Getting set up with IAM - AWS Identity and Access Management

Getting set up with IAM

AWS Identity and Access Management (IAM) helps you securely control access to Amazon Web Services (AWS) and your account resources. IAM can also keep your account credentials private. With IAM, you can create multiple IAM users under the umbrella of your AWS account or enable temporary access through identity federation with your corporate directory. In some cases, you can also enable access to resources across AWS accounts.

Without IAM, however, you must either create multiple AWS accounts—each with its own billing and subscriptions to AWS products—or your employees must share the security credentials of a single AWS account. In addition, without IAM, you cannot control the tasks a particular user or system can do and what AWS resources they might use.

This guide provides a conceptual overview of IAM, describes business use cases, and explains AWS permissions and policies.

Using IAM to give users access to your AWS resources

Here are the ways you can use IAM to control access to your AWS resources.

Type of access Why would I use it? Where can I get more information?

Access for users in your AWS account

You want to add users under the umbrella of your AWS account, and you want to use IAM to create users and manage their permissions.

To learn how to use the AWS Management Console to create users and to manage their permissions in your AWS account, see Getting started with IAM.

To learn about using the IAM API or AWS Command Line Interface to create users in your AWS account, see Creating your first IAM admin user and user group.

For more information about working with IAM users, see IAM Identities (users, user groups, and roles).

Non-AWS user access via identity federation between your authorization system and AWS

You have non-AWS users in your identity and authorization system, and they need access to your AWS resources.

To learn how to use session tokens to give your users access to your AWS account resources through federation with your corporate directory, go to Temporary security credentials in IAM. For information about the AWS Security Token Service API, go to the AWS Security Token Service API Reference.

Cross-account access between AWS accounts

You want to share access to certain AWS resources with users under other AWS accounts.

To learn how to use IAM to grant permissions to other AWS accounts, see Roles terms and concepts.

Do I need to sign up for IAM?

If you don't already have an AWS account, you need to create one to use IAM. You don't need to specifically sign up to use IAM. There is no charge to use IAM.


IAM works only with AWS products that are integrated with IAM. For a list of services that support IAM, see AWS services that work with IAM.

To sign up for AWS

  1. Open

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to an administrative user, and use only the root user to perform tasks that require root user access.

Additional resources

Here are some resources to help you get things done with IAM.