AWS Identity and Access Management
User Guide

Access Management

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. When a principal makes a request in AWS, the IAM service checks whether the principal is authenticated (signed in) and authorized (has permissions). You manage access by creating policies and attaching them to IAM identities or AWS resources. Those policies specify the permissions that are allowed or denied. For details about the rest of the authentication and authorization process, see Understanding How IAM Works.


During authorization, IAM uses values from the request context to check for matching policies and determine whether to allow or deny the request.

Policies are stored in AWS as JSON documents and specify the permissions that are allowed or denied for principals (identity-based policies) or resources (resource-based policies). Identity-based policies include AWS managed policies, customer managed policies, and inline policies. Resource-based policies also include trust policies. For more information about these types of policies, see IAM Policies.

IAM checks each policy that matches the context of the request. If a single policy includes a denied action, IAMdenies the entire request and stops evaluating policies. This is called an explicit deny. Because requests are denied by default, IAM authorizes your request only if every part of your request is allowed by the matching policies. The evaluation logic follows these rules:

  • By default, all requests are denied.

  • An explicit allow overrides this default.

  • An explicit deny overrides any allows.


By default, only the AWS account root user has access to all of the resources in that account. So if you are not signed in as the root user, you must have permissions granted by a policy.

After your request has been authenticated and authorized, AWS approves the request. If you need to make a request in a different account, the resource in that account must have a resource-based policy that allows access from your account. Otherwise, you must assume a role within that account with the permissions that you need.

Access Management Resources

For more information about permissions and about creating policies, see the following resources: