docs.aws.amazon.com
Open in
urlscan Pro
18.66.147.76
Public Scan
Submitted URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Effective URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Submission: On June 14 via api from US — Scanned from DE
Effective URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Submission: On June 14 via api from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
SELECT YOUR COOKIE PREFERENCES
We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”
Accept all cookiesContinue without acceptingCustomize cookies
CUSTOMIZE COOKIE PREFERENCES
We use cookies and similar tools (collectively, "cookies") for the following
purposes.
ESSENTIAL
Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.
PERFORMANCE
Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.
Allow performance category
Allowed
FUNCTIONAL
Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.
Allow functional category
Allowed
ADVERTISING
Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.
Allow advertising category
Allowed
Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice
.
CancelSave preferences
UNABLE TO SAVE COOKIE PREFERENCES
We will only store essential cookies at this time, because we were unable to
save your cookie preferences.
If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.
Dismiss
Contact Us
English
Create an AWS Account
1. AWS
2. ...
3. Documentation
4. AWS Identity and Access Management
5. User Guide
Feedback
Preferences
AWS IDENTITY AND ACCESS MANAGEMENT
USER GUIDE
* What is IAM?
* When do I use IAM
* How IAM works
* Users in AWS
* Permissions and policies in IAM
* What is ABAC?
* Security features outside IAM
* Quick links to common tasks
* IAM console search
* Working with AWS SDKs
* Getting set up
* Your AWS account ID and its alias
* Find your AWS account ID
* About account aliases
* Creating, deleting, and listing an AWS account alias
* Getting started
* Tutorials
* Grant access to the billing console
* Delegate access across AWS accounts using roles
* Create a customer managed policy
* Use attribute-based access control (ABAC)
* Use SAML session tags for ABAC
* Permit users to manage their credentials and MFA settings
* Identities
* Users
* Adding a user
* Controlling user access to the console
* How IAM users sign in to AWS
* Using MFA devices with your IAM sign-in page
* Managing users
* Changing permissions for a user
* Managing passwords
* Changing the root user password
* Setting a password policy
* Managing user passwords
* Permitting IAM users to change their own passwords
* How an IAM user changes their own password
* Access keys
* Retrieving lost passwords or access keys
* Multi-factor authentication (MFA)
* Enabling MFA devices
* Enabling a virtual MFA device (console)
* Enabling a FIDO security key (console)
* Supported configurations for using FIDO security keys
* Enabling a hardware TOTP token (console)
* Enabling and managing virtual MFA devices (AWS CLI or AWS API)
* Checking MFA status
* Resynchronizing virtual and hardware MFA devices
* Deactivating MFA devices
* What if an MFA device is lost or stops working?
* Configuring MFA-protected API access
* Sample code: MFA
* Finding unused credentials
* Getting credential reports
* Using IAM with CodeCommit
* Using IAM with Amazon Keyspaces
* Managing server certificates
* User groups
* Creating user groups
* Managing user groups
* Listing IAM user groups
* Adding and removing users in an IAM user group
* Attaching a policy to an IAM user group
* Renaming an IAM user group
* Deleting a user group
* Roles
* Terms and concepts
* Common scenarios
* Providing access across AWS accounts
* Providing access for non AWS workloads
* Providing access to third-party AWS accounts
* Using an external ID for third-party access
* Providing access to AWS services
* The confused deputy problem
* Providing access through identity federation
* Identity providers and federation
* About web identity federation
* Using Amazon Cognito for mobile apps
* Using web identity federation API operations for mobile apps
* Identifying users with web identity federation
* Additional resources for web identity federation
* About SAML 2.0 federation
* Creating IAM identity providers
* Creating OIDC identity providers
* Obtaining the thumbprint for an OIDC Identity Provider
* Creating IAM SAML identity providers
* Configuring relying party trust and claims
* Integrating third-party SAML solution providers with AWS
* Configuring SAML assertions for the authentication response
* Enable SAML 2.0 federated users to access the AWS console
* Enabling custom identity broker access to the AWS console
* Service-linked roles
