AWS Identity and Access Management
User Guide


Limitations on IAM Entities and Objects

Entities and objects in IAM have size limitations. IAM limits how you name an entity, the number of entities you can create, and the number of characters you can use in an entity.


To get account-level information about entity usage and quotas, use the GetAccountSummary API operation or the get-account-summary AWS CLI command.

IAM Entity Name Limits

The following are restrictions on IAM names:

  • Policy documents can contain only the following Unicode characters: horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.

  • Names of users, groups, roles, policies, instance profiles, and server certificates must be alphanumeric, including the following common characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-).

  • Names of users, groups, and roles must be unique within the account. They are not distinguished by case; for example, you cannot create groups named both ADMINS and admins.

  • The external ID value that a third party uses to assume a role must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white space. It can also include the following symbols: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-). For more information about the external ID, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.

  • Path names must begin and end with a forward slash (/).

  • Policy names for inline policies must be unique to the user, group, or role they are embedded in. The names can contain any Basic Latin (ASCII) characters minus the following reserved characters: backward slash (\), forward slash (/), asterisk (*), question mark (?), and white space. These characters are reserved according to RFC 3986.

  • User passwords (login profiles) can contain any Basic Latin (ASCII) characters.

  • AWS account ID aliases must be unique across AWS products, and must be alphanumeric following DNS naming conventions. An alias must be lowercase, it must not start or end with a hyphen, it cannot contain two consecutive hyphens, and it cannot be a 12-digit number.

For a list of Basic Latin (ASCII) characters, go to the Library of Congress Basic Latin (ASCII) Code Table.
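As an added example (not part of the AWS documentation), the following Python validators encode the naming rules above so a provisioning script can reject bad input before it reaches the IAM API; the length caps come from the character-limit table later on this page, and the entity kinds and function names are this example's own.

```python
import re

# Added example, not AWS code: validators for the IAM naming rules on this page.
# Length caps are taken from the page's character-limit table.

NAME_RE = re.compile(r"[A-Za-z0-9+=,.@_-]+")          # users, groups, roles, policies, ...
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9+=,.@:/-]{2,1224}")
ALIAS_RE = re.compile(r"[a-z0-9-]{3,63}")
INLINE_NAME_RESERVED = set("\\/*?") | set(" \t\n\r")   # RFC 3986 reserved chars + white space
NAME_MAX_LEN = {"user": 64, "group": 128, "role": 64,
                "policy": 128, "instance-profile": 128}  # entity kinds are this example's own


def valid_entity_name(kind: str, name: str) -> bool:
    """Allowed character set plus the per-type length cap."""
    return len(name) <= NAME_MAX_LEN[kind] and NAME_RE.fullmatch(name) is not None


def name_conflicts(name: str, existing: list[str]) -> bool:
    """User, group and role names are unique per account without regard to case."""
    return name.lower() in {n.lower() for n in existing}


def valid_external_id(ext_id: str) -> bool:
    """2 to 1,224 characters; alphanumeric plus + = , . @ : / - and no white space."""
    return EXTERNAL_ID_RE.fullmatch(ext_id) is not None


def valid_path(path: str) -> bool:
    """Paths begin and end with '/' and are at most 512 characters."""
    return 0 < len(path) <= 512 and path.startswith("/") and path.endswith("/")


def valid_inline_policy_name(name: str) -> bool:
    """Any ASCII character except the reserved ones; 128-character cap."""
    return (0 < len(name) <= 128 and name.isascii()
            and not any(ch in INLINE_NAME_RESERVED for ch in name))


def valid_account_alias(alias: str) -> bool:
    """Lowercase DNS-style label, 3 to 63 characters, not shaped like an account ID."""
    if ALIAS_RE.fullmatch(alias) is None:
        return False
    if alias.startswith("-") or alias.endswith("-") or "--" in alias:
        return False
    return not (len(alias) == 12 and alias.isdigit())


def valid_policy_document_chars(document: str) -> bool:
    """Only tab, LF, CR and U+0020..U+00FF may appear in a policy document."""
    return all(ch in "\t\n\r" or 0x20 <= ord(ch) <= 0xFF for ch in document)
```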

IAM Entity Object Limits

AWS allows you to request an increase to the default IAM entity limits. To learn how to request an increase, see AWS Service Limits in the Amazon Web Services General Reference documentation.

Default limits for IAM entities:

Resource                                                          Default Limit
Customer managed policies in an AWS account                       1500
Groups in an AWS account                                          300
Roles in an AWS account                                           1000
Managed policies attached to an IAM role                          10
Managed policies attached to an IAM user                          10
Virtual MFA devices (assigned or unassigned) in an AWS account    Equal to the user quota for the account
Instance profiles in an AWS account                               1000
Server certificates stored in an AWS account                      20

You cannot request a limit increase for the following limits.

Limits for IAM entities:

Resource                                                          Limit
Access keys assigned to an IAM user                               2
Access keys assigned to the AWS account root user                 2
Aliases for an AWS account                                        1
Groups an IAM user can be a member of                             10
IAM users in a group                                              Equal to the user quota for the account
Users in an AWS account                                           5000 (If you need to add a large number of users, consider using temporary security credentials.)
Identity providers (IdPs) associated with an IAM SAML provider object   10
Keys per SAML provider                                            10
Login profiles for an IAM user                                    1
Managed policies attached to an IAM group                         10
Permissions boundaries for an IAM user                            1
Permissions boundaries for an IAM role                            1
MFA devices in use by an IAM user                                 1
MFA devices in use by the AWS account root user                   1
Roles in an instance profile                                      1
SAML providers in an AWS account                                  100
Signing certificates assigned to an IAM user                      2
SSH public keys assigned to an IAM user                           5
Tags that can be attached to an IAM role                          50
Tags that can be attached to an IAM user                          50
Versions of a managed policy that can be stored                   5

IAM Entity Character Limits

The following are the maximum lengths for entities:

Description                                                                                    Limit
Path                                                                                           512 characters
User name                                                                                      64 characters
Group name                                                                                     128 characters
Role name                                                                                      64 characters (see note 1)
Tag key                                                                                        128 characters
Tag value                                                                                      256 characters (see note 2)
Instance profile name                                                                          128 characters
Unique IDs created by IAM                                                                      128 characters (see note 3)
Policy name                                                                                    128 characters
Password for a login profile                                                                   1 to 128 characters
Alias for an AWS account ID                                                                    3 to 63 characters
Role trust policy JSON text (the policy that determines who is allowed to assume the role)     2,048 characters
Role session name                                                                              64 characters
Role session duration                                                                          12 hours (see note 4)

Note 1 (role name): If you intend to use a role with the Switch Role feature in the AWS console, then the combined Path and RoleName cannot exceed 64 characters.

Note 2 (tag value): Tag values can be empty. That is, tag values can have a length of 0 characters.

Note 3 (unique IDs): Examples of unique IDs created by IAM:

  • User IDs that begin with AIDA

  • Group IDs that begin with AGPA

  • Role IDs that begin with AROA

  • Managed policy IDs that begin with ANPA

  • Server certificate IDs that begin with ASCA

This is not intended to be an exhaustive list, nor is it a guarantee that IDs of a certain type begin only with the specified letter combination.

Note 4 (role session duration): When you assume a role from the AWS CLI or API, you can use the duration-seconds CLI parameter or the DurationSeconds API parameter to request a longer role session. You can specify a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which can range from 1 to 12 hours. The maximum session duration setting does not limit sessions assumed by AWS services. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role. If you don't specify a value for the DurationSeconds parameter, your security credentials are valid for one hour.

For inline policies: You can add as many inline policies as you want to an IAM user, role, or group. But the total aggregate policy size (the combined size of all inline policies) per entity cannot exceed the following limits:
  • User policy size cannot exceed 2,048 characters.

  • Role policy size cannot exceed 10,240 characters.

  • Group policy size cannot exceed 5,120 characters.


IAM does not count white space when calculating the size of a policy against these limitations.

For managed policies:
  • You can add up to 10 managed policies to an IAM user, role, or group.

  • The size of each managed policy cannot exceed 6,144 characters.


IAM does not count white space when calculating the size of a policy against this limitation.

For session policies:
  • You can pass only one JSON policy as a parameter when you programmatically create a temporary session for a role or federated user.

  • The size of each managed policy cannot exceed 2,048 characters.
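The following Python is an added example, not AWS code, that applies the policy-size limits for inline, managed and session policies above together with the role session constraints from the character-limit table (session duration from 900 seconds up to the role's maximum). It measures size the way this page describes, by not counting white space; the assumption that white space means space, tab, LF and CR, the sample policy, and the function names are this example's own.

```python
import json

# Added example, not AWS code: size accounting for the IAM policy limits on this page.
# White space is not counted toward a limit, so size is measured after dropping the
# white-space characters (assumed here to be space, tab, LF and CR).

INLINE_AGGREGATE_LIMIT = {"user": 2048, "role": 10240, "group": 5120}
MANAGED_POLICY_SIZE_LIMIT = 6144
MANAGED_POLICIES_PER_ENTITY = 10
SESSION_POLICY_SIZE_LIMIT = 2048
WHITESPACE = " \t\n\r"


def policy_size(document: str) -> int:
    """Size as IAM counts it: every character that is not white space."""
    return sum(1 for ch in document if ch not in WHITESPACE)


def inline_policies_fit(entity_type: str, policies: dict[str, str]) -> bool:
    """The sum of all inline policies on one entity must stay within the per-type cap."""
    total = sum(policy_size(doc) for doc in policies.values())
    return total <= INLINE_AGGREGATE_LIMIT[entity_type]


def managed_policy_fits(document: str) -> bool:
    """Each managed policy is capped individually at 6,144 non-white-space characters."""
    return policy_size(document) <= MANAGED_POLICY_SIZE_LIMIT


def can_attach_managed(attached_count: int) -> bool:
    """A user, role or group can carry at most 10 attached managed policies."""
    return attached_count < MANAGED_POLICIES_PER_ENTITY


def session_policy_fits(document: str) -> bool:
    """Only one session policy may be passed, and it is capped at 2,048 characters."""
    return policy_size(document) <= SESSION_POLICY_SIZE_LIMIT


def valid_duration_seconds(requested: int, role_max_session_seconds: int) -> bool:
    """DurationSeconds runs from 900 s up to the role's maximum, itself at most 12 hours."""
    return 900 <= requested <= role_max_session_seconds <= 12 * 3600


# Constructed sample: a minimal read-only statement, pretty-printed with plenty of white space.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}, indent=4)
```

Because white space is ignored, pretty-printing a policy does not bring it closer to a limit; only the tokens themselves count.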