
IAM Users

Create and manage individual identities for people and applications

An IAM user is an identity within your AWS account that has long-term credentials and specific permissions. Users represent people or applications that need to interact with AWS resources and cannot, or do not yet, obtain temporary credentials by assuming a role.

When to Use IAM Users

Use IAM users only when a person or workload genuinely needs its own long-term credentials. AWS recommends that people sign in with temporary credentials through IAM Identity Center (federation) and that workloads on EC2, Lambda, ECS and similar services assume IAM roles. Reserve IAM users with access keys for third-party tools and legacy integrations that cannot assume a role, and treat every such key as a long-lived secret that must be rotated, monitored and deleted when no longer needed.

User Components

User Credentials

Each IAM user can have multiple types of credentials:

Credential Type          Use Case                              Best Practice
Console Password         AWS Management Console access         Require MFA; enforce the account password policy
Access Keys              AWS CLI and SDK access                Rotate regularly; never share or commit them
SSH Keys                 CodeCommit access over SSH            One key pair per user; remove keys when people leave
HTTPS Git Credentials    CodeCommit access over HTTPS          Generate through the IAM console; rotate like a password

Access Keys

Access keys consist of two parts:

  • Access Key ID - The non-secret identifier (e.g., AKIAIOSFODNN7EXAMPLE). Long-term IAM user keys begin with AKIA; temporary credentials issued by STS begin with ASIA. The ID appears in CloudTrail and CLI output, so it is not confidential, but it still identifies the user and should not be published needlessly.
  • Secret Access Key - The secret half, returned only once at creation. If it is lost there is no way to retrieve it; create a new key instead. A user can hold at most two access keys at a time.
Create Access Key
aws iam create-access-key --user-name developer

# Output
{
    "AccessKey": {
        "UserName": "developer",
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "Status": "Active",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
}

Security Warning

Never commit access keys to version control, paste them into tickets or chat, or bake them into container images or AMIs. Keep them out of source entirely: on a workstation, store them in the AWS credentials file (~/.aws/credentials) or in environment variables; in CI and on servers, prefer an IAM role or a secrets manager. If a key is ever exposed, deactivate it immediately, review CloudTrail for its use, and then delete it.
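As an added example (not code from the page), the following pre-commit style scanner looks for access key IDs and secret access keys in text before it reaches a repository. The AKIA/ASIA prefixes and the 20-character key ID length are real AWS formats; the sample credentials file, the regex names and the masking format are constructed for the example. The secret-key pattern is only reported next to a "secret ... key" style label, because 40 base64 characters on their own match far too much.

```python
"""Pre-commit style scan for AWS access keys in text (added example, not from the page)."""
import re

# Long-term IAM user key IDs start with AKIA, temporary STS key IDs with ASIA;
# both are exactly 20 uppercase letters/digits, so the boundary checks matter.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-alphabet characters. Alone that pattern is
# noisy, so it is only reported when it follows a "secret ... key" style name.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret_?(?:access)?_?key\W{0,4}['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample: a credentials file that was staged for commit by mistake.
SAMPLE_STAGED_FILE = """\
# constructed sample credentials file
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
# AKIAIOSFODNN7EXAMPLETOOLONG is not a key ID: the boundary check rejects it
"""


def find_leaked_keys(text):
    """Return (line_number, kind, value) for each hit; secret values are masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            kind = "long-term access key id" if m.group(1) == "AKIA" else "temporary access key id"
            findings.append((lineno, kind, m.group(0)))
        m = SECRET_KEY_RE.search(line)
        if m:
            secret = m.group(1)
            # never echo the full secret back into logs or CI output
            findings.append((lineno, "secret access key", secret[:4] + "..." + secret[-4:]))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in find_leaked_keys(SAMPLE_STAGED_FILE):
        print(f"line {lineno}: {kind}: {value}")
```

Wire find_leaked_keys over the staged diff in a pre-commit hook and fail the commit on any finding; a temporary ASIA key is worth flagging too, since the matching session token is usually right next to it.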

Creating Users

Create the User

Create User
aws iam create-user --user-name developer

Response:

Response
{
    "User": {
        "UserName": "developer",
        "UserId": "AIDAEXAMPLEID",
        "Arn": "arn:aws:iam::123456789012:user/developer",
        "Path": "/",
        "CreateDate": "2024-01-15T10:30:00Z"
    }
}

Add to a Group

Add to Group
aws iam add-user-to-group \
  --user-name developer \
  --group-name Developers

Create Console Password (Optional)

Only create a console password if the user actually needs the console; many service users should have access keys only. --password-reset-required forces a change at first sign-in. A password typed on the command line is recorded in shell history, so in practice generate it in a subshell or pass it with --cli-input-json from a file that is deleted afterwards.

Create Login Profile
aws iam create-login-profile \
  --user-name developer \
  --password "TempPassword123!" \
  --password-reset-required

Enable MFA

Enable Virtual MFA
# Create virtual MFA device. The output's SerialNumber is the ARN used below;
# the QR code (or the seed, with --bootstrap-method Base32StringSeed) is a secret
# and must be deleted once the authenticator app has imported it.
aws iam create-virtual-mfa-device \
  --virtual-mfa-device-name developer-mfa \
  --outfile /tmp/qrcode.png \
  --bootstrap-method QRCodePNG

# Enable MFA for the user. The two codes must be consecutive TOTP values from
# the device (its current code and the next one), so they expire within seconds.
aws iam enable-mfa-device \
  --user-name developer \
  --serial-number arn:aws:iam::123456789012:mfa/developer-mfa \
  --authentication-code1 123456 \
  --authentication-code2 789012
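The two authentication codes above are ordinary RFC 6238 TOTP values (HMAC-SHA1, 30-second windows, six digits), which is what a virtual MFA device computes from its seed. The following added example, not code from the page, derives them in Python so that MFA enrollment can be scripted; it uses the RFC 6238 reference secret as a constructed seed, and the function names are the example's own. The assumption that the Base32 seed written by --bootstrap-method Base32StringSeed can be fed straight to this function is the example's, and a real seed must be treated as a credential.

```python
"""Derive the two consecutive codes that enable-mfa-device expects (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: the RFC 6238 reference secret "12345678901234567890" in Base32.
# A real seed is what `create-virtual-mfa-device --bootstrap-method Base32StringSeed`
# writes to --outfile (assumed usable as-is here); it is a credential, handle it like one.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s window, 6 digits), the scheme virtual MFA uses."""
    seed = seed_b32.strip().upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))   # restore Base32 padding
    counter = int(at_time) // step                            # time window number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enrollment_codes(seed_b32, at_time=None, step=30):
    """Codes for --authentication-code1/--authentication-code2.

    Uses the previous window and the current one, so both are already valid
    at the moment the call is made (a code for the next window would not be).
    """
    now = time.time() if at_time is None else at_time
    window_start = (int(now) // step) * step
    return totp(seed_b32, window_start - step), totp(seed_b32, window_start)


if __name__ == "__main__":
    code1, code2 = enrollment_codes(RFC6238_SEED_B32)
    print(f"--authentication-code1 {code1} --authentication-code2 {code2}")
```

Because the codes are bound to the clock, a machine whose time drifts by more than a window or so will fail enrollment with an InvalidAuthenticationCode error even though the seed is correct; check NTP before suspecting the seed.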

User Paths

Organize users with paths for easier management. The path becomes part of the user's ARN (arn:aws:iam::123456789012:user/engineering/backend/developer), but user names must still be unique across the whole account, so this call fails with EntityAlreadyExists if the developer user created above still exists:

Create User with Path
aws iam create-user \
  --user-name developer \
  --path /engineering/backend/

Paths help with:

  • Organizing users by department or team
  • Scoping other policies by ARN: a delegated administrator can be allowed to manage only arn:aws:iam::123456789012:user/engineering/* in the Resource element of an iam:* statement
  • Delegated user creation with a required permissions boundary: a policy can allow iam:CreateUser under a given path only when the iam:PermissionsBoundary condition key names the approved boundary
List Users by Path
aws iam list-users --path-prefix /engineering/

Permission Boundaries

Limit the maximum permissions a user can have:

Set Permission Boundary
aws iam put-user-permissions-boundary \
  --user-name developer \
  --permissions-boundary arn:aws:iam::123456789012:policy/DeveloperBoundary

A permissions boundary is a managed policy that caps what the user's identity-based policies can grant: the effective permissions are the intersection of the two. The boundary grants nothing by itself, and an explicit Deny in either policy still wins. It does not cap permissions that a resource-based policy (for example an S3 bucket policy) grants directly to the user's ARN, and it is not a substitute for service control policies at the organization level. Boundaries are mostly used for delegated administration: a team lead may create users and attach policies only if each new user carries the approved boundary.
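The intersection rule is easy to state and easy to misread, so here is an added example (not the page's or AWS's code) that models it at the action level: an identity policy, a boundary, and a check of which actions survive both. The policy documents are constructed and hypothetical (DeveloperBoundary stands in for the policy named above); the model deliberately ignores Resource and Condition elements, resource-based policies, SCPs and session policies, and only the action-name matching (case-insensitive, with * and ? wildcards) mirrors IAM.

```python
"""Action-level model of how a permissions boundary caps a user (added example)."""
import fnmatch
import json

# Constructed, hypothetical policies. DEVELOPER_BOUNDARY plays the role of the
# managed policy attached with put-user-permissions-boundary; IDENTITY_POLICY is
# what the user's group would attach. Only the Action element is modelled.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:CreateUser"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "logs:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM compares action names case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy, action):
    """'deny' if an explicit Deny matches, 'allow' if an Allow matches, else 'implicit_deny'."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "deny"          # explicit deny always wins
            decision = "allow"
    return decision


def is_effectively_allowed(action, identity=IDENTITY_POLICY, boundary=DEVELOPER_BOUNDARY):
    """Allowed only when both policies allow: the boundary caps, it never grants."""
    return (policy_decision(identity, action) == "allow"
            and policy_decision(boundary, action) == "allow")


def explain(actions, identity=IDENTITY_POLICY, boundary=DEVELOPER_BOUNDARY):
    """Map each action to (identity decision, boundary decision, effective result)."""
    return {
        a: (policy_decision(identity, a), policy_decision(boundary, a),
            is_effectively_allowed(a, identity, boundary))
        for a in actions
    }


if __name__ == "__main__":
    print(json.dumps(DEVELOPER_BOUNDARY, indent=2))   # the document you would pass to create-policy
    sample = ["s3:GetObject", "s3:DeleteBucket", "ec2:DescribeInstances",
              "ec2:RunInstances", "iam:CreateUser", "logs:PutLogEvents"]
    for action, (ident, bound, effective) in explain(sample).items():
        print(f"{action:24} identity={ident:13} boundary={bound:13} effective={effective}")
```

The two cases worth remembering from the output: iam:CreateUser is allowed by the identity policy but cut off by the boundary, and logs:PutLogEvents is allowed by the boundary but never granted, because nothing in the identity policy allows it.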

Managing User Credentials

Rotate Access Keys

Create New Access Key

Create New Key
aws iam create-access-key --user-name developer

Update Applications

Update every application, CI pipeline and workstation that uses the old key to the new one. Before deactivating, confirm the old key has gone quiet with aws iam get-access-key-last-used; deactivating rather than deleting straight away leaves a rollback path if something was missed. Because a user can hold only two keys, a leftover inactive key from a previous rotation must be deleted before create-access-key will succeed again.

Deactivate Old Key

Deactivate Old Key
aws iam update-access-key \
  --user-name developer \
  --access-key-id AKIAIOSFODNN7EXAMPLE \
  --status Inactive

Delete Old Key

After confirming everything works:

Delete Old Key
aws iam delete-access-key \
  --user-name developer \
  --access-key-id AKIAIOSFODNN7EXAMPLE

Password Policy

Configure account-wide password requirements. The policy applies to IAM user console passwords only; it does not affect the root user, federated users, or access keys:

Set Password Policy
aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --allow-users-to-change-password \
  --max-password-age 90 \
  --password-reuse-prevention 24

User Tags

Add metadata to users for organization, cost allocation and attribute-based access control (policies can match tags through the aws:PrincipalTag condition key):

Tag User
aws iam tag-user \
  --user-name developer \
  --tags Key=Department,Value=Engineering Key=CostCenter,Value=12345

Best Practices

Security Best Practices

  1. Lock down the root user - Use it only for tasks that require it, protect it with MFA, never create access keys for it, and do everyday work as an IAM user or federated identity
  2. Enable MFA - For every user with a console password, and without exception for privileged users
  3. Use groups - Assign permissions via groups, not directly to users
  4. Rotate credentials - Regularly rotate access keys and delete keys that are inactive or unused
  5. Apply least privilege - Grant only necessary permissions, and use permissions boundaries where users can create other identities
  6. Use roles for applications - EC2 instances, Lambda functions and containers should use roles, not user credentials

Auditing User Activity

Check Last Used Credentials

Get Credential Report
# Generation is asynchronous: rerun until the output reports "State": "COMPLETE".
# The report is cached for up to four hours, so a fresh one is not always produced.
aws iam generate-credential-report
# Content is base64-encoded CSV with one row per user, including the root user
aws iam get-credential-report --output text --query Content | base64 -d

List Access Keys with Last Used

Access Key Last Used
aws iam get-access-key-last-used --access-key-id AKIAIOSFODNN7EXAMPLE
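The credential report is the one place that shows, for every user at once, whether a console password has MFA, when each access key was last rotated and when it was last used, which is exactly what the rotation procedure and the last-used check above need in bulk. The following added example, not the page's code, parses the decoded CSV and flags the usual problems. The column names and the N/A, no_information and not_supported markers are the real report format; the three rows of data and the fixed reference time are constructed so the run is reproducible.

```python
"""Audit a decoded IAM credential report for stale or risky credentials (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report's CSV layout (values are made up).
# In practice this is the base64-decoded Content from get-credential-report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
developer,arn:aws:iam::123456789012:user/developer,2023-06-01T00:00:00+00:00,true,2024-01-14T09:00:00+00:00,2023-06-01T00:00:00+00:00,2023-08-30T00:00:00+00:00,false,true,2023-06-01T00:00:00+00:00,2024-01-14T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2023-12-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-12-01T00:00:00+00:00,2023-12-10T00:00:00+00:00,us-east-1,ecr,true,2024-01-10T00:00:00+00:00,2024-01-14T12:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""

# Fixed reference time so the sample gives reproducible results.
REPORT_TIME = datetime(2024, 1, 15, tzinfo=timezone.utc)


def _timestamp(value):
    """Report cells are ISO 8601 timestamps or one of N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_report(report_csv, now=REPORT_TIME, max_key_age_days=90, unused_days=30):
    """Return (user, finding) pairs: missing MFA, root keys, old or idle access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue                      # inactive or absent key
            if user == "<root_account>":
                findings.append((user, f"root access key {n} is active"))
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            used = _timestamp(row[f"access_key_{n}_last_used_date"])
            if used is None:
                findings.append((user, f"access key {n} never used"))
            elif now - used > timedelta(days=unused_days):
                # typical leftover from a rotation whose "deactivate old key" step was skipped
                findings.append((user, f"access key {n} unused for {unused_days}+ days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

In the sample, developer has a console password with no MFA and a key that has never been rotated, while ci-bot still carries its pre-rotation key, active but idle for over a month; the idle key is the one to deactivate and then delete.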