* Creating roles
* Creating a role for an IAM user
* Creating a role for an AWS service
* Creating a role for identity federation
* Creating a role for web Identity/OIDC federation
* Creating a role for SAML 2.0 federation
* Creating a role using custom trust policies
* Examples of policies for delegating access
* Using roles
* Granting a user permissions to switch roles
* Granting permissions to pass a role to a service
* Switching roles (console)
* Switching roles (AWS CLI)
* Switching roles (Tools for Windows PowerShell)
* Switching roles (AWS API)
* Using roles for applications on Amazon EC2
* Using instance profiles
* Revoking role temporary credentials
* Managing roles
* Modifying a role
* Modifying a role (console)
* Modifying a role (AWS CLI)
* Modifying a role (AWS API)
* Deleting roles or instance profiles
* Roles vs. resource-based policies
* Tagging IAM resources
* Tagging IAM users
* Tagging IAM roles
* Tagging customer managed policies
* Tagging IAM identity providers
* Tagging OpenID Connect (OIDC) identity providers
* Tagging IAM SAML identity providers
* Tagging instance profiles
* Tagging server certificates
* Tagging virtual MFA devices
* Session tags
* Temporary security credentials
* Requesting temporary security credentials
* Using temporary credentials with AWS resources
* Controlling permissions for temporary security credentials
* Permissions for AssumeRole API operations
* Monitor and control actions taken with assumed roles
* Permissions for GetFederationToken
* Permissions for GetSessionToken
* Disabling permissions
* Granting permissions to create credentials
* Managing AWS STS in an AWS Region
* Using AWS STS interface VPC endpoints
* Using bearer tokens
* Sample applications that use temporary credentials
* Additional resources for temporary credentials
* AWS account root user
* Log events with CloudTrail
* Access management
* Policies and permissions
* Managed policies and inline policies
* Choosing managed or inline
* Getting started with managed policies
* Converting inline policy to managed
* Deprecated AWS managed policies
* Permissions boundaries
* Identity vs resource
* Controlling access using policies
* Control access to IAM users and roles using tags
* Control access to AWS resources using tags
* Example policies
* AWS: Specific access during a date range
* AWS: Enable or disable AWS Regions
* AWS: Self-manage credentials with MFA (My security credentials)
* AWS: Specific access with MFA during a date range
* AWS: Self-manage credentials no MFA (My security credentials)
* AWS: Self-manage MFA device (My security credentials)
* AWS: Self-manage console password (My security credentials)
* AWS: Self-manage password, access keys, & SSH public keys (My
security credentials)
* AWS: Deny access based on requested Region
* AWS: Deny access based on source IP
* AWS: Deny access to Amazon S3 resources outside your account except
AWS Data Exchange
* Data Pipeline: Deny access to pipelines not created by user
* DynamoDB: Access specific table
* DynamoDB: Allow access to specific attributes
* DynamoDB: Allow item access based on a Amazon Cognito ID
* EC2: Attach or detach volumes to an EC2 instance
* EC2: Attach or detach tagged EBS volumes
* EC2: Launch instances in a subnet (includes console)
* EC2: Manage security groups with the same tags (includes console)
* EC2: Start or stop instances a user has tagged (includes console)
* EC2: Start or stop instances based on tags
* EC2: Start or stop for matching tags
* EC2: Full access within a Region (includes console)
* EC2: Start or stop an instance, modify security group (includes
console)
* EC2: Requires MFA (GetSessionToken) for operations
* EC2: Limit terminating instances to IP range
* IAM: Access the policy simulator API
* IAM: Access the policy simulator console
* IAM: Assume tagged roles
* IAM: Allows and denies multiple services (includes console)
* IAM: Add specific tag to tagged user
* IAM: Add a specific tag
* IAM: Create only tagged users
* IAM: Generate credential reports
* IAM: Manage group membership (includes console)
* IAM: Manage a tag
* IAM: Pass a role to a service
* IAM: Read-only console access (no reporting)
* IAM: Read-only console access
* IAM: Specific users manage group (includes console)
* IAM: Setting account password requirements (includes console)
* IAM: Access the policy simulator API based on user path
* IAM: Access the policy simulator console based on user path
(includes console)
* IAM: MFA self-management
* IAM: Rotate credentials (includes console)
* IAM: View Organizations service last accessed information for a
policy
* IAM: Apply limited managed policies
