Document History for IAM - AWS Identity and Access Management

Document History for IAM

The following table describes major documentation updates for IAM.

Change Description Date

Use Service Quotas to request quick increases for IAM entities

You can request quota increases for adjustable IAM quotas using the Service Quotas console. Now, some increases are automatically approved in Service Quotas and available in your account within a few minutes. Larger requests are submitted to AWS Support.

June 25, 2020

Last Accessed Information in IAM now includes Amazon S3 management actions

In addition to service last accessed information, you can now view information in the IAM console about the last time an IAM principal used an Amazon S3 action. You can also use the AWS CLI or AWS API to retrieve the data report. The report includes information about the allowed services and actions that principals last attempted to access and when. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege.

June 3, 2020

Security chapter addition

The security chapter helps you understand how to configure IAM and AWS STS to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your IAM resources.

April 29, 2020


You can now write a policy that grants permissions based on the session name that a principal specifies when assuming a role.

April 21, 2020

AWS Sign-in Page Update

When you sign in on the main AWS sign-in page, you can no choose to sign in as the AWS account root user or an IAM user. When you do, the label on the page indicates whether you should provide your root user email address or your IAM user account information. This documentation includes updated screen captures to help you understand the AWS sign-in pages.

March 4, 2020

aws:ViaAWSService and aws:CalledVia Condition Keys

You can now write a policy to limit whether services can make requests on behalf of an IAM principal (user or role). When a principal makes a request to an AWS service, that service might use the principal's credentials to make subsequent requests to other services. Use the aws:ViaAWSService condition key to match if any service makes a request using a principal's credentials. Use the aws:CalledVia condition keys to match if specific services make a request using a principal's credentials.

February 20, 2020

Policy Simulator adds support for Permissions Boundaries

You can now test the effect of permissions boundaries on IAM entities with the IAM policy simulator.

January 23, 2020

Cross-Account Policy Evaluation

You can now learn how AWS evaluates policies for cross-account access. This occurs when a resource in a trusting account includes a resource-based policy that allows a principal in another account to access the resource. The request must be allowed in both accounts.

January 2, 2020

Session Tags

You can now include tags when you assume a role or federate a user in AWS STS. When you perform the AssumeRole or GetFederationToken operation, you can pass the session tags as attributes. When you perform the AssumeRoleWithSAML or AssumeRoleWithWebIdentity operations, you can pass attributes from your corporate identities to AWS.

November 22, 2019

Control access for groups of AWS accounts in AWS Organizations

You can now reference organizational units (OUs) from AWS Organizations in IAM policies. If you use Organizations to organize your accounts into OUs, you can require that principals belong to a specific OU before granting access to your resources. Principals include AWS account root user, IAM users and IAM roles. To do this, specify the OU path in the aws:PrincipalOrgPaths condition key in your policies.

November 20, 2019

Role Last Used

You can now view the date, time, and Region where a role was last used. This information also helps you identify unused roles in your account. You can use the AWS Management Console, AWS CLI and AWS API to view information about when a role was last used.

November 19, 2019

Update to the Global Condition Context Keys Page

You can now learn when each of the global condition keys is included in the context of a request. You can also navigate to each key more easily using the page table of contents (TOC). The information on the page helps you to write more accurate policies. For example, if your employees use federation with IAM roles, you should use the aws:userId key and not the aws:userName key. The aws:userName key applies only to IAM users and not roles.

October 6, 2019


Learn how attribute-based access control (ABAC) works in AWS using tags, and how it compares to the traditional AWS authorization model. Use the ABAC tutorial to learn how to create and test a policy that allows IAM roles with principal tags to access resources with matching tags. This strategy allows individuals to view or edit only the AWS resources required for their jobs.

October 3, 2019

AWS STS GetAccessKeyInfo Operation

You can review the AWS access keys in your code to determine whether the keys are from an account that you own. You can pass an access key ID using the aws sts get-access-key-info AWS CLI command or the GetAccessKeyInfo AWS API operation.

July 24, 2019

Viewing Organizations Service Last Accessed Information in IAM

You can now view service last accessed information for an AWS Organizations entity or policy in the AWS Organizations section of the IAM console. You can also use the AWS CLI or AWS API to retrieve the data report. This data includes information about the allowed services that principals in an Organizations account last attempted to access and when. You can use this information to identify unnecessary permissions so that you can refine your Organizations policies to better adhere to the principle of least privilege.

June 20, 2019

Using a Managed Policy as a Session Policy

You can now pass up to 10 managed policy ARNs when you assume a role. This allows you to limit the permissions of the role's temporary credentials.

May 7, 2019

AWS STS Region Compatibility of Session Tokens for the Global Endpoint

You can now choose whether to use version 1 or version 2 global endpoint tokens. Version 1 tokens are valid only in AWS Regions that are available by default. These tokens will not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens.

April 26, 2019

Allow Enabling and Disabling AWS Regions

You can now create a policy that allows an administrator to enable and disable the Asia Pacific (Hong Kong) Region (ap-east-1).

April 24, 2019

IAM User My Security Credentials Page

IAM users can now manage all of their own credentials on the My Security Credentials page. This AWS Management Console page displays account information such as the account ID and canonical user ID. Users can also view and edit their own passwords, access keys, X.509 certificates, SSH keys, and Git credentials.

January 24, 2019

Access Advisor API

You can now use the AWS CLI and AWS API to view service last accessed information.

December 7, 2018

Tagging IAM Users and Roles

You can now use IAM tags to add custom attributes to an identity (IAM user or role) using a tag key–value pair. You can also use tags to control an identity's access to resources or to control what tags can be attached to an identity.

November 14, 2018

U2F security keys

You can now use U2F security keys as a multi-factor authentication (MFA) option when signing in to the AWS Management Console.

September 25, 2018

Support for Amazon VPC endpoints

You can now establish a private connection between your VPC and AWS STS in the US West (Oregon) Region.

July 31, 2018

Permissions Boundaries

New feature makes it easier to grant trusted employees the ability to manage IAM permissions without also granting full IAM administrative access.

July 12, 2018


New condition key provides an easier way to control access to AWS resources by specifying the AWS organization of IAM principals.

May 17, 2018


New condition key provides an easier way to use IAM policies to control access to AWS Regions.

April 25, 2018

Increased session duration for IAM roles

An IAM role can now have a session duration of 12 hours.

March 28, 2018

Updated role-creation workflow

New workflow improves the process of creating trust relationships and attaching permissions to roles.

September 8, 2017

AWS account sign-in process

Updated AWS sign-in experience allows both root users and IAM users to use the Sign In to the Console link on the AWS Management Console's home page.

August 25, 2017

Example IAM policies

Documentation update features more than 30 example policies.

August 2, 2017

IAM best practices

Information added to the Users section of the IAM console makes it easier to follow IAM best practices.

July 5, 2017

Auto Scaling resources

Resource-level permissions can control access to and permissions for Auto Scaling resources.

May 16, 2017

Amazon RDS for MySQL and Amazon Aurora databases

Database administrators can associate database users with IAM users and roles and thus manage user access to all AWS resources from a single location.

April 24, 2017

Service-linked roles

Service-linked roles provide an easier and more secure way to delegate permissions to AWS services.

April 19, 2017

Policy summaries

New policy summaries make it easier to understand permissions in IAM policies.

March 23, 2017