials, all controlled by and billed to a single AWS account. With IAM, each user is allowed to do only what they need to do as part of the user’s job.
How do I login as an IAM user?
This steps describes how to create an IAM group named Administrators, grant the group full permissions for all AWS services, create an IAM user for yourself, and add the user to the Administrators group.
To create the Administrators group
- Sign in to the AWS Management Console and open the IAM console.
- In the navigation pane, click Groups, then click Create New Group.
- Click Next Step, then click Create Group
- In the navigation pane, click on Add Users then click Users
- In the Group Name box, type Administrators and then click Next Step.
- Select AWS Management Console Access.
- Select Assign a custom password, then enter a password in the Password and Choose Next: Permissions
- Select The Check Box For Your New Group Then Choose Next Tag
- In the Create group dialog box, for Group name type
- The Check Box For AdministratorAccess. Then Choose Create group.
- On the Tags page, add metadata to the user by attaching tags as key-value pairs. For more information, see Tagging IAM users and roles.
- Verify the group memberships to be added to the new user. When you are ready to proceed, choose Create user.
- On the Complete page, you can download a .csv file with login information for the user, or send email with login instructions to the user.
- IAM gives you the following features:Shared access to your AWS account
- You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.Granular permissions
- You can grant different permissions to different people for different resources. For example, you might allow some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, Amazon Redshift, and other AWS services. For other users, you can allow read-only access to just some S3 buckets, or permission to administer just some EC2 instances, or to access your billing information but nothing else.Secure access to AWS resources for applications that run on Amazon EC2
- You can use IAM features to securely provide credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other AWS resources. Examples include S3 buckets and DynamoDB tables.Multi-factor authentication (MFA)
- You can add two-factor authentication to your account and to individual users for extra security. With MFA you or your users must provide not only a password or access key to work with your account, but also a code from a specially configured device.Identity federation
- You can allow users who already have passwords elsewhere—for example, in your corporate network or with an internet identity provider—to get temporary access to your AWS account.Identity information for assurance
- If you use AWS CloudTrail, you receive log records that include information about those who made requests for resources in your account. That information is based on IAM identities.PCI DSS Compliance
- IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.Integrated with many AWS services
- For a list of AWS services that work with IAM, see AWS services that work with IAM.Eventually Consistent
- IAM, like many other AWS services, is eventually consistent. IAM achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world. If a request to change some data is successful, the change is committed and safely stored. However, the change must be replicated across IAM, which can take some time. Such changes include creating or updating users, groups, roles, or policies. We recommend that you do not include such IAM changes in the critical, high-availability code paths of your application. Instead, make IAM changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. For more information, see Changes that I make are not always immediately visible.Free to use
- AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are features of your AWS account offered at no additional charge. You are charged only when you access other AWS services using your IAM users or AWS STS temporary security credentials. For information about the pricing of other AWS products, see the Amazon Web Services pricing page.
You can work with AWS Identity and Access Management in any of the following ways.AWS Management Console
The console is a browser-based interface to manage IAM and AWS resources. For more information about accessing IAM through the console, see Signing in to the AWS Management Console as an IAM user or root user. For a tutorial that guides you through using the console, see Creating your first IAM admin user and group.AWS Command Line Tools
You can use the AWS command line tools to issue commands at your system’s command line to perform IAM and AWS tasks. Using the command line can be faster and more convenient than the console. The command line tools are also useful if you want to build scripts that perform AWS tasks.
AWS provides two sets of command line tools: the AWS Command Line Interface (AWS CLI) and the AWS Tools for Windows PowerShell. For information about installing and using the AWS CLI, see the AWS Command Line Interface User Guide. For information about installing and using the Tools for Windows PowerShell, see the AWS Tools for Windows PowerShell User Guide.AWS SDKs
AWS provides SDKs (software development kits) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to IAM and AWS. For example, the SDKs take care of tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about the AWS SDKs, including how to download and install them, see the Tools for Amazon Web Services page.IAM HTTPS API
You can access IAM and AWS programmatically by using the IAM HTTPS API, which lets you issue HTTPS requests directly to the service. When you use the HTTPS API, you must include code to digitally sign requests using your credentials. For more information, see Calling the IAM API using HTTP query requests and the IAM API Reference.