* AWS: Deny access to resources outside your account except AWS
managed IAM policies
* Lambda: Service access to DynamoDB
* RDS: Full access within a Region
* RDS: Restore databases (includes console)
* RDS: Full access for tag owners
* S3: Access bucket if cognito
* S3: Access federated user home directory (includes console)
* S3: Full access with recent MFA
* S3: Access IAM user home directory (includes console)
* S3: Restrict management to a specific bucket
* S3: Read and write objects to a specific bucket
* S3: Read and write to a specific bucket (includes console)
* Managing IAM policies
* Creating IAM policies
* Creating IAM policies (console)
* Creating IAM policies (CLI)
* Creating IAM policies (API)
* Validating policies
* Generating policies
* Testing IAM policies
* Add or remove identity permissions
* Versioning IAM policies
* Editing IAM policies
* Deleting IAM policies
* Refining permissions using access information
* View IAM access information
* View access information for Organizations
* Example scenarios
* Understanding policies
* Policy summary (list of services)
* Access levels in policy summaries
* Service summary (list of actions)
* Action summary (list of resources)
* Example policy summaries
* Permissions required
* Example policies for IAM
* Code examples
* IAM examples
* Actions
* Add a user to a group
* Attach a policy to a role
* Attach a policy to a user
* Attach an inline policy to a role
* Create a SAML provider
* Create a group
* Create a policy
* Create a policy version
* Create a role
* Create a service-linked role
* Create a user
* Create an access key
* Create an alias for an account
* Create an inline policy for a group
* Create an inline policy for a user
* Delete SAML provider
* Delete a group
* Delete a group policy
* Delete a policy
* Delete a role
* Delete a role policy
* Delete a server certificate
* Delete a service-linked role
* Delete a user
* Delete an access key
* Delete an account alias
* Delete an inline policy from a user
* Detach a policy from a role
* Detach a policy from a user
* Generate a credential report
* Get a credential report
* Get a detailed authorization report for your account
* Get a policy
* Get a policy version
* Get a role
* Get a server certificate
* Get a service-linked role's deletion status
* Get a summary of account usage
* Get a user
* Get data about the last use of an access key
* Get the account password policy
* List SAML providers
* List a user's access keys
* List account aliases
* List groups
* List inline policies for a role
* List inline policies for a user
* List policies
* List policies attached to a role
* List roles
* List server certificates
* List users
* Remove a user from a group
* Update a server certificate
* Update a user
* Update an access key
* Upload a server certificate
* Scenarios
* Create a group and add a user
* Create a user and assume a role
* Create read-only and read-write users
* Manage access keys
* Manage policies
* Manage roles
* Manage your account
* Roll back a policy version
* AWS STS examples
* Actions
* Assume a role
* Get a session token
* Scenarios
* Assume an IAM role that requires an MFA token
* Construct a URL for federated users
* Get a session token that requires an MFA token
* Security
* AWS security credentials
* AWS security audit guidelines
* Data protection
* Logging and monitoring
* Compliance validation
* Resilience
* Infrastructure security
* Configuration and vulnerability analysis
* Security best practices and use cases
* Security best practices
* Business use cases
* AWS managed policies
* IAM Access Analyzer
* Findings for public and cross-account access
* How IAM Access Analyzer findings work
* Getting started with IAM Access Analyzer findings
* Working with findings
* Reviewing findings
* Filtering findings
* Archiving findings
* Resolving findings
* Supported resource types
* Settings
* Archive rules
* Monitoring with EventBridge
* Security Hub integration
* Logging with CloudTrail
* IAM Access Analyzer filter keys
* Using service-linked roles
* Preview access
* Previewing access in Amazon S3 console
* Previewing access with IAM Access Analyzer APIs
* IAM Access Analyzer policy validation
* Policy check reference
* IAM Access Analyzer policy generation
* IAM Access Analyzer policy generation and action last accessed support
* IAM Access Analyzer quotas
* Troubleshooting IAM
* General issues
* Access denied error messages
* IAM policies
* FIDO security keys
* IAM roles
* IAM and Amazon EC2
* IAM and Amazon S3
* SAML 2.0 federation
* Viewing a SAML response in your browser
* Reference
* Amazon Resource Names (ARNs)
* IAM identifiers
