AWS IAM Cloud Service - Identity & Access Management‎



                    Securely control access to AWS services and resources for your users

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.



IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.
To get started using IAM, or if you have already registered with AWS, go to the AWS Management Console and get started with these IAM Best Practices.

Use fine-grained access control, integrate with your corporate directory, and require MFA for highly privileged users


Fine-grained access control
IAM enables you to control access to AWS service APIs and to specific resources. IAM also lets you attach conditions that govern how a user can use AWS, such as the time of day, the originating IP address, whether the request uses SSL, or whether the user has authenticated with a multi-factor authentication device.
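The effect of such conditions can be tried offline. The following Python is an added example, not part of this page or of AWS's documentation: it contains a deny-unless-MFA policy in a weak form beside its corrected form, adds source-IP and SSL conditions, and includes a small evaluator that implements only the condition operators those policies use and checks only explicit Deny statements. The MFA-setup action list, the office address range (a documentation CIDR) and the request contexts are constructed for the demonstration.

```python
"""Mini-evaluator for the IAM condition keys named above.

Added example, not AWS code: it implements only the operators the policies
below use (Bool, BoolIfExists, IpAddress, NotIpAddress) and only checks
explicit Deny statements, so the effect of a condition can be tried offline
against constructed request contexts.
"""
import fnmatch
import ipaddress

# Actions a user must still be able to call before MFA is set up (constructed list).
MFA_SETUP_ACTIONS = [
    "iam:ChangePassword", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
    "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken",
]


def deny_without_mfa(operator):
    """One Deny statement: everything except MFA setup is denied when the
    aws:MultiFactorAuthPresent key is false, tested with `operator`."""
    return {
        "Sid": "DenyIfNoMFA", "Effect": "Deny",
        "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
    }


# WEAK: "Bool" matches only when the key is present, and the key is absent
# for requests signed with long-term access keys, so those are never denied.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [deny_without_mfa("Bool")]}

# CORRECTED: "BoolIfExists" treats a missing key as a match. The other two
# statements show the originating-IP and SSL conditions (203.0.113.0/24 is a
# documentation range standing in for an office network).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    deny_without_mfa("BoolIfExists"),
    {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """True when every key under every operator matches the request context.
    Keys under one operator are ANDed; the values of one key are ORed."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, wanted in pairs.items():
            wanted = [str(w).lower() for w in _as_list(wanted)]
            actual = context.get(key)
            if actual is None:
                if if_exists:
                    continue          # absent key counts as a match
                return False          # absent key: the condition does not match
            if base == "Bool":
                if str(actual).lower() not in wanted:
                    return False
            elif base in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(w, strict=False) for w in wanted)
                if in_range != (base == "IpAddress"):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _action_listed(action, patterns):
    """IAM action matching: case-insensitive, '*' is a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def explicit_deny(policy, action, context):
    """Return the Sid of the first Deny statement that applies, else None."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_listed(action, stmt["Action"])
        else:
            applies = not _action_listed(action, stmt["NotAction"])
        if applies and condition_matches(stmt.get("Condition", {}), context):
            return stmt.get("Sid", "<unnamed>")
    return None


# Constructed request contexts: a console session that passed MFA, and a
# request signed with a long-term access key (no MFA key present at all).
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true",
                    "aws:SourceIp": "203.0.113.7", "aws:SecureTransport": "true"}
ACCESS_KEY_NO_MFA = {"aws:SourceIp": "203.0.113.7", "aws:SecureTransport": "true"}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        for label, ctx in (("console+MFA", CONSOLE_WITH_MFA), ("access key", ACCESS_KEY_NO_MFA)):
            print(name, label, "s3:ListAllMyBuckets ->",
                  explicit_deny(policy, "s3:ListAllMyBuckets", ctx))
```

Run as a script it prints that the weak policy leaves the access-key request undenied while the corrected one denies it; the difference is entirely in how a missing condition key is treated, which is why AWS's MFA pattern uses BoolIfExists.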




Multi-factor authentication
Protect your AWS environment by using AWS MFA, a security feature available at no extra cost that augments user name and password credentials. MFA requires users to prove physical possession of a hardware MFA token or MFA-enabled mobile device by providing a valid MFA code.




Managed access for mobile and browser-based applications
You can enable your mobile and browser-based applications to securely access AWS resources by requesting temporary security credentials that grant access only to specific AWS resources for a configurable period of time.





Directory integration

IAM can be used to grant your employees and applications federated access to the AWS Management Console and AWS service APIs, using your existing identity systems such as Microsoft Active Directory. You can use any identity management solution that supports SAML 2.0, or feel free to use one of our federation samples (AWS Console SSO or API federation).

IAM assists in creating roles and permissions
AWS IAM allows you to:
  • Manage IAM users and their access – You can create users in IAM, assign them individual security credentials (in other words, access keys, passwords, and multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform.
  • Manage IAM roles and their permissions – You can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role. In addition, you can use service-linked roles to delegate permissions to AWS services that create and manage AWS resources on your behalf.
  • Manage federated users and their permissions – You can enable identity federation to allow existing identities (users, groups, and roles) in your enterprise to access the AWS Management Console, call AWS APIs, and access resources, without the need to create an IAM user for each identity. Use any identity management solution that supports SAML 2.0, or use one of our federation samples (AWS Console SSO or API federation).
Manage access control without losing flexibility or resiliency
AWS has a list of best practices to help IT professionals and developers. For a full explanation of IAM best practices, see the recorded session on the topic from re:Invent 2015.
Users – Create individual users.
Groups – Manage permissions with groups.
Permissions – Grant least privilege.
Auditing – Turn on AWS CloudTrail.
Password – Configure a strong password policy.
MFA – Enable MFA for privileged users.
Roles – Use IAM roles for Amazon EC2 instances.
Sharing – Use IAM roles to share access.
Rotate – Rotate security credentials regularly.
Conditions – Restrict privileged access further with conditions.
Root – Reduce or remove use of root.

AWS Identity and Access Management



IAM User Guide
Introduces you to AWS Identity and Access Management, helps you set up users and groups, and shows you how to protect your resources with access control policies. Also shows how to connect to other identity services to grant external users access to your AWS resources.


IAM section of AWS CLI Reference
Describes the AWS CLI commands that you can use to administer IAM. Provides syntax, options, and usage examples for each command.

IAM API Reference

Describes all the API operations for AWS Identity and Access Management in detail. Also provides sample requests, responses, and errors for the supported web services protocols.
STS section of the AWS CLI Reference
Describes the AWS CLI commands that you can use to generate temporary security credentials. Provides syntax, options, and usage examples for each command.

STS API Reference
Describes all the API operations for AWS STS in detail. Also provides sample requests, responses, and errors for the supported web services protocols.

Step 1: Set Up an AWS Account and Create an Administrator User

Before you use AWS Lambda for the first time, complete the following tasks:

Sign up for AWS

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all services in AWS, including AWS Lambda. You are charged only for the services that you use.
With AWS Lambda, you pay only for the resources you use. For more information about AWS Lambda usage rates, see the AWS Lambda product page. If you are a new AWS customer, you can get started with AWS Lambda for free. For more information, see AWS Free Usage Tier.
If you already have an AWS account, skip to the next task. If you don't have an AWS account, use the following procedure to create one.
To create an AWS account
  1. Open https://aws.amazon.com/, and then choose Create an AWS Account.
    Note
    This might be unavailable in your browser if you previously signed into the AWS Management Console. In that case, choose Sign In to the Console, and then choose Create a new AWS account.
  2. Follow the online instructions.
    Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone keypad.
Note your AWS account ID, because you'll need it for the next task.

Create an IAM User

Services in AWS, such as AWS Lambda, require that you provide credentials when you access them, so that the service can determine whether you have permissions to access the resources owned by that service. The console requires your password. You can create access keys for your AWS account root user to access the AWS CLI or API. However, we don't recommend that you access AWS using root user credentials. Instead, use AWS Identity and Access Management (IAM): create an IAM user, add the user to an IAM group with administrative permissions, and then sign in as that IAM user using a special sign-in URL and the user's credentials.
If you signed up for AWS, but you haven't created an IAM user for yourself, you can create one using the IAM console.
The Getting Started exercises and tutorials in this guide assume you have a user (adminuser) with administrator privileges. The console procedure below names the user Administrator, while the AWS CLI profile in Step 2 uses adminuser; choose one name and use it consistently.
To create an IAM user for yourself and add the user to an Administrators group
  1. Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.
  2. In the navigation pane of the console, choose Users, and then choose Add user.
  3. For User name, type Administrator.
  4. Select the check box next to AWS Management Console access, select Custom password, and then type the new user's password in the text box. You can optionally select Require password reset to force the user to select a new password the next time the user signs in.
  5. Choose Next: Permissions.
  6. On the Set permissions for user page, choose Add user to group.
  7. Choose Create group.
  8. In the Create group dialog box, type Administrators.
  9. For Filter, choose Job function.
  10. In the policy list, select the check box for AdministratorAccess. Then choose Create group.
  11. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.
  12. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.
You can use this same process to create more groups and users, and to give your users access to your AWS account resources. To learn about using policies to restrict users' permissions to specific AWS resources, go to Access Management and Example Policies.
To sign in as the new IAM user
  1. Sign out of the AWS Management Console.
  2. Use the following URL format to log in to the console:
    https://aws_account_number.signin.aws.amazon.com/console/
    The aws_account_number is your AWS account ID without hyphens. For example, if your AWS account ID is 1234-5678-9012, your AWS account number is 123456789012. For information about how to find your account number, see Your AWS Account ID and Its Alias in the IAM User Guide.
  3. Enter the IAM user name and password that you just created. When you're signed in, the navigation bar displays your_user_name @ your_aws_account_id.
If you don't want the URL for your sign-in page to contain your AWS account ID, you can create an account alias.
To create or remove an account alias
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. On the navigation pane, choose Dashboard.
  3. Find the IAM users sign-in link.
  4. To create the alias, click Customize, enter the name you want to use for your alias, and then choose Yes, Create.
  5. To remove the alias, choose Customize, and then choose Yes, Delete. The sign-in URL reverts to using your AWS account ID.
To sign in after you create an account alias, use the following URL:
https://your_account_alias.signin.aws.amazon.com/console/
To verify the sign-in link for IAM users for your account, open the IAM console and check the "IAM users sign-in link" shown on the dashboard.
For more information about IAM, see the following:

Step 2: Set Up the AWS Command Line Interface (AWS CLI)

All the exercises in this guide assume that you are using administrator user credentials (adminuser) in your account to perform the operations. For instructions on creating an administrator user in your AWS account, see Step 1.1: Set Up an AWS Account and Create an Administrator User, and then follow the steps to download and configure the AWS Command Line Interface (AWS CLI).
To set up the AWS CLI
  1. Download and configure the AWS CLI. For instructions, see the following topics in the AWS Command Line Interface User Guide.
  2. Add a named profile for the administrator user in the AWS CLI config file. You use this profile when executing the AWS CLI commands.
    [profile adminuser]
    aws_access_key_id = adminuser access key ID
    aws_secret_access_key = adminuser secret access key
    region = aws-region
    For a list of available AWS regions, see Regions and Endpoints in the Amazon Web Services General Reference.
  3. Verify the setup by entering the following commands at the command prompt.
    • Try the help command to verify that the AWS CLI is installed on your computer:
      aws help
    • Try a Lambda command to verify the user can reach AWS Lambda. This command lists Lambda functions in the account, if any. The AWS CLI uses the adminuser credentials to authenticate the request.
      aws lambda list-functions --profile adminuser
Now that you have set up an account and AWS CLI, you can create your first Lambda function. For instructions, see Step 2: Create a HelloWorld Lambda Function and Explore the Console.

Creating an IAM User in Your AWS Account

You can create one or more IAM users in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.
Important
If you arrived at this page trying to enable Amazon Advertising for your application or website, see Becoming a Product Advertising API Developer.
If you arrived at this page from the IAM console, it is possible that your account does not include IAM users, even though you are logged in. You could be signed in as the AWS account root user, using a role, or signed in with temporary credentials. To learn more about these IAM identities, see Identities (Users, Groups, and Roles).
In outline, the process of creating a user and making it usable for work tasks consists of these steps:
  1. Create the user in the AWS Management Console or from an AWS CLI, Tools for Windows PowerShell, or IAM API command. If you create the user in the AWS Management Console, then steps 1–4 are handled automatically. If you create the users programmatically, then you must perform each of those steps individually.
  2. Create credentials for the user, depending on the type of access the user requires:
    • Programmatic access: The IAM user might need to make API calls or use the AWS CLI or the Tools for Windows PowerShell. In that case, create an access key (an access key ID and a secret access key) for that user.
    • AWS Management Console access: If the user needs to access AWS resources from the AWS Management Console, create a password for the user.
    As a best practice, do not create credentials of a certain type for a user who will never need that kind of access. For example, for a user who requires access through the AWS Management Console only, do not create access keys.
  3. Give the user permissions to perform the required tasks by adding the user to one or more groups. You can grant permissions by attaching IAM permission policies directly to the user. However, we recommend instead that you put your users in groups and manage permissions through policies that are attached to those groups.
  4. Provide the user with the necessary sign-in information. This includes the password and the URL for the account sign-in webpage where the user enters those credentials. For more information, see How IAM Users Sign In to AWS.
  5. (Optional) Configure multi-factor authentication (MFA) for the user. MFA requires the user to provide a one-time-use code each time they sign in to the AWS Management Console.
  6. (Optional) Give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permitting IAM Users to Change Their Own Passwords.
For information about the permissions that you need in order to create a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

Creating IAM Users (Console)

To create one or more IAM users from the AWS Management Console
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users and then choose Add user.
  3. Type the user name for the new user. This is the sign-in name for AWS. If you want to add more than one user at the same time, choose Add another user for each additional user and type their user names. You can add up to 10 users at one time.
    Note
    User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. For more information about limitations on IAM entities, see Limitations on IAM Entities and Objects.
  4. Select the type of access this set of users will have. You can select programmatic access, access to the AWS Management Console, or both.
    • Select Programmatic access if the users require access to the API, AWS CLI, or Tools for Windows PowerShell. This creates an access key for each new user. You can view or download the access keys when you get to the Final page.

    • Select AWS Management Console access if the users require access to the AWS Management Console. This creates a password for each new user.

      1. For Console password type, choose one of the following:

        • Autogenerated password. Each user gets a randomly generated password that meets the current password policy in effect (if any). You can view or download the passwords when you get to the Final page.

        • Custom password. Each user is assigned the password that you type in the box.

      2. (Optional) We recommend that you choose Require password reset to ensure that users are forced to change their password the first time they sign in.
        Note
        If you have not enabled the account-wide password policy setting Allow users to change their own password, then selecting Require password reset automatically attaches an AWS managed policy named IAMUserChangePassword to the new users that grants them permission to change their own passwords.
  5. Choose Next: Permissions.
  6. On the Set permissions page, specify how you want to assign permissions to this set of new users. Choose one of the following three options:
    • Add user to group. Choose this option if you have groups with appropriate permission policies already created and want to assign the users to those groups. IAM displays a list of all currently defined groups, along with their attached policies. You can select one or more existing groups, or choose Create group to create a new group. For more information, see Changing Permissions for an IAM User.
    • Copy permissions from existing user. Choose this option to copy all of the group memberships, attached managed policies, and embedded inline policies from an existing user to the new users. IAM displays a list of currently defined users. Select the one whose permissions most closely match the needs of your new users. Each new user gets the same group memberships and attached policies as the selected user.
    • Attach existing policies to user directly. Choose this option to select from existing managed policies or to create new managed policies that are attached to the new users. IAM displays a list of currently defined managed policies, both AWS and customer-defined. Select the policies that you want to attach to the new users or choose Create policy to create a new policy from scratch. For more information, see step 4 in the procedure Create a Policy.
  7. Choose Next: Review to see all of the choices you made up to this point. When you are ready to proceed, choose Create user.
  8. To view the users' access keys (access key IDs and secret access keys), choose Show next to each password and secret access key that you want to see. To save the access keys, choose Download .csv and then save the file to a safe location.
    Important
    This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.
  9. Provide each user with his or her credentials. On the final page you can choose Send email next to each user. Your local mail client opens with a draft that you can customize and send. The email template includes the following details to each user:
    • User name

    • URL to the account sign-in webpage. Use the following example, substituting the correct account ID number or account alias:
      https://AWS-account-ID or alias.signin.aws.amazon.com/console
    For more information, see How IAM Users Sign In to AWS.
    Important
    The user's password is not included in the generated email. You must provide it to the user in a way that complies with your organization's security guidelines.
  10. (Optional) Grant the users permission to manage their own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.

Creating IAM Users (AWS CLI, Tools for Windows PowerShell, or IAM HTTP API)

To create an IAM user from the AWS CLI, Tools for Windows PowerShell, or IAM HTTP API
  1. Create a user.
    • AWS CLI: aws iam create-user
    • Tools for Windows PowerShell: New-IAMUser
    • IAM API: CreateUser
  2. (Optional) Give the user access to the AWS Management Console. This requires a password. You must also give the user the URL of your account's sign-in page.
    • AWS CLI: aws iam create-login-profile
    • Tools for Windows PowerShell: New-IAMLoginProfile
    • IAM API: CreateLoginProfile
  3. (Optional) Give the user programmatic access. This requires access keys.
    • AWS CLI: aws iam create-access-key
    • Tools for Windows PowerShell: New-IAMAccessKey
    • IAM API: CreateAccessKey
      Important
      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.
  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.
    • AWS CLI: aws iam add-user-to-group
    • Tools for Windows PowerShell: Add-IAMUserToGroup
    • IAM API: AddUserToGroup
  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.
    • AWS CLI: aws iam attach-user-policy
    • Tools for Windows PowerShell: Register-IAMUserPolicy
    • IAM API: AttachUserPolicy
  6. (Optional) Give the user permission to manage his or her own security credentials. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.

How IAM Users Sign In to AWS

To sign in to the AWS Management Console as an IAM user, you must provide your account ID or account alias in addition to your user name and password. When your administrator created your IAM user in the console, they should have sent you your sign-in credentials, including your user name and the URL to your account sign-in page that includes your account ID or account alias.
https://My_AWS_Account_ID.signin.aws.amazon.com/console/
Tip
To create a bookmark for your account sign-in page in your web browser, you should manually type the sign-in URL for your account in the bookmark entry. Do not use your web browser bookmark feature because redirects can obscure the sign-in URL.
You can also sign in at the following general sign-in endpoint and type your account ID or account alias manually:
https://console.aws.amazon.com/
For convenience, the AWS sign-in page uses a browser cookie to remember the IAM user name and account information. The next time the user goes to any page in the AWS Management Console, the console uses the cookie to redirect the user to the account sign-in page.
You have access only to the AWS resources that your administrator specifies in the policy that is attached to your IAM user identity. To work in the console, you must have permissions to perform the actions that the console performs, such as listing and creating AWS resources. For more information, see Access Management and Example Policies.
Note
If your organization has an existing identity system, you might want to create a single sign-on (SSO) option. SSO gives users access to the AWS Management Console for your account without requiring them to have an IAM user identity. SSO also eliminates the need for users to sign in to your organization's site and to AWS separately. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
Logging sign-in details in CloudTrail
If you enable CloudTrail to log sign-in events to your logs, you need to be aware of how CloudTrail chooses where to log the events.
  • If your users sign in directly to a console, they are redirected to either a global or a regional sign-in endpoint, based on whether the selected service console supports regions. For example, the main console home page supports regions, so if you sign in to the following URL:
    https://alias.signin.aws.amazon.com/console
    you are redirected to a regional sign-in endpoint such as https://us-east-2.signin.aws.amazon.com, resulting in a regional CloudTrail log entry in that region's log.
    On the other hand, the Amazon S3 console does not support regions, so if you sign in to the following URL:
    https://alias.signin.aws.amazon.com/console/s3
    AWS redirects you to the global sign-in endpoint at https://signin.aws.amazon.com, resulting in a global CloudTrail log entry.
  • You can manually request a certain regional sign-in endpoint by signing in to the region-enabled main console home page using a URL syntax like the following:
    https://alias.signin.aws.amazon.com/console?region=ap-southeast-1
    AWS redirects you to the ap-southeast-1 regional sign-in endpoint and results in a regional CloudTrail log event.
For more information about CloudTrail and IAM, see Logging IAM Events with AWS CloudTrail.
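Once sign-in events are in CloudTrail they can be checked mechanically. The following Python is an added example, not from the AWS documentation: it runs a detection pass over constructed ConsoleLogin records and flags successful sign-ins made without MFA, root sign-ins, and repeated failures from one address, noting for each whether the event came through the global endpoint (which CloudTrail records under us-east-1) or a regional one, so you know which trail to search. The records, account ID, user names and addresses are made up; the field names follow the shape of real ConsoleLogin events (responseElements.ConsoleLogin, additionalEventData.MFAUsed).

```python
"""Detection pass over CloudTrail ConsoleLogin records.

Added example, not from the AWS documentation. The records are constructed,
one JSON object per line (the shape you get after unpacking a trail file's
Records array). Account ID, names and addresses are placeholders.
"""
import json
from collections import Counter

SAMPLE_TRAIL = r"""
{"eventTime":"2019-03-04T09:12:01Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","accountId":"111122223333","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes","LoginTo":"https://us-east-2.console.aws.amazon.com/console/home"}}
{"eventTime":"2019-03-04T09:15:44Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","accountId":"111122223333","userName":"bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No","LoginTo":"https://s3.console.aws.amazon.com/s3/home"}}
{"eventTime":"2019-03-04T09:16:10Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"Root","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
{"eventTime":"2019-03-04T09:16:31Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"Root","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
{"eventTime":"2019-03-04T09:16:52Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"Root","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
{"eventTime":"2019-03-04T10:02:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","accountId":"111122223333","userName":"alice"}}
"""


def parse_trail(text):
    """Parse one CloudTrail record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal(event):
    """IAM user name, or the identity type (e.g. Root) when there is no user name."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def login_findings(events, failure_threshold=3):
    """Return a list of finding dicts for the ConsoleLogin events in `events`."""
    findings, failures = [], Counter()
    for e in events:
        if e.get("eventSource") != "signin.amazonaws.com" or e.get("eventName") != "ConsoleLogin":
            continue
        who, ip = principal(e), e.get("sourceIPAddress")
        outcome = e.get("responseElements", {}).get("ConsoleLogin")
        mfa = e.get("additionalEventData", {}).get("MFAUsed")
        # Sign-ins through the global endpoint are recorded in the us-east-1 trail.
        endpoint = "global" if e.get("awsRegion") == "us-east-1" else e.get("awsRegion")
        if outcome == "Success":
            if mfa != "Yes":
                findings.append({"rule": "login-without-mfa", "principal": who, "ip": ip,
                                 "endpoint": endpoint, "time": e.get("eventTime")})
            if e.get("userIdentity", {}).get("type") == "Root":
                findings.append({"rule": "root-login", "principal": who, "ip": ip,
                                 "endpoint": endpoint, "time": e.get("eventTime")})
        elif outcome == "Failure":
            failures[(who, ip)] += 1
    for (who, ip), count in failures.items():
        if count >= failure_threshold:
            findings.append({"rule": "repeated-failures", "principal": who, "ip": ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in login_findings(parse_trail(SAMPLE_TRAIL)):
        print(finding)
```

On the sample this reports bob's sign-in without MFA (via the global endpoint, as the S3 console path implies) and three consecutive root failures from one address; alice's MFA-backed regional sign-in and the unrelated AssumeRole event produce nothing.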
If users need programmatic access to work with your account, you can create an access key pair (an access key ID and a secret access key) for each user, as described in Creating, Modifying, and Viewing Access Keys (Console).

Managing IAM Users

Amazon Web Services offers multiple tools for managing the IAM users in your AWS account.

Listing IAM Users

You can list the IAM users in your AWS account or in a specific IAM group, and list all the groups that a user is in. For information about the permissions that you need in order to list users, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

To list all the users in the account
aws iam list-users

To list the users in a specific group
aws iam get-group --group-name group_name

To list all the groups that a user is in
aws iam list-groups-for-user --user-name user_name

Renaming an IAM User

To change a user's name or path, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API. There is no option in the console to rename a user. For information about the permissions that you need in order to rename a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.
When you change a user's name or path, the following happens:
  • Any policies attached to the user stay with the user under the new name.
  • The user stays in the same groups under the new name.
  • The unique ID for the user remains the same. For more information about unique IDs, see Unique IDs.
  • Any resource or role policies that refer to the user as a principal (the user is being granted access) are automatically updated to use the new name or path. For example, any queue-based policies in Amazon SQS or resource-based policies in Amazon S3 are automatically updated to use the new name and path.
IAM does not automatically update policies that refer to the user as a resource to use the new name or path; you must manually do that. For example, imagine that user Bob has a policy attached to him that lets him manage his security credentials. If an administrator renames Bob to Robert, the administrator also needs to update that policy to change the resource from this:
arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/Bob
to this:
arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/Robert
This is true also if an administrator changes the path; the administrator needs to update the policy to reflect the new path for the user.

To rename a user
aws iam update-user --user-name Bob --new-user-name Robert (add --new-path to change the path as well)

Deleting an IAM User

You might delete an IAM user from your account if someone quits your company. If the user is only temporarily away from your company, you can disable the user's credentials instead of deleting the user entirely from the AWS account. That way, you can prevent the user from accessing the AWS account's resources during the absence but you can re-enable the user later.
For more information about disabling credentials, see Managing Access Keys for IAM Users. For information about the permissions that you need in order to delete a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

Deleting an IAM User (AWS Management Console)

When you use the AWS Management Console to delete an IAM user, IAM automatically deletes the following information for you:
  • The user
  • Any group memberships—that is, the user is removed from any IAM groups that the user was a member of
  • Any password associated with the user
  • Any access keys belonging to the user
  • All inline policies embedded in the user (policies that are applied to a user via group permissions are not affected)
    Note
    Any managed policies attached to the user are detached from the user when the user is deleted. Managed policies are not deleted when you delete a user.
  • Any associated MFA device
To use the AWS Management Console to delete an IAM user
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users, and then select the check box next to the user name that you want to delete, not the name or row itself.
  3. At the top of the page, choose Delete user.
  4. In the confirmation dialog box, wait for the service last accessed data to load before you review the data. The dialog box shows when each of the selected users last accessed an AWS service. If you attempt to delete a user that has been active within the last 30 days, you must select an additional check box to confirm that you want to delete the active user. If you want to proceed, choose Yes, Delete.

Deleting an IAM User (AWS CLI and Tools for Windows PowerShell)

Unlike the AWS Management Console, when you delete a user with the AWS CLI or Tools for Windows PowerShell you have to delete the items attached to the user manually. This procedure illustrates the process. For a complete PowerShell code snippet, see the example in Remove-IAMUser.
To use the AWS CLI to delete a user from your account
  1. Delete the user's keys and certificates. This helps ensure that the user can't access your AWS account's resources anymore. Note that when you delete a security credential, it's gone forever and can't be retrieved.
    aws iam list-access-keys and aws iam delete-access-key (access keys); aws iam list-signing-certificates and aws iam delete-signing-certificate (signing certificates); aws iam list-ssh-public-keys and aws iam delete-ssh-public-key (SSH public keys, if any were uploaded)
  2. Delete the user's password, if the user has one.
    aws iam delete-login-profile
  3. Deactivate the user's MFA device, if the user has one.
    aws iam list-mfa-devices and aws iam deactivate-mfa-device
  4. Detach any managed policies that are attached to the user, and delete any inline policies embedded in the user.
    aws iam list-attached-user-policies (to list the managed policies attached to the user) and aws iam detach-user-policy (to detach them); aws iam list-user-policies and aws iam delete-user-policy (to list and delete inline policies)
  5. Get a list of any groups the user was in, and remove the user from those groups.
    aws iam list-groups-for-user and aws iam remove-user-from-group
  6. Delete the user. The call is refused with a DeleteConflict error while any of the items above still exist.
    aws iam delete-user
To use the Tools for Windows PowerShell to delete a user from your account
  1. Delete the user's keys and certificates. This helps ensure that the user can't access your AWS account's resources anymore. Note that when you delete a security credential, it's gone forever and can't be retrieved.
    Get-IAMAccessKey and Remove-IAMAccessKey (access keys); Get-IAMSigningCertificate and Remove-IAMSigningCertificate (signing certificates)
  2. Delete the user's password, if the user has one.
    Remove-IAMLoginProfile
  3. Deactivate the user's MFA device, if the user has one.
    Get-IAMMFADevice and Disable-IAMMFADevice
  4. Detach any managed policies that are attached to the user, and delete any inline policies embedded in the user.
    Get-IAMAttachedUserPolicies (to list the managed policies attached to the user) and Unregister-IAMUserPolicy (to detach them); Remove-IAMUserPolicy deletes an inline policy rather than detaching a managed one.
  5. Get a list of any groups the user was in, and remove the user from those groups.
    Get-IAMGroupForUser and Remove-IAMUserFromGroup
  6. Delete the user. The call is refused with a DeleteConflict error while any of the items above still exist.
    Remove-IAMUser
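Both procedures above map onto the IAM API one call at a time, and the order matters because DeleteUser is refused while anything remains attached. The following Python is an added example, not AWS code: it runs the same six steps through the boto3 IAM client (list_access_keys, delete_access_key, delete_login_profile, deactivate_mfa_device, detach_user_policy, delete_user_policy, remove_user_from_group, delete_user and their list_* counterparts), and includes a constructed in-memory stand-in for the client so the sequence can be exercised without an account. The sample user, key ID and policy names are made up.

```python
"""Delete an IAM user in the order the CLI and PowerShell procedures above use.

Added example, not AWS code. offboard_user drives the boto3 IAM client;
FakeIAM is a constructed stand-in covering only the calls used, so the
sequence can run offline. Pass boto3.client("iam") for a real account.
"""


def offboard_user(iam, user):
    """Remove every credential and permission from `user`, then delete it.
    Returns the actions taken, in order. Each list_* call is read as a single
    page; a user with more than a page of keys or policies is unusual."""
    done = []
    # 1. Long-term credentials: access keys and signing certificates. (SSH public
    #    keys and service-specific credentials, if any, need the same treatment.)
    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        iam.delete_access_key(UserName=user, AccessKeyId=key["AccessKeyId"])
        done.append(("delete_access_key", key["AccessKeyId"]))
    for cert in iam.list_signing_certificates(UserName=user)["Certificates"]:
        iam.delete_signing_certificate(UserName=user, CertificateId=cert["CertificateId"])
        done.append(("delete_signing_certificate", cert["CertificateId"]))
    # 2. Console password, if the user has one.
    try:
        iam.delete_login_profile(UserName=user)
        done.append(("delete_login_profile", user))
    except iam.exceptions.NoSuchEntityException:
        pass
    # 3. MFA devices (a virtual device can afterwards be removed with delete_virtual_mfa_device).
    for dev in iam.list_mfa_devices(UserName=user)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=user, SerialNumber=dev["SerialNumber"])
        done.append(("deactivate_mfa_device", dev["SerialNumber"]))
    # 4. Managed policies are detached; inline policies are deleted.
    for pol in iam.list_attached_user_policies(UserName=user)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user, PolicyArn=pol["PolicyArn"])
        done.append(("detach_user_policy", pol["PolicyArn"]))
    for name in iam.list_user_policies(UserName=user)["PolicyNames"]:
        iam.delete_user_policy(UserName=user, PolicyName=name)
        done.append(("delete_user_policy", name))
    # 5. Group memberships.
    for grp in iam.list_groups_for_user(UserName=user)["Groups"]:
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=user)
        done.append(("remove_user_from_group", grp["GroupName"]))
    # 6. The user itself; IAM refuses this with DeleteConflict if anything is left.
    iam.delete_user(UserName=user)
    done.append(("delete_user", user))
    return done


class FakeIAM:
    """Constructed stand-in for the subset of boto3's IAM client used above."""

    class exceptions:
        class NoSuchEntityException(Exception): pass
        class DeleteConflictException(Exception): pass

    def __init__(self, user, keys=(), certs=(), password=False, mfa=(), attached=(), inline=(), groups=()):
        self.users = {user: {"keys": list(keys), "certs": list(certs), "password": password,
                             "mfa": list(mfa), "attached": list(attached),
                             "inline": list(inline), "groups": list(groups)}}

    def _u(self, name):
        if name not in self.users:
            raise self.exceptions.NoSuchEntityException(name)
        return self.users[name]

    def list_access_keys(self, UserName): return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self._u(UserName)["keys"]]}
    def delete_access_key(self, UserName, AccessKeyId): self._u(UserName)["keys"].remove(AccessKeyId)
    def list_signing_certificates(self, UserName): return {"Certificates": [{"CertificateId": c} for c in self._u(UserName)["certs"]]}
    def delete_signing_certificate(self, UserName, CertificateId): self._u(UserName)["certs"].remove(CertificateId)
    def list_mfa_devices(self, UserName): return {"MFADevices": [{"SerialNumber": s} for s in self._u(UserName)["mfa"]]}
    def deactivate_mfa_device(self, UserName, SerialNumber): self._u(UserName)["mfa"].remove(SerialNumber)
    def list_attached_user_policies(self, UserName): return {"AttachedPolicies": [{"PolicyArn": a} for a in self._u(UserName)["attached"]]}
    def detach_user_policy(self, UserName, PolicyArn): self._u(UserName)["attached"].remove(PolicyArn)
    def list_user_policies(self, UserName): return {"PolicyNames": list(self._u(UserName)["inline"])}
    def delete_user_policy(self, UserName, PolicyName): self._u(UserName)["inline"].remove(PolicyName)
    def list_groups_for_user(self, UserName): return {"Groups": [{"GroupName": g} for g in self._u(UserName)["groups"]]}
    def remove_user_from_group(self, GroupName, UserName): self._u(UserName)["groups"].remove(GroupName)

    def delete_login_profile(self, UserName):
        if not self._u(UserName)["password"]:
            raise self.exceptions.NoSuchEntityException(UserName)
        self._u(UserName)["password"] = False

    def delete_user(self, UserName):
        if any(self._u(UserName).values()):     # anything left: refuse, like IAM does
            raise self.exceptions.DeleteConflictException(UserName)
        del self.users[UserName]


if __name__ == "__main__":
    import sys
    import boto3
    for action in offboard_user(boto3.client("iam"), sys.argv[1]):
        print(*action)
```

Run against a real account as `python offboard.py user_name` with credentials that carry the permissions described in Delegating Permissions to Administer IAM Users, Groups, and Credentials. To disable a temporarily absent user instead, as the section above suggests, use update_access_key with Status Inactive and deactivate_mfa_device rather than this deletion path.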

Changing Permissions for an IAM User

You can change the permissions for an IAM user in your AWS account by changing its group memberships or by attaching and detaching managed policies. A user gets its permissions through one of the following methods:
Group membership
  • Add or remove a user from a group.
  • Add, remove, or edit a managed policy attached to the group. This policy can be customer-created and managed, or it can be an AWS managed policy.
  • Add, remove, or edit a group's inline policies. This kind of policy is always customer-created.
Direct policy attachment
  • Add, remove, or edit a managed policy attached directly to a user. This policy can be customer-created and managed or it can be an AWS managed policy.
  • Add, remove, or edit a user's inline policies. This kind of policy is always customer-created.
For information about the permissions that you need in order to modify the permissions for a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

Adding Permissions to a New or Existing User (Console)

You can change permissions associated with a user through one of three techniques:
  • Add user to group. Make the user a member of a group that already has policies attached. Every member of the group receives the permissions granted by the group's policies.
  • Copy permissions from existing user. Copy all group memberships and attached managed policies as well as all inline policies embedded in the source user.
  • Attach policies directly to user. Attach a managed policy directly to the user. As a best practice, we recommend that you instead attach your policies to a group and then make users members of the appropriate groups.

Adding Permissions by Adding the User to a Group


To add permissions to a user by adding the user to a group
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. Review the current group memberships for users in the Groups column of the console. If necessary, add the column to the users table by completing the following steps:
    1. Above the table on the far right, choose the settings icon.
    2. In the Manage Columns dialog box, select the Groups column. Optionally, you can also clear the check box for any column headings that you do not want to appear in the users table.
    3. Choose Close to return to the list of users.
    The Groups column tells you to which groups the user belongs. The field includes the group names for up to two groups. If the user is a member of three or more groups, the first two groups are shown (ordered alphabetically), and the number of additional group memberships is included. For example, if the user belongs to Group A, Group B, Group C, and Group D, then the field contains the value Group A, Group B + 2 more. To see the total number of groups to which the user belongs, you can add the Group count column to the users table.
  4. Choose the name of the user whose permissions you want to modify.
  5. Choose the Permissions tab, and then choose Add permissions. Under Grant permissions choose Add user to group.
  6. Select the check box for each group that you want the user to join. The list shows each group's name and the policies that the user receives if made a member of that group. The permissions in each selected group apply to the user as soon as you complete the process.
  7. (Optional) In addition to selecting from existing groups, you can choose Create group to define a new group:
    1. For Group name, type a name for your new group.
      Note
      Group names can be a combination of up to 128 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two groups named TESTGROUP and testgroup. For more information about limitations on IAM entities, see Limitations on IAM Entities and Objects.
    2. Select one or more check boxes for the managed policies that you want to attach to the group. You can also create a new managed policy by choosing Create policy. If you do, return to this browser tab or window when the new policy is done; choose Refresh; and then choose the new policy to attach it to your group. For more information, see Creating a New Policy.
    3. Choose Create group.
    4. Back in the list of groups, select the check box for your new group.
  8. Choose Next: Review to see the list of group memberships to be added to the user. Then choose Add permissions.
The new permissions affect the user immediately.

Adding Permissions by Copying from Another User


To add permissions to a user by copying permissions from another user
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Users in the navigation pane, choose the name of the user whose permissions you want to modify, and then choose the Permissions tab.
  3. Choose Add permissions, and then under Grant permissions choose Copy permissions from existing user. The list displays available users along with their group memberships and attached policies. If the full list of groups or policies does not fit on one line, you can choose the and n more link. Doing that opens a new browser tab where you can see the full list of policies (Permissions tab) and groups (Groups tab).
  4. Select the radio button next to the user whose permissions you want to copy.
  5. Choose Next: Review to see the list of changes that are to be made to the user. Then choose Add permissions.
The new permissions affect the user immediately.

Adding Permissions by Attaching Policies Directly to the User


To add permissions to a user by directly attaching managed policies
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Users in the navigation pane, choose the name of the user whose permissions you want to modify, and then choose the Permissions tab.
  3. Choose Add permissions, and then under Grant permissions, choose Attach existing policies directly to user.
  4. Select one or more check boxes for the managed policies that you want to attach to the user. You can also create a new managed policy by choosing Create policy. If you do, return to this browser tab or window when the new policy is done. Choose Refresh; and then select the check box for the new policy to attach it to your user. For more information, see Creating a New Policy.
  5. Choose Next: Review to see the list of policies that are to be attached to the user. Then choose Add permissions.
The new permissions affect the user immediately.

Removing Permissions from an Existing User (Console)

To revoke permissions for IAM users
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users, choose the name of the user whose permissions you want to modify, and then choose the Permissions tab.
    The Permissions tab displays each policy that applies to the user, and how the user gets that policy.
  3. If you want to revoke permissions by removing an existing policy, view the Policy type to understand how the user is getting that policy before choosing X to remove the policy:
    • If the policy applies because of group membership, then choosing X removes the user from the group. Because you might have multiple policies attached from a single group, if you remove a user from a group, the user loses access to all policies that it received through that group membership.
    • If the policy is a managed policy attached directly to the user, then choosing X detaches the policy from the user. This does not affect the policy itself or any other entity that the policy might be attached to.
    • If the policy is an inline embedded policy, then choosing X removes the policy from IAM. Inline policies that are attached directly to a user exist only on that user.

Adding and Removing Permissions from a User (AWS API, AWS CLI, Tools for Windows PowerShell)

To add or remove permissions programmatically, you must add or remove the group memberships, attach or detach the managed policies, or add or delete the inline policies. For more information, see the following topics:

Managing Passwords

You can manage passwords for your AWS account root user and for IAM users in your account. IAM users need passwords in order to access the AWS Management Console. Users do not need passwords to access AWS resources programmatically by using the AWS CLI, Tools for Windows PowerShell, the AWS SDKs or APIs. For those environments, users need access keys instead.

How IAM Users Change Their Own Password

If IAM users have been granted permission to change their own passwords, they can use a special page in the AWS Management Console to do this. They can also use the command line interface or the IAM API.
For information about the permissions that users need in order to change their own passwords, see Permitting IAM Users to Change Their Own Passwords.

How IAM Users Change Their Own Password (AWS Management Console)

The following procedure describes how IAM users can use the AWS Management Console to change their own password.
To use the console to change your own password as an IAM user
  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
    Note
    For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
    To get your AWS account ID, contact your administrator.
  2. In the navigation bar on the upper right, choose your user name, and then choose Security Credentials.
  3. For Current password, type your current password. Type a new password in the New password and Confirm new password boxes. Then click Submit.
    Note
    If the account has a password policy, the new password must meet the requirements of that policy. For more information, see Setting an Account Password Policy for IAM Users.

How IAM Users Change Their Own Password (AWS CLI, Tools for Windows PowerShell, or AWS API)

The following procedure describes how IAM users can use the AWS CLI, Tools for Windows PowerShell, or AWS API to change their own password.
To change your own IAM password, use the following commands

Changing the AWS Account Root User Password

You must be signed in as the AWS account root user in order to change the password.
To change the password for the root user
  1. Use your AWS account email address and password to sign in to the AWS Management Console as the root user.
    Note
    If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, choose Sign-in using root account credentials near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account email address and password.
  2. In the upper right corner of the console, choose your account name or number and then choose My Account.
  3. On the right side of the page, next to the Account Settings section, choose Edit.
  4. On the Password line choose Edit to change your password.
  5. Choose a strong password. Although you can set an account password policy for IAM users, that policy does not apply to your AWS account root user.
    AWS requires that your password meet these conditions:
    • have a minimum of 8 characters and a maximum of 128 characters
    • include a minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * () <> [] {} | _+-= symbols
    • not be identical to your AWS account name or email address
    Note
    AWS is rolling out improvements to the sign-in process. One of those improvements is to enforce a more secure password policy for your account. If your account has been upgraded, you are required to meet the password policy above. If your account has not yet been upgraded, then AWS does not enforce this policy, but highly recommends that you follow its guidelines for a more secure password.
    To protect your password, it's important to follow these best practices:
    • Change your password periodically and keep your password private, since anyone who knows your password may access your account.
    • Use a different password on AWS that you use on other sites.
    • Avoid passwords that are easy to guess. These include passwords such as secret, password, amazon, or 123456. They also include things like a dictionary word, your name, email address, or other personal information that can easily be obtained.

    Setting an Account Password Policy for IAM Users

    You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords.
    You can use a password policy to do these things:
    • Set a minimum password length.
    • Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.
    • Allow all IAM users to change their own passwords.
      Note
      When you allow your IAM users to change their own passwords, IAM automatically allows them to view the password policy. IAM users need permission to view the account's password policy in order to create a password that complies with the policy.
    • Require IAM users to change their password after a specified period of time (enable password expiration).
    • Prevent IAM users from reusing previous passwords.
    • Force IAM users to contact an account administrator when the user has allowed his or her password to expire.
    Important
    The password settings described here apply only to passwords assigned to IAM users and do not affect any access keys they might have. If a password expires, the user cannot sign in to the AWS Management Console. However, if the user has valid access keys, then the user can still run any AWS CLI or Tools for Windows PowerShell commands or call any APIs through an application that the user's permissions allow.
    When you create or change a password policy, most of the password policy settings are enforced the next time your users change their passwords, but some of the settings are enforced immediately. For example:
    • When you set minimum length and character type requirements, the settings are enforced the next time your users change their passwords. Users are not forced to change their existing passwords, even if the existing passwords do not adhere to the updated password policy.
    • When you set a password expiration period, the expiration period is enforced immediately. For example, when you set a password expiration period of 90 days, all IAM users that currently have an existing password that is more than 90 days old are forced to change their password at next sign-in.
    For information about the permissions that you need in order to set a password policy, see Permitting IAM Users to Change Their Own Passwords.
    The IAM password policy does not apply to the AWS root account password.
    The options currently available do not allow you to create what is commonly called a "lockout policy" that locks a user out of the account after a specified number of failed sign-in attempts. To get that kind of enhanced security, we recommend that you combine password policies together with multi-factor authentication (MFA). For more information about MFA, see Using Multi-Factor Authentication (MFA) in AWS.

    Password Policy Options

    The following list describes the options that are available when you configure a password policy for your account.
    Minimum password length
    You can specify the minimum number of characters allowed in an IAM user password. You can enter any number from 6 to 128.
    Require at least one uppercase letter
    You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
    Require at least one lowercase letter
    You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
    Require at least one number
    You can require that IAM user passwords contain at least one numeric character (0 to 9).
    Require at least one nonalphanumeric character
    You can require that IAM user passwords contain at least one of the following nonalphanumeric characters:
    ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
    Allow users to change their own password
    You can permit all IAM users in your account to use the IAM console to change their own passwords, as described in Permitting IAM Users to Change Their Own Passwords.
    Alternatively, you can let only some users manage passwords, either for themselves or for others. To do so, you clear the Allow users to change their own password check box. For more information about using policies to limit who can manage passwords, see Permitting IAM Users to Change Their Own Passwords.
    Note
    When you allow your IAM users to change their own passwords, IAM automatically allows them to view the password policy. IAM users need permission to view the account's password policy in order to create a password that complies with the policy.
    Enable password expiration
    You can set IAM user passwords to be valid for only the specified number of days. You specify the number of days that passwords remain valid after they are set. For example, when you enable password expiration and set the password expiration period to 90 days, an IAM user can use a password for up to 90 days. After 90 days, the password expires and the IAM user must set a new password before accessing the AWS Management Console. You can choose a password expiration period between 1 and 1095 days, inclusive.
    Note
    The AWS Management Console warns IAM users when they are within 15 days of password expiration. IAM users can change their password at any time (as long as they have been given permission to do so). When they set a new password, the rotation period for that password starts over. An IAM user can have only one valid password at a time.
    Prevent password reuse
    You can prevent IAM users from reusing a specified number of previous passwords. You can set the number of previous passwords from 1 to 24, inclusive.
    Password expiration requires administrator reset
    You can prevent IAM users from choosing a new password after their current password has expired. For example, if the password policy specifies a password expiration period, but an IAM user fails to choose a new password before the expiration period ends, the IAM user cannot set a new password. In that case, the IAM user must request a password reset from an account administrator in order to regain access to the AWS Management Console. If you leave this check box cleared and an IAM user allows his or her password to expire, the user will be required to set a new password before accessing the AWS Management Console.
    Warning
    Before you enable this option, be sure that your AWS account has more than one user with administrative permissions (that is, permission to reset IAM user passwords) or that your administrators also have access keys that enable them to use the AWS CLI or Tools for Windows PowerShell separately from the AWS Management Console. When this option is enabled and one administrator's password expires, a second administrator is required to sign in to the console to reset the expired password of the first administrator. However, if the administrator with the expired password has valid access keys then he or she can run an AWS CLI or Tools for Windows PowerShell command to reset his or her own password. The requirement for a second administrator applies only if a password expires and the first administrator has no access keys.

    Setting a Password Policy (AWS Management Console)

    You can use the AWS Management Console to create, change, or delete a password policy. As part of managing the password policy, you can let all users manage their own passwords.
    To create or change a password policy
    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    2. In the navigation pane, click Account Settings.
    3. In the Password Policy section, select the options you want to apply to your password policy.
    4. Click Apply Password Policy.
    To delete a password policy
    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    2. In the navigation pane, click Account Settings, and then in the Password Policy section, click Delete Password Policy.

    Setting a Password Policy (AWS CLI, Tools for Windows PowerShell, or AWS API)

    To manage an account password policy from the AWS CLI, Tools for Windows PowerShell, or AWS APIs, use the following commands:
    To create or change a password policy
    To retrieve the password policy
    To delete a password policy
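
The options described under Password Policy Options above, read back and set from the AWS CLI, as an added example (not code from the AWS documentation). The first function audits the live policy against a baseline and reports every setting that falls short; the second applies that baseline in one call. The baseline values (14 characters, all four character classes, users may change their own password, 90-day expiry, 24 remembered passwords) are this example's own choices within the ranges IAM allows, not AWS requirements. It assumes the AWS CLI is installed and the caller may call iam:GetAccountPasswordPolicy and iam:UpdateAccountPasswordPolicy.

```shell
# Added example, not from the AWS documentation: audit the account password
# policy against a baseline and apply that baseline. Assumes the AWS CLI is
# installed and the caller may read and update the account password policy.
# The baseline numbers below are this example's choices, not AWS requirements.
set -eu

# Print one field of the current policy as text. The CLI prints "None" for a
# field that is not set (for example MaxPasswordAge while expiration is off);
# the call fails when no policy exists at all, which is treated the same way.
policy_field() {
  aws iam get-account-password-policy --query "PasswordPolicy.$1" --output text 2>/dev/null || echo None
}

# Compare the live policy with the baseline. Prints one line per finding and
# returns 1 if there are any, 0 when the account is compliant.
audit_password_policy() {
  rc=0
  len=$(policy_field MinimumPasswordLength)
  if [ "$len" = None ] || [ "$len" -lt 14 ]; then
    echo "MinimumPasswordLength=$len (want >= 14)"; rc=1
  fi
  for f in RequireUppercaseCharacters RequireLowercaseCharacters RequireNumbers \
           RequireSymbols AllowUsersToChangePassword; do
    v=$(policy_field "$f")
    [ "$v" = True ] || { echo "$f=$v (want True)"; rc=1; }
  done
  age=$(policy_field MaxPasswordAge)
  if [ "$age" = None ] || [ "$age" -gt 90 ]; then
    echo "MaxPasswordAge=$age (want expiration enabled, at most 90 days)"; rc=1
  fi
  reuse=$(policy_field PasswordReusePrevention)
  if [ "$reuse" = None ] || [ "$reuse" -lt 24 ]; then
    echo "PasswordReusePrevention=$reuse (want 24)"; rc=1
  fi
  return $rc
}

# Apply the baseline. This API does not do partial updates: any option not
# passed reverts to its default, so --hard-expiry stays off here (see the
# Warning above before turning it on).
apply_baseline_password_policy() {
  aws iam update-account-password-policy \
    --minimum-password-length 14 \
    --require-uppercase-characters --require-lowercase-characters \
    --require-numbers --require-symbols \
    --allow-users-to-change-password \
    --max-password-age 90 \
    --password-reuse-prevention 24
}

# Usage: audit_password_policy || apply_baseline_password_policy
```

Remember from the Important note above that, as with the console, only the expiration period takes effect immediately; existing passwords that miss the new length or character rules are not invalidated until their owners next change them.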

    Managing Passwords for IAM Users

    IAM users who use the AWS Management Console to work with AWS resources must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your AWS account.
    After you have assigned a password to a user, the user can sign in to the AWS Management Console using the sign-in URL for your account, which looks like this:
    https://12-digit-AWS-account-ID or alias.signin.aws.amazon.com/console
    For more information about how IAM users sign in to the AWS Management Console, see The IAM Console and Sign-in Page.
    In addition to manually creating individual passwords for your IAM users, you can create a password policy that applies to all IAM user passwords in your AWS account.
    You can use a password policy to do these things:
    • Set a minimum password length.
    • Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.
    • Allow all IAM users to change their own passwords.
      Note
      When you allow your IAM users to change their own passwords, IAM automatically allows them to view the password policy. IAM users need permission to view the account's password policy in order to create a password that complies with the policy.
    • Require IAM users to change their password after a specified period of time (enable password expiration).
    • Prevent IAM users from reusing previous passwords.
    • Force IAM users to contact an account administrator when the user has allowed his or her password to expire.
    For information about managing your account's password policy, see Setting an Account Password Policy for IAM Users.
    Even if your users have their own passwords, they still need permissions to access your AWS resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see Identities (Users, Groups, and Roles). For information about using policies to set permissions, see Changing Permissions for an IAM User.
    You can grant users permission to change their own passwords. For more information, see Permitting IAM Users to Change Their Own Passwords. For information about how users access your account sign-in page, see The IAM Console and Sign-in Page.

    Creating, Changing, or Deleting an IAM User Password (Console)

    You can use the AWS Management Console to manage passwords for your IAM users.
    When users leave your organization or no longer need AWS access, it is important to find the credentials that they were using and ensure that they are no longer operational. Ideally, you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least you should change the credentials so that the former users no longer have access.
    To add a password for an IAM user
    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    2. In the navigation pane, choose Users.
    3. Choose the name of the user whose password you want to create.
    4. Choose the Security credentials tab, and then under Sign-in credentials, choose Manage password next to Console password.
    5. In Manage console access, for Console access choose Enable if not already selected. If console access is disabled, then no password is needed.
    6. For Set password, choose whether to have IAM generate a password or create a custom password:
      • To have IAM generate a password, choose Autogenerated password.
      • To create a custom password, choose Custom password, and type the password.
        Note
        The password that you create must meet the account's password policy, if one is currently set.
    7. To require the user to create a new password when signing in, choose Require password reset. Then choose Apply.
      Important
      If you select the Require password reset option, make sure that the user has permission to change his or her password. For more information, see Permitting IAM Users to Change Their Own Passwords.
    8. If you choose the option to autogenerate a password, choose Show in the New password dialog box. This lets you view the password so you can share it with the user.
      Important
      For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.
    To change the password for an IAM user
    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    2. In the navigation pane, choose Users.
    3. Choose the name of the user whose password you want to change.
    4. Choose the Security credentials tab, and then under Sign-in credentials, choose Manage password next to Console password.
    5. In Manage console access, for Console access choose Enable if not already selected. If console access is disabled, then no password is needed.
    6. For Set password, choose whether to have IAM generate a password or create a custom password:
      • To have IAM generate a password, choose Autogenerated password.
      • To create a custom password, choose Custom password, and type the password.
        Note
        The password that you create must meet the account's password policy, if one is currently set.
    7. To require the user to create a new password when signing in, choose Require password reset. Then choose Apply.
      Important
      If you select the Require password reset option, make sure that the user has permission to change his or her password. For more information, see Permitting IAM Users to Change Their Own Passwords.
    8. If you choose the option to autogenerate a password, choose Show in the New password dialog box. This lets you view the password so you can share it with the user.
      Important
      For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.
    To delete an IAM user's password
    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    2. In the navigation pane, choose Users.
    3. Choose the name of the user whose password you want to delete.
    4. Choose the Security credentials tab, and then under Sign-in credentials, choose Manage password next to Console password.
    5. For Console access, choose Disable, and then choose Apply.
    Important
    When you remove a user's password, the user can no longer sign in to the AWS Management Console. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, or AWS API function calls.

    Creating, Changing, or Deleting an IAM User Password (API, CLI, PowerShell)

    To manage passwords for IAM users, use the following commands:
    To create a password
    To determine whether a user has a password
    To determine when a user's password was last used
    To change a user's password
    To delete a user's password
    Note
    You can use the AWS CLI, Tools for Windows PowerShell, or AWS API to delete a user from your AWS account. However, you must first delete the password as a separate step in the process of removing the user. For more information, see Deleting an IAM User (AWS CLI and Tools for Windows PowerShell).

Permitting IAM Users to Change Their Own Passwords

You can grant IAM users the permission to change their own passwords for signing in to the AWS Management Console. You can do this in one of two ways:
Important
We recommend that you set a password policy so that users create strong passwords.

To allow all IAM users to change their own passwords
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Account Settings.
  3. In the Password Policy section, select Allow users to change their own password, and then click Apply Password Policy.
  4. Point users to the following instructions that show how they can change their passwords: How IAM Users Change Their Own Password.
For information about the AWS CLI, Tools for Windows PowerShell, and API commands that you can use to change the account's password policy (which includes letting all users change their own passwords), see Setting a Password Policy (AWS CLI, Tools for Windows PowerShell, or AWS API).

To allow selected IAM users to change their own passwords
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Account Settings.
  3. In the Account Settings section, make sure that Allow users to change their own password is not selected. If this check box is selected, all users can change their own passwords. (See the previous procedure.)
  4. Create the users who should be able to change their own password, if they do not already exist. For details, see Creating an IAM User in Your AWS Account.
  5. Create an IAM group for the users who should be allowed to change their passwords, and then add the users from the previous step to the group. For details, see Creating Your First IAM Admin User and Group and Managing IAM Groups.
    This step is optional, but it's a best practice to use groups to manage permissions so that you can add and remove users and change the permissions for the group as a whole.
  6. Assign the following policy to the group. For details, see Working with Policies.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:GetAccountPasswordPolicy",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "iam:ChangePassword",
          "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        }
      ]
    }
    This policy grants access to the ChangePassword action, which lets users change only their own passwords from the console, the AWS CLI, Tools for Windows PowerShell, or the API. It also grants access to the GetAccountPasswordPolicy action, which lets the user view the current password policy; this permission is required so that the user can display the Change Password page in the console. The user must be able to read the current password policy to ensure the changed password meets the requirements of the policy.
  7. Point users to the following instructions that show how they can change their passwords: How IAM Users Change Their Own Password.
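
Step 6 done from the AWS CLI instead of the console, as an added example (not code from the AWS documentation): the policy above is rendered with the account ID taken from STS and put on the group as an inline policy. The group name PasswordChangers and policy name AllowSelfPasswordChange are placeholders chosen for this example; it assumes the AWS CLI is installed and the caller may call sts:GetCallerIdentity and iam:PutGroupPolicy.

```shell
# Added example, not from the AWS documentation: attach the self-service
# password policy to a group from the CLI. Assumes the AWS CLI is installed and
# the caller may call sts:GetCallerIdentity and iam:PutGroupPolicy. The group
# and policy names used at the bottom are placeholders.
set -eu

# Render the policy document for one account. ${aws:username} is a policy
# variable that IAM resolves at evaluation time to the calling user's name, so
# each user can change only their own password; the backslash keeps the shell
# from expanding it, while ${account} is expanded here.
self_password_policy_doc() {
  account="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::${account}:user/\${aws:username}"
    }
  ]
}
EOF
}

# Put the policy on a group as an inline policy. The account ID comes from the
# credentials in use, so the script cannot accidentally grant access to users
# of another account.
grant_self_password_change() {
  group="$1"
  account=$(aws sts get-caller-identity --query Account --output text)
  aws iam put-group-policy --group-name "$group" \
    --policy-name AllowSelfPasswordChange \
    --policy-document "$(self_password_policy_doc "$account")"
}

# Usage: grant_self_password_change PasswordChangers
```

Because the resource ARN names the calling user only, a member of the group cannot use this policy to change anyone else's password, which is the point of the ${aws:username} variable over a wildcard resource.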

For More Information

For more information on managing credentials, see the following topics:

Managing Access Keys for IAM Users

Note
If you found this topic because you are trying to configure the Product Advertising API to sell Amazon products on your website, see these topics:
Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users.
When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user.
Important
To ensure the security of your AWS account, the secret access key is accessible only at the time you create it. If a secret access key is lost, you must delete the access key for the associated user and create a new key. For more details, see Retrieving Your Lost or Forgotten Passwords or Access Keys.
By default, when you create an access key, its status is Active, which means the user can use the access key for AWS CLI, Tools for Windows PowerShell, and API calls. Each user can have two active access keys, which is useful when you must rotate the user's access keys. You can disable a user's access key, which means it can't be used for API calls. You might do this while you're rotating keys or to revoke API access for a user.
You can delete an access key at any time. However, when you delete an access key, it's gone forever and cannot be retrieved. (You can always create new keys.)
You can give your users permission to list, rotate, and manage their own keys. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.
For more information about the credentials used with AWS and IAM, see Temporary Security Credentials, and Types of Security Credentials in the Amazon Web Services General Reference.

Creating, Modifying, and Viewing Access Keys (Console)

You can use the AWS Management Console to manage the access keys of IAM users.
To list the access key IDs for multiple users
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. If necessary, add the Access key ID column to the users table by completing the following steps:
    1. Above the table on the far right, choose the settings icon.
    2. In Manage Columns, select Access key ID.
    3. Choose Close to return to the list of users.
  4. The Access key ID column includes the access key IDs. You can use this information to view and copy the access keys for users with one or two access keys. The column also shows whether the access key is (Active) or (Inactive). The column displays None for users with no access key.
    Note
    Only the user's access key ID and status are visible. The secret access key can only be retrieved when the key is created.
To find which user owns a specific access key
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. In the search box, type or paste the access key ID of the user you want to find.
  4. If necessary, add the Access key ID column to the users table by completing the following steps:
    1. Above the table on the far right, choose the settings icon.
    2. In Manage Columns, select Access key ID.
    3. Choose Close to return to the list of users and confirm that the filtered user owns the specified access key.
To list a user's access keys
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. Choose the name of the intended user, and then choose the Security Credentials tab. The user's access keys and the status of each key are displayed.
    Note
    Only the user's access key ID is visible. The secret access key can only be retrieved when the key is created.
To create, modify, or delete a user's access keys
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. Choose the name of the desired user, and then choose the Security Credentials tab.
  4. If needed, expand the Access Keys section and do any of the following:
    • To create an access key, choose Create Access Key. Then choose Download Credentials to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the CSV file, choose Close.
    • To disable an active access key, choose Make Inactive.
    • To reenable an inactive access key, choose Make Active.
    • To delete an access key, choose Delete and then choose Delete to confirm.

Creating, Modifying, and Viewing Access Keys (API, CLI, PowerShell)

To manage a user's access keys from the AWS CLI, Tools for Windows PowerShell, or the AWS API, use the following commands:

To create an access key

To disable or reenable an access key

To list a user's access keys

To determine when an access key was most recently used

To delete an access key

Rotating Access Keys

As a security best practice, we recommend that you, an administrator, regularly rotate (change) the access keys for IAM users in your account. If your users have the necessary permissions, they can rotate their own access keys. For information about how to give your users permissions to rotate their own access keys, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.
You can also apply a password policy to your account to require that all of your IAM users periodically rotate their passwords. You can choose how often they must do so. For more information, see Setting an Account Password Policy for IAM Users.
Important
If you use the AWS account root user credentials, we recommend that you also regularly rotate them. The account password policy does not apply to the root user credentials. IAM users cannot manage credentials for the AWS account root user, so you must use the root user credentials (not a user's) to change the root user credentials. Note that we recommend against using the root user for everyday work in AWS.
To determine when access keys need rotating (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users.
  3. If necessary, add the Access key age column to the users table by completing the following steps:
    1. Above the table on the far right, choose the settings icon.
    2. In Manage Columns, select Access key age.
    3. Choose Close to return to the list of users.
  4. The Access key age column shows the number of days since the oldest active access key was created. You can use this information to find users with access keys that need rotating. The column displays None for users with no access key.
To rotate access keys without interrupting your applications (console)
The following steps describe the general process for rotating an access key without interrupting your applications, using the console. The equivalent AWS CLI, Tools for Windows PowerShell, and AWS API commands are covered in the procedure that follows; for the individual console tasks, see Creating, Modifying, and Viewing Access Keys (Console), in the section above.
  1. While the first access key is still active, create a second access key, which is active by default. At this point, the user has two active access keys.
    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    2. In the navigation pane, choose Users.
    3. Choose the name of the intended user, and then choose the Security Credentials tab.
    4. Choose Create Access Key and then choose Download Credentials to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this closes. After you have downloaded the .csv file, choose Close.
  2. Update all applications and tools to use the new access key.
  3. Determine whether the first access key is still in use by reviewing the Last used column for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.
  4. Even if the Last used column value indicates that the old key has never been used, we recommend that you do not immediately delete the first access key. Instead, choose Make inactive to deactivate the first access key.
  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can choose Make active to reenable the first access key. Then return to Step 3 and update this application to use the new key.
  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:
    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
    2. In the navigation pane, choose Users.
    3. Choose the name of the intended user, and then choose the Security Credentials tab.
    4. Choose Create Access Key, choose Delete, and then choose Delete to confirm.
To rotate access keys without interrupting your applications (API, CLI, PowerShell)
  1. While the first access key is still active, create a second access key, which is active by default. At this point, the user has two active access keys.
  2. Update all applications and tools to use the new access key.
  3. Determine whether the first access key is still in use:
    One approach is to wait several days and then check the old access key for any use before proceeding.
  4. Even if Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive.
  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to Step 2 and update this application to use the new key.
  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key.
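The rotation procedure above, together with the age check from the console procedure, as an added example that is not AWS's own code: a Python workflow run against a constructed in-memory stand-in (FakeIAM) whose methods mirror the boto3 IAM client calls involved, with the safeguards the steps call for (two-key limit, Inactive before Delete, no deletion while the old key shows use after the switch-over). Key IDs, dates and the secret value are constructed.

```python
"""Access-key age check and guarded rotation workflow (added example; this is not
AWS's own code). FakeIAM is a constructed in-memory stand-in whose methods mirror
the boto3 ``iam`` client calls involved (list_access_keys, create_access_key,
update_access_key, get_access_key_last_used, delete_access_key); the workflow
functions only use those methods, so a real ``boto3.client("iam")`` can be passed
in its place."""
from datetime import timedelta


class FakeIAM:
    """Constructed stand-in for the IAM API; nothing here talks to AWS."""

    def __init__(self, now):
        self.now = now
        self.keys = {}   # AccessKeyId -> {UserName, Status, CreateDate, LastUsedDate}
        self._seq = 0

    def seed_key(self, user, key_id, created, last_used=None):
        self.keys[key_id] = {"UserName": user, "Status": "Active",
                             "CreateDate": created, "LastUsedDate": last_used}

    def list_access_keys(self, UserName):
        meta = [{"UserName": UserName, "AccessKeyId": k, "Status": v["Status"],
                 "CreateDate": v["CreateDate"]}
                for k, v in self.keys.items() if v["UserName"] == UserName]
        return {"AccessKeyMetadata": meta}

    def create_access_key(self, UserName):
        # IAM refuses a third key: a user may hold at most two (Active or Inactive).
        if len(self.list_access_keys(UserName)["AccessKeyMetadata"]) >= 2:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        self._seq += 1
        key_id = f"AKIAEXAMPLE{self._seq:05d}"            # constructed ID
        self.seed_key(UserName, key_id, self.now)
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "Status": "Active", "CreateDate": self.now,
                              "SecretAccessKey": "constructed-secret-not-real"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def get_access_key_last_used(self, AccessKeyId):
        # As in the real response, LastUsedDate is absent for a never-used key.
        info = self.keys[AccessKeyId]
        last = {"ServiceName": "N/A", "Region": "N/A"}
        if info["LastUsedDate"] is not None:
            last["LastUsedDate"] = info["LastUsedDate"]
        return {"UserName": info["UserName"], "AccessKeyLastUsed": last}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def keys_needing_rotation(iam, user, max_age_days, now):
    """Active keys of `user` older than max_age_days (the console's 'Access key age')."""
    return [m["AccessKeyId"]
            for m in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            if m["Status"] == "Active"
            and now - m["CreateDate"] > timedelta(days=max_age_days)]


def start_rotation(iam, user):
    """Step 1: create the second key while the first stays Active. The secret is
    returned only by this call, so hand it to the application immediately."""
    new = iam.create_access_key(UserName=user)["AccessKey"]
    return new["AccessKeyId"], new["SecretAccessKey"]


def old_key_used_since(iam, old_key_id, switched_over_at):
    """Step 3: was the old key used after applications were moved to the new one?"""
    last = iam.get_access_key_last_used(AccessKeyId=old_key_id)["AccessKeyLastUsed"]
    used_at = last.get("LastUsedDate")
    return used_at is not None and used_at >= switched_over_at


def set_old_key_status(iam, user, old_key_id, status):
    """Steps 4 and 5: Inactive first (reversible); back to Active if something broke."""
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status=status)


def finish_rotation(iam, user, old_key_id, switched_over_at, inactive_since,
                    grace_days, now):
    """Step 6: delete the old key only once it is Inactive, has stayed so for the
    grace period, and shows no use after the switch-over. Returns True if deleted."""
    meta = {m["AccessKeyId"]: m
            for m in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}
    if meta[old_key_id]["Status"] != "Inactive":
        return False
    if now - inactive_since < timedelta(days=grace_days):
        return False
    if old_key_used_since(iam, old_key_id, switched_over_at):
        return False
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return True
```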
For more information, see the following:
  • How to Rotate Access Keys for IAM Users. This entry on the AWS Security Blog provides more information on key rotation.
  • IAM Best Practices. This page provides general recommendations for helping to secure your AWS resources.


    Access Management

    When you use your AWS account root user credentials, you can access all the resources in your AWS account. In contrast, when you create IAM users, IAM groups, or IAM roles, you must explicitly give permissions to these entities so that users can access your AWS resources.
    This section describes permissions, which are rights that you grant to a user, group, or role that define what tasks users are allowed to perform in your AWS account. To define permissions, you use policies, which are documents in JSON format.
    To learn more, we recommend you read the following sections:


  • Overview of AWS IAM Permissions

    Permissions let you specify who has access to AWS resources, and what actions they can perform on those resources. Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys. To give a user permission to do something, you can add the permission to the user (that is, attach a policy to the user) or add the user to a group that has the desired permission.
    For example, you might grant a user permission to list his or her own access keys. You might also expand that permission and also let each user create, update, and delete their own keys.
    When you give permissions to a group, all users in that group get those permissions. For example, you can give the Admins group permission to perform any of the IAM actions on any of the AWS account resources. Another example: You can give the Managers group permission to describe the AWS account's Amazon EC2 instances.
    For information about how to delegate basic permissions to your users, groups, and roles, see Delegating Permissions to Administer IAM Users, Groups, and Credentials. For additional examples of policies that illustrate basic permissions, see Example Policies for Administering IAM Resources.

    Identity-Based (IAM) Permissions and Resource-Based Permissions

    Permissions can be assigned in two ways: as identity-based or as resource-based.
    • Identity-based IAM permissions are attached to an IAM user, group, or role. These permissions let you specify what that user, group, or role can do. For example, you can assign permissions to the IAM user named Bob, stating that he has permission to use the Amazon Elastic Compute Cloud (Amazon EC2) RunInstances action and that he has permission to get items from an Amazon DynamoDB table named MyCompany. The user Bob might also be granted access to manage his own IAM security credentials. Identity-based permissions can be managed or inline.
    • Resource-based permissions are attached to a resource. You can specify resource-based permissions for Amazon S3 buckets, Amazon Glacier vaults, Amazon SNS topics, Amazon SQS queues, and AWS Key Management Service encryption keys. Resource-based permissions let you specify who has access to the resource and what actions they can perform on it. Resource-based policies are inline only, not managed.
    Note
    There's a difference between resource-based permissions and resource-level permissions. Resource-based permissions are permissions you can attach directly to a resource, as described in this topic. Resource-level permissions refer to the ability to specify not just what actions users can perform, but which resources they're allowed to perform those actions on. Some AWS services let you specify permissions for actions, but don't let you specify the individual resources for those actions. Other services let you specify permissions for a combination of actions and individual resources.
    Resource-based permissions are supported only by some AWS services. For a list of which services support resource-based and resource-level permissions, see AWS Services That Work with IAM.
    The following figure illustrates both types of permissions. The first column shows permissions attached to identities (two users and two groups). Some of those permissions identify specific resources that the actions can be used against. Those actions support resource-level permissions. The second column shows permissions attached to resources. Those services support resource-based permissions.
    Figure: Types of permissions
    Note
    When you attach a policy to an AWS resource (including the trust policy of an IAM role), AWS validates, processes, and transforms the policy you write before storing it. When AWS returns the policy in response to a user query, AWS transforms the policy back into a human-readable format. This can result in differences in what you see in the policy: non-significant whitespace can be removed, elements within JSON maps can be re-ordered, and AWS account IDs within the Principal elements can be substituted with the ARN of the AWS account root user. Because of these possible changes, you should not compare JSON policy documents as strings.
    A user who has specific permissions might request a resource that also has permissions attached to it. In that case, both sets of permissions are evaluated when AWS determines whether to grant access to the resource. For information about how policies are evaluated, see IAM Policy Evaluation Logic.
    Note
    Amazon S3 supports policies both for IAM users and for resources (referred to in Amazon S3 as bucket policies). In addition, Amazon S3 supports a permission mechanism known as an ACL that's independent of IAM policies and permissions. You can use IAM policies in combination with Amazon S3 ACLs. For more information, see Access Control in the Amazon Simple Storage Service Developer Guide.

    Resource Creators Do Not Automatically Have Permissions

    Someone using the AWS account's security credentials has permission to perform any action on resources that belong to the account. However, this isn't true for IAM users. An IAM user might be granted access to create a resource, but the user's permissions, even for that resource, are limited to what's been explicitly granted. The user's permission can be revoked at any time by the account owner or by another user who has been granted access to manage user permissions.

    Granting Permissions Across AWS Accounts

    You can directly grant IAM users in your own account access to your resources. If users from another account need access to your resources, you can create an IAM role, which is an entity that includes permissions but that isn't associated with a specific user. Users from other accounts can then use the role and access resources according to the permissions you've assigned to the role. For more information, see IAM Roles.
    Note
    For services that support resource-based policies as described in Identity-Based (IAM) Permissions and Resource-Based Permissions (such as Amazon S3, Amazon SNS, and Amazon SQS), an alternative to using roles is to attach a policy to the resource (bucket, topic, or queue) that you want to share. The resource-based policy can specify the AWS account that has permissions to access the resource.

    Permissions For One Service to Access Another

    Many AWS services access other AWS services. For example, several AWS services—including Amazon EMR, Elastic Load Balancing, and Auto Scaling—manage Amazon EC2 instances. Other AWS services make use of Amazon S3 buckets, Amazon SNS topics, Amazon SQS queues, and so on.
    The scenario for managing permissions in these cases varies by service. Here are some examples of how permissions are handled for different services:
    • In Auto Scaling, users must have permission to use Auto Scaling, but don't need to be explicitly granted permission to manage Amazon EC2 instances.
    • In AWS Data Pipeline, an IAM role determines what a pipeline can do; users need permission to assume the role. (For details, see Granting Permissions to Pipelines with IAM in the AWS Data Pipeline Developer Guide.)
    For details about how to configure permissions properly so that an AWS service is able to accomplish the tasks you intend, refer to the documentation for the service you are calling.
    Configuring a service with an IAM role to work on your behalf
    When you want to configure an AWS service to work on your behalf, you typically provide the ARN for an IAM role that defines what the service is allowed to do. AWS checks to ensure that you have permissions to pass a role to a service. For more information, see Granting a User Permissions to Pass a Role to an AWS Service.

Overview of IAM Policies

This section provides an overview of IAM policies. A policy is a document that formally defines permissions.
For a complete reference to the IAM policy syntax and grammar, see AWS IAM Policy Reference.
Introduction
To assign permissions to a user, group, role, or resource, you create a policy, which is a document that defines permissions. The policy document includes the following elements:
  • Effect – whether the policy allows or denies access
  • Action – the list of actions that are allowed or denied by the policy
  • Resource – the list of resources on which the actions can occur
  • Condition (Optional) – the circumstances under which the policy grants permission
To learn about these and other policy elements, see IAM Policy Elements Reference.
Policies are documents that are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions. Here's an example of a simple policy.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
You can attach this policy to an IAM user or group. If that's the only policy for the user or group, the user or group is allowed to perform only this one action (ListBucket) on one Amazon S3 bucket (example_bucket).
To specify resource-based permissions, you can attach a policy to the resource, such as an Amazon SNS topic, an Amazon S3 bucket, or an Amazon Glacier vault. In that case, the policy has to include information about who is allowed to access the resource, known as the principal. (For user-based policies, the principal is the IAM user that the policy is attached to, or the user who gets the policy from a group.)
The following example shows a policy that might be attached to an Amazon S3 bucket and that grants permission to a specific AWS account to perform any Amazon S3 actions in mybucket. This includes both working with the bucket and with the objects in it. (Because the policy grants trust only to the account, individual users in the account must still be granted permissions for the specified Amazon S3 actions.)
{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ]
  }]
}
IAM policies control access regardless of the interface. For example, you could provide a user with a password to access the AWS Management Console, and the policies for that user (or any groups the user belongs to) would control what the user can do in the AWS Management Console. Or, you could provide the user with AWS access keys for making API calls to AWS, and the policies would control what actions the user could call through a library or client that uses those access keys for authentication.
For basic example policies that cover common scenarios, see Example Policies.
AWS managed policies and the Policy Generator are available from the IAM console in the AWS Management Console. For more information about creating policies in the console, see Working with Policies. Also, you can use the AWS Policy Generator online to create policies for AWS products without accessing the console.
Important
You cannot save any policy that does not comply with the established policy syntax. You can use Policy Validator to detect and correct invalid policies. One click takes you to an editor that shows both the existing policy and a copy with the recommended changes. You can accept the changes or make further modifications. For more information, see Using Policy Validator.
Note
When you apply a custom policy, IAM checks its syntax. However, because IAM evaluates policies at run time using a specific request context (in which multiple policies might be in effect), it cannot check the validity of all resources, actions, and permissions in a custom policy at the time that you apply the policy. If you need help in creating a policy, we recommend using an AWS managed policy or the Policy Generator. For help testing the effects of your IAM policies with the IAM Policy Simulator, see Testing IAM Policies with the IAM Policy Simulator.
Multiple Statements and Multiple Policies
You can attach more than one policy to an entity. If you have multiple permissions to grant to an entity, you can put them in separate policies, or you can put them all in one policy.
Generally, each statement in a policy includes information about a single permission. If your policy includes multiple statements, a logical OR is applied across the statements at evaluation time. Similarly, if multiple policies are applicable to a request, a logical OR is applied across the policies at evaluation time.
Users often have multiple policies that apply to them (but aren't necessarily attached to them). For example, IAM user Bob could have policies attached to him, and other policies attached to the groups he's in. In addition, he might be accessing an Amazon S3 bucket that has its own bucket policy (resource-based policy). All applicable policies are evaluated and the result is always that access is either granted or denied. For more information about the evaluation logic we use, see IAM Policy Evaluation Logic.
Policy Structure
Each policy is a JSON document. As illustrated in the following figure, a policy includes:
  • Optional policy-wide information (at the top of the document)
  • One or more individual statements
Each statement includes the core information about a single permission. If a policy includes multiple statements, AWS applies a logical OR across the statements at evaluation time. If multiple policies are applicable to a request, AWS applies a logical OR across the policies at evaluation time.
[Figure: General policy structure]
The information in a statement is contained within a series of elements. For information about these elements, see IAM Policy Elements Reference.
Example Policy with Multiple Statements
Policies often include multiple statements, where each statement grants permissions to a different set of resources or grants permissions under a specific condition. For example, the following policy has three statements, each of which grants a separate set of permissions. Assume that the user or group that the policy is attached to is in AWS account 123456789012. (Policies can't reference resources in other accounts.) The statements do the following:
  • The first statement, with a Sid (Statement ID) element set to FirstStatement, lets users manage their own passwords. The Resource element in this statement is "*" (which means "all resources"), but in practice, the ChangePassword API (or equivalent change-password CLI command) affects only the password for the user who makes the request.
  • The second statement ("Sid": "SecondStatement") lets the user list all the Amazon S3 buckets in their AWS account. The Resource element in this statement is "*" (which means "all resources"), but because policies don't grant access to resources in other accounts, the user can list only the buckets in their own AWS account. (This permission is necessary for the user to access a bucket from the AWS Management Console.)
  • The third statement ("Sid": "ThirdStatement") lets the user list and retrieve any object that is in a bucket called confidential-data, but only when the user is authenticated with short-term credentials validated by a multi-factor authentication (MFA) device. The Condition element in the policy checks whether the user is MFA-authenticated, and if so, the user can list and retrieve objects in the bucket.
When a policy statement contains a Condition element, the statement is only in effect when the Condition element evaluates to true. In this case, the Condition evaluates to true when the user is MFA-authenticated. If the user is not MFA-authenticated, this Condition evaluates to false. In that case, the third statement in this policy will not take effect, so the user will not have access to the confidential-data bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
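To make the evaluation rules described above concrete (matching statements and policies OR-ed together, a Condition gating a statement), here is an added Python example, not code from the page or from AWS, that evaluates the three-statement policy above for sample requests. It goes slightly beyond the page by also applying IAM's explicit-deny-overrides rule, and it models only the Bool condition operator the page uses.

```python
import fnmatch, json
# Constructed sample input: the three-statement policy shown on this page.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FirstStatement", "Effect": "Allow",
     "Action": ["iam:ChangePassword"], "Resource": "*"},
    {"Sid": "SecondStatement", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Sid": "ThirdStatement", "Effect": "Allow",
     "Action": ["s3:List*", "s3:Get*"],
     "Resource": ["arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}"""

def _as_list(value):
    # Statement, Action and Resource may each be a single value or a list.
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Only the Bool operator used on this page is modelled; any other operator
    # makes the statement not match, so it can never grant access here.
    for operator, checks in condition.items():
        if operator != "Bool":
            return False
        for key, expected in checks.items():
            # A missing context key counts as "false": MFA must be proven, not assumed.
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True

def _matches(stmt, action, resource, context):
    # '*' in Action and Resource is a wildcard, as in the page's "s3:Get*" and "/*".
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))

def evaluate(policies, action, resource, context=None):
    """Return "Allow" or "Deny" for one request: matches are OR-ed across statements
    and policies, an explicit Deny wins over any Allow, no match is an implicit Deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(json.loads(policy)["Statement"]):
            if _matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"
```

Passing the same request with and without `{"aws:MultiFactorAuthPresent": "true"}` in the context shows the third statement switching on and off, while the first two statements are unaffected.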
