AWS Identity and Access Management
User Guide

Limitations on IAM Entities and Objects

This section lists restrictions on IAM entities, and describes how to get information about entity usage and IAM quotas.

Note

To get account-level information about entity usage and quotas, use the GetAccountSummary API action or the get-account-summary AWS CLI command.

The following are restrictions on names:

  • Policy documents can contain only the following Unicode characters: horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.

  • Names of users, groups, roles, policies, instance profiles, and server certificates must be alphanumeric and may also include the following common characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-).

  • Names of users, groups, and roles must be unique within the account. They are not distinguished by case; for example, you cannot create groups named both "ADMINS" and "admins".

  • Path names must begin and end with a forward slash (/).

  • Policy names for inline policies must be unique to the user, group, or role they are embedded in, and can contain any Basic Latin (ASCII) characters except the following reserved characters: backward slash (\), forward slash (/), asterisk (*), question mark (?), and white space. These characters are reserved according to RFC 3986.

  • User passwords (login profiles) can contain any Basic Latin (ASCII) characters.

  • AWS account ID aliases must be unique across AWS products, and must be alphanumeric following DNS naming conventions. An alias must be lowercase, it must not start or end with a hyphen, it cannot contain two consecutive hyphens, and it cannot be a 12-digit number.

For a list of Basic Latin (ASCII) characters, go to the Library of Congress Basic Latin (ASCII) Code Table.
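The name, path, alias, and policy-document character rules above, expressed as a small pre-flight validator. This is an added example, not AWS code; the maximum name lengths it applies are the ones listed later on this page, and the sample inputs are constructed.

```python
import re

# Maximum name lengths by entity type, as listed on this page.
NAME_MAX_LEN = {"user": 64, "group": 128, "role": 64,
                "policy": 128, "instance_profile": 128}
# Alphanumeric plus the common characters the page allows in names.
NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]+$")
# Account alias: lowercase DNS-style label, no leading/trailing hyphen, no "--".
ALIAS_RE = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?!-))*[a-z0-9]$")


def valid_name(name, kind):
    """Names of users, groups, roles, policies and instance profiles."""
    return 0 < len(name) <= NAME_MAX_LEN[kind] and bool(NAME_RE.match(name))


def name_conflicts(existing, candidate):
    """Names are unique per account without regard to case (ADMINS == admins)."""
    return candidate.casefold() in {n.casefold() for n in existing}


def valid_path(path):
    """Paths must begin and end with '/' and are capped at 512 characters."""
    return 0 < len(path) <= 512 and path.startswith("/") and path.endswith("/")


def valid_inline_policy_name(name):
    """ASCII only, excluding the reserved characters \\ / * ? and whitespace."""
    return (0 < len(name) <= 128
            and all(ord(c) < 128 for c in name)
            and not any(c in "\\/*?" or c.isspace() for c in name))


def valid_account_alias(alias):
    """3 to 63 lowercase DNS-style characters; a bare 12-digit number is rejected."""
    if not 3 <= len(alias) <= 63 or not ALIAS_RE.match(alias):
        return False
    return re.fullmatch(r"\d{12}", alias) is None


def valid_policy_document_chars(document):
    """Policy JSON may contain only tab, LF, CR and U+0020..U+00FF."""
    return all(c in "\t\n\r" or 0x20 <= ord(c) <= 0xFF for c in document)
```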

The following are the default maximums for IAM entities:

  • Groups in an AWS account: 100

  • Users in an AWS account: 5000

    If you need to add a large number of users, consider using temporary security credentials. For more information about temporary security credentials, go to Temporary Security Credentials.

  • Roles in an AWS account: 250

  • Instance profiles in an AWS account: 100

  • Roles in an instance profile: 1 (each instance profile can contain only 1 role)

  • Groups a user can be a member of: 10

  • Access keys assigned to a user: 2

  • MFA devices in use by a user: 1

  • MFA devices in use by the AWS root account: 1

  • Virtual MFA devices (assigned or unassigned) in an AWS account: equal to the user quota for the account

  • Signing certificates assigned to a user: 2

  • Server certificates stored in an AWS account: 20

  • Aliases for an AWS account: 1

  • Login profiles for a user: 1

  • SAML providers in an AWS account: 100

  • Identity providers (IdPs) associated with an IAM SAML provider object: 10

  • Keys per SAML provider: 10

  • Customer managed policies for an AWS account: 1000

  • Versions of a managed policy that can be stored: 5

  • Managed policies attached to an IAM user, group, or role: 10

You can request to increase some of these quotas for your AWS account on the IAM Limit Increase Contact Us Form. Currently you can request to increase the limit on users per AWS account, groups per AWS account, roles per AWS account, instance profiles per AWS account, and server certificates per AWS account.

The following are the maximum lengths for entities:

  • Path: 512 characters

  • User name: 64 characters

  • Group name: 128 characters

  • Role name: 64 characters

    Important

    If you intend to use a role with the Switch Role feature in the AWS console, then the combined Path and RoleName cannot exceed 64 characters.

  • Instance profile name: 128 characters

  • Unique ID (applicable to users, groups, roles, managed policies, and server certificates): 32 characters

  • Policy name: 128 characters

  • Certificate ID: 128 characters

  • Login profile password: 1 to 128 characters

  • AWS account ID alias: 3 to 63 characters

  • Role trust policy (the policy that determines who is allowed to assume the role): 2,048 characters

  • Role session name: 64 characters

  • For inline policies: You can add as many inline policies as you want to a user, role, or group, but the total aggregate policy size (the combined size of all inline policies) per entity cannot exceed the following limits:

    • User policy size cannot exceed 2,048 characters

    • Role policy size cannot exceed 10,240 characters

    • Group policy size cannot exceed 5,120 characters

    Note

    IAM does not count whitespace when calculating the size of a policy against these limitations.

  • For managed policies: You can add up to 10 managed policies to a user, role, or group. The size of each managed policy cannot exceed 5,120 characters.

    Note

    IAM does not count whitespace when calculating the size of a policy against this limitation.
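An added example (not AWS code) that measures policy size the way the inline and managed policy limits above describe, ignoring whitespace, and checks one entity's inline policies and managed policy attachments against those limits. The sample policy is constructed; the per-entity numbers come from this page.

```python
import json

# Aggregate inline policy limits per entity type, and the managed policy limits.
INLINE_LIMIT = {"user": 2048, "role": 10240, "group": 5120}
MANAGED_POLICY_LIMIT = 5120
MAX_ATTACHED_MANAGED = 10

# Constructed sample policy document used below.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                   "Resource": "arn:aws:s3:::example-bucket"}],
}
SAMPLE_POLICY_PRETTY = json.dumps(SAMPLE_POLICY, indent=4)


def policy_size(document):
    """Character count with all whitespace excluded, as IAM counts it."""
    text = document if isinstance(document, str) else json.dumps(document)
    return sum(1 for c in text if not c.isspace())


def inline_policy_report(kind, documents):
    """Total inline policy size for one user/role/group against its limit."""
    total = sum(policy_size(d) for d in documents)
    limit = INLINE_LIMIT[kind]
    return {"total": total, "limit": limit,
            "remaining": limit - total, "ok": total <= limit}


def managed_attachment_problems(documents):
    """Problems with attaching this set of managed policies to one entity."""
    problems = []
    if len(documents) > MAX_ATTACHED_MANAGED:
        problems.append(f"{len(documents)} managed policies attached; "
                        f"limit is {MAX_ATTACHED_MANAGED}")
    for i, d in enumerate(documents):
        size = policy_size(d)
        if size > MANAGED_POLICY_LIMIT:
            problems.append(f"policy {i} is {size} characters; "
                            f"limit is {MANAGED_POLICY_LIMIT}")
    return problems


def oversized_managed_policy(statement_count):
    """Build a constructed policy with many statements to exceed the managed limit."""
    return {"Version": "2012-10-17",
            "Statement": SAMPLE_POLICY["Statement"] * statement_count}
```

Because whitespace is excluded, a pretty-printed document and its compact form report the same size, so formatting choices do not eat into the limits.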