* IAM and AWS STS quotas
* Services that work with IAM
* Signing AWS API requests
* Signature Version 4 request elements
* Create a signed request
* Troubleshoot
* Policy reference
* JSON element reference
* Version
* Id
* Statement
* Sid
* Effect
* Principal
* NotPrincipal
* Action
* NotAction
* Resource
* NotResource
* Condition
* Condition operators
* Conditions with multiple keys or values
* Single-valued vs. multivalued condition keys
* Variables and tags
* Supported data types
* Policy evaluation logic
* Cross-account policy evaluation logic
* Policy grammar
* AWS managed policies for job functions
* Creating roles and attaching policies (console)
* Global condition keys
* IAM condition keys
* Actions, resources, and condition keys
* Resources
* Making HTTP query requests
* Document history
Security best practices in IAM - AWS Identity and Access Management
AWSDocumentationAWS Identity and Access ManagementUser Guide
Require human users to use federation with an identity provider to access AWS
using temporary credentialsRequire workloads to use temporary credentials with
IAM roles to access AWSRequire multi-factor authentication (MFA)Rotate access
keys regularly for use cases that require long-term credentialsSafeguard your
root user credentials and don't use them for everyday tasksApply least-privilege
permissionsGet started with AWS managed policies and move toward least-privilege
permissionsUse IAM Access Analyzer to generate least-privilege policies based on
access activityRegularly review and remove unused users, roles, permissions,
policies, and credentialsUse conditions in IAM policies to further restrict
accessVerify public and cross-account access to resources with IAM Access
AnalyzerUse IAM Access Analyzer to validate your IAM policies to ensure secure
and functional permissionsEstablish permissions guardrails across multiple
accountsUse permissions boundaries to delegate permissions management within an
account
SECURITY BEST PRACTICES IN IAM
PDFRSS
The AWS Identity and Access Management best practices were updated on July 14,
2022.
To help secure your AWS resources, follow these best practices for AWS Identity
and Access Management (IAM).
TOPICS
* Require human users to use federation with an identity provider to access AWS
using temporary credentials
* Require workloads to use temporary credentials with IAM roles to access AWS
* Require multi-factor authentication (MFA)
* Rotate access keys regularly for use cases that require long-term credentials
* Safeguard your root user credentials and don't use them for everyday tasks
* Apply least-privilege permissions
* Get started with AWS managed policies and move toward least-privilege
permissions
* Use IAM Access Analyzer to generate least-privilege policies based on access
activity
* Regularly review and remove unused users, roles, permissions, policies, and
credentials
* Use conditions in IAM policies to further restrict access
* Verify public and cross-account access to resources with IAM Access Analyzer
* Use IAM Access Analyzer to validate your IAM policies to ensure secure and
functional permissions
* Establish permissions guardrails across multiple accounts
* Use permissions boundaries to delegate permissions management within an
account
REQUIRE HUMAN USERS TO USE FEDERATION WITH AN IDENTITY PROVIDER TO ACCESS AWS
USING TEMPORARY CREDENTIALS
Human users, also known as human identities, are the people, administrators,
developers, operators, and consumers of your applications. They must have an
identity to access your AWS environments and applications. Human users that are
members of your organization are also known as workforce identities. Human users
can also be external users with whom you collaborate, and who interact with your
AWS resources. They can do this via a web browser, client application, mobile
app, or interactive command-line tools.
Require your human users to use temporary credentials when accessing AWS. You
can use an identity provider for your human users to provide federated access to
AWS accounts by assuming roles, which provide temporary credentials. For
centralized access management, we recommend that you use AWS IAM Identity Center
(successor to AWS Single Sign-On) (IAM Identity Center) to manage access to your
accounts and permissions within those accounts. You can manage your user
identities with IAM Identity Center, or manage access permissions for user
identities in IAM Identity Center from an external identity provider. For more
information, see What is AWS IAM Identity Center (successor to AWS Single
Sign-On) in the AWS IAM Identity Center (successor to AWS Single Sign-On) User
Guide.
