AWS Identity And Access Management User Guide
Page Count: 486
- AWS Identity and Access Management
- Table of Contents
- What Is IAM?
- Getting Set Up
- Getting Started
- IAM Tutorials
- IAM Best Practices and Use Cases
- IAM Best Practices
- Lock away your AWS account (root) access keys
- Create individual IAM users
- Use groups to assign permissions to IAM users
- Grant least privilege
- Configure a strong password policy for your users
- Enable MFA for privileged users
- Use roles for applications that run on Amazon EC2 instances
- Delegate by using roles instead of by sharing credentials
- Rotate credentials regularly
- Remove unnecessary credentials
- Use policy conditions for extra security
- Monitor activity in your AWS account
- Video presentation about IAM best practices
- Business Use Cases
- IAM Best Practices
- The IAM Console and the Sign-in Page
- Identities (Users, Groups, and Roles)
- IAM Users
- IAM Groups
- IAM Roles
- Temporary Credentials
- The Account "Root" User
- When to Create an IAM User
- When to Create an IAM Role
- IAM Users
- How AWS identifies an IAM user
- Users and credentials
- Users and permissions
- Users and accounts
- Users as service accounts
- Creating an IAM User in Your AWS Account
- How IAM Users Sign In to Your AWS Account
- Managing IAM Users
- Managing Passwords
- Managing Access Keys for IAM Users
- Using Multi-Factor Authentication (MFA) in AWS
- Enabling MFA Devices
- Checking MFA Status
- Synchronize MFA devices
- Deactivating MFA devices
- What If an MFA Device Is Lost or Stops Working?
- Configuring MFA-Protected API Access
- Sample Policies with MFA Conditions
- Sample Code: Requesting Credentials with Multi-factor Authentication
- Finding Unused Credentials
- Getting Credential Reports for Your AWS Account
- Using SSH Keys with AWS CodeCommit
- Working with Server Certificates
- IAM Groups
- IAM Roles
- Roles Terms and Concepts
- Common Scenarios for Roles: Users, Applications, and Services
- Identity Providers and Federation
- About Web Identity Federation
- About SAML 2.0-based Federation
- Creating IAM Identity Providers
- Creating OpenID Connect (OIDC) Identity Providers
- Creating SAML Identity Providers
- Creating and Managing a SAML Identity Provider (AWS Management Console)
- Managing a SAML Provider (AWS CLI, Tools for Windows PowerShell and AWS API)
- Configuring your SAML 2.0 IdP with Relying Party Trust and Adding Claims
- Integrating Third-Party SAML Solution Providers with AWS
- Configuring SAML Assertions for the Authentication Response
- Enabling SAML 2.0 Federated Users to Access the AWS Management Console
- Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker)
- Creating IAM Roles
- Creating a Role to Delegate Permissions to an IAM User
- Creating a Role to Delegate Permissions to an AWS Service
- Creating a Role for a Third-Party Identity Provider (Federation)
- Creating a Role for Federated Users (AWS Management Console)
- Creating a Role for Federated Access (AWS Command Line Interface)
- Creating a Role for Federated Access (Tools for Windows PowerShell)
- Creating a Role for Federated Access (IAM API)
- Creating a Role for Web Identity or OpenID Connect Federation (AWS Management Console)
- Creating a Role for SAML 2.0 Federation (AWS Management Console)
- Examples of Policies for Delegating Access
- Using Roles to Delegate Access to Another AWS Account's Resources
- Using a Policy to Delegate Access To Services
- Using a Resource-based Policy to Delegate Access to an Amazon S3 Bucket in Another Account
- Using a Resource-based Policy to Delegate Access to an Amazon SQS Queue in Another Account
- Cannot Delegate Access When the Account is Denied Access
- Using IAM Roles
- Granting a User Permissions to Switch Roles
- Granting a User Permissions to Pass a Role to an AWS Service
- Switching to a Role (AWS Management Console)
- Switching to an IAM Role (AWS Command Line Interface)
- Switching to an IAM Role (Tools for Windows PowerShell)
- Switching to an IAM Role (API)
- Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
- Revoking IAM Role Temporary Security Credentials
- Managing IAM Roles
- How IAM Roles Differ from Resource-based Policies
- Temporary Security Credentials
- AWS STS and AWS Regions
