AWS Identity and Access Management (IAM) enables you to control access and permissions to your AWS services and resources. IAM lets you manage permissions for your users and applications, use identity federation to manage access to an AWS account, and analyze access to resources and services.
IAM enables security best practices by allowing you to grant unique security credentials to users and groups to specify which AWS service APIs and resources they can access. IAM is secure by default; users have no access to AWS resources until permissions are explicitly granted.
IAM provides the granularity to control a user’s access to specific AWS services and resources using permissions. For example, terminating EC2 instances or reading the contents of an Amazon S3 bucket.
In addition to defining access permissions directly to users and groups, IAM lets you create roles. Roles allow you to define a set of permissions and then let authenticated users or EC2 instances assume them, increasing your security posture by granting temporary access to the resources you define.
IAM helps you analyze access and guides you along your least privilege journey. As you author new policies, IAM Access Analyzer checks your policies and reports actionable recommendations that guide you to set secure and functional policies. IAM Access Analyzer also enables you to validate public and cross-account access to resources before deploying permissions. As you review existing permissions, IAM Access Analyzer helps you identify and resolve unintended public or cross-account access with comprehensive policy analysis and automated reasoning. Additionally, IAM helps you identify and remove unused permissions with last accessed information.
Flexible security credential management
IAM allows you to authenticate users in several ways, depending on how they want to use AWS services. You can assign a range of security credentials including passwords, key pairs, and X.509 certificates. You can also enforce multi-factor authentication (MFA) on users who access the AWS Management Console or use APIs.
Leverage external identity systems
You can use IAM to grant your employees and applications access to the AWS Management Console and to AWS service APIs, using your existing identity systems. AWS supports federation from corporate systems like Microsoft Active Directory as well as standards-based identity providers.
Seamlessly integrated into AWS services
IAM is integrated into most AWS services. This provides the ability to define access controls from one place in the AWS Management Console that will take effect throughout your AWS environment.
Intended usage & restrictions
Your use of this service is subject to the Amazon Web Services Customer Agreement.