For more information about roles, see Roles terms and concepts.
REQUIRE WORKLOADS TO USE TEMPORARY CREDENTIALS WITH IAM ROLES TO ACCESS AWS
A workload is a collection of resources and code that delivers business value,
such as an application or backend process. Your workload can have applications,
operational tools, and components that require an identity to make requests to
AWS services, such as requests to read data. These identities include machines
running in your AWS environments, such as Amazon EC2 instances or AWS Lambda
functions.
You can also manage machine identities for external parties who need access. To
give access to machine identities, you can use IAM roles. IAM roles have
specific permissions and provide a way to access AWS by relying on temporary
security credentials with a role session. Additionally, you might have machines
outside of AWS that need access to your AWS environments. For machines that run
outside of AWS you can use AWS Identity and Access Management Roles Anywhere.
For more information about roles, see IAM roles. For details about how to use
roles to delegate access across AWS accounts, see IAM tutorial: Delegate access
across AWS accounts using IAM roles.
REQUIRE MULTI-FACTOR AUTHENTICATION (MFA)
We recommend using IAM roles for human users and workloads that access your AWS
resources so that they use temporary credentials. However, for scenarios in
which you need an IAM user or root user in your account, require MFA for
additional security. With MFA, users have a device that generates a response to
an authentication challenge. Each user's credentials and device-generated
response are required to complete the sign-in process. For more information, see
Using multi-factor authentication (MFA) in AWS.
If you use IAM Identity Center for centralized access management for human
users, you can use the IAM Identity Center MFA capabilities when your identity
source is configured with the IAM Identity Center identity store, AWS Managed
Microsoft AD, or AD Connector. For more information about MFA in IAM Identity
Center see Multi-factor authentication in the AWS IAM Identity Center (successor
to AWS Single Sign-On) User Guide.
ROTATE ACCESS KEYS REGULARLY FOR USE CASES THAT REQUIRE LONG-TERM CREDENTIALS
Where possible, we recommend relying on temporary credentials instead of
creating long-term credentials such as access keys. However, for scenarios in
which you need IAM users with programmatic access and long-term credentials, we
recommend that you rotate access keys. Regularly rotating long-term credentials
helps you familiarize yourself with the process. This is useful in case you are
ever in a situation where you must rotate credentials, such as when an employee
leaves your company. We recommend that you use IAM access last used information
to rotate and remove access keys safely. For more information, see Rotating
access keys.
There are specific use cases that require long-term credentials with IAM users
in AWS. Some of the use cases include the following:
* Workloads that cannot use IAM roles – You might run a workload from a
location that needs to access AWS. In some situations, you can't use IAM
roles to provide temporary credentials, such as for WordPress plugins. In
these situations, use IAM user long-term access keys for that workload to
authenticate to AWS.
* Third-party AWS clients – If you are using tools that don’t support access
with IAM Identity Center, such as third-party AWS clients or vendors that are
not hosted on AWS, use IAM user long-term access keys.
* AWS CodeCommit access – If you are using CodeCommit to store your code, you
can use an IAM user with either SSH keys or service-specific credentials for
CodeCommit to authenticate to your repositories. We recommend that you do
this in addition to using a user in IAM Identity Center for normal
authentication. Users in IAM Identity Center are the people in your workforce
who need access to your AWS accounts or to your cloud applications. To give
users access to your CodeCommit repositories without configuring IAM users,
you can configure the git-remote-codecommit utility. For more information
about IAM and CodeCommit, see Using IAM with CodeCommit: Git credentials, SSH
keys, and AWS access keys. For more information about configuring the
git-remote-codecommit utility, see Connecting to AWS CodeCommit repositories
with rotating credentials in the AWS CodeCommit User Guide.