- Common Scenarios for Temporary Credentials
- Requesting Temporary Security Credentials
- Using AWS STS with AWS Regions
- AssumeRole—Cross-Account Delegation and Federation Through a Custom Identity Broker
- AssumeRoleWithWebIdentity—Federation Through a Web-based Identity Provider
- AssumeRoleWithSAML—Federation Through an Enterprise Identity Provider Compatible with SAML 2.0
- GetFederationToken—Federation Through a Custom Identity Broker
- GetSessionToken—Temporary Credentials for Users in Untrusted Environments
- Comparing the AWS STS APIs
- Using Temporary Security Credentials to Request Access to AWS Resources
- Controlling Permissions for Temporary Security Credentials
- Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
- Permissions for GetFederationToken
- Permissions for GetSessionToken
- Disabling Permissions for Temporary Security Credentials
- Granting Permissions to Create Temporary Security Credentials
- Activating and Deactivating AWS STS in an AWS Region
- Sample Applications That Use Temporary Credentials
- Additional Resources for Temporary Security Credentials
- The Account Root User
- Access Management
- Overview of AWS IAM Permissions
- Identity-Based (IAM) Permissions and Resource-Based Permissions
- Resource Creators Do Not Automatically Have Permissions
- Granting Permissions Across AWS Accounts
- Permissions For One Service to Access Another
- Delegating Permissions to Administer IAM Users, Groups, and Credentials
- Overview
- Permissions for Working in the AWS Management Console
- Example Policies for Administering IAM Resources
- Allow Users to Manage Their Own Passwords (from the My Password Page)
- Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys
- Allow a User to List the Account's Groups, Users, Policies, and More for Reporting Purposes
- Allow a User to Manage a Group's Membership
- Allow a User to Manage IAM Users
- Allow Users to Set Account Password Policy
- Allow Users to Generate and Retrieve IAM Credential Reports
- Allow Users to Manage Only Their Own Virtual MFA Devices
- Allow All IAM Actions (Admin Access)
- Overview of IAM Policies
- Managed Policies and Inline Policies
- Versioning for Managed Policies
- Deprecated AWS Managed Policies
- Controlling Access to Managed Policies
- Creating a New Policy
- Working with Policies
- Testing IAM Policies with the IAM Policy Simulator
- Using Policy Validator
- Service Last Accessed Data
- Example Policies for Administering AWS Resources
- Allow Users to Access a Specific Bucket in Amazon S3
- Allow Users to Access a Personal "Home Directory" in Amazon S3
- Allow Users Signed In with Amazon Cognito to Access their Own Amazon S3 Folder
- Allow Users to Access All Actions on a DynamoDB Table Whose Name Matches the User Name
- Allow Users to Manage Amazon EBS Volumes and Amazon EC2 Instances That Have the Specified Tag
- Allow only a specific Amazon EC2 Instance to Run Certain AWS Commands
- Use Conditions to Restrict When Permissions Are Allowed
- Deny All Access Except to a Specific Set of AWS Products and Resources
- Block Requests That Don't Come From an Approved IP Address or Range
- Restrict Access to the Policy Simulator APIs
- Enable Users to Upload Server Certificates and Use them with Elastic Load Balancing
- Resources for Learning About Permissions and Policies
- Overview of AWS IAM Permissions
- Logging IAM Events with AWS CloudTrail
- Troubleshooting IAM
- Troubleshooting General Issues
- Troubleshoot IAM Policies
- Troubleshooting IAM Roles
- Troubleshooting Amazon EC2 and IAM
- When attempting to launch an instance, I don't see the role I expected to see in the Amazon EC2 console IAM role list.
- The credentials on my instance are for the wrong role.
- When I attempt to call the AddRoleToInstanceProfile, I get an AccessDenied error.
- Amazon EC2: When I attempt to launch an instance with a role, I get an AccessDenied error.
- I can't access the temporary security credentials on my EC2 instance.
- What do the errors from the info document in the IAM subtree mean?
- Troubleshooting Amazon S3 and IAM
- Troubleshooting SAML 2.0 Federation with AWS
- How to View a SAML Response in Your Browser for Troubleshooting
- Error: Your request included an invalid SAML response. To logout, click here.
