IAM Fine-Grained Access Control

AWS Identity and Access Management (IAM) provides you with fine-grained access control to help you establish permissions that determine who can access which AWS resources under which conditions. Use fine-grained access control to help secure your AWS resources on your journey to achieve least privilege

IAM fine-grained access control icons

How it works: In IAM, you define who can access your AWS resources by using policies. You attach policies to IAM roles in your AWS accounts and to your AWS resources. For each request to AWS, IAM authorizes the request by comparing it to your policies, and it allows or denies the request. For more information, see the Understanding how IAM works section of the IAM User Guide.

The IAM policy language: The IAM policy language, called JSON, allows you to express your access requirements with granularity by using actions, resources, and condition elements in policies. For more information, see IAM JSON policy reference.

Policy types to grant access: IAM gives you flexibility to attach policies to both your IAM roles and AWS resources that support resource-based policies. Identity-based policies and resource-based policies work together to define access control. For more information about policy types, see the Policies and permissions in IAM section of the IAM User Guide.

Preventive guardrails: Preventive guardrails help you establish boundaries of the maximum permissions available to your IAM roles. You can use service control policies, permissions boundaries, and session policies to limit the permissions that can be granted to an IAM role. To learn more about establishing preventive guardrails, see Data perimeters on AWS.

How data perimeters work

Attribute-based access control (ABAC): Use ABAC to define fine-grained permissions based on the attributes attached to IAM roles, such as departments and job roles. By granting access to individual resources based on attributes, you don't have to update policies for each new resource that you add in the future. For more information, see ABAC for AWS.

ABAC in AWS

To learn about streamlining permissions management, see IAM Access Analyzer Guides You Toward Least-Privilege Permissions. Also, watch AWS identity: Next-generation permissions management to learn more about fine-grained access control in IAM.

Learn how to manage IAM credentials

Visit the credential management page
Ready to build?
Get started with IAM
Have more questions?
Contact us