* Amazon Keyspaces (for Apache Cassandra) access – In a situation where you are
unable to use users in IAM Identity Center, such as for testing purposes for
Cassandra compatibility, you can use an IAM user with service-specific
credentials to authenticate with Amazon Keyspaces. Users in IAM Identity
Center are the people in your workforce who need access to your AWS accounts
or to your cloud applications. You can also connect to Amazon Keyspaces using
temporary credentials. For more information, see Using temporary credentials
to connect to Amazon Keyspaces using an IAM role and the SigV4 plugin in the
Amazon Keyspaces (for Apache Cassandra) Developer Guide.
SAFEGUARD YOUR ROOT USER CREDENTIALS AND DON'T USE THEM FOR EVERYDAY TASKS
When you create an AWS account you establish a root user name and password to
sign in to the AWS Management Console. Safeguard your root user credentials the
same way you would protect other sensitive personal information. You can do this
by configuring MFA for your root user credentials. We don't recommend generating
access keys for your root user, because they allow full access to all your
resources for all AWS services, including your billing information. Don’t use
your root user for everyday tasks. Use the root user to complete the tasks that
only the root user can perform. For the complete list of tasks that require you
to sign in as the root user, see Tasks that require root user credentials in the
AWS Account Management Reference Guide.
For additional best practices, see Best practices to protect your account's root
user in the AWS Account Management User Guide.
APPLY LEAST-PRIVILEGE PERMISSIONS
When you set permissions with IAM policies, grant only the permissions required
to perform a task. You do this by defining the actions that can be taken on
specific resources under specific conditions, also known as least-privilege
permissions. You might start with broad permissions while you explore the
permissions that are required for your workload or use case. As your use case
matures, you can work to reduce the permissions that you grant to work toward
least privilege. For more information about using IAM to apply permissions, see
Policies and permissions in IAM.
GET STARTED WITH AWS MANAGED POLICIES AND MOVE TOWARD LEAST-PRIVILEGE
PERMISSIONS
To get started granting permissions to your users and workloads, use the AWS
managed policies that grant permissions for many common use cases. They are
available in your AWS account. Keep in mind that AWS managed policies might not
grant least-privilege permissions for your specific use cases because they are
available for use by all AWS customers. As a result, we recommend that you
reduce permissions further by defining customer managed policies that are
specific to your use cases. For more information, see AWS managed policies. For
more information about AWS managed policies that are designed for specific job
functions, see AWS managed policies for job functions.
USE IAM ACCESS ANALYZER TO GENERATE LEAST-PRIVILEGE POLICIES BASED ON ACCESS
ACTIVITY
To grant only the permissions required to perform a task, you can generate
policies based on your access activity that is logged in AWS CloudTrail. IAM
Access Analyzer analyzes the services and actions that your IAM roles use, and
then generates a fine-grained policy that you can use. After you test each
generated policy, you can deploy the policy to your production environment. This
ensures that you grant only the required permissions to your workloads. For more
information about policy generation, see IAM Access Analyzer policy generation.
REGULARLY REVIEW AND REMOVE UNUSED USERS, ROLES, PERMISSIONS, POLICIES, AND
CREDENTIALS
You might have IAM users, roles, permissions, policies, or credentials that you
no longer need in your AWS account. IAM provides last accessed information to
help you identify the users, roles, permissions, policies, and credentials that
you no longer need so that you can remove them. This helps you reduce the number
of users, roles, permissions, policies, and credentials that you have to
monitor. You can also use this information to refine your IAM policies to better
adhere to least-privilege permissions. For more information, see Refining
permissions in AWS using last accessed information.
USE CONDITIONS IN IAM POLICIES TO FURTHER RESTRICT ACCESS
You can specify conditions under which a policy statement is in effect. That
way, you can grant access to actions and resources, but only if the access
request meets specific conditions. For example, you can write a policy condition
to specify that all requests must be sent using SSL. You can also use conditions
to grant access to service actions, but only if they are used through a specific
AWS service, such as AWS CloudFormation. For more information, see IAM JSON
policy elements: Condition.