- Error: RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)
- Error: Not authorized to perform sts:AssumeRoleWithSAML (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied)
- Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,64} (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)
- Error: Response signature invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)
- Error: Failed to assume role: Issuer not present in specified provider (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException)
- Reference Information for AWS Identity and Access Management
- IAM Identifiers
- Limitations on IAM Entities and Objects
- AWS Services That Work with IAM
- AWS IAM Policy Reference
- IAM Policy Elements Reference
- IAM Policy Variables Overview
- Creating a Condition That Tests Multiple Key Values (Set Operations)
- IAM Policy Evaluation Logic
- Grammar of the IAM Policy Language
- AWS Service Actions and Condition Context Keys for Use in IAM Policies
- Actions and Condition Context Keys for Amazon API Gateway
- Actions and Condition Context Keys for Application Auto Scaling
- Actions and Condition Context Keys for AWS Application Discovery Service
- Actions and Condition Context Keys for Amazon AppStream
- Actions and Condition Context Keys for Auto Scaling
- Actions and Condition Context Keys for AWS Billing
- Actions and Condition Context Keys for AWS Certificate Manager
- Actions and Condition Context Keys for AWS CloudFormation
- Actions and Condition Context Keys for Amazon CloudFront
- Actions and Condition Context Keys for AWS CloudHSM
- Actions and Condition Context Keys for Amazon CloudSearch
- Actions and Condition Context Keys for AWS CloudTrail
- Actions and Condition Context Keys for Amazon CloudWatch
- Actions and Condition Context Keys for Amazon CloudWatch Events
- Actions and Condition Context Keys for Amazon CloudWatch Logs
- Actions and Condition Context Keys for AWS CodeCommit
- Actions and Condition Context Keys for AWS CodeDeploy
- Actions and Condition Context Keys for AWS CodePipeline
- Actions and Condition Context Keys for Amazon Cognito Identity
- Actions and Condition Context Keys for Amazon Cognito Sync
- Actions and Condition Context Keys for AWS Config
- Actions and Condition Context Keys for Data Pipeline
- Actions and Condition Context Keys for AWS Database Migration Service
- Actions and Condition Context Keys for AWS Device Farm
- Actions and Condition Context Keys for AWS Direct Connect
- Actions and Condition Context Keys for AWS Directory Service
- Actions and Condition Context Keys for Amazon DynamoDB
- Actions and Condition Context Keys for Amazon EC2
- Actions and Condition Context Keys for Amazon EC2 Container Registry
- Actions and Condition Context Keys for Amazon EC2 Container Service
- Actions and Condition Context Keys for AWS Elastic Beanstalk
- Actions and Condition Context Keys for Amazon Elastic File System
- Actions and Condition Context Keys for Elastic Load Balancing
- Actions and Condition Context Keys for Amazon Elastic MapReduce
- Actions and Condition Context Keys for Amazon Elastic Transcoder
- Actions and Condition Context Keys for Amazon ElastiCache
- Actions and Condition Context Keys for Amazon Elasticsearch Service
- Actions and Condition Context Keys for Amazon GameLift
- Actions and Condition Context Keys for Amazon Glacier
- Actions and Condition Context Keys for AWS Identity and Access Management
- Actions and Condition Context Keys for AWS Import Export
- Actions and Condition Context Keys for Amazon Inspector
- Actions and Condition Context Keys for AWS IoT
- Actions and Condition Context Keys for AWS Key Management Service
- Actions and Condition Context Keys for Amazon Kinesis
- Actions and Condition Context Keys for Amazon Kinesis Analytics
- Actions and Condition Context Keys for Amazon Kinesis Firehose
- Actions and Condition Context Keys for AWS Lambda
- Actions and Condition Context Keys for Amazon Machine Learning
- Actions and Condition Context Keys for Manage - Amazon API Gateway
- Actions and Condition Context Keys for AWS Marketplace
- Actions and Condition Context Keys for AWS Marketplace Management Portal
- Actions and Condition Context Keys for Amazon Mechanical Turk
- Actions and Condition Context Keys for Amazon Mobile Analytics
- Actions and Condition Context Keys for AWS Mobile Hub
- Actions and Condition Context Keys for AWS OpsWorks
- Actions and Condition Context Keys for Amazon RDS
- Actions and Condition Context Keys for Amazon Redshift
- Actions and Condition Context Keys for Amazon Route 53
- Actions and Condition Context Keys for Amazon Route53 Domains
- Actions and Condition Context Keys for Amazon S3
- Actions and Condition Context Keys for AWS Security Token Service
- Actions and Condition Context Keys for Amazon SES
- Actions and Condition Context Keys for Amazon Simple Systems Manager
- Actions and Condition Context Keys for Amazon Simple Workflow Service
- Actions and Condition Context Keys for Amazon SimpleDB
- Actions and Condition Context Keys for Amazon SNS
- Actions and Condition Context Keys for Amazon SQS
- Actions and Condition Context Keys for Amazon Storage Gateway
- Actions and Condition Context Keys for AWS Trusted Advisor
- Actions and Condition Context Keys for AWS WAF
- Actions and Condition Context Keys for Amazon WorkDocs
- Actions and Condition Context Keys for Amazon WorkMail
- Actions and Condition Context Keys for Amazon WorkSpaces
- Resources
- Calling the API by Making HTTP Query Requests
- AWS Glossary
- Document History