AWS Identity and Access Management (IAM) Features

Key Features

Permissions let you specify and control access to AWS services and resources. To grant permissions to IAM roles, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed.

Using IAM policies, you grant access to specific AWS service APIs and resources. You can also define specific conditions under which access is granted, such as granting access to identities from a specific AWS organization or access through a specific AWS service.

With IAM roles, you delegate access to users or AWS services to operate within your AWS account. Users from your identity provider or AWS services can assume a role to obtain temporary security credentials that can be used to make an AWS request in the account of the IAM role. Consequently, IAM roles provide a way to rely on short-term credentials for users, workloads, and AWS services that need to perform actions in your AWS accounts.

Use IAM Roles Anywhere to allow workloads that run outside of AWS, such as on-premises, hybrid, and multicloud environments, to access AWS resources by using X.509 digital certificates issued by your registered certificate authorities. With IAM Roles Anywhere, you can obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.

Achieving least privilege is a continuous cycle of granting the right fine-grained permissions as your requirements evolve. IAM Access Analyzer helps you streamline permissions management as you set, verify, and refine permissions.

With AWS Organizations, you can use service control policies (SCPs) to establish permissions guardrails that all IAM users and roles in an organization’s accounts adhere to. Whether you’re just getting started with SCPs or have existing SCPs, you can use IAM access analysis to help you restrict permissions confidently across your AWS organization.

Attribute-based access control (ABAC) is an authorization strategy you can use to create fine-grained permissions based on user attributes, such as department, job role, and team name. Using ABAC, you can reduce the number of distinct permissions that you need for creating fine-grained controls in your AWS account.
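
An ABAC policy of the kind described above, as an added example that is not from the original page: the first statement allows starting and stopping an EC2 instance only when the instance's `team` tag equals the caller's `team` principal tag, and the second denies changes to that tag so a principal cannot re-tag an instance to widen its own access. The tag key `team`, the statement IDs, and the choice of EC2 actions are assumptions made for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStartStopOwnTeamInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "ExampleDenyTeamTagChanges",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    }
  ]
}
```

Because the comparison uses a policy variable rather than a literal team name, the same policy serves every team, which is how ABAC reduces the number of distinct permissions to maintain.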