IAM Identities - AWS Identity and Access Management

IAM Identities

An IAM identity represents a human user or programmatic workload that can be authenticated and then authorized to perform actions in AWS accounts. An identity can be associated with one or more policies, which determine what actions the identity is authorized to perform, on which AWS resources, and under what conditions. IAM identities include IAM users, IAM user groups, and IAM roles.
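The following is an added illustration (not AWS code, and not the real IAM evaluation engine) of how the identity-based policies attached to an identity decide a request: an explicit Deny in any attached policy wins, an explicit Allow is required, and anything else is an implicit deny. It also shows that a user's effective policies are its own plus those of the groups it belongs to, and how a Condition gates an Allow. The group, user, bucket ARNs and policies are constructed for the example; resource-based policies, permissions boundaries, SCPs and session policies are deliberately not modelled.

```python
"""Simplified model of how identity-based policies decide a request.

Added illustration, not AWS code. It mirrors the documented evaluation
rules for identity-based policies only: an explicit Deny in any attached
policy wins, an explicit Allow is required, everything else is an implicit
deny. Supports IAM's "*" and "?" wildcards in Action and Resource and a few
condition operators. Resource-based policies, permissions boundaries,
SCPs and session policies are not modelled.
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    # IAM policy wildcards: "*" matches any run of characters, "?" one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    # Every operator/key pair must hold; a key absent from the request context fails
    # (as with IAM's plain operators; the ...IfExists variants are not modelled).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringLike":
                ok = any(_matches(e, actual) for e in expected)
            elif operator == "Bool":
                ok = actual.lower() == expected[0].lower()
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    # Action names match case-insensitively, resource ARNs case-sensitively.
    if "Action" in stmt:
        if not any(_matches(p, action, True) for p in _as_list(stmt["Action"])):
            return False
    elif any(_matches(p, action, True) for p in _as_list(stmt.get("NotAction", []))):
        return False
    if "Resource" in stmt:
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            return False
    elif any(_matches(p, resource) for p in _as_list(stmt.get("NotResource", []))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request against a policy set."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_policies(user, groups):
    """A user's identity-based policies are its own plus those of every group it belongs to."""
    policies = list(user["policies"])
    for name in user["groups"]:
        policies.extend(groups[name]["policies"])
    return policies


# Constructed sample account (group, user, bucket and policies are made up).
GROUPS = {
    "developers": {"policies": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-app-logs",
                          "arn:aws:s3:::example-app-logs/*"]},
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::example-app-logs/*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
            {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
        ]},
    ]},
}
USERS = {
    "alice": {"groups": ["developers"], "policies": [
        # Inline Allow on the user: it still loses to the group's explicit Deny.
        {"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-app-logs/*"}},
    ]},
}


def decide(user_name, action, resource, context=None):
    return evaluate(effective_policies(USERS[user_name], GROUPS), action, resource, context)


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-logs/2024/app.log"
    print(decide("alice", "s3:GetObject", obj))                                        # Allow
    print(decide("alice", "s3:PutObject", obj))                                        # ImplicitDeny (no MFA in context)
    print(decide("alice", "s3:PutObject", obj, {"aws:MultiFactorAuthPresent": True}))  # Allow
    print(decide("alice", "s3:DeleteObject", obj))                                     # Deny (group Deny beats user Allow)
    print(decide("alice", "s3:GetObject", "arn:aws:s3:::other-bucket/x"))              # ImplicitDeny
```

The useful thing to take from the run is the ordering of outcomes: the user's own inline Allow for s3:DeleteObject is overridden by the Deny inherited from the group, the conditional PutObject Allow only applies when the MFA context key is present and true, and a resource outside the listed ARNs is denied without any Deny statement being involved.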

You can federate existing identities from an external identity provider. These identities assume IAM roles, which gives them temporary credentials for accessing AWS resources. For more information, see Identity providers and federation.

You can also use AWS IAM Identity Center to create and manage identities and access to AWS resources. IAM Identity Center permission sets automatically create the IAM roles needed to provide access to resources. For more information, see What is IAM Identity Center?

The AWS account root user is an AWS account principal that is created when your AWS account is established. The root user has access to all AWS services and resources in the account, and that access cannot be restricted by IAM policies, so it should be reserved for the few tasks that require it. For more information, see IAM root user.

IAM root user

When you first create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. For more information, see AWS account root user.

IAM users

An IAM user is an identity within your AWS account that has specific permissions for a single person or application. It has long-term credentials (a console password, access keys, or both). For more information, see IAM users.

IAM user groups

An IAM user group is an identity that specifies a collection of IAM users. Policies attached to the group apply to every member, which makes groups the simplest way to manage permissions for many users at once. A user group cannot itself be named as a principal in a policy; only its member users can. For more information, see User groups.

IAM roles

An IAM role is an identity within your AWS account that has specific permissions. It's similar to an IAM user, but isn't associated with a specific person and has no long-term credentials: a user, application, AWS service, or federated identity that is trusted by the role assumes it and receives temporary security credentials. For more information, see IAM roles.
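The following trust policy is an added example (not from the page, and not an AWS-supplied document) that ties together the two preceding points about federation and roles: a role's trust policy says who may assume it, while its separately attached permissions policies say what the role may do once assumed. The account IDs 111122223333 and 444455556666 and the SAML provider name ExampleIdP are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OperatorsFromIdentityAccountWithMfa",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    },
    {
      "Sid": "FederatedUsersViaSaml",
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::444455556666:saml-provider/ExampleIdP" },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
      }
    }
  ]
}
```

Two points a reviewer would check here. First, naming `:root` of another account as the principal delegates the decision of which identities in that account may assume the role to that account's own IAM policies, so the MFA condition is what keeps a compromised long-term access key in 111122223333 from using the role on its own. Second, the federated statement only trusts assertions from the registered provider for the AWS sign-in audience; the identity provider, not IAM, decides which of its users get such an assertion.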