Getting started with IAM - AWS Identity and Access Management

Getting started with IAM

Use this tutorial to get started with AWS Identity and Access Management (IAM). You'll learn how to create roles, users, and policies using the AWS Management Console.

AWS Identity and Access Management is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS products by your IAM users. For information about the pricing of other AWS products, see the Amazon Web Services pricing page.

Note

This set of documentation deals primarily with the IAM service. To learn about getting started with AWS and using multiple services to solve a problem such as building and launching your first project, see the Getting Started Resource Center.

Prerequisites

Before you begin, be sure that you've completed the steps in Getting set up with IAM. This tutorial uses the administrator account you created in that procedure.

Create your first IAM user

An IAM user is an identity within your AWS account that has specific permissions for a single person or application. Users can be organized into groups that share the same permissions.

Note

As a security best practice, we recommend that you provide access to your resources through identity federation instead of creating IAM users. For information about specific situations where an IAM user is required, see When to create an IAM user (instead of a role).

For the purpose of familiarizing yourself with the process of creating an IAM user, this tutorial steps you through creating an IAM user and group for emergency access.

To create your first IAM user

  1. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to AWS in the AWS Sign-In User Guide.

  2. On the Console Home page, select the IAM service.

  3. In the navigation pane, select Users and then select Add users.

    Note

    If you have IAM Identity Center enabled, the AWS Management Console displays a reminder that it is best to manage users' access in IAM Identity Center. In this tutorial, the IAM user you create is specifically for use only when the credentials of your IAM Identity Center user are unavailable.

  4. For User name, enter EmergencyAccess. Names cannot contain spaces.

  5. Select the check box next to Provide user access to the AWS Management Console - optional and then choose I want to create an IAM user.

  6. Under Console password, select Autogenerated password.

  7. Clear the check box next to User must create a new password at next sign-in (recommended). Because this IAM user is for emergency access, a trusted administrator retains the password and only provides it when needed.

  8. On the Set permissions page, under Permissions options, select Add user to group. Then, under User groups, select Create group.

  9. On the Create user group page, in User group name, enter EmergencyAccessGroup. Then, under Permissions policies, select AdministratorAccess.

  10. Select Create user group to return to the Set permissions page.

  11. Under User groups, select the name of the EmergencyAccessGroup you created previously.

  12. Select Next to proceed to the Review and create page.

  13. On the Review and create page, review the list of user group memberships to be added to the new user. When you are ready to proceed, select Create user.

  14. On the Retrieve password page, select Download .csv file to save a .csv file with the user credential information (Connection URL, user name, and password).

  15. Save this file to use if you need to sign in to IAM and do not have access to your federated identity provider.

The new IAM user is displayed in the Users list. Select the User name link to view the user details. Under Summary, copy the ARN of the user to the clipboard. Paste the ARN into a text document so that you can use it in the next procedure.

Create your first role

IAM roles are a secure way to grant permissions to entities you trust. An IAM role has some similarities to an IAM user. Roles and users are both principals with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. Using roles helps you follow the IAM best practices. You can use a role to:

  • Give workforce identities and IAM Identity Center enabled applications access to the AWS Management Console through AWS IAM Identity Center.

  • Delegate permission to an AWS service to carry out actions on your behalf.

  • Enable application code running on an Amazon EC2 instance to access or modify AWS resources.

  • Grant access to another AWS account.

Note

You can use AWS Identity and Access Management Roles Anywhere to give access to machine identities. Using IAM Roles Anywhere means you don't need to manage long-term credentials for workloads running outside of AWS. For more information, see What is AWS Identity and Access Management Roles Anywhere? in the AWS Identity and Access Management Roles Anywhere User Guide.

IAM Identity Center and other AWS services automatically create roles for their services. If you are using IAM users, we recommend that you create roles for your users to assume when they sign in. This gives them temporary permissions for the duration of the session instead of long-term permissions.

The AWS Management Console wizard that guides you through the steps for creating a role displays slightly different steps depending on whether you're creating a role for an IAM user, an AWS service, or a federated user. Regular access to AWS accounts within an organization should be provided using federated access. If you are creating IAM users for specific purposes, such as emergency access or programmatic access, grant those IAM users only the permission to assume a role and put them into role-specific groups.

In this procedure, you create a role that provides SupportUser access for the EmergencyAccess IAM user. Before starting this procedure, copy the ARN of the IAM user to the clipboard.

To create a role for an IAM user

  1. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to AWS in the AWS Sign-In User Guide.

  2. On the Console Home page, select the IAM service.

  3. In the navigation pane of the IAM console, choose Roles and then choose Create role.

  4. Choose AWS account role type.

  5. In Select trusted entity, under Trusted entity type, choose Custom trust policy.

  6. In the Custom trust policy section, review the basic trust policy. This is the one we will use for this role. Use the Edit statement editor to update the trust policy:

    1. In Add actions for STS, select Assume Role.

    2. Next to Add a principal, select Add. The Add principal window opens.

      Under Principal type, select IAM Users.

      Under ARN, paste the IAM user ARN you copied to the clipboard.

      Select Add principal.

    3. Verify that the Principal line in the trust policy now contains the ARN you specified:

      "Principal": { "AWS": "arn:aws:iam::123456789012:user/username" }

  7. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next.

  8. In Add permissions, select the check box next to the permissions policy to apply. For this tutorial, select the SupportUser permissions policy. You can then use this role to troubleshoot and resolve issues with the AWS account and open support cases with AWS. We are not going to set a permissions boundary at this time.

  9. Choose Next.

  10. In Name, review, and create, complete these settings:

    • For Role name, enter a name that identifies this role, such as SupportUserRole.

    • For Description, explain the intended use of the role.

    Because other AWS resources might reference the role, you cannot edit the name of the role after it has been created.

  11. Select Create role.

    After the role is created, share the role information with the people who require the role. You can share the role information by:

    • Role link: Send users a link that takes them to the Switch Role page with all the details already filled in.

    • Account ID or alias: Provide each user with the role name along with the account ID number or account alias. The user then goes to the Switch Role page and adds the details manually.

    • Saved credentials: Store the role link information together with the EmergencyAccess user credentials you downloaded earlier.

    For details, see Providing information to the user.
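The trust policy that step 6 of the role procedure builds, together with a check to run over it before choosing Next, as an added example in Python (not part of the AWS documentation). The account ID and user ARN are placeholders in the page's format, and the function names are mine.

```python
import re

# Placeholder in the page's ARN format; replace with the ARN you copied from the
# EmergencyAccess user's Summary page (123456789012 is the documentation's example account).
EMERGENCY_USER_ARN = "arn:aws:iam::123456789012:user/EmergencyAccess"

# Exactly one IAM *user* ARN: arn:aws:iam::<12-digit account>:user/<path/><name>
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")


def build_trust_policy(user_arn: str) -> dict:
    """Trust policy the wizard produces for 'Custom trust policy' with a single
    IAM user principal and the sts:AssumeRole action."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_problems(policy: dict, expected_user_arn: str) -> list:
    """Review a trust policy before creating the role: it should be assumable only
    by the intended emergency user. Returns findings; an empty list means it matches."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow who can assume the role
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action.lower() != "sts:assumerole":
                problems.append(f"unexpected action in trust policy: {action}")
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            problems.append(f"principal is not an IAM user: {principal!r}")
            continue
        for key in principal:
            if key != "AWS":  # Service, Federated, CanonicalUser are not what we want here
                problems.append(f"non-IAM principal type present: {key}")
        aws = principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            if arn == "*" or not USER_ARN_RE.match(arn):
                problems.append(f"principal is not a single IAM user ARN: {arn}")
            elif arn != expected_user_arn:
                problems.append(f"principal is a different user than expected: {arn}")
    return problems
```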

Create your first IAM policy

IAM policies are attached to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines its permissions.

To create your first IAM policy

  1. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to AWS in the AWS Sign-In User Guide.

  2. On the Console Home page, select the IAM service.

  3. In the navigation pane, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  4. Choose Create policy.

  5. On the Create policy page, choose Actions and then choose Import policy.

  6. In the Import policy window, in the Find policies box, type power to reduce the list of policies. Select the PowerUserAccess policy.

  7. Select Import policy. The policy displays in the JSON tab.

  8. Choose Next.

  9. On the Review and create page, for Policy name, type PowerUserExamplePolicy. For Description, type Allows full access to all services except those for user management. Then choose Create policy to save the policy.

You can attach this policy to a role to provide users who assume that role the permissions associated with this policy. The PowerUserAccess policy is commonly used to provide access to developers.

Programmatic access

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS:

  • If you manage identities in IAM Identity Center, the AWS APIs require a profile, and the AWS Command Line Interface requires a profile or an environment variable.

  • If you have IAM users, the AWS APIs and the AWS Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.

To grant users programmatic access, choose one of the following options.

Which user needs programmatic access? / To / By

  • Workforce identity (users managed in IAM Identity Center)

    To: Use short-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs).

    By: Following the instructions for the interface that you want to use.

  • IAM

    To: Use short-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs).

    By: Following the instructions in Using temporary credentials with AWS resources.

  • IAM

    To: Use long-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs). (Not recommended)

    By: Following the instructions in Managing access keys for IAM users.
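An added example, not from the AWS documentation, of handling the temporary credentials described above. It takes a constructed AssumeRole response (every value a fake placeholder), checks that the key is an STS temporary key rather than a long-term access key and that it has not expired, and maps the three components to the environment variables the AWS CLI and SDKs read.

```python
import json
from datetime import datetime

# Constructed sample shaped like the output of
#   aws sts assume-role --role-arn arn:aws:iam::123456789012:role/SupportUserRole \
#       --role-session-name emergency
# Every value is a fake placeholder, not a real credential.
SAMPLE_ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0",
    "SessionToken": "EXAMPLEsessionTokenEXAMPLE",
    "Expiration": "2024-01-01T12:00:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEEXAMPLE:emergency",
    "Arn": "arn:aws:sts::123456789012:assumed-role/SupportUserRole/emergency"
  }
}"""


def credential_kind(access_key_id: str) -> str:
    """Access key IDs encode their type: temporary STS keys start with ASIA,
    long-term IAM user keys with AKIA (the page recommends the former)."""
    if access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def _parse_time(value: str) -> datetime:
    # Some CLI versions print a trailing Z; fromisoformat accepts +00:00 on every version.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credentials_to_env(assume_role_json: str, now_iso: str) -> dict:
    """Map the access key ID, secret key and session token to the environment
    variables the AWS CLI and SDKs read. Raises ValueError for a long-term key or
    for credentials already expired at now_iso (both timestamps must carry an offset)."""
    creds = json.loads(assume_role_json)["Credentials"]
    if credential_kind(creds["AccessKeyId"]) != "temporary":
        raise ValueError("expected temporary (ASIA...) credentials from AssumeRole")
    expires, now = _parse_time(creds["Expiration"]), _parse_time(now_iso)
    if now >= expires:
        raise ValueError(f"credentials expired at {expires.isoformat()}")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],  # without it the temporary key is rejected
    }
```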