AWS Identity and Access Management Using IAM API Version 2010-05-08 AWS Identity and Access Management Using IAM AWS Identity and Access Management: Using IAM Copyright © 2015 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. The following are trademarks of Amazon Web Services, Inc.: Amazon, Amazon Web Services Design, AWS, Amazon CloudFront, AWS CloudTrail, AWS CodeDeploy, Amazon Cognito, Amazon DevPay, DynamoDB, ElastiCache, Amazon EC2, Amazon Elastic Compute Cloud, Amazon Glacier, Amazon Kinesis, Kindle, Kindle Fire, AWS Marketplace Design, Mechanical Turk, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon VPC, and Amazon WorkDocs. In addition, Amazon.com graphics, logos, page headers, button icons, scripts, and service names are trademarks, or trade dress of Amazon in the U.S. and/or other countries. Amazon©s trademarks and trade dress may not be used in connection with any product or service that is not Amazon©s, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region. AWS Identity and Access Management Using IAM Table of Contents What Is IAM? ................................................................................................................................ 1 Video Introduction to IAM ........................................................................................................ 1 Pricing of IAM ....................................................................................................................... 2 Features of IAM .................................................................................................................... 2 Supported AWS Products ....................................................................................................... 2 Migration to IAM .................................................................................................................... 2 No Change to Basic AWS Account Functions ..................................................................... 3 Security Credentials ............................................................................................................... 3 How Do I Get Credentials? .............................................................................................. 3 IAM and Consolidated Billing ................................................................................................... 4 IAM Concepts ....................................................................................................................... 5 Concepts Related to AWS Account Entities ........................................................................ 5 Concepts Related to Permissions ..................................................................................... 6 Accessing IAM ...................................................................................................................... 7 About IAM Entities ................................................................................................................. 8 IAM Identifiers .............................................................................................................. 8 Limitations on IAM Entities ............................................................................................ 13 Getting Set Up ............................................................................................................................ 16 Using IAM to Give Users Access to Your AWS Resources ........................................................... 16 Do I Need to Sign Up for IAM? ............................................................................................... 17 Additional Resources ........................................................................................................... 17 Getting Started ............................................................................................................................ 19 Creating an Administrators Group Using the Console ................................................................. 20 Creating an Administrators Group Using the AWS CLI ................................................................ 21 Creating a Group ......................................................................................................... 21 Attaching a Policy to the Group ...................................................................................... 22 How Users Sign In to Your Account ......................................................................................... 23 Where to Go Next ................................................................................................................ 24 Learn More About IAM ................................................................................................. 24 Learn About Policies and Permissions ............................................................................. 24 Other Ways to Access IAM ............................................................................................ 24 IAM Resources ........................................................................................................... 25 Best Practices and Use Cases ....................................................................................................... 26 Best Practices ..................................................................................................................... 26 Lock away your AWS account access keys ....................................................................... 26 Create individual IAM users ........................................................................................... 27 Use groups to assign permissions to IAM users ................................................................ 27 Grant least privilege ..................................................................................................... 28 Configure a strong password policy for your users ............................................................. 28 Enable MFA for privileged users ..................................................................................... 28 Use roles for applications that run on Amazon EC2 instances .............................................. 29 Delegate by using roles instead of by sharing credentials .................................................... 29 Rotate credentials regularly ........................................................................................... 29 Remove unnecessary credentials ................................................................................... 29 Use policy conditions for extra security ............................................................................ 30 Keep a history of activity in your AWS account .................................................................. 30 Video presentation about IAM best practices .................................................................... 30 Business Use Cases ............................................................................................................ 30 Initial Setup of Example Corp. ........................................................................................ 31 Use Case for IAM with Amazon EC2 ............................................................................... 31 Use Case for IAM with Amazon S3 ................................................................................. 32 IAM and the AWS Management Console ......................................................................................... 34 The AWS Management Console Sign-in Page .......................................................................... 34 Using AWS Account Credentials to Sign In to the AWS Management Console ........................ 35 Controlling User Access to the AWS Management Console ......................................................... 35 API Version 2010-05-08 iii AWS Identity and Access Management Using IAM Your AWS Account ID and Its Alias ......................................................................................... 36 Finding Your AWS Account ID ........................................................................................ 36 About Account Aliases .................................................................................................. 36 Creating, Deleting, and Listing an AWS Account Alias ........................................................ 37 MFA Devices and Your IAM-Enabled Sign-in Page ..................................................................... 38 Users and Groups ........................................................................................................................ 39 Users ................................................................................................................................ 39 IAM Users Aren©t Necessarily People .............................................................................. 40 Scenarios for Creating IAM Users ................................................................................... 40 IAM User Tasks ..........................................................................................................