Welcome to the AWS Account Management Reference Guide

What is an AWS account?

This guide contains information about AWS accounts: how to create them, how to manage them, and how to use them.

An account in AWS is a fundamental part of accessing AWS services. It serves these two basic functions:

  • Container – An AWS account is the basic container for all the AWS resources you can create as an AWS customer. When you create an Amazon Simple Storage Service (Amazon S3) bucket or Amazon Relational Database Service (Amazon RDS) database to store your data, or an Amazon Elastic Compute Cloud (Amazon EC2) instance to process your data, you are creating a resource in your account. Every resource is uniquely identified by an Amazon Resource Name (ARN) that includes the account ID of the account that contains, or owns, the resource.

  • Security boundary – An AWS account is also the basic security boundary for your AWS resources. Resources that you create in your account are available only to users who have credentials for that same account.

    Among the key resources you can create in your account are identities, such as IAM users and roles. These identities have credentials that someone can use to sign in to, or authenticate to, AWS. Identities also have permission policies that specify what the person who signed in is authorized to do with the resources in the account.

    You can create an AWS Identity and Access Management (IAM) user to grant access for a person in your company. That IAM user can have a password that lets the person access the AWS console. The user can also have an access key to let the person run commands from the AWS Command Line Interface (AWS CLI) or invoke APIs from one of the AWS SDKs.

    IAM roles are particularly flexible because you can associate them with external people by using federation and an identity provider, such as AWS IAM Identity Center (successor to AWS Single Sign-On). If your company already uses an identity provider, you can use it with federation to simplify how you provide access to the resources in your AWS account. AWS supports identity providers that are compatible with the industry standards OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). The latter makes any Active Directory implementation a usable source identity provider if you combine it with Microsoft Active Directory Federation Services.
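The two points above, that every ARN carries the ID of the account that owns the resource and that the account is the security boundary, can be seen directly in the ARN format. The following is an added example, not code from the AWS guide: it parses ARNs of the form `arn:partition:service:region:account-id:resource`, groups resources by owning account, and checks whether a principal and a resource sit in the same account. All ARNs and the account IDs `111122223333` and `444455556666` are constructed sample values. It also handles the one documented edge case a practitioner hits immediately: S3 bucket ARNs carry neither region nor account ID, so ownership cannot be read from the ARN alone.

```python
# Added example (not from the AWS Account Management guide): parse Amazon
# Resource Names (ARNs), pull out the owning account ID, and use it to reason
# about the account security boundary. All ARNs below are constructed sample
# values; 111122223333 and 444455556666 are placeholder account IDs.
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# AWS account IDs are 12 decimal digits.
ACCOUNT_ID_RE = re.compile(r"\d{12}")


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account_id: str  # empty for account-less ARNs such as S3 buckets
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six colon-separated fields.

    The resource field may itself contain ':' or '/' (for example
    'db:mydb' or 'user/alice'), so we split on at most five colons.
    Region and account ID are allowed to be empty: global services such as
    IAM have no region, and S3 bucket ARNs have neither region nor account.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a well-formed ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"ARN is missing a required field: {arn!r}")
    if account_id and not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    return Arn(partition, service, region, account_id, resource)


def is_valid_arn(arn: str) -> bool:
    """Convenience wrapper so callers can validate without catching exceptions."""
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


def group_by_account(arns: List[str]) -> Dict[str, List[str]]:
    """Show the 'container' role of an account: bucket each ARN under the
    account ID that owns it. ARNs without an account ID land under ''."""
    groups: Dict[str, List[str]] = {}
    for arn in arns:
        groups.setdefault(parse_arn(arn).account_id, []).append(arn)
    return groups


def same_account(principal_arn: str, resource_arn: str) -> Optional[bool]:
    """Show the 'security boundary' role of an account.

    Returns True if principal and resource carry the same account ID, False
    if they differ (cross-account access would need an explicit grant), and
    None if the resource ARN has no account ID, in which case the ARN alone
    cannot tell you who owns it and you must ask the service instead.
    """
    principal = parse_arn(principal_arn)
    resource = parse_arn(resource_arn)
    if not resource.account_id:
        return None
    return principal.account_id == resource.account_id


# Constructed sample ARNs covering IAM (no region), EC2, RDS (':' in the
# resource field), a second account, and an S3 bucket (no region, no account).
SAMPLE_ARNS = [
    "arn:aws:iam::111122223333:user/alice",
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
    "arn:aws:rds:us-east-1:111122223333:db:mydb",
    "arn:aws:rds:us-east-1:444455556666:db:theirdb",
    "arn:aws:s3:::example-bucket",
]

if __name__ == "__main__":
    for account, owned in group_by_account(SAMPLE_ARNS).items():
        print(f"account {account or '(none in ARN)'}: {len(owned)} resource(s)")
    alice = SAMPLE_ARNS[0]
    for resource in SAMPLE_ARNS[1:]:
        print(f"{resource}: same account as alice -> {same_account(alice, resource)}")
```

The `maxsplit=5` in `parse_arn` is the detail that matters: a naive `split(":")` breaks RDS-style ARNs whose resource field contains a colon, and would silently misreport the account ID on any ARN with extra colons further right.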