AWS Identity and Access Management
User Guide

How Users Sign In to Your Account

After you create IAM users (with passwords), those users can sign in to the AWS Management Console using your account ID or alias, or from a custom URL that includes your account ID.


If your company has an existing identity system, you might want to create a single sign-on (SSO) option. SSO gives users access to the AWS Management Console without requiring them to have an IAM user identity. SSO also eliminates the need for users to sign in to your organization's site and to AWS separately. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).

Before you create a sign-in URL for your account, you create an account alias so that the URL includes your account name instead of an account ID. For more information, see Your AWS Account ID and Its Alias.

You can find the sign-in URL for an account on the IAM console dashboard.

      IAM dashboard, sign-in URL

To create a sign-in URL for your IAM users, use the following pattern:

IAM users can also sign in at the following endpoint and enter the account ID or alias manually, instead of using your custom URL:

Permissions Required for Console Activities

IAM users in your account have access only to the AWS resources that you specify in the policy that is attached to the user or to an IAM group that the user belongs to. To work in the console, users must have permissions to perform the actions that the console performs, such as listing and creating AWS resources. For more information, see Access Management and Example IAM Identity-Based Policies.

Logging Sign-In Details in CloudTrail

If you enable CloudTrail to log sign-in events, you must understand how CloudTrail logs the events.

  • If your users sign in directly to a console, they are redirected to either a global or a Regional sign-in endpoint. This redirection is based on whether the selected service console supports Regions. For example, the main console home page supports Regions, so if you sign in to the following URL, you are redirected to a ''default" Regional sign-in endpoint

    This results in a Regional CloudTrail log entry in that Region's log.

    The console for some services, such as Amazon S3, do not support Regions. This means that if you sign in to that service using the following URL, AWS redirects you to the global sign-in endpoint at

    This results in a global CloudTrail log entry.

  • You can manually request a specific Regional sign-in endpoint by signing in to the Region-enabled main console home page. To do this, use a URL like the following example:

    AWS then redirects you to the ap-southeast-1 Regional sign-in endpoint. This results in a Regional CloudTrail log entry in that Region's log.

For more information about CloudTrail and IAM, see Logging IAM Events with AWS CloudTrail .

If users in your account need programmatic access, you can create an access key pair (an access key ID and a secret access key) for each user. For more information, see Managing Access Keys (Console).