Enhanced security

IAM enables security best practices by allowing you to grant unique security credentials to users and groups to specify which AWS service APIs and resources they can access. IAM is secure by default; users have no access to AWS resources until permissions are explicitly granted.

Learn more about managing users »

Granular control

IAM provides the granularity to control a user’s access to specific AWS services and resources using permissions. For example, terminating EC2 instances or reading the contents of an Amazon S3 bucket.

Learn more about managing permissions »

Temporary credentials

In addition to defining access permissions directly to users and groups, IAM lets you create roles. Roles allow you to define a set of permissions and then let authenticated users or EC2 instances assume them, increasing your secuity posture by granting temporary access to the resources you define.

Learn more about managing roles »

Analyze access

IAM helps you analyze access across your AWS environment. Your security teams and administrators can use IAM Access Analyzer to identify resources that can be accessed from outside an AWS account. For example, you can validate public or cross-account permissions granted using policies for Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, IAM roles, and AWS Lambda functions. In addition, IAM helps you easily identify and remove unused permissions by providing you a timestamp of when an IAM entity last used a service.

Learn more about analyzing access »

Flexible security credential management

IAM allows you to authenticate users in several ways, depending on how they want to use AWS services. You can assign a range of security credentials including passwords, key pairs, and X.509 certificates. You can also enforce multi-factor authentication (MFA) on users who access the AWS Management Console or use APIs.

Learn more about managing user credentials »

Leverage external identity systems

You can use IAM to grant your employees and applications access to the AWS Management Console and to AWS service APIs, using your existing identity systems. AWS supports federation from corporate systems like Microsoft Active Directory as well as standards-based identity providers.

Seamlessly integrated into AWS services

IAM is integrated into most AWS services. This provides the ability to define access controls from one place in the AWS Management Console that will take effect throughout your AWS environment.

Learn more about access control for AWS services »

Intended usage & restrictions

Your use of this service is subject to the Amazon Web Services Customer Agreement.

Get started with AWS IAM

Visit the getting started page
Ready to build?
Get started with AWS IAM
Have more questions?
Contact us