Get set up with IAM

Important

IAM best practices recommend that you require human users to use federation with an identity provider to access AWS using temporary credentials instead of using IAM users with long-term credentials.

AWS Identity and Access Management (IAM) helps you securely control access to Amazon Web Services (AWS) and your account resources. IAM can also keep your sign-in credentials private. You don't specifically sign up to use IAM. There is no charge to use IAM.

Use IAM to give identities, such as users and roles, access to resources in your account. For example, you can use IAM with existing users in your corporate directory that you manage external to AWS or you can create users in AWS using AWS IAM Identity Center. Federated identities assume defined IAM roles to access the resources they need. For more information about IAM Identity Center, see What is IAM Identity Center? in the AWS IAM Identity Center User Guide.

Note

IAM is integrated with several AWS products. For a list of services that support IAM, see AWS services that work with IAM.

Initial set up information

Before you start working with IAM, make sure you have completed the initial set up of your AWS environment.

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

When you signed up for the service, you created an AWS account using an email address and a password. Those are your AWS root user credentials. As a best practice, you don't use your root user credentials to access AWS for daily tasks. Only use your root user credentials to perform tasks that require root user credentials. Also, do not share your credentials with anyone else. Instead, add people to your directory and give them access to your AWS account.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Grant access to the billing console

IAM users and roles in an AWS account can't access the Billing and Cost Management console by default. This is true even if they have IAM policies that grant access to certain Billing features. To grant access, the AWS account root user must first activate IAM access.

Note

As a security best practice, we recommend that you provide access to your resources through identity federation with AWS IAM Identity Center. When you enable IAM Identity Center in conjunction with AWS Organizations, the Billing and Cost Management console is enabled by default with consolidated billing for all AWS accounts in your organization. For more information, see Consolidating billing for AWS Organizations in the Billing and Cost Management User Guide.

  1. Sign in to the AWS Management Console with your root user credentials (specifically, the email address and password that you used to create your AWS account).

  2. On the navigation bar, select your account name, and then select Account.

  3. Scroll down the page until you find the section IAM User and Role Access to Billing Information, then select Edit.

  4. Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages.

  5. Choose Update.

    The page displays the message IAM user/role access to billing information is activated.

    Important

    Activating IAM access alone doesn't grant any permissions for users or roles to view the Billing and Cost Management console pages. You must also attach the required identity-based policies to IAM roles to grant access to the billing console. Roles provide temporary credentials that users can assume when needed.

  6. Use the AWS Management Console to create a role that a user can assume to access the billing console.

  7. On the Add permissions page for the role, add permissions to list and view details about the Billing resources in your AWS account.

    The AWS managed policy Billing grants users permission to view and edit the Billing and Cost Management console. This includes viewing account usage, modifying budgets and payment methods. For more policy examples that you can attach to IAM roles to control access to your account’s billing information, see AWS Billing policy examples in the Billing and Cost Management User Guide.

Prepare for least-privilege permissions

Using least-privilege permissions is an IAM best practice recommendation. The concept of least-privilege permissions is to grant users the permissions required to perform a task and no additional permissions. As you get set up, consider how you are going to support least-privilege permissions. Both the root user and the administrator user have powerful permissions that aren't required for everyday tasks. While you are learning about AWS and testing out different services we recommend that you create at least one additional user in IAM Identity Center with lesser permissions that you can use in different scenarios. You can use IAM policies to define the actions that can be taken on specific resources under specific conditions and then connect to those resources with your lesser privileged account.

If you are using IAM Identity Center, consider using IAM Identity Center permissions sets to get started. To learn more, see Create a permission set in the IAM Identity Center User Guide.

If you aren't using IAM Identity Center, use IAM roles to define the permissions for different IAM entities. To learn more, see Creating IAM roles.

Both IAM roles and IAM Identity Center permissions sets can use AWS managed policies based on job functions. For details on the permissions granted by these policies, see AWS managed policies for job functions.

Important

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for use by all AWS customers. After getting set up, we recommend that you use IAM Access Analyzer to generate least-privilege policies based on your access activity that's logged in AWS CloudTrail. For more information about policy generation, see IAM Access Analyzer policy generation.
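The note above describes generating least-privilege policies from CloudTrail activity. The following added example (not AWS code and not IAM Access Analyzer's algorithm) illustrates the idea: it maps constructed CloudTrail records to IAM action names, emits a statement that allows only the observed actions, and compares the result with a constructed broad policy to flag grants that were never exercised and wildcard grants that are broader than the activity justifies. The mapping from `eventSource`/`eventName` to an IAM action is simplified; real services do not always map 1:1, and resources and conditions are ignored here.

```python
"""Derive a least-privilege IAM statement from CloudTrail activity.

Added illustration of the idea behind policy generation: take the actions
actually recorded in CloudTrail and compare them with what a broad policy
grants.  It is not IAM Access Analyzer's algorithm; real services do not
always map eventName 1:1 to an IAM action name, and resources/conditions
are ignored here.
"""
import fnmatch
import json
from typing import Dict, Iterable, List

# Constructed sample CloudTrail records, reduced to the two fields used here.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

# Constructed "broad" policy, resembling what a job-function managed policy might grant.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "dynamodb:GetItem", "dynamodb:DeleteTable", "ec2:Describe*"],
         "Resource": "*"},
    ],
}


def event_to_action(event: Dict[str, str]) -> str:
    """s3.amazonaws.com + GetObject -> 's3:GetObject' (simplified mapping)."""
    service = event["eventSource"].split(".", 1)[0]
    return f"{service}:{event['eventName']}"


def used_actions(events: Iterable[Dict[str, str]]) -> List[str]:
    """Distinct IAM actions observed in the trail, sorted for stable output."""
    return sorted({event_to_action(e) for e in events})


def generate_statement(events: Iterable[Dict[str, str]], resource: str = "*") -> Dict:
    """Allow statement listing only the observed actions (scope Resource further by hand)."""
    return {"Effect": "Allow", "Action": used_actions(events), "Resource": resource}


def granted_patterns(policy: Dict) -> List[str]:
    """All Action patterns from Allow statements (Action may be a string or a list)."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.update([action] if isinstance(action, str) else action)
    return sorted(patterns)


def matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unused_grants(policy: Dict, events: Iterable[Dict[str, str]]) -> List[str]:
    """Granted patterns that no recorded action ever exercised: candidates to remove."""
    used = used_actions(events)
    return [p for p in granted_patterns(policy) if not any(matches(p, u) for u in used)]


def wildcard_grants(policy: Dict) -> List[str]:
    """Granted patterns containing '*': exercised, but broader than the activity justifies."""
    return [p for p in granted_patterns(policy) if "*" in p]


if __name__ == "__main__":
    print(json.dumps(generate_statement(SAMPLE_EVENTS), indent=2))
    print("unused:", unused_grants(BROAD_POLICY, SAMPLE_EVENTS))
    print("wildcards:", wildcard_grants(BROAD_POLICY))
```

In practice the generated statement still needs its `Resource` narrowed to the ARNs the workload touches, and the activity window must be long enough to cover infrequent tasks, otherwise the derived policy will break them.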

Choose between IAM management methods

You can manage IAM using the AWS Management Console, the AWS Command Line Interface, or the application programming interfaces (APIs) in the associated SDKs. As you are getting set up, consider which methods you want to support and how you plan to support different users.

AWS Console

The AWS Management Console is a web application that comprises a broad collection of service consoles for managing AWS resources. When you first sign in, you see the console home page. The home page provides access to each service console and offers a single place to access the information for performing your AWS-related tasks. Which services and applications are available to you after signing in to the console depends on which AWS resources you have permission to access. You can be granted permissions to resources either through assuming a role, being a member of a group that has been granted permissions, or being explicitly granted permission. For a stand-alone AWS account, the root user or IAM administrator configures access to resources. For AWS Organizations, the management account or delegated administrator configures access to resources.

If you plan to have people using the AWS Management Console to manage AWS resources, we recommend configuring users with temporary credentials as a security best practice. IAM users that have assumed a role, federated users, and users in IAM Identity Center have temporary credentials, while the IAM user and root user have long-term credentials. Root user credentials provide full access to the AWS account, while other users have credentials that provide access to the resources granted them by IAM policies.

The sign-in experience is different for the different types of AWS Management Console users.

  • IAM users and the root user sign in from the main AWS sign-in URL (https://signin.aws.amazon.com). Once they sign in, they have access to the resources in the account to which they have been granted permission.

    To sign in as the root user you must have the root user email address and password.

    To sign in as an IAM user you must have the AWS account number or alias, the IAM user name, and the IAM user password.

    We recommend that you restrict IAM users in your account to specific situations that require long-term credentials, such as for emergency access, and that you use the root user only for tasks that require root user credentials.

    For convenience, the AWS sign-in page uses a browser cookie to remember the IAM user name and account information. The next time the user goes to any page in the AWS Management Console, the console uses the cookie to redirect the user to the account sign-in page.

    Sign out of the console when you finish your session to prevent reuse of your previous sign in.

  • IAM Identity Center users sign in using a specific AWS access portal that's unique to their organization. Once they sign in they can choose which account or application to access. If they choose to access an account, they choose which permission set they want to use for the management session.

  • Federated users managed in an external identity provider linked to an AWS account sign in using a custom enterprise access portal. The AWS resources available to federated users depend on the policies selected by their organization.

Note

To provide an additional level of security, the root user, IAM users, and users in IAM Identity Center can have multi-factor authentication (MFA) verified by AWS before being granted access to AWS resources. When MFA is enabled, you must also have access to the MFA device to sign in.

To learn more about how different users sign in to the management console, see Sign in to the AWS Management Console in the AWS Sign-In User Guide.

AWS Command Line Interface (CLI) and Software Development Kits (SDKs)

IAM Identity Center users and IAM users use different methods to authenticate their credentials when they authenticate through the CLI or the application programming interfaces (APIs) in the associated SDKs.

Credentials and configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. Certain locations take precedence over others.

Both IAM Identity Center and IAM provide access keys that can be used with the CLI or SDK. IAM Identity Center access keys are temporary credentials that can be automatically refreshed and are recommended over the long-term access keys associated with IAM users.

To manage your AWS account using the CLI or SDK, you can use AWS CloudShell from your browser. If you use CloudShell to run CLI or SDK commands, you must first sign in to the console. The permissions for accessing AWS resources are based on the credentials you used to sign in to the console. Depending on your experience, you may find the CLI to be a more efficient method of managing your AWS account.

For application development, you can download the CLI or SDK to your computer and sign in from the command prompt or a Docker window. In this scenario, you configure authentication and access credentials as part of the CLI script or SDK application. You can configure programmatic access to resources in different ways, depending on the environment and the access available to you.

  • Recommended options for authenticating local code with AWS services are IAM Identity Center and IAM Roles Anywhere.

  • Recommended options for authenticating code running within an AWS environment are to use IAM roles or use IAM Identity Center credentials.

When signing in using the AWS access portal, you can get short-term credentials from the start page where you choose your permission set. These credentials have a defined duration and don't automatically refresh. If you want to use these credentials, after signing in to the AWS access portal, choose the AWS account and then choose the permission set. Select Command line or programmatic access to view the options you can use to access AWS resources programmatically or from the CLI. For more information about these methods, see Getting and refreshing temporary credentials in the IAM Identity Center User Guide. These credentials are often used during application development to quickly test code.

We recommend using IAM Identity Center credentials that automatically refresh when automating access to your AWS resources. If you have configured users and permission sets in IAM Identity Center, you use the aws configure sso command to run a command-line wizard that helps you identify the credentials available to you and store them in a profile. For more information about configuring your profile, see Configure your profile with the aws configure sso wizard in the AWS Command Line Interface User Guide for Version 2.

Note

Many sample applications use long-term access keys associated with IAM users or root user. You should only use long-term credentials within a sandbox environment as part of a learning exercise. Review the alternatives to long-term access keys and plan to transition your code to use alternative credentials, such as IAM Identity Center credentials or IAM roles, as soon as possible. After transitioning your code, delete the access keys.
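The passages above cover three related points: configuration settings live in several places and some take precedence over others, `aws configure sso` stores Identity Center settings in a profile, and long-term access keys in profiles should be found and removed once code has moved to temporary credentials. The following added example (not AWS code) parses a constructed shared config file in the layout that `aws configure sso` writes, classifies each profile by how it obtains credentials, lists the profiles that still carry long-term keys, and applies the documented profile-selection precedence (the `--profile` option beats the `AWS_PROFILE` environment variable, which beats the `default` profile). The account ID, role names, start URL and access key pair are constructed placeholders (the key pair is the one AWS documentation uses as a dummy). Real credential resolution has further sources, such as instance and container roles, that are not modelled here.

```python
"""Audit AWS CLI/SDK profiles for long-term access keys and show which
profile a command would select.

Added example, not AWS code.  It parses the shared config file format
that `aws configure sso` writes (profile + sso-session sections) alongside
profiles that still carry long-term keys, and applies the documented
precedence for profile selection: --profile beats AWS_PROFILE, which
beats "default".  Instance/container roles and web identity are not modelled.
"""
import configparser
from typing import Dict, Optional

# Constructed ~/.aws/config contents. Account id, role names and start URL are
# placeholders; the key pair is the dummy pair used in AWS documentation.
SAMPLE_CONFIG = """\
[profile dev]
sso_session = corp
sso_account_id = 111122223333
sso_role_name = ReadOnlyAccess
region = us-east-1

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile ops]
role_arn = arn:aws:iam::111122223333:role/OpsRole
source_profile = dev
region = us-east-1

[profile legacy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-west-2

[default]
region = eu-west-1
"""


def load_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse shared-config text into {section name: {key: value}}.

    Only '=' is a delimiter (values contain ':' and '/'), and interpolation
    is off so '%' in a secret cannot be misread as a substitution.
    """
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def profiles(config: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Named profiles: 'profile xxx' sections plus the bare 'default' section."""
    out = {}
    for name, body in config.items():
        if name == "default":
            out["default"] = body
        elif name.startswith("profile "):
            out[name[len("profile "):]] = body
    return out


def credential_kind(profile: Dict[str, str]) -> str:
    """Classify how a profile obtains credentials."""
    if "aws_access_key_id" in profile:
        return "long-term-key"   # static key pair: delete once code has migrated
    if "sso_session" in profile or "sso_start_url" in profile:
        return "sso"             # IAM Identity Center: temporary, auto-refreshed
    if "role_arn" in profile:
        return "assume-role"     # temporary credentials obtained from STS
    return "none"                # settings only (e.g. region), no credentials


def long_term_key_profiles(config: Dict[str, Dict[str, str]]) -> list:
    """Profiles still carrying static access keys, sorted for stable output."""
    return sorted(n for n, p in profiles(config).items() if credential_kind(p) == "long-term-key")


def sso_start_url_for(config: Dict[str, Dict[str, str]], profile_name: str) -> Optional[str]:
    """Follow sso_session to its [sso-session ...] section; fall back to the older inline form."""
    profile = profiles(config)[profile_name]
    session = profile.get("sso_session")
    if session:
        return config.get(f"sso-session {session}", {}).get("sso_start_url")
    return profile.get("sso_start_url")


def select_profile(cli_profile: Optional[str], env: Dict[str, str]) -> str:
    """--profile beats AWS_PROFILE, which beats 'default'."""
    if cli_profile:
        return cli_profile
    return env.get("AWS_PROFILE", "default")


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for name, body in profiles(cfg).items():
        print(f"{name:8s} {credential_kind(body)}")
    print("long-term keys in:", long_term_key_profiles(cfg))
    print("selected:", select_profile(None, {"AWS_PROFILE": "dev"}))
```

Pointing `load_config` at the contents of `~/.aws/config` and `~/.aws/credentials` gives a quick inventory of which profiles still depend on static keys; those are the ones to migrate to an `sso-session` or `role_arn` profile and then delete, as the note recommends.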

To learn more about configuring the CLI, see Install or update the latest version of the AWS CLI in the AWS Command Line Interface User Guide for Version 2 and Authentication and access credentials in the AWS Command Line Interface User Guide.

To learn more about configuring the SDK, see IAM Identity Center authentication in the AWS SDKs and Tools Reference Guide and IAM Roles Anywhere in the AWS SDKs and Tools Reference Guide.