AWS Identity and Access Management (IAM) | IAM User Management Flashcards

1
Q

How do I get started with IAM?

IAM User Management

AWS Identity and Access Management (IAM) | Security, Identity & Compliance

A

To start using IAM, you must subscribe to at least one of the AWS services that is integrated with IAM. You then can create and manage users, groups, and permissions via IAM APIs, the AWS CLI, or the IAM console, which gives you a point-and-click, web-based interface. You can also use the AWS Policy Generator to create policies.

2
Q

How are IAM users managed?

A

IAM supports multiple methods to:

Create and manage IAM users.

Create and manage IAM groups.

Manage users’ security credentials.

Create and manage policies to grant access to AWS services and resources.

You can create and manage users, groups, and policies by using IAM APIs, the AWS CLI, or the IAM console. You also can use the visual editor and the IAM policy simulator to create and test policies.

3
Q

What is a group?

A

A group is a collection of IAM users. Manage group membership as a simple list:

Add users to or remove them from a group.

A user can belong to multiple groups.

Groups cannot belong to other groups.

Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.

Groups do not have security credentials, and cannot access web services directly; they exist solely to make it easier to manage user permissions. For details, see Working with Groups and Users.

4
Q

What kinds of security credentials can IAM users have?

A

IAM users can have any combination of credentials that AWS supports: an access key (key ID plus secret) for API and CLI calls, a password for AWS Management Console sign-in, an MFA device, an SSH public key for AWS CodeCommit, and an X.509 signing certificate for the legacy SOAP-based EC2 command-line tools. This lets each user interact with AWS in whatever way fits: an employee might have both an access key and a password; a software system might have only an access key for programmatic calls; a developer might hold an SSH key to reach CodeCommit repositories; and an outside contractor might have only an X.509 certificate for the old EC2 command-line interface. Note that the secret half of an access key is returned once, when the key is created, and cannot be retrieved afterwards. For details, see the security credentials section of the IAM documentation.

5
Q

Which AWS services support IAM users?

A

You can find the complete list of AWS services that support IAM users in the AWS Services That Work with IAM section of the IAM documentation. AWS plans to add support for other services over time.

6
Q

Can I enable and disable user access?

A

Yes. You can enable and disable an IAM user’s access keys (set their status to Active or Inactive) via the IAM APIs, AWS CLI, or IAM console. While a key is inactive the user cannot use it to access AWS services programmatically, and it can be reactivated later, which makes deactivation the safe first step before deleting a key. Deactivating access keys does not affect the user’s console password; to block console sign-in, delete the user’s login profile (or remove the user entirely).

7
Q

Who is able to manage users for an AWS account?

A

The AWS account root user can manage users, groups, security credentials, and permissions. In addition, you can grant individual IAM users permission to call the IAM APIs in order to manage other users. For example, creating an administrator user to manage users for a corporation, and keeping the root credentials locked away for the few tasks that require them, is a recommended practice. When you grant a user permission to manage other users, they can do so via the IAM APIs, AWS CLI, or IAM console; the grant can be scoped with a policy to only the users or groups (for example, those under a given path) that they should administer.

8
Q

Can I structure a collection of users in a hierarchical way, such as in LDAP?

A

Yes. You can organize users and groups under paths, similar to object paths in Amazon S3—for example /mycompany/division/project/joe.
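The following Python script is an added example, not part of the AWS FAQ. It models how IAM combines the statements of every policy attached to a user’s groups (cards 2 and 3) and how a user’s path makes delegation by hierarchy possible (card 8), by scoping an iam:* grant to one branch of user ARNs. The account ID, user names, groups and policies are constructed for the example. The model covers identity-based Allow/Deny statements with Action and Resource wildcards only; it ignores Condition blocks, permissions boundaries, SCPs, session and resource-based policies, so test real policies with the IAM policy simulator (aws iam simulate-principal-policy) rather than with this.

```python
import re

# Constructed sample account for this example; the account ID, users,
# groups and policies below are made up.
ACCOUNT_ID = "123456789012"


def user_arn(name, path="/"):
    """ARN IAM assigns to a user created under a path (path starts and ends with '/')."""
    return f"arn:aws:iam::{ACCOUNT_ID}:user{path}{name}"


USERS = {
    "joe":  {"path": "/mycompany/division/project/", "groups": ["Developers"]},
    "mary": {"path": "/mycompany/division/",         "groups": ["DivisionAdmins"]},
    "eve":  {"path": "/mycompany/other/",            "groups": ["Developers", "NoProd"]},
}

# Policies attached to groups. A user inherits every statement from every
# group they belong to; the groups themselves hold no credentials.
GROUP_POLICIES = {
    "Developers": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
         "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
    ],
    "DivisionAdmins": [
        # Delegated user administration scoped by path: mary may manage only
        # users whose ARN lies under /mycompany/division/.
        {"Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:AddUserToGroup"],
         "Resource": f"arn:aws:iam::{ACCOUNT_ID}:user/mycompany/division/*"},
    ],
    "NoProd": [
        # An explicit Deny overrides any Allow granted through another group.
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-bucket/prod/*"},
    ],
}


def glob_match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def as_list(x):
    return x if isinstance(x, list) else [x]


def statement_matches(stmt, action, resource):
    # Action names are matched case-insensitively; resource ARNs are not.
    return (any(glob_match(a.lower(), action.lower()) for a in as_list(stmt["Action"]))
            and any(glob_match(r, resource) for r in as_list(stmt["Resource"])))


def evaluate(user, action, resource):
    """Decide a request the way IAM evaluates identity-based policies:
    all statements from all of the user's groups are considered together,
    an explicit Deny anywhere wins, otherwise a matching Allow permits the
    call, and a request that no statement matches is implicitly denied."""
    allowed = False
    for group in USERS[user]["groups"]:
        for stmt in GROUP_POLICIES.get(group, []):
            if statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit deny: stop immediately
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched


if __name__ == "__main__":
    prod_obj = "arn:aws:s3:::app-bucket/prod/config.yaml"
    print("joe  GetObject prod :", evaluate("joe", "s3:GetObject", prod_obj))   # Allow
    print("eve  GetObject prod :", evaluate("eve", "s3:GetObject", prod_obj))   # Deny (explicit)
    print("joe  PutObject prod :", evaluate("joe", "s3:PutObject", prod_obj))   # Deny (implicit)
    print("mary CreateUser in division :",
          evaluate("mary", "iam:CreateUser", user_arn("bob", "/mycompany/division/project/")))  # Allow
    print("mary CreateUser outside      :",
          evaluate("mary", "iam:CreateUser", user_arn("bob", "/mycompany/other/")))             # Deny
```

Run it as a script to see the decisions printed. The two properties worth noticing are that eve’s membership in NoProd removes the prod access she would otherwise get from Developers, and that mary’s administrative rights stop at the division’s path prefix.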

9
Q

Can I define users regionally?

A

Not initially. Users are global entities, like an AWS account is today. No region is required to be specified when you define user permissions. Users can use AWS services in any geographic region.

10
Q

How are MFA devices configured for IAM users?

A

You (or an administrator with the relevant IAM permissions) register MFA devices and assign them to individual IAM users via the IAM APIs, AWS CLI, or IAM console. Supported device types are virtual MFA applications (TOTP), FIDO security keys, and hardware TOTP tokens, and a user can have more than one device registered. Enabling a virtual or hardware TOTP device requires two consecutive codes from it so that it can be synchronized. MFA is only as useful as the policies that require it, so pair it with a policy that denies sensitive actions unless the aws:MultiFactorAuthPresent condition key is true.

11
Q

What kind of key rotation is supported for IAM users?

A

User access keys and X.509 certificates can be rotated just as they are for the root user’s own credentials. You can manage and rotate a user’s access keys and X.509 certificates programmatically via the IAM APIs, AWS CLI, or IAM console. Because a user can hold two access keys at a time, rotation can be done without an outage: create the second key, deploy it, set the old key to Inactive, confirm nothing still uses it, and only then delete it.
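Added example, not from the AWS FAQ: a Python script covering the enable/disable and rotation answers (cards 6 and 11). It drives the real AWS CLI commands (list-access-keys, create-access-key, update-access-key, get-access-key-last-used, delete-access-key) through one `run` callable, so the same logic can be exercised offline by passing a fake in place of the CLI. It assumes the AWS CLI is installed and has credentials permitted to manage the target user’s keys; the user name on the command line and the `deploy` callback are placeholders for your environment.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2   # IAM limit: a user can hold at most two access keys at once


def aws_cli(*args):
    """Run one AWS CLI command and return its JSON output as a dict.
    Any callable with this shape can replace it, which is how the offline test works."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def parse_iso(ts):
    """Parse timestamps as the CLI prints them ('...Z' or '...+00:00')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def list_keys(user, run=aws_cli):
    return run("iam", "list-access-keys", "--user-name", user)["AccessKeyMetadata"]


def start_rotation(user, run=aws_cli):
    """Phase 1: create the replacement key while the current one keeps working.
    Returns (old_key_id, new_key_id, new_secret). The secret appears only in
    this one CreateAccessKey response and can never be retrieved again."""
    keys = list_keys(user, run)
    if len(keys) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user} already has {len(keys)} keys; delete a stale one first")
    if len(keys) != 1:
        raise RuntimeError(f"expected exactly one current key for {user}, found {len(keys)}")
    old_id = keys[0]["AccessKeyId"]
    new = run("iam", "create-access-key", "--user-name", user)["AccessKey"]
    return old_id, new["AccessKeyId"], new["SecretAccessKey"]


def deactivate_key(user, key_id, run=aws_cli):
    """Phase 2: once the new key is deployed, mark the old one Inactive rather
    than deleting it, so the change is reversible if something still uses it."""
    run("iam", "update-access-key", "--user-name", user,
        "--access-key-id", key_id, "--status", "Inactive")


def safe_to_delete(key_id, quiet_days=7, now=None, run=aws_cli):
    """Phase 3 check: delete only after the key has gone unused for quiet_days."""
    used = run("iam", "get-access-key-last-used", "--access-key-id", key_id)["AccessKeyLastUsed"]
    last = used.get("LastUsedDate")
    if last is None:
        return True                      # never used: nothing depends on it
    now = now or datetime.now(timezone.utc)
    return now - parse_iso(last) >= timedelta(days=quiet_days)


def delete_key(user, key_id, run=aws_cli):
    run("iam", "delete-access-key", "--user-name", user, "--access-key-id", key_id)


def rotate(user, deploy, run=aws_cli):
    """Phases 1 and 2 together. deploy(key_id, secret) must install the new
    credentials wherever the application reads them. Returns the deactivated
    old key id, to be handed to safe_to_delete()/delete_key() later."""
    old_id, new_id, secret = start_rotation(user, run)
    deploy(new_id, secret)
    deactivate_key(user, old_id, run)
    return old_id


if __name__ == "__main__":
    import sys
    # Against the real CLI; this deploy only prints the new key id (never the
    # secret). Replace it with whatever installs credentials in your environment.
    old = rotate(sys.argv[1], lambda key_id, secret: print("deploy", key_id))
    print("deactivated", old, "; delete it once safe_to_delete() returns True")
```

Keeping the old key Inactive for a quiet period, and checking get-access-key-last-used before deleting, is what turns rotation from a risky cut-over into a reversible change.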

12
Q

Can IAM users have individual EC2 SSH keys?

A

Not in the initial release. IAM does not affect EC2 SSH keys or Windows RDP certificates. This means that although each user has separate credentials for accessing web service APIs, they must share SSH keys that are common across the AWS account under which users have been defined.

13
Q

Where can I use my SSH keys?

A

Currently, IAM users can use their SSH keys only with AWS CodeCommit to access their repositories.

14
Q

Do IAM user names have to be email addresses?

A

No, but they can be. User names are ASCII strings that are unique within a given AWS account (uniqueness is case-insensitive, so Joe and joe are the same user). You can assign names using any naming convention you choose, including email addresses.

15
Q

Which character sets can I use for IAM user names?

A

Only ASCII characters: letters, digits, and the characters + = , . @ - _. Names of IAM entities are not case sensitive.

16
Q

Are user attributes other than user name supported?

A

Not at this time. (IAM users have since gained tags, key/value pairs set with TagUser, which are the supported way to record attributes such as team or cost center and can be referenced from policy conditions.)

17
Q

How are user passwords set?

A

You can set an initial password for an IAM user via the IAM console, AWS CLI (create-login-profile), or IAM APIs, optionally requiring the user to change it at first sign-in. User passwords never appear in clear text after the initial provisioning, and are never displayed or returned by an API call. IAM users can change their own password from the Security Credentials page of the AWS Management Console (reached from the account menu in the upper right corner), provided the account password policy allows users to change their password and they hold the iam:ChangePassword permission.

18
Q

Can I define a password policy for my user’s passwords?

A

Yes. An account password policy can require a minimum length and the presence of numbers, symbols, uppercase, and lowercase characters; enforce automatic password expiration after a set number of days; prevent re-use of a number of previous passwords; control whether users may change their own password; and require a password reset upon the next AWS sign-in. The policy applies only to IAM user passwords, not to access keys or to the root user. For details, see Setting an Account Password Policy for IAM Users.
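Added example, not from the AWS FAQ or from AWS code: a Python model of an account password policy with the same knobs as `aws iam update-account-password-policy`, so the rules above can be checked against a candidate password offline. The parameter ranges it enforces (minimum length 6 to 128, expiry of at most 1095 days, reuse prevention of at most 24 passwords) and the symbol set are IAM’s documented limits; the default values, the SHA-256 history fingerprint and the sample passwords are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The characters IAM counts as "symbols" for the require-symbols rule.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


def parse_iso(ts):
    """Parse ISO-8601 timestamps as the CLI prints them ('...Z' or '...+00:00')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass
class PasswordPolicy:
    """Knobs of an IAM account password policy, named after the flags of
    `aws iam update-account-password-policy`. The defaults here are
    assumptions for the example, not IAM's defaults."""
    minimum_length: int = 14
    require_numbers: bool = True
    require_symbols: bool = True
    require_uppercase: bool = True
    require_lowercase: bool = True
    max_age_days: int = 90        # 0 means passwords never expire
    reuse_prevention: int = 24    # remember this many previous passwords; 0 disables

    def __post_init__(self):
        # Ranges IAM accepts for these settings.
        if not 6 <= self.minimum_length <= 128:
            raise ValueError("minimum length must be between 6 and 128")
        if not 0 <= self.max_age_days <= 1095:
            raise ValueError("max age must be 1 to 1095 days, or 0 to disable expiry")
        if not 0 <= self.reuse_prevention <= 24:
            raise ValueError("reuse prevention remembers at most 24 passwords")


def fingerprint(password):
    """History entry for the reuse check. Plain SHA-256 keeps the example short;
    a real password store would use a slow, salted hash such as scrypt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy, candidate, history=()):
    """Return the rules the candidate violates (an empty list means compliant).
    history holds fingerprints of earlier passwords, oldest first."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append("minimum_length")
    if policy.require_numbers and not any(c.isdigit() for c in candidate):
        problems.append("numbers")
    if policy.require_symbols and not any(c in IAM_SYMBOLS for c in candidate):
        problems.append("symbols")
    if policy.require_uppercase and not any(c.isupper() for c in candidate):
        problems.append("uppercase")
    if policy.require_lowercase and not any(c.islower() for c in candidate):
        problems.append("lowercase")
    recent = list(history)[-policy.reuse_prevention:] if policy.reuse_prevention else []
    if fingerprint(candidate) in recent:
        problems.append("reuse")
    return problems


def password_expired(policy, set_on, now=None):
    """True when the password was set more than max_age_days ago.
    set_on (and now, if given) are ISO-8601 timestamps; max_age_days of 0 disables expiry."""
    if not policy.max_age_days:
        return False
    now_dt = parse_iso(now) if now else datetime.now(timezone.utc)
    return now_dt - parse_iso(set_on) > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample passwords, not real credentials.
    print(check_password(policy, "password"))            # ['minimum_length', 'numbers', 'symbols', 'uppercase']
    print(check_password(policy, "Tr0ub4dor&3xample"))   # []
    print(password_expired(policy, "2024-01-01T00:00:00Z", "2024-04-15T00:00:00Z"))  # True
```

The reuse check compares fingerprints rather than passwords so that the history never stores the plaintext; IAM keeps this history for you, but an application that fronts IAM with its own sign-in flow needs the same discipline.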