AWS Identity and Access Management
Using IAM (API Version 2010-05-08)
Did this page help you?  Yes | No |  Tell us about it...
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.

IAM Best Practices

This article presents a list of suggestions for using the AWS Identity and Access Management (IAM) service to help secure your IAM resources.

Lock away your AWS account access keys

Any request you make for an AWS resource requires credentials so that AWS can make sure you have permission to access the resource. You can use access keys (an access key ID and secret access key) to make programmatic requests to AWS. However, we recommend that you do not use your AWS account access keys. The access key ID and secret access key for your AWS account give you access to all your resources, including your billing information. (For more information about credentials for working with AWS, see Types of Security Credentials in the Amazon Web Services General Reference.)

Therefore, protect your AWS account credentials like you would your credit card numbers or any other secret in these ways:

  • If you don't already have a set of access keys for your account, don't create them unless you absolutely need them. Instead, use your account password to sign in to the AWS Management Console and create an IAM user for yourself that has administrative privileges—see the next section.

  • If you do have a set of AWS access keys for your account, delete them. If you want to keep them, make sure that you rotate (change) the access keys credentials regularly. To delete or rotate your AWS account access keys, go to and sign in with your account's email address and password. You can manage your access keys in the Access Keys section.

  • Never share your AWS account password or access keys with anyone. The remaining sections of this document discuss various ways to avoid having to share your account credentials with other users and to avoid having to embed them in an application.

  • Use a strong password to help protect account-level access to the AWS Management Console. For information about managing your AWS account password, see Changing Your AWS Account Password.

  • Enable AWS multi-factor authentication (MFA) on your AWS account. For more information, see Using Multi-Factor Authentication (MFA) Devices with AWS.

Create individual IAM users

Don’t use your AWS root account credentials to access AWS, and don’t give your credentials to anyone else. Instead, create individual users (using the IAM console, the APIs, or the command line interface) for anyone who needs access to your AWS account. Create an IAM user for yourself as well, give that IAM user administrative privileges, and use that IAM user for all your work.

By creating individual IAM users for people accessing your account, you can give each IAM user a unique set of security credentials. You can also grant different permissions to each IAM user. If necessary, you can change or revoke an IAM user’s permissions any time. (If you give out your AWS root credentials, it can be difficult to revoke them.)


Before you set permissions for individual IAM users, though, see the next point about groups.

Use groups to assign permissions to IAM users

Instead of defining permissions for individual IAM users, it's usually more convenient to create groups that relate to job functions (Admins, Developers, Accounting, etc.), define the relevant permissions for each group, and then assign IAM users to those groups. All the users in an IAM group share the same permissions. That way, you can make changes for everyone in a group in just one place. As people move around in your company, you can simply change what IAM group their IAM user belongs to.

For more information, see the following:

Grant least privilege

When you create IAM policies, follow the standard security advice of granting least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks. Similarly, create policies for individual resources (such as Amazon S3 buckets) that identify precisely who is allowed to access the resource, and allow only the minimal permissions for those users. For example, perhaps developers should be allowed to write to an Amazon S3 bucket, but testers only need to read from it.

It’s more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Defining the right set of permissions requires some research to determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions.

A good way to start is to use the built-in AWS managed policies in the console. These policies include predefined permissions for common use cases (administrator, power user, etc.) in individual services.

You can also create custom policies that set permissions precisely. When you do, you need to be familiar with how Allow and Deny work in policies, and how policies are evaluated when more than one policy is in force during a request for a resource. (In cases where the right combination of permissions is complex, it can be tempting to loosen up the permissions—even to grant "all access" privileges—to make sure users have access to resources. But we do not recommend this approach; as noted, standard security advice is to grant least privilege.) You’ll also need to test thoroughly to make sure that users can do their work and that policies are working as you intend.

For more information, see the following:

Configure a strong password policy for your users

If you choose to allow users to change their own passwords, require that they create strong passwords, and that they rotate their passwords periodically. On the Account Settings page of the IAM console, you can create a password policy for your account. You can use the password policy to define password requirements, such as minimum length, whether it requires a non-alphabetic character, how frequently it must be rotated, and so on.

For more information, see Setting an Account Password Policy for IAM Users.

Enable MFA for privileged users

For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device, such as an app that runs on a smartphone.

For more information, see Using Multi-Factor Authentication (MFA) Devices with AWS.

Use roles for applications that run on Amazon EC2 instances

Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions, but that isn't a user or group. Roles also don't have their own permanent set of credentials the way IAM users do. Instead, a role is assumed by other entities. Credentials are then either associated with the assuming identity, or IAM dynamically provides temporary credentials (in the case of Amazon EC2).

When you launch an Amazon EC2 instance, you can specify a role for the instance as a launch parameter. Applications that run on the EC2 instance can use the role's credentials when they access AWS resources. The role's permissions determine what the application is allowed to do.

For more information, see Using IAM Roles to Delegate Permissions to Applications that Run on Amazon EC2.

Delegate by using roles instead of by sharing credentials

You might need to allow users from another AWS account to access resources in your AWS account. If so, don’t share security credentials, such as access keys, between accounts. Instead, use IAM roles. You can define a role that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts IAM users are allowed to assume the role.

For more information, see Roles - Terms and Concepts.

Rotate credentials regularly

Change your own passwords and access keys regularly, and make sure that all IAM users in your account do as well. That way, if a password is compromised without your knowledge, you limit how long the password can be used to access your resources. You can apply a password policy to your account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.

For more information about setting a password policy in your account, see Setting an Account Password Policy for IAM Users.

For more information about rotating credentials, see Rotating Credentials.

Remove unnecessary credentials

Remove IAM user credentials (that is, passwords and access keys) that are not needed. For example, an IAM user that is used for an application does not need a password (passwords are necessary only to sign in to AWS websites). Similarly, if a user does not and will never use access keys, there's no reason for the user to have them.

You can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, MFA devices, and signing certificates. For passwords, the credential report shows how recently a password has been used. Passwords that have not been used recently might be good candidates for removal.

For more information about IAM credential reports, see Getting Credential Reports for Your AWS Account.

Use policy conditions for extra security

To the extent that it's practical, define the conditions under which the policy allows access to a resource. For example, you can write conditions to specify a range of allowable IP addresses for a request, or you can specify that a request is allowed only within a specified date range or time range. You can also set conditions that require the use of SSL or MFA. For example, you can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance. The more explicitly you can define when resources are available (and otherwise unavailable), the safer your resources will be.

For more information, see Condition.

Keep a history of activity in your AWS account

Take advantage of the logging features available in AWS services. By examining log files of activity in your AWS account, you can see what actions users have taken in your account and what resources have been used, along with details like the time and date of actions, what the source IP was for an action, which actions failed due to inadequate permissions, and so on.

Logging is supported in multiple ways. AWS CloudTrail provides logging across AWS services. Amazon S3 and Amazon CloudFront have their own logging solutions. Log files about activity in your AWS account are written to Amazon S3 buckets.

For more information, see the following topics in the AWS documentation:

Video presentation about IAM best practices

The following video includes a conference presentation that covers these best practices and shows additional details about how to work with the features discussed here.