First-time access only: Your root user credentials IAM users and users in IAM Identity Center Federating existing users Access control methods

Overview of AWS identity management: Users

You can give access to your AWS account to specific users and provide them specific permissions to access resources in your AWS account. You can use both IAM and AWS IAM Identity Center (successor to AWS Single Sign-On) to create new users or federate existing users into AWS. The main difference between the two is that IAM users are granted long-term credentials to your AWS resources while users in IAM Identity Center have temporary credentials that are established each time the user signs-in to AWS. As a best practice, require human users to use federation with an identity provider to access AWS using temporary credentials instead of as an IAM user. A primary use for IAM users is to give workloads that cannot use IAM roles the ability to make programmatic requests to AWS services using the API or CLI.

Topics

First-time access only: Your root user credentials
IAM users and users in IAM Identity Center
Federating existing users
Access control methods

First-time access only: Your root user credentials

When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the AWS Account Management Reference Guide. Only service control policies (SCPs) in organizations can restrict the permissions that are granted to the root user.

IAM users and users in IAM Identity Center

IAM users are not separate accounts; they are users within your account. Each user can have its own password for access to the AWS Management Console. You can also create an individual access key for each user so that the user can make programmatic requests to work with resources in your account.

IAM users are granted long-term credentials to your AWS resources. As a best practice, do not create IAM users with long-term credentials for your human users. Instead, require your human users to use temporary credentials when accessing AWS.

Note

For scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you rotate access keys. For more information, see Rotating access keys.

In contrast, users in AWS IAM Identity Center (successor to AWS Single Sign-On) are granted short-term credentials to your AWS resources. For centralized access management, we recommend that you use AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) to manage access to your accounts and permissions within those accounts. IAM Identity Center is automatically configured with an Identity Center directory as your default identity source where you can create users and groups, and assign their level of access to your AWS resources. For more information, see What is AWS IAM Identity Center (successor to AWS Single Sign-On) in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.

Federating existing users

If the users in your organization already have a way to be authenticated, such as by signing in to your corporate network, you don't have to create separate IAM users or users in IAM Identity Center for them. Instead, you can federate those user identities into AWS using either IAM or AWS IAM Identity Center (successor to AWS Single Sign-On).

The following diagram shows how a user can get temporary AWS security credentials to access resources in your AWS account.

Users who are already authenticated elsewhere can be federated into AWS and assume
an IAM role that gives them permissions to access specific resources.For more
information about roles, see Roles terms and concepts.

Federation is particularly useful in these cases:

Your users already exist in a corporate directory.

If your corporate directory is compatible with Security Assertion Markup Language 2.0 (SAML 2.0), you can configure your corporate directory to provide single-sign on (SSO) access to the AWS Management Console for your users. For more information, see Common scenarios for temporary credentials.

If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide single-sign on (SSO) access to the AWS Management Console for your users. For more information, see Enabling custom identity broker access to the AWS console.

If your corporate directory is Microsoft Active Directory, you can use AWS IAM Identity Center (successor to AWS Single Sign-On) to connect a self-managed directory in Active Directory or a directory in AWS Directory Service to establish trust between your corporate directory and your AWS account.

If you are using an external identity provider (IdP) such as Okta or Azure Active Directory to manage users, you can use AWS IAM Identity Center (successor to AWS Single Sign-On) to establish trust between your IdP and your AWS account. For more information, see Connect to an external identity provider in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
Your users already have Internet identities.

If you are creating a mobile app or web-based app that can let users identify themselves through an Internet identity provider like Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider, the app can use federation to access AWS. For more information, see About web identity federation.

Tip
To use identity federation with Internet identity providers, we recommend you use Amazon Cognito.

Access control methods

Here are the ways you can control access to your AWS resources.

Type of user access	Why would I use it?	Where can I get more information?
Single sign-on access for human users, such as your workforce users, to AWS resources using IAM Identity Center	IAM Identity Center provides a central place that brings together administration of users and their access to AWS accounts and cloud applications. You can set up an identity store within IAM Identity Center or you can configure federation with an existing identity provider (IdP). Granting your human users limited credentials to AWS resources as needed is recommended as a security best practice. Users have an easier sign-in experience and you maintain control over their access to resources from a single system. IAM Identity Center supports multi-factor authentication (MFA) for additional account security.	For more information about setting up IAM Identity Center, see Getting Started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide For more information about using MFA in IAM Identity Center, see Multi-factor authentication in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide
Federated access for human users, such as your workforce users, to AWS services using IAM identity providers	IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). After you create an IAM identity provider, you must create one or more IAM roles that can be dynamically assigned to a federated user.	For more information about IAM identity providers and federation, see Identity providers and federation.
Cross-account access between AWS accounts	You want to share access to certain AWS resources with users in other AWS accounts. Roles are the primary way to grant cross-account access. However, some AWS services allow you to attach a policy directly to a resource (instead of using a role as a proxy). These are called resource-based policies.	For more information about IAM roles, see IAM roles. For more information about service-linked roles, see Using service-linked roles. For information about which services support using service-linked roles, see AWS services that work with IAM. Look for the services that have Yes in the Service-Linked Role column. To view the service-linked role documentation for that service select the link associated with the Yes in that column.
Long-term credentials for designated IAM users in your AWS account	You might have specific use cases that require long-term credentials with IAM users in AWS. You can use IAM to create these IAM users in your AWS account, and use IAM to manage their permissions. Some of the use cases include the following: Workloads that cannot use IAM roles Third-party AWS clients AWS IAM Identity Center (successor to AWS Single Sign-On) is not available for your account and you have no other identity provider As a best practice in scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you rotate access keys. For more information, see Rotating access keys.	For more information about setting up an IAM user, see Creating an IAM user in your AWS account.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

How IAM works

Permissions and policies in IAM