

# Getting started with IAM
<a name="getting-started"></a>

AWS Identity and Access Management (IAM) helps you securely control access to Amazon Web Services (AWS) and your account resources. IAM can also keep your sign-in credentials private. You don't specifically sign up to use IAM. There is no charge to use IAM. 

Use IAM to give identities, such as users and roles, access to resources in your account. For example, you can use IAM with existing users in your corporate directory that you manage external to AWS or you can create users in AWS using AWS IAM Identity Center. Federated identities assume defined IAM roles to access the resources they need. For more information about IAM Identity Center, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide.*

**Note**  
IAM is integrated with several AWS products. For a list of services that support IAM, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md).

To learn about getting started with AWS, creating an administrative user, setting up AWS Organizations, and using multiple services to solve a problem such as building and launching your first project, see the [Getting Started Resource Center](https://aws.amazon.com/getting-started/). 

# Setting up your AWS account
<a name="getting-started-account-iam"></a>

Before you start working with IAM, make sure you have completed the initial set up of your AWS environment.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

When you signed up for the service, you created an AWS account using an email address and a password. Those are your AWS root user credentials. As a best practice, you don't use your root user credentials to access AWS for daily tasks. Only use your root user credentials to perform [tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html). Also, do not share your credentials with anyone else. Instead, add people to your directory and give them access to your AWS account.

**To secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Grant access to the billing console**

IAM users and roles in an AWS account can't access the Billing and Cost Management console by default. This is true even if they have IAM policies that grant access to certain Billing features. To grant access, the AWS account root user must first activate IAM access.
**Note**  
As a security best practice, we recommend that you provide access to your resources through identity federation with [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html). When you enable IAM Identity Center in conjunction with AWS Organizations, the Billing and Cost Management console is enabled by default with consolidated billing for all AWS accounts in your organization. For more information, see [Consolidating billing for AWS Organizations](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html) in the *Billing and Cost Management User Guide*.

1. Sign in to the AWS Management Console with your root user credentials (specifically, the email address and password that you used to create your AWS account).

1. On the navigation bar, select your account name, and then select [Account](https://console.aws.amazon.com/billing/home#/account).

1. Scroll down the page until you find the section **IAM User and Role Access to Billing Information**, then select **Edit**.

1. Select the **Activate IAM Access** check box to activate access to the Billing and Cost Management console pages.

1. Choose **Update**.

    The page displays the message **IAM user/role access to billing information is activated**.
**Important**  
Activating IAM access alone doesn't grant any permissions for users or roles to view the Billing and Cost Management console pages. You must also attach the required identity-based policies to IAM roles to grant access to the billing console. Roles provide temporary credentials that users can assume when needed.

1. Use the AWS Management Console to [create a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) that a user can assume to access the billing console.

1. On the **Add permissions** page for the role, add permissions to list and view details about the Billing resources in your AWS account.

   The AWS managed policy [Billing](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/managed-policies.html#security-iam-awsmanpol-Billing) grants users permission to view and edit the Billing and Cost Management console. This includes viewing account usage and modifying budgets and payment methods. For more policy examples that you can attach to IAM roles to control access to your account’s billing information, see [AWS Billing policy examples](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-example-policies.html) in the *Billing and Cost Management User Guide*.

# Viewing your AWS account ID
<a name="console-account-id"></a>

If you are signed into the console, you can view the account ID for your AWS account using the following methods.

## To view your AWS account ID
<a name="console-account-id-section-1"></a>

------
#### [ Console ]

The AWS account ID is displayed when you go to the IAM **Dashboard** in the AWS account section. You can also view your account ID in the navigation bar at the upper right. Choose your user name, and the account ID is displayed above your user name.

![\[Account information drop-down box with account ID highlighted\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/find-account-id.png)


------
#### [ AWS CLI ]

Use the following command to view your user ID, account ID, and your user ARN:
+ [aws sts get-caller-identity](https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html)

------
#### [ API ]

Use the following API to view your user ID, account ID, and your user ARN:
+ [GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) 

------

# Using an alias for your AWS account ID
<a name="console-account-alias"></a>

Your account ID is a 12-digit number that uniquely identifies your account. By default, IAM users in the account sign in using a web URL that includes the account ID. If they don't have the URL, they can provide the account ID on the AWS sign-in page when they sign in.

Your sign-in page URL has the following format, by default.

```
https://Your_Account_ID.signin.aws.amazon.com/console/
```

Many people find words easier to remember than numbers, so creating an alias for your account ID can make signing in easier for your IAM users.

If you create an AWS account alias for your AWS account ID, your sign-in page URL looks like the following example.

```
https://Your_Account_Alias.signin.aws.amazon.com/console/
```

**Considerations before creating an account alias**
+ Your AWS account can have only one alias. If you create a new alias for your AWS account, the new alias overwrites the previous alias, and the URL containing the previous alias stops working.
+ The account alias must contain only digits, lowercase letters, and hyphens. For more information on limitations on AWS account entities, see [IAM and AWS STS quotas](reference_iam-quotas.md).
+ The account alias must be unique across all Amazon Web Services products within a given network *partition*.

  A *partition* is a group of AWS Regions. Each AWS account is scoped to one partition.

  The following are the supported partitions:
  + `aws` - AWS Regions
  + `aws-cn` - China Regions
  + `aws-us-gov` - AWS GovCloud (US) Regions

**Note**  
Account aliases are not secrets, and they will appear in your public-facing sign-in page URL. Do not include any sensitive information in your account alias.  
The original URL containing your AWS account ID remains active and can be used after you create your AWS account alias.
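The following Python script is an added example (not from the IAM User Guide) that ties together the account ID and alias rules above: it reads the account ID from the JSON that `aws sts get-caller-identity` returns, checks a candidate alias against the character rules stated on this page, and builds the sign-in URL in either form. The length limit (3 to 63 characters) and the rules that an alias must not start or end with a hyphen or contain two consecutive hyphens are taken from the CreateAccountAlias API reference rather than from this page; the sample identity output is constructed.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")

# Length and hyphen-placement limits are assumptions taken from the CreateAccountAlias
# API reference rather than from this page, which only states the character set.
ALIAS_MIN_LEN, ALIAS_MAX_LEN = 3, 63


def validate_account_alias(alias):
    """Return the problems with a candidate alias; an empty list means it is acceptable."""
    problems = []
    if not ALIAS_MIN_LEN <= len(alias) <= ALIAS_MAX_LEN:
        problems.append("length must be %d-%d characters" % (ALIAS_MIN_LEN, ALIAS_MAX_LEN))
    if re.search(r"[^a-z0-9-]", alias):
        # Uppercase letters, spaces and punctuation other than '-' are all rejected.
        problems.append("only lowercase letters, digits and hyphens are allowed")
    elif alias.startswith("-") or alias.endswith("-") or "--" in alias:
        problems.append("must start and end with a letter or digit and not contain '--'")
    return problems


def parse_caller_identity(output_json):
    """Extract and sanity-check the account ID from `aws sts get-caller-identity` output."""
    account = json.loads(output_json)["Account"]
    if not ACCOUNT_ID_RE.match(account):
        raise ValueError("unexpected account ID: %r" % account)
    return account


def signin_url(account_id_or_alias):
    """Build the console sign-in URL for either form shown on this page."""
    label = account_id_or_alias
    if not ACCOUNT_ID_RE.match(label):
        problems = validate_account_alias(label)
        if problems:
            raise ValueError("invalid alias %r: %s" % (label, "; ".join(problems)))
    return "https://%s.signin.aws.amazon.com/console/" % label


# Constructed sample in the shape of `aws sts get-caller-identity --output json`;
# the IDs are documentation-style placeholders, not a real account.
SAMPLE_CALLER_IDENTITY = """{
    "UserId": "AIDACKCEVSQ6C2EXAMPLE",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/EmergencyAccess"
}"""

if __name__ == "__main__":
    account_id = parse_caller_identity(SAMPLE_CALLER_IDENTITY)
    print("account ID URL:", signin_url(account_id))
    for candidate in ("example-corp-prod", "ExampleCorp", "example--corp", "-prod", "ab"):
        problems = validate_account_alias(candidate)
        print("%-20s %s" % (candidate, "ok" if not problems else "; ".join(problems)))
```

On a real account, replace the constructed sample with the output of `aws sts get-caller-identity --output json`. Validating the alias locally before calling `aws iam create-account-alias` matters because a new alias replaces the old one without confirmation, so a typo takes the previous sign-in URL out of service.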

# Creating an account alias
<a name="account-alias-create"></a>

To perform the following steps, you must have at least the following IAM permissions:
+ `iam:ListAccountAliases`
+ `iam:CreateAccountAlias`

## To create an AWS account alias
<a name="console-account-alias-section-1"></a>

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Dashboard**.

1. In the **AWS Account** section, next to **Account Alias**, choose **Create**. If an alias already exists, then choose **Edit**.

1. In the dialog box, enter the name you want to use for your alias, then choose **Save changes**.

------
#### [ AWS CLI ]

Run the following command:
+ [`aws iam create-account-alias`](https://docs.aws.amazon.com/cli/latest/reference/iam/create-account-alias.html)

------
#### [ API ]

To create an alias for your AWS Management Console sign-in page URL, call the following operation:
+ [`CreateAccountAlias`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccountAlias.html)

------

# Deleting an account alias
<a name="account-alias-delete"></a>

To perform the following steps, you must have at least the following IAM permissions:
+ `iam:ListAccountAliases`
+ `iam:DeleteAccountAlias`

## To delete an account alias
<a name="console-account-alias-section-2"></a>

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Dashboard**.

1. In the **AWS Account** section, next to **Account Alias**, choose **Delete**. 

------
#### [ AWS CLI ]

To delete an AWS account ID alias, run the following command:
+ [`aws iam delete-account-alias`](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-account-alias.html)

To confirm that the account alias is deleted, attempt to display your AWS account ID alias, by running the following command: 
+ [`aws iam list-account-aliases`](https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html)

------
#### [ API ]

To delete an AWS account ID alias, call the following operation:
+ [`DeleteAccountAlias`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountAlias.html)

To confirm that the account alias is deleted, attempt to display your AWS account ID alias by calling the following operation:
+ [`ListAccountAliases`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html)

------

**Note**  
After deleting your account alias, the only sign-in URL for your account is based on your account ID. Any attempt to connect to the alias URL fails and is not redirected.

# Plan access to your AWS account
<a name="gs-identities"></a>

When setting up AWS, plan how you intend people to access your AWS account and resources to set up a well-designed and secure identity management solution. 

**Identity sources**

According to IAM best practices, human users and workloads should use temporary credentials when they access your AWS resources. Temporary credentials are granted to identities that access your resources by assuming an IAM role. Both users federated into IAM and users in IAM Identity Center (either federated or created in the IAM Identity Center directory) use IAM roles to access resources.

Before you get started using AWS, plan how to set up your identities either by:
+ Enabling IAM Identity Center with AWS Organizations and adding users in IAM Identity Center directly to the organizational directory.

  To learn how to add users directly to the IAM Identity Center organizational directory, see [Add users](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html).
+ Federating your existing external identity provider with either IAM Identity Center or IAM.

  To learn how to federate an external identity provider to the IAM Identity Center organizational directory, use the appropriate [Getting started tutorial](https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html).

**Access management**

Identify the AWS resources and services that your users will access and define the access permissions and policies required for each user, group, or role.
+ If you use IAM Identity Center, an IAM identity provider as well as IAM roles and permissions policies are automatically created in each AWS account in your organization. These roles and permissions align with the permissions you specify when you assign people or groups to specific applications or AWS accounts.

  For more information, see [Assign user access](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-assign-account-access-user.html) and [Set up single sign-on access to your applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/set-up-single-sign-on-access-to-applications.html).
+ If you federate your identity provider directly with IAM in your AWS account, you have to create a role for your users to assume and two policies: a trust policy that specifies who can assume the role, and a permissions policy that specifies the AWS actions and resources that the person assuming the role is allowed or denied access to.

  For more information, see [Identity providers and federation into AWS](id_roles_providers.md).
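As an added example (not from the IAM User Guide) of the two policies described above, the following Python script builds a trust policy for a SAML identity provider registered in IAM, a least-privilege permissions policy scoped to a single S3 bucket, and a small check that flags statements granting every action on every resource or trusting any AWS principal. The provider ARN and bucket name are constructed placeholders.

```python
import json

# Constructed placeholder ARN; IAM assigns the real one when you register the
# identity provider in your account.
SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"


def saml_trust_policy(saml_provider_arn):
    """Trust policy: only identities federated through this SAML provider may assume
    the role. The SAML:aud condition pins the assertion to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def read_only_bucket_policy(bucket_name):
    """Permissions policy: what the role may do once assumed, scoped to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::%s" % bucket_name},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::%s/*" % bucket_name},
        ],
    }


def _as_list(value):
    """Policy elements may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Flag Allow statements that grant every action on every resource, and trust
    statements that let any AWS principal assume the role. Returns (index, reason) pairs."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "allows every action on every resource"))
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append((i, "trusts any AWS principal"))
    return findings


if __name__ == "__main__":
    trust = saml_trust_policy(SAML_PROVIDER_ARN)
    perms = read_only_bucket_policy("example-reports-bucket")
    for name, doc in (("trust policy", trust), ("permissions policy", perms)):
        print("%s (overbroad: %s)" % (name, overbroad_statements(doc) or "none"))
        print(json.dumps(doc, indent=2))
```

Save the two documents to files and pass them to `aws iam create-role` (with `--assume-role-policy-document`) and `aws iam put-role-policy` (with `--policy-document`). Running the check over policies before you attach them catches the broad-grant shapes that are easy to paste in by accident.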

# Use cases for IAM users
<a name="gs-identities-iam-users"></a>

IAM users that you create in your AWS account have long-term credentials that you manage directly.

When it comes to managing access in AWS, IAM users are generally not the best choice. There are a few key reasons why you should avoid relying on IAM users for most of your use cases.

First, IAM users are designed for individual accounts, so they don't scale well as your organization grows. Managing permissions and security for a large number of IAM users can quickly become a challenge.

IAM users also lack the centralized visibility and auditing capabilities that you get with other AWS identity management solutions. This can make it more challenging to maintain security and regulatory compliance.

Finally, implementing security best practices like multi-factor authentication, password policies, and role separation is much easier with more scalable identity management approaches.

Instead of relying on IAM users, we recommend using more robust solutions like IAM Identity Center with AWS Organizations, or federated identities from external providers. These options will give you better control, security, and operational efficiency as your AWS environment grows.

As a result, we recommend that you only use IAM users for [use cases not supported by federated users](https://docs.aws.amazon.com//IAM/latest/UserGuide/id.html#id_which-to-choose). 

The following list identifies the specific use cases that require long-term credentials with IAM users in AWS. You can use IAM to create these IAM users under the umbrella of your AWS account, and use IAM to manage their permissions. 
+ Emergency access to your AWS account
+ Workloads that can't use IAM roles
  + AWS CodeCommit access
  + Amazon Keyspaces (for Apache Cassandra) access
+ Third-party AWS clients
+ AWS IAM Identity Center isn't available for your account and you have no other identity provider



# Create an IAM user for emergency access
<a name="getting-started-emergency-iam-user"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity within your AWS account that has specific permissions for a single person or application. 

Emergency access is one of the recommended reasons to create an IAM user: it lets you access your AWS account if your identity provider isn't accessible.

**Note**  
As a security [best practice](best-practices.md), we recommend that you provide access to your resources through identity federation instead of creating IAM users. For information about specific situations where an IAM user is required, see [When to create an IAM user (instead of a role)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html#id_which-to-choose).

## To create an IAM user for emergency access
<a name="getting-started-emergency-iam-user-section-1"></a>

**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
`access-analyzer:ValidatePolicy`
`iam:AddUserToGroup`
`iam:AttachGroupPolicy`
`iam:CreateGroup`
`iam:CreateLoginProfile`
`iam:CreateUser`
`iam:GetAccountPasswordPolicy`
`iam:GetLoginProfile`
`iam:GetUser`
`iam:ListAttachedGroupPolicies`
`iam:ListAttachedUserPolicies`
`iam:ListGroupPolicies`
`iam:ListGroups`
`iam:ListGroupsForUser`
`iam:ListPolicies`
`iam:ListUserPolicies`
`iam:ListUsers`

------
#### [ Console ]<a name="gs-proc-iam-user-user"></a>

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, select **Users** and then select **Create user**.
**Note**  
If you have IAM Identity Center enabled, the AWS Management Console displays a reminder that it's best to manage users' access in IAM Identity Center. In this procedure, the IAM user you create is specifically for use only when your identity provider is unavailable.

1. On the **Specify user details** page, under **User details**, in **User name**, enter the name for the new user. This is their sign-in name for AWS. For this example, enter **EmergencyAccess**.
**Note**  
User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. When a user name is used in a policy or as part of an ARN, the name is case sensitive. When a user name appears to customers in the console, such as during the sign-in process, the user name is case insensitive.

1. Choose the checkbox next to **Provide user access to the AWS Management Console– *optional*** and then choose **I want to create an IAM user**.

1. Under **Console password**, select **Autogenerated password**.

1. Clear the checkbox next to **User must create a new password at next sign-in (recommended)**. Because this IAM user is for emergency access, a trusted administrator retains the password and only provides it when needed.

1. On the **Set permissions** page, under **Permissions options**, select **Add user to group**. Then, under **User groups**, select **Create group**.

1. On the **Create user group** page, in **User group name**, enter **EmergencyAccessGroup**. Then, under **Permissions policies**, select **AdministratorAccess**.

1. Choose **Create user group** to return to the **Set permissions** page. 

1. Under **User groups**, select the name of the **EmergencyAccessGroup** you created previously.

1. Choose **Next** to proceed to the **Review and create** page.

1. On the **Review and create** page, review the list of user group memberships to be added to the new user. When you are ready to proceed, select **Create user**.

1. On the **Retrieve password** page, select **Download .csv file** to save a .csv file with the user credential information (Connection URL, username, and password).

1. Save this file to use if you need to sign in to IAM and don't have access to your identity provider.

The new IAM user is displayed in the **Users** list. Select the **User name** link to view the user details. 

------
#### [ AWS CLI ]

1. Create a user named **EmergencyAccess**.
   + [aws iam create-user](https://docs.aws.amazon.com/cli/latest/reference/iam/create-user.html)

   ```
   aws iam create-user \
      --user-name EmergencyAccess
   ```

1. (Optional) Give the user access to the AWS Management Console. This requires a password. To create a password for an IAM user, you can use the `--cli-input-json` parameter to pass a JSON file that contains the password. You must also give the user the [URL of your account's sign-in page.](id_users_sign-in.md)
   +  [aws iam create-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/create-login-profile.html)

     ```
     aws iam create-login-profile \
        --generate-cli-skeleton > create-login-profile.json
     ```
   + Open the `create-login-profile.json` file in a text editor and enter a password that complies with your password policy, then save the file. For example: 

     ```
     {
      "UserName": "EmergencyAccess",
      "Password": "Ex@3dRA0djs",
      "PasswordResetRequired": false
     }
     ```
   + Use the `aws iam create-login-profile` command again, passing the `--cli-input-json` parameter to specify your JSON file.

     ```
     aws iam create-login-profile \
        --cli-input-json file://create-login-profile.json
     ```
**Note**  
If the password you provided in the JSