
Identity and Access Management


Security best practices in IAM -

IAM Access Analyzer - See some use cases at Security best practices in IAM.

A vault for securely storing and accessing AWS credentials in development environments -

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report -

A tool for quickly evaluating IAM permissions in AWS -

Refining permissions in AWS using last accessed information -

AWS Vault - Stores IAM credentials in your operating system's secure keystore


  • User: an individual, system, or application requiring access to AWS services.
  • Group: collection of users. A user can be in many groups.
  • Role: set of permissions.
  • Policy: JSON file. Permissions assigned to a user, group or role.



  • Is an AWS identity with permissions that determine what it can and can't do.
  • Can be assigned a policy for permissions.
  • Users, applications and services can assume roles.
  • Does not have long term credentials/passwords/access keys. Instead, if a user is assigned a role, access keys are created dynamically and provided to the user temporarily.
  • Can be used to delegate access to users, applications or services that don't normally have access to your AWS resources.
  • A user who assumes a role temporarily gives up their own permissions and instead takes on the permissions of the role.
  • E.g. we can give an EC2 instance an IAM role to temporarily access an S3 bucket using an instance profile.
  • Roles remove the need to modify a user's policy each time a change is required.

We recommend using IAM roles for human users and workloads that access your AWS resources so that they use temporary credentials (instead of IAM users) source

A role is an identity in AWS that doesn't have its own credentials (as a user does) source

Role vs Policy

A role is a type of IAM identity that can be authenticated and authorized to utilize an AWS resource, whereas a policy defines the permissions of the IAM identity.

A role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials (password or access keys) associated with it. Policies determine what actions a user, role, or member of a user group can perform, on which AWS resources, and under what conditions.

You attach IAM policies (each containing a set of permissions) to an IAM role, so a single IAM role can have multiple IAM policies attached to it. Lastly, a user can "assume" an IAM role, meaning it automatically inherits the policy or policies attached to that role.

A company with several departments that manage AWS

  1. Create an IAM group for each department.
  2. Create a policy and assign it to the group.
  3. Create IAM users for each person in each department and add them to their respective groups.

Finding your AWS account ID

aws sts get-caller-identity

aws sts get-caller-identity --query Account --output text

Multi-factor authentication

Supported MFA methods/devices -

Using multi-factor authentication (MFA) in AWS -

Root user

The root user has complete access to all AWS services and resources, including billing information. It is the most privileged user.

AWS account root user -

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. (...) For a tutorial on how to set up an administrator for daily use, see Creating your first IAM admin user and user group.

Best practices to protect your account's root user -

We strongly recommend that you use the root user only for two things:

You can transfer the root account - see

If you're the owner account, what's the point of using iam instead of root? -

Never use Root, only use it to create an IAM admin, that's it. Root can close the account, subscribe to Enterprise Support (costing you $$$$) and delete anything (even if it's denied by an IAM policy)

Resetting a lost or forgotten root user password

The root user has an associated email address that can be used to reset (i.e. change) the password, even if you have enabled MFA. Note that you can change the password, but if MFA was enabled it will still be required to log in after changing the password.


  • Choose 'Root user' and set the email at the field 'Root user email address'.
  • Click 'Forgot password?'.
  • At the email you'll receive, click the reset password link.
  • At the page that opens, set the new password at the fields 'New password' and 'Confirm new password'. Click 'Reset password'.
  • You'll receive an email saying 'Your Amazon Web Services Password Has Been Updated'.
  • A new password is set. Now you need to log in. If MFA was enabled, it will be required when logging in with the new password.

Note that this process was done with MFA enabled, and after changing the password MFA was still there.

If you lose access to the MFA device you need to have access to the email and the primary contact phone as explained at Recovering a root user MFA device. See steps at

Root user monitoring

AWS Management Console sign-in events - Monitor root user activity with AWS CloudTrail at no additional cost -

How can I create an EventBridge event rule to notify me that my AWS root user account was used? -

Tasks that require root user credentials

Don't use the root user for everyday tasks

We strongly recommend that you do not use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. source

Don't generate access keys for the root user

We don't recommend generating access keys for your root user, because they allow full access to all your resources for all AWS services. source

One of the best ways to protect your account is to not have access keys for your AWS account root user. Unless you must have root user access keys (which is rare), it is best not to generate them. source

If you do have an access key for your root user, delete it. source

Deleting access keys for the root user

At the navigation bar, click your name and then 'Security credentials'. In the section 'Access keys (access key ID and secret access key)' there should be no items.

Note that at the top of the IAM dashboard there is a 'Security recommendations' section that tells you if the Root user has MFA and access keys.

Root user email


Tip: For Root user email address, use a corporate email distribution list (for example, or email box if your account is a professional AWS account. Avoid using an individual's corporate email address (for example, With this practice, your company can retain access to the AWS account even when an employee changes positions or leaves the company. The email address can be used to reset account credentials. Be sure that you protect access to these distribution lists.

Root user multi-factor authentication (MFA)

It's a best practice to enable multi-factor authentication (MFA) on the root account to secure your AWS resources. source

How to:

  • At the top right menu, go to 'Security credentials'. You'll see a warning 'You don't have MFA assigned'. Click 'Assign MFA'.
  • Alternatively, go to the IAM Dashboard and you'll see a warning 'Add MFA for root user' (and 'Add MFA for yourself' if you are not root) on the 'Security recommendations' box. Click 'Add MFA'.


Recovering a root user MFA device - See steps at

Add MFA to other users

(This also works for your own IAM user if you are not the root user: IAM users appear in the Users list, whereas the root user does not, which is why root needs the method above.)

Go to the IAM Dashboard → Users and select a user. Click the 'Security credentials' tab and do 'Assign MFA device'.

Create the first IAM admin user

We recommend that you not use the root level credentials for anything other than initial setup of the account and the creation of the IAM user account with administrator permissions attached via policy source

There are 2 guides/tutorials that explain how to set up the admin user:


  • Sign in to the console as Root user.
  • Click your name at the top navbar → Account. At the section 'IAM User and Role Access to Billing Information' click 'Edit' and enable 'Activate IAM Access'.
  • Go to the IAM console → Users and click 'Create user'.
  • On the 'Set user details' page do:
    • Set 'User name' to 'Administrator'.
    • Check 'Provide user access to the AWS Management Console'.
    • Select 'I want to create an IAM user'.
    • Set a password at 'Custom password' and save it.
    • Uncheck 'Users must create a new password at next sign-in'.
    • Click 'Next'.
  • On the 'Set permissions' page do:
    • Click 'Add user to group' and then 'Create group'.
    • Set 'Group name' to 'Administrators'.
    • Check the policy 'AdministratorAccess'.
    • Click 'Create group'.
    • Click 'Next'.
  • On the 'Review and create' page optionally add tags.
    • Click 'Create user'.
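The two procedures above (the first admin user in an Administrators group, and one group per department with its own policy and users) map onto a handful of IAM API calls. The script below is an added example written for this page, not code from the page or from AWS: it uses the boto3 IAM client method names (create_group, attach_group_policy, put_group_policy, create_user, create_login_profile, add_user_to_group) but takes the client as a parameter and ships with a constructed recording stand-in so it runs offline; pass a real boto3.client("iam") instead to execute it. The "Finance" group, its policy and the user names are constructed for the example, and the 'Activate IAM Access' billing setting from the console steps has no IAM API call here.

```python
import json

# Constructed, least-privilege policy for a hypothetical "Finance" department group
# (contrast with AdministratorAccess, which only the Administrators group gets).
FINANCE_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ce:GetCostAndUsage", "budgets:ViewBudget"],
        "Resource": "*",
    }],
}

ADMINISTRATOR_ACCESS_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def create_group_with_users(iam, group_name, user_names, managed_policy_arns=(),
                            inline_policies=None, console_passwords=None,
                            password_reset_required=True):
    """Group first, permissions on the group, then users added to the group.

    iam                  -- boto3 IAM client (or anything with the same method names)
    managed_policy_arns  -- AWS managed policies attached with attach_group_policy
    inline_policies      -- {name: policy document} stored on the group with put_group_policy
    console_passwords    -- {user: initial password} for users who get console access
    """
    iam.create_group(GroupName=group_name)
    for arn in managed_policy_arns:
        iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    for name, document in (inline_policies or {}).items():
        iam.put_group_policy(GroupName=group_name, PolicyName=name,
                             PolicyDocument=json.dumps(document))
    for user in user_names:
        iam.create_user(UserName=user)
        if user in (console_passwords or {}):
            iam.create_login_profile(UserName=user, Password=console_passwords[user],
                                     PasswordResetRequired=password_reset_required)
        iam.add_user_to_group(GroupName=group_name, UserName=user)


class RecordingIAM:
    """Constructed offline stand-in for the IAM client: records every call in order."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return call


def bootstrap(iam, admin_password):
    """The two procedures from the page: first admin user, then one department."""
    # Administrator in an Administrators group with the AdministratorAccess managed
    # policy; the console steps leave 'must create a new password' unchecked.
    create_group_with_users(iam, "Administrators", ["Administrator"],
                            managed_policy_arns=[ADMINISTRATOR_ACCESS_ARN],
                            console_passwords={"Administrator": admin_password},
                            password_reset_required=False)
    # A department group with a scoped inline policy instead of AdministratorAccess.
    create_group_with_users(iam, "Finance", ["alice", "bob"],
                            inline_policies={"FinanceReadOnly": FINANCE_READ_ONLY})
    return [method for method, _ in iam.calls]


if __name__ == "__main__":
    client = RecordingIAM()   # swap for boto3.client("iam") to run against AWS
    bootstrap(client, "placeholder-initial-password")   # placeholder, not a real secret
    for method, kwargs in client.calls:
        print(method, kwargs)
```

Creating the group and its permissions before any user exists means no user is ever created without a group to scope it, which is the point of the "one group per department" procedure.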

Enforce MFA to users

Prevent users from performing actions unless they have set up MFA, using a policy -

Password policy

Go to IAM → Account settings and on the Password policy box click the 'Edit' button.


JSON file. Permissions assigned to a user, group or role.




AWS IAM Policies in a Nutshell -

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManageOwnSSHPublicKeys",   // Optional statement identifier
      "Effect": "Allow",                      // Or "Deny"
      "Action": [
        ...                                   // Which task(s) are allowed
      ],
      "Condition": {
        ...                                   // Which condition(s) need to be met for authorization
      },
      "Resource": "arn:aws:iam::*:user/${aws:username}"   // Resources on which the authorized tasks may be performed
    }
  ]
}


aws iam list-users

aws iam list-users --profile <profile-name>

Create role

Example of trust relationship policy document trust.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach a policy to an IAM role

Example of policy document iam-role-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["eks:Describe*", "ssm:GetParameters"],
      "Resource": "*"
    }
  ]
}

Delete role
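The three role sections above (create with trust.json, attach iam-role-policy.json, delete) belong together, and the delete step has a catch: IAM refuses DeleteRole while the role still has inline policies, attached managed policies or instance-profile membership. The script below is an added example for this page, not code from the page or from AWS. It uses the boto3 IAM client method names (create_role, put_role_policy, list_role_policies, delete_role_policy, list_attached_role_policies, detach_role_policy, list_instance_profiles_for_role, remove_role_from_instance_profile, delete_role) against a constructed in-memory stand-in that enforces the delete rule, so it runs offline; the role name, policy name and account id are placeholders. Note that the page's trust policy names the account root as principal, which lets any IAM principal in that account assume the role as long as its own identity policy grants sts:AssumeRole on it.

```python
import json

ACCOUNT_ID = "123456789012"   # placeholder, not a real account

# The page's trust.json: any principal in the account may assume the role,
# provided its own identity policy also grants sts:AssumeRole on this role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# The page's iam-role-policy.json.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["eks:Describe*", "ssm:GetParameters"],
        "Resource": "*",
    }],
}


def create_role_with_inline_policy(iam, role_name, trust_policy, policy_name, policy_doc):
    """CreateRole with the trust policy, then PutRolePolicy for the permissions."""
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy))
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(policy_doc))


def delete_role_safely(iam, role_name):
    """DeleteRole is refused while inline policies, attached managed policies or
    instance profiles remain, so clear them first (pagination omitted for brevity)."""
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
    for pol in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=pol["PolicyArn"])
    for prof in iam.list_instance_profiles_for_role(RoleName=role_name)["InstanceProfiles"]:
        iam.remove_role_from_instance_profile(
            InstanceProfileName=prof["InstanceProfileName"], RoleName=role_name)
    iam.delete_role(RoleName=role_name)


class FakeIAM:
    """Constructed in-memory stand-in for the IAM client, enforcing the delete rule."""

    def __init__(self):
        self.roles = {}
        self.log = []

    def create_role(self, RoleName, AssumeRolePolicyDocument):
        self.roles[RoleName] = {"trust": AssumeRolePolicyDocument, "inline": {},
                                "attached": set(), "profiles": set()}
        self.log.append("create_role")

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.roles[RoleName]["inline"][PolicyName] = PolicyDocument
        self.log.append("put_role_policy")

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.roles[RoleName]["inline"])}

    def delete_role_policy(self, RoleName, PolicyName):
        del self.roles[RoleName]["inline"][PolicyName]
        self.log.append("delete_role_policy")

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.roles[RoleName]["attached"]]}

    def detach_role_policy(self, RoleName, PolicyArn):
        self.roles[RoleName]["attached"].discard(PolicyArn)
        self.log.append("detach_role_policy")

    def list_instance_profiles_for_role(self, RoleName):
        return {"InstanceProfiles": [{"InstanceProfileName": p}
                                     for p in self.roles[RoleName]["profiles"]]}

    def remove_role_from_instance_profile(self, InstanceProfileName, RoleName):
        self.roles[RoleName]["profiles"].discard(InstanceProfileName)
        self.log.append("remove_role_from_instance_profile")

    def delete_role(self, RoleName):
        role = self.roles[RoleName]
        if role["inline"] or role["attached"] or role["profiles"]:
            raise RuntimeError("DeleteConflict: detach policies and instance profiles first")
        del self.roles[RoleName]
        self.log.append("delete_role")


def demo():
    """Create the role, then remove it in the order the service requires."""
    iam = FakeIAM()   # swap for boto3.client("iam") to run against AWS
    create_role_with_inline_policy(iam, "eks-reader", TRUST_POLICY, "eks-read", ROLE_POLICY)
    delete_role_safely(iam, "eks-reader")
    return iam.log


if __name__ == "__main__":
    print(demo())
```

The same ordering applies on the CLI: delete-role-policy / detach-role-policy / remove-role-from-instance-profile before delete-role, otherwise the delete fails with a conflict.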

Permission boundaries

(Documentation) Permissions boundaries for IAM entities -

When and where to use IAM permissions boundaries -

How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation? -

How can I resolve access denied issues caused by permissions boundaries? -

Prevent privilege escalation with AWS IAM permission boundaries -

AWS Permission Boundaries for Dummies -
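The statement anatomy from the "Policies in a Nutshell" section, the "enforce MFA with a policy" idea, and the permissions-boundary links above all come down to the same evaluation rules: an explicit Deny beats any Allow, no matching Allow is an implicit deny, Action and Resource use wildcards and ${aws:username} substitution, a Condition gates the statement, and a permissions boundary never grants anything, it only caps what the identity policy grants. The evaluator below is an added example written for this page, not AWS's evaluation logic and not from the page: it is a deliberately small model (identity policies plus an optional boundary only; no resource-based policies, SCPs or session policies; only the Bool, BoolIfExists and StringEquals condition operators). The policies, user names and account id are constructed; the IAM action names used in them are real actions but the policies themselves are illustrative.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ctx, fold_case=False):
    """IAM-style wildcard match (* and ?) after substituting ${aws:username}."""
    pattern = pattern.replace("${aws:username}", ctx.get("aws:username", ""))
    if fold_case:                      # action names are case-insensitive
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _any_match(patterns, value, ctx, fold_case=False):
    return any(_match(p, value, ctx, fold_case) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected).lower()
            elif operator == "BoolIfExists":   # a missing key counts as a match
                ok = actual is None or str(actual).lower() == str(expected).lower()
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _applies(st, action, resource, ctx):
    """Does the statement match the request (Action/NotAction, Resource/NotResource, Condition)?"""
    if "Action" in st and not _any_match(st["Action"], action, ctx, fold_case=True):
        return False
    if "NotAction" in st and _any_match(st["NotAction"], action, ctx, fold_case=True):
        return False
    if "Resource" in st and not _any_match(st["Resource"], resource, ctx):
        return False
    if "NotResource" in st and _any_match(st["NotResource"], resource, ctx):
        return False
    return _condition_ok(st.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Explicit Deny wins over Allow; no matching Allow is an implicit deny."""
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if _applies(st, action, resource, ctx):
                if st["Effect"] == "Deny":
                    return "explicit_deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(identity_policies, action, resource, ctx, boundary=None):
    """A permissions boundary never grants; the request must be allowed by both."""
    if evaluate(identity_policies, action, resource, ctx) != "allow":
        return False
    return boundary is None or evaluate([boundary], action, resource, ctx) == "allow"


# Constructed policies for the demo (shapes follow the sections above).
MANAGE_OWN_KEYS = {"Statement": [{"Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow",
    "Action": ["iam:ListSSHPublicKeys", "iam:UploadSSHPublicKey"],
    "Resource": "arn:aws:iam::*:user/${aws:username}"}]}
# Deny everything except MFA set-up unless the session carries MFA; BoolIfExists
# makes the deny apply when the key is absent (long-term access keys without MFA).
DENY_WITHOUT_MFA = {"Statement": [{"Sid": "DenyAllExceptMfaSetupWithoutMfa", "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:ListMFADevices", "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}


def demo():
    me = "arn:aws:iam::123456789012:user/alice"        # placeholder account id
    mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:username": "alice"}                  # key absent: no MFA in this session
    own = [MANAGE_OWN_KEYS, DENY_WITHOUT_MFA]
    return {
        "own_key_with_mfa": is_allowed(own, "iam:UploadSSHPublicKey", me, mfa),
        "own_key_without_mfa": is_allowed(own, "iam:UploadSSHPublicKey", me, no_mfa),
        "someone_elses_key": is_allowed(own, "iam:UploadSSHPublicKey", me.replace("alice", "bob"), mfa),
        "mfa_setup_without_mfa": is_allowed([ADMIN, DENY_WITHOUT_MFA], "iam:EnableMFADevice", me, no_mfa),
        "admin_s3_within_boundary": is_allowed([ADMIN], "s3:GetObject", "arn:aws:s3:::bucket/key", mfa,
                                               boundary=IAM_ONLY_BOUNDARY),
        "admin_iam_within_boundary": is_allowed([ADMIN], "iam:ListUsers", "*", mfa, boundary=IAM_ONLY_BOUNDARY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} {'allow' if result else 'deny'}")
```

Two of the cases are the ones worth remembering: "someone_elses_key" is denied even though nothing explicitly denies it, because the ${aws:username} resource scope simply never grants it, and "admin_s3_within_boundary" is denied despite AdministratorAccess-style permissions, because the boundary only intersects with the identity policy and never widens it.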