Users and groups Credentials (passwords, access keys, and MFA devices)Permissions and policies Federation and delegation IAM and other AWS products General security practices General resources

Resources to learn more about IAM

IAM is a rich product, and you'll find many resources to help you learn more about how IAM can help you secure your AWS account and resources.

Topics

Users and groups
Credentials (passwords, access keys, and MFA devices)
Permissions and policies
Federation and delegation
IAM and other AWS products
General security practices
General resources

Users and groups

Consult these resources for creating, managing, and using users and groups.

Creating your first IAM admin user and user group – A step-by-step procedure that shows how to create an IAM users and assign permissions.
IAM Identities (users, user groups, and roles) – An in-depth discussion of how to administer IAM users and groups.
Guidelines for When to Use Accounts, Users, and Groups – An AWS Security Blog post that discusses how to organize user access with separate AWS accounts or with IAM users and groups in a single account.

Credentials (passwords, access keys, and MFA devices)

Review the following guides to manage passwords for your AWS account and for IAM users. You'll also find information about access keys—the secret key that you use to make programmatic calls to AWS.

AWS Security Credentials – Describes the types of credentials you use to access Amazon Web Services, explains how to create and manage them, and includes recommendations for managing access keys securely.
Managing user passwords in AWS and Managing access keys for IAM users – Describes options for managing credentials for IAM users in your account.
Using multi-factor authentication (MFA) in AWS – Describes how to configure your account and IAM users to require both a password and a one-time use code that is generated on a device before sign-in is allowed. (This is sometimes called two-factor authentication.)

Permissions and policies

Learn the inner workings of IAM policies and find tips on the best ways to confer permissions:

Policies and permissions in IAM – Introduces the policy language that is used to define permissions. Describes how permissions can be attached to users or groups or, for some AWS products, to resources themselves.
IAM JSON policy elements reference – Provides descriptions and examples of each policy language element.
Validating IAM policies – Find resources for JSON policy validation.
Example IAM identity-based policies – Shows examples of policies for common tasks in various AWS products.
AWS Policy Generator – Create custom policies by choosing products and actions from a list.
IAM Policy Simulator – Test whether a policy would allow or deny a specific request to AWS.

Federation and delegation

You can grant access to resources in your AWS account for users who are authenticated (signed in) elsewhere. These can be IAM users in another AWS account (known as delegation), users who are authenticated with your organization's sign-in process, or users from an Internet identity provider like Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC) compatible identity provider. In these cases, the users get temporary security credentials to access AWS resources.

IAM tutorial: Delegate access across AWS accounts using IAM roles – Guides you through granting cross-account access to an IAM user in another AWS account.
Common scenarios for temporary credentials – Describes ways in which users can be federated into AWS after being authenticated outside of AWS.
Web Identity Federation Playground – Lets you experiment with Login with Amazon, Google, or Facebook to authenticate and then make a call to Amazon S3.

IAM and other AWS products

Most AWS products are integrated with IAM so that you can use IAM features to help protect access to the resources in those products. The following resources discuss IAM and security for some of the most popular AWS products. For a complete list of products that work with IAM, including links to more information on each, see AWS services that work with IAM.

Using IAM with Amazon EC2

Controlling Access to Amazon EC2 Resources – Describes how to use IAM features to permit users to administer Amazon EC2 instances, volumes, and more.
Using instance profiles – Describes how to use IAM roles to securely provide credentials for applications that run on Amazon EC2 instances and that need access to other AWS products.

Using IAM with Amazon S3

Managing Access Permissions to Your Amazon S3 Resources – Discusses the Amazon S3 security model for buckets and objects, which includes IAM policies.
Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket – Discusses how to let users protect their own folders in Amazon S3. (For more posts about Amazon S3 and IAM, choose the S3 tag below the title of the blog post.)

Using IAM with Amazon RDS

Using AWS Identity and Access Management (IAM) to Manage Access to Amazon RDS Resources – Describes how to use IAM to control access to database instances, database snapshots, and more.
A Primer on RDS Resource-Level Permissions – Describes how to use IAM to control access to specific Amazon RDS instances.

Using IAM with Amazon DynamoDB

Using IAM to Control Access to DynamoDB Resources – Describes how to use IAM to permit users to administer DynamoDB tables and indexes.
The following video (8:55) explains how to provide access control for individual DynamoDB database items or attributes (or both).

General security practices

Find expert tips and guidance on the best ways to secure your AWS account and resources:

AWS Security Best Practices (PDF) – Provides an in-depth look at how to manage security across AWS accounts and products, including suggestions for security architecture, use of IAM, encryption and data security, and more.
Security best practices in IAM – Offers recommendations for ways to use IAM to help secure your AWS account and resources.
AWS CloudTrail User Guide – Use AWS CloudTrail to track a history of API calls made to AWS and store that information in log files. This helps you determine which users and accounts accessed resources in your account, when the calls were made, what actions were requested, and more.

General resources

Explore the following resources to learn more about IAM and AWS.

Product Information for IAM – General information about the AWS Identity and Access Management product.
Discussion Forms for AWS Identity and Access Management – A community forum for customers to discuss technical questions related to IAM.

Classes & Workshops – Links to role-based and specialty courses, in addition to self-paced labs to help sharpen your AWS skills and gain practical experience.
AWS Developer Tools – Links to developer tools, SDKs, IDE toolkits, and command line tools for developing and managing AWS applications.
AWS Whitepapers – Links to a comprehensive list of technical AWS whitepapers, covering topics such as architecture, security, and economics and authored by AWS Solutions Architects or other technical experts.
AWS Support Center – The hub for creating and managing your AWS Support cases. Also includes links to other helpful resources, such as forums, technical FAQs, service health status, and AWS Trusted Advisor.
AWS Support – The primary webpage for information about AWS Support, a one-on-one, fast-response support channel to help you build and run applications in the cloud.
Contact Us – A central contact point for inquiries concerning AWS billing, account, events, abuse, and other issues.
AWS Site Terms – Detailed information about our copyright and trademark; your account, license, and site access; and other topics.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Actions, resources, and condition keys

Making HTTP query requests