AWS Identity and Access Management
Using IAM (API Version 2010-05-08)
Next »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.Did this page help you?  Yes | No |  Tell us about it...

What Is IAM?

This section provides an introduction to IAM.

AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.

Without IAM, organizations with multiple users and systems must either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or employees must all share the security credentials of a single AWS account. Also, without IAM, you have no control over the tasks a particular user or system can do and what AWS resources they might use.

IAM addresses this issue by enabling organizations to create multiple users (each user is a person, system, or application) who can use AWS products, each with individual security credentials, all controlled by and billed to a single AWS account. With IAM, each user is allowed to do only what they need to do as part of the user's job.

Video Introduction to IAM

In the following video you'll learn the basics of using IAM to manage access to specific resources in your organization's AWS account. This video uses the AWS Management Console to show you how to create groups of users, set permissions for each group, generate a password, and use a sign-in URL to sign in to the console as an IAM user.

Pricing of IAM

AWS Identity and Access Management is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your IAM users. For information about the pricing of other AWS services, see the Amazon Web Services pricing page.

Features of IAM

IAM includes the following features:

  • Central control of users and security credentials—You can control creation, rotation, and revocation of each user's AWS security credentials (such as access keys)

  • Central control of user access—You can control what data in the AWS system users can access and how they access it

  • Shared AWS resources—Users can share data for collaborative projects

  • Permissions based on organizational groups—You can restrict users' AWS access based on their job duties (for example, admin, developer, etc.) or departments. When users move inside the organization, you can easily update their AWS access to reflect the change in their role

  • Central control of AWS resources—Your organization maintains central control of the AWS data the users create, with no breaks in continuity or lost data as users move around within or leave the organization

  • Control over resource creation—You can help make sure that users create AWS data only in sanctioned places

  • Networking controls—You can help make sure that users can access AWS resources only from within the organization's corporate network, using SSL

  • Single AWS bill—Your organization's AWS account gets a single AWS bill for all your users' AWS activity

Supported AWS Products

IAM is integrated with many AWS products. For information about which services are integrated with IAM, see AWS Services That Support IAM.

Important

The APIs for services do not change when they add support for IAM. Products that integrate with IAM have no new API actions related to access control.

If the users in your AWS account make API calls to any AWS products other than those that are integrated with IAM, they'll get an error. However, the AWS account itself (the umbrella entity above all the users) can call any AWS product the AWS account is signed up for.

Regarding IAM and Amazon DevPay:

  • Users in your AWS account can't create or sign up for products that use Amazon DevPay; only the AWS account can

  • If your AWS account purchases an Amazon EC2 paid Amazon Machine Image (AMI), the AWS account's users can launch and use instances of the AMI (assuming they have an IAM policy giving them permission to use the necessary Amazon EC2 actions)

  • If your AWS account purchases an Amazon S3 product that uses Amazon DevPay, the AWS account's users can't use the product; only the AWS account can

Migration to IAM

If your organization already uses AWS, migrating to IAM can be easy or potentially more challenging, depending on how your organization currently allocates its AWS resources. Here are the three scenarios.

  1. Your organization has just a single AWS account. In this case, you can easily migrate to using IAM, because all the organization's AWS resources are already together under a single AWS account.

  2. Your organization has multiple AWS accounts, with each AWS account belonging to a division in the organization. If these divisions don't need to share resources or users, then migrating is easy. Each division can keep its own AWS account and use IAM separately from the other divisions. You could also use Consolidated Billing, which would allow your organization to get a single bill across the AWS accounts (see IAM and Consolidated Billing).

  3. Your organization has multiple AWS accounts that don't represent logical boundaries between divisions. If you need the AWS accounts to share their resources and have common users, migrating to IAM will be more of a challenge. You will need to move the resources that need to be shared so they're under the ownership of a single AWS account. However, there's no automatic way to transfer the AWS resources from one AWS account to another. You need to create those resources again under the single AWS account.

No Change to Basic AWS Account Functions

There's no change to how an AWS account functions in terms of its login/password, security credentials, payment method, AWS account activity page, usage report, and so on. At this time, the AWS account activity page does not show a breakdown by user.

Security Credentials

Any person or application that interacts with AWS requires security credentials. AWS uses these credentials to identify who is making the call and whether to allow the requested access.

When you sign up for AWS, you sign up with an email address and password. Using these credentials, you can get full access to all resources in your AWS account. Because you can't control access on account credentials, AWS recommends that you use IAM credentials for day-to-day interaction with AWS. We recommend that you lock away the credentials that you used for setting up the account. As soon as you've created your account, set up an administrators group for your organization, create IAM users (including one for yourself), add them to the administrators group, and then give them privileges to administer your AWS resources. For more information, see IAM Best Practices.

Note

To help control who has access to the AWS account's credentials, AWS recommends that you use multi-factor authentication (MFA) with your AWS account's email address and password. For detailed information about AWS MFA, see the AWS Multi-Factor Authentication FAQs.

With IAM, you can control who can access which resources. For example, you can create individual users and give them each their own user name, password, and access keys. After you create your users, you can assign them different permissions to control which resources they can access. For more information, see IAM Users and Groups.

You can also use MFA with IAM. For information, see Using Multi-Factor Authentication (MFA) Devices with AWS.

For more information about account vs. IAM credentials, see Root Account Credentials vs. IAM User Credentials in the AWS General Reference.

How Do I Get Credentials?

AWS account credentials

To manage your AWS account credentials, such as your password, access keys (access key ID and secret access key), or MFA device, sign in with your account's email address and password at https://console.aws.amazon.com/iam/home?#security_credential.

IAM credentials

By default, a user has no security credentials. You create security credentials for your users as needed.

If your users require access to the AWS Management Console, you must create passwords for them. For more information, see Credentials (Passwords, Access Keys, MFA, and Certificates) . Users sign in to the console using a special URL for your account. For more information, see How IAM Users Sign in to Your AWS Account.

If your users require programmatic access to AWS, you must create access keys (access key ID and secret access key) for them. For more information, see Creating an IAM User in Your AWS Account.

You can also grant your users permission to create and manage their own credentials, or you can have an administrators group in your organization handle this. To grant users permissions to manage their credentials, see Permissions for Administering IAM Users, Groups, and Credentials.

Important

For security purposes, we recommend that you rotate your users' credentials on a regular basis. A user can have multiple access keys at a given time for this purpose. For more information, see Rotating Credentials.

IAM and Consolidated Billing

AWS offers a billing feature called Consolidated Billing. This lets you receive a single bill for multiple AWS accounts. (For more information, see Consolidated Billing in About AWS Billing and Cost Management.) In contrast, IAM lets you get a single bill across all the users in a single AWS account.

Your organization can use Consolidated Billing and IAM together. You might do this if your organization has multiple large divisions, and you want to isolate the users and AWS resources in each division from the other divisions. You could have a separate AWS account for each division, and use IAM in each division to create users and control their access to the division's AWS resources. You could then use Consolidated Billing to get a single bill across all the AWS accounts. The following diagram illustrates the concept.

Consolidated Billing and IAM together

With Consolidated Billing, one AWS account becomes the paying account, and pays for its own charges plus the charges of any linked AWS accounts. Each linked AWS account doesn't need to maintain a payment method with AWS, only the paying account does. Each month, AWS charges the paying account only. The paying account still functions like a normal AWS account; it could have its own users and AWS resources. Just as with the other AWS accounts, the users and resources in the paying account are isolated from the users and resources in the divisions' AWS accounts. The following diagram shows the paying account with its own users and AWS resources.

Paying account with own users and resources