Fine-grained access control

Permissions let you specify and control access to AWS services and resources. To grant permissions to IAM roles, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed.

Using IAM policies, you grant access to specific AWS service APIs and resources. You also can define specific conditions in which access is granted, such as granting access to identities from a specific AWS organization or access through a specific AWS service. 

Learn more about fine-grained access control »

Delegate access by using IAM roles

With IAM roles you delegate access to users or AWS services to operate within your AWS account. Users from your identity provider or AWS services can assume a role to obtain temporary security credentials that can be used to make an AWS request in the account of the IAM role. Consequently, IAM roles provide a way to rely on short-term credentials for users, workloads, and AWS services that need to perform actions in your AWS accounts.

Learn more about delegating access by using IAM roles »

IAM Roles Anywhere

Use IAM Roles Anywhere to allow workloads that run outside of AWS, such as on-premises, hybrid, and multicloud environments, to access AWS resources by using X.509 digital certificates issued by your registered certificate authorities. With IAM Roles Anywhere, you can obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.

Learn more about IAM Roles Anywhere »

IAM Access Analyzer

Achieving least privilege is a continuous cycle to grant the right fine-grained permissions as your requirements evolve. IAM Access Analyzer helps you streamline permissions management as you set, verify, and refine permissions.

Learn more about Access Analyzer »

Permissions guardrails

With AWS Organizations, you can use service control policies (SCPs) to establish permissions guardrails that all IAM users and roles in an organization’s accounts adhere to. Whether you’re just getting started with SCPs or have existing SCPs, you can use IAM access advisor to help you restrict permissions confidently across your AWS organization.

Learn more about permissions guardrails »

Attribute-based access control

Attribute-based access control (ABAC) is an authorization strategy you can use to create fine-grained permissions based on user attributes, such as department, job role, and team name. Using ABAC, you can reduce the number of distinct permissions that you need for creating fine-grained controls in your AWS account.

Learn more about ABAC »

Ready to build?
Get started with IAM
Have more questions?
Contact us