I want to have multiple users working with the resources on a single AWS account, but I want to make sure each user only has access to features and resources they need. How can AWS Identity and Access Management (IAM) help me do that?

IAM allows you to limit a particular user’s access to perform actions or view information related to your account and resources. Each user has their own unique credentials they use to sign in, and they sign in to your account using a specialized URL that you designate. You define or select a set of permissions known as an IAM policy, which you can then associate with particular users or groups of users. For a more detailed explanation of what IAM can do, see What Is IAM?

When getting started with IAM, here are some things to think about:

  • Who are your users? If the group that needs to access your account is small, you might set policies for each individual; if that group is larger or might become larger in the future, consider defining a policy for groups (for example, “Engineering”, “Web Designers”, “Finance”, etc.), and then adding people to groups that match their needs.
  • Design your policies to be logically consistent, especially if you have multiple policies. The IAM evaluation logic determines whether a request from a particular user is allowed or denied. For example, if a user has two different policies, and one explicitly allows access to a particular resource while the other explicitly denies it, the user will not be able to access the resource. Whether this is intended depends on your use case, but understanding how the IAM evaluation logic works is key to making sure that users are only allowed to access services and resources you intend them to access.
  • Understand the difference between the root user and an IAM user. The root user of an AWS account can change, delete, or update any aspect of an AWS account and its resources, as well as administer IAM users. It’s best practice to minimize the necessity of interacting with an account or its resources through the root user or access keys associated with a root user, and instead create IAM users, groups, and roles that have least-privilege access policies. For a more detailed description of the difference between root and IAM users, see Root Account Credentials vs. IAM User Credentials.

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-04-21