This section describes IAM users, which you create in order to provide AWS identities (authentication) for people and processes in your AWS account. This section also describes groups, which are collections of IAM users that you can manage as a unit.
An IAM user is an entity that you create in AWS that provides a way to interact with AWS. A primary use for IAM users is to give people you work with identities that they can use to sign in to the AWS Management Console and to make requests to AWS services.
Newly created IAM users have no password and no access key (access key ID and secret access key). If the user needs to administer your AWS resources using the AWS Management Console, you can create a password for the user. If the user needs to interact with AWS programmatically (using the command line interface (CLI), the AWS SDK, or service-specific APIs), you can create an access key for that user. The credentials you create for users are what they use to uniquely identify themselves to AWS.
You can enhance the security of the user's credentials by enabling multi-factor authentication (MFA) for the user. With MFA, users have to provide both the credentials that are part of their user identity (a password or access key) and a temporary numeric code that's generated on a hardware device or by an application on a smartphone or tablet.
New IAM users also have no permissions to do anything; that is, they are not authorized to perform any AWS actions or to access any AWS resources. An advantage of having individual IAM users is that you can assign permissions individually to each user. You might assign administrative permissions to a few users, who then can administer your AWS resources and can even administer other IAM users. In most cases, you want to limit a user's permissions to just the tasks (AWS actions) and resources that the user needs for his or her job. Imagine an IAM user named Dave. When you create the user Dave, you create a password for that user and you attach permissions to the user that let him start Amazon EC2 instances and read (GET) information from an Amazon RDS database.
Each user is associated with one and only one AWS account. Because users are defined within your AWS account, users don't need to have a payment method on file with AWS. Any AWS activity performed by users in your account is billed to your account.
There's a limit to the number of users you can have. For more information, see Limitations on IAM Entities.
An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permission. You might create an IAM user to represent an application that needs to have credentials in order to make requests to AWS. An application might have its own identity in your account, and its own set of permissions, the same way that processes have their own identities and permissions in an operating system like Windows or Linux.
Because an IAM user is just an identity with specific permissions in your account, you might not need to create IAM users for every occasion on which you need credentials. In many cases, you can take advantage of the AWS Security Token Service to create temporary security credentials and IAM roles instead of using the long-term credentials associated with an IAM user.
Consider the following scenarios for when you might (and might not) need to create an IAM user in order to have credentials for accessing AWS.
Yes. You created an AWS account and you work by yourself. It's possible to work with AWS using the credentials for your root account. However, as a security best practice, we strongly recommend that you create an IAM user for yourself and use the credentials for that user when you work with AWS.
Yes. Other people in your group need to work in your AWS account, and your group is using no other identity mechanism. In that case, create IAM users for the individual people who need access to your AWS resources, assign appropriate permissions to each user, and give each user his or her own credentials.
Yes. You want to use the CLI to work with AWS; the CLI needs credentials that it can use to make calls to AWS. Create an IAM user and give that user permissions to run the CLI commands you need. Then configure the CLI on your computer to use these credentials.
No. You're creating an application that runs on an EC2 instance and that makes requests to AWS. Don't create an IAM user and pass the user's credentials to the application or embed the credentials in the application. Instead, use roles for EC2 to give the application temporary security credentials. For details, see Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources.
Not necessarily. You're creating an app that runs on a mobile phone and that makes requests to AWS. Don't create an IAM user and distribute the user's access key with the app. Instead, use an identity provider like Login with Amazon, Facebook, or Google to authenticate users, and then use that identity to get temporary security credentials. For details, see Creating a Mobile App with Third-Party Sign-In in the Using Temporary Security Credentials guide.
Maybe. You work in a company that already has an identity system, such as the login system for your corporate network. In that case, instead of creating individual IAM users for each user who needs AWS access, it might be practical to use a proxy server to translate user identities from the network into temporary AWS security credentials. For more information, see Using Your Company's Own Authentication System to Grant Access to AWS Resources in the Using Temporary Security Credentials guide.
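The two "don't embed the user's credentials" scenarios above are easier to enforce with a check than with a rule. The following added example (not part of the AWS documentation) shows the two controls a team usually wants: a scanner that flags long-term access key IDs pasted into application source, and a helper that writes a CLI credentials file the way the CLI-on-your-computer scenario expects, with owner-only file permissions. The sample source text and the key ID in it are constructed placeholders in the documented key-ID format, not real credentials.

```python
import os
import re
import stat
import tempfile

# AWS access key IDs have a fixed shape: a 4-letter prefix (AKIA for long-term
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics. Secret keys have no such prefix, so scanners key off the ID.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def find_embedded_keys(source: str):
    """Return (line_number, key_id) for every access key ID found in source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def credentials_file_is_private(path: str) -> bool:
    """True if the file grants no group/other permission bits (mode 0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def write_cli_profile(directory: str, profile: str, key_id: str, secret: str) -> str:
    """Write an AWS CLI credentials file for `profile` in `directory` and return
    its path. The file is created with mode 0600 so other local accounts cannot
    read the long-term IAM user credentials stored in it."""
    path = os.path.join(directory, "credentials")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(
            f"[{profile}]\n"
            f"aws_access_key_id = {key_id}\n"
            f"aws_secret_access_key = {secret}\n"
        )
    os.chmod(path, 0o600)  # an existing, looser file would otherwise keep its mode
    return path


# Constructed sample: an application source file with an IAM user's long-term
# key pasted in. "AKIAIOSFODNN7EXAMPLE" is a placeholder in the documented
# format, not a real key; the secret is an obvious placeholder as well.
SAMPLE_APP_SOURCE = """\
import boto3
# BAD: long-term IAM user credentials hard-coded into an EC2-hosted app
client = boto3.client("s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="<placeholder-secret>")
"""


def demo_private_profile() -> bool:
    """Write a placeholder profile into a temporary directory and report whether
    the resulting credentials file is private to its owner."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_cli_profile(tmp, "cli-user", "AKIAIOSFODNN7EXAMPLE", "<placeholder-secret>")
        return credentials_file_is_private(path)


if __name__ == "__main__":
    for lineno, key_id in find_embedded_keys(SAMPLE_APP_SOURCE):
        print(f"line {lineno}: embedded access key ID {key_id}")
    print("credentials file private:", demo_private_profile())
```

The scanner is deliberately narrow: it reports only the key-ID pattern, so it stays quiet on ordinary code, and a hit is worth treating as a finding even if the matching secret is not on the same line. The EC2 and mobile scenarios above are the cases where a hit means the design is wrong (the application should be obtaining temporary credentials), not merely that a file needs moving.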
A group is a collection of IAM users. Groups let you specify permissions for a collection of users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and should have administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove him or her from the old group and add him or her to the new group.
Following are some important characteristics of groups:
A group can contain many users, and a user can belong to multiple groups.
Groups can't be nested; they can contain only users, not other groups.
There's no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it.
There's a limit to the number of groups you can have, and a limit to how many groups a user can be in. For more information, see Limitations on IAM Entities.
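The permission model described for Dave above and for groups here can be captured in a small evaluator. The following added example (not AWS code and not the real IAM evaluation engine, which has many more policy features) models only the rules the text states: a new user has no permissions, policies can be attached to a user or inherited from each group the user belongs to, groups hold only users and cannot be nested, and an explicit Deny always overrides an Allow. Dave, Jim and the Admins group come from the page; the "Newcomer" user and the policy contents are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Statement:
    effect: str                      # "Allow" or "Deny"
    actions: list                    # e.g. ["ec2:StartInstances", "rds:Describe*"]
    resources: list = field(default_factory=lambda: ["*"])


@dataclass
class Policy:
    name: str
    statements: list


class Group:
    def __init__(self, name: str):
        self.name = name
        self.policies = []
        self.members = []

    def add_member(self, member):
        # Groups cannot be nested: they may contain only users.
        if isinstance(member, Group):
            raise ValueError(f"group {member.name} cannot be nested in group {self.name}")
        self.members.append(member)
        member.groups.append(self)

    def remove_member(self, member):
        # Changing jobs: remove from the old group (and add to the new one).
        self.members.remove(member)
        member.groups.remove(self)


class User:
    def __init__(self, name: str):
        self.name = name
        self.policies = []   # policies attached directly to the user
        self.groups = []     # maintained by Group.add_member / remove_member

    def effective_statements(self):
        # The user's permissions are the union of the directly attached
        # policies and the policies of every group the user belongs to.
        for policy in self.policies:
            yield from policy.statements
        for group in self.groups:
            for policy in group.policies:
                yield from policy.statements


def is_allowed(user: User, action: str, resource: str = "*") -> bool:
    """Everything is denied by default; a matching explicit Deny wins outright;
    otherwise a matching Allow grants the action."""
    allowed = False
    for st in user.effective_statements():
        if not any(fnmatchcase(action, pat) for pat in st.actions):
            continue
        if not any(fnmatchcase(resource, pat) for pat in st.resources):
            continue
        if st.effect == "Deny":
            return False
        if st.effect == "Allow":
            allowed = True
    return allowed


def build_example_account():
    """Constructed account: Dave with directly attached permissions (start EC2
    instances, read RDS information), an Admins group whose members inherit
    full access, and a freshly created user with nothing attached."""
    dave = User("Dave")
    dave.policies.append(Policy("DavePolicy", [
        Statement("Allow", ["ec2:StartInstances"]),
        Statement("Allow", ["rds:Describe*"]),
    ]))
    admins = Group("Admins")
    admins.policies.append(Policy("AdminAccess", [Statement("Allow", ["*"])]))
    jim = User("Jim")
    admins.add_member(jim)
    newcomer = User("Newcomer")  # new IAM user: no policies, no groups
    return {"Dave": dave, "Jim": jim, "Newcomer": newcomer, "Admins": admins}


if __name__ == "__main__":
    acct = build_example_account()
    for name, action in [("Dave", "ec2:StartInstances"), ("Dave", "ec2:TerminateInstances"),
                         ("Jim", "iam:CreateUser"), ("Newcomer", "ec2:StartInstances")]:
        print(f"{name} -> {action}: {is_allowed(acct[name], action)}")
```

The evaluator makes the "least privilege by default" point concrete: Dave can start instances and describe RDS resources and nothing else, Jim has whatever Admins grants for exactly as long as he is a member, and Newcomer can do nothing until a policy or group membership is added.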
The following diagram shows a simple example of a small company. The company owner uses the AWS account credentials to create an Admins group that can include users who can create and manage the users as the company grows. The Admins group establishes a Development group and a Test group. Each of these groups consists of users (humans and applications) that interact with AWS (Jim, Brad, DevApp1, and so on). Each user has an individual set of security credentials. In this example, each user belongs to a single group. However, users can belong to multiple groups.