VERIFY PUBLIC AND CROSS-ACCOUNT ACCESS TO RESOURCES WITH IAM ACCESS ANALYZER
Before you grant permissions for public or cross-account access in AWS, we
recommend that you verify if such access is required. You can use IAM Access
Analyzer to help you preview and analyze public and cross-account access for
supported resource types. You do this by reviewing the findings that IAM Access
Analyzer generates. These findings help you verify that your resource access
controls grant the access that you expect. Additionally, as you update public
and cross-account permissions, you can verify the effect of your changes before
deploying new access controls to your resources. IAM Access Analyzer also
monitors supported resource types continuously and generates a finding for
resources that allow public or cross-account access. For more information, see
Previewing access with IAM Access Analyzer APIs.
USE IAM ACCESS ANALYZER TO VALIDATE YOUR IAM POLICIES TO ENSURE SECURE AND
FUNCTIONAL PERMISSIONS
Validate the policies you create to ensure that they adhere to the IAM policy
language (JSON) and IAM best practices. You can validate your policies by using
IAM Access Analyzer policy validation. IAM Access Analyzer provides more than
100 policy checks and actionable recommendations to help you author secure and
functional policies. As you author new policies or edit existing policies in the
console, IAM Access Analyzer provides recommendations to help you refine and
validate your policies before you save them. Additionally, we recommend that you
review and validate all of your existing policies. For more information, see IAM
Access Analyzer policy validation. For more information about policy checks
provided by IAM Access Analyzer, see IAM Access Analyzer policy check reference.
ESTABLISH PERMISSIONS GUARDRAILS ACROSS MULTIPLE ACCOUNTS
As you scale your workloads, separate them by using multiple accounts that are
managed with AWS Organizations. We recommend that you use Organizations service
control policies (SCPs) to establish permissions guardrails to control access
for all IAM users and roles across your accounts. SCPs are a type of
organization policy that you can use to manage permissions in your organization
at the AWS organization, OU, or account level. The permissions guardrails that
you establish apply to all users and roles within the covered accounts. However,
SCPs alone are insufficient to grant permissions to the accounts in your
organization. To do this, your administrator must attach identity-based or
resource-based policies to IAM users, IAM roles, or the resources in your
accounts. For more information, see AWS Organizations, accounts, and IAM
guardrails.
USE PERMISSIONS BOUNDARIES TO DELEGATE PERMISSIONS MANAGEMENT WITHIN AN ACCOUNT
In some scenarios, you might want to delegate permissions management within an
account to others. For example, you could allow developers to create and manage
roles for their workloads. When you delegate permissions to others, use
permissions boundaries to set the maximum permissions that you delegate. A
permissions boundary is an advanced feature for using a managed policy to set
the maximum permissions that an identity-based policy can grant to an IAM role.
A permissions boundary does not grant permissions on its own. For more
information, see Permissions boundaries for IAM entities.
Javascript is disabled or is unavailable in your browser.
To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.
Document Conventions
Security best practices and use cases
Business use cases
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of
it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
Did this page help you?
Yes
No
Provide feedback
Next topic:Business use cases
Previous topic:Security best practices and use cases
Need help?
* Try AWS re:Post
* Connect with an AWS IQ expert
PrivacySite termsCookie preferences
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ON THIS PAGE
--------------------------------------------------------------------------------
* Require human users to use federation with an identity provider to access AWS
using temporary credentials
* Require workloads to use temporary credentials with IAM roles to access AWS
* Require multi-factor authentication (MFA)
* Rotate access keys regularly for use cases that require long-term credentials
* Safeguard your root user credentials and don't use them for everyday tasks
* Apply least-privilege permissions
* Get started with AWS managed policies and move toward least-privilege
permissions
* Use IAM Access Analyzer to generate least-privilege policies based on access
activity
* Regularly review and remove unused users, roles, permissions, policies, and
credentials
* Use conditions in IAM policies to further restrict access
* Verify public and cross-account access to resources with IAM Access Analyzer
* Use IAM Access Analyzer to validate your IAM policies to ensure secure and
functional permissions
* Establish permissions guardrails across multiple accounts
* Use permissions boundaries to delegate permissions management within an
account
DID THIS PAGE HELP YOU? - NO
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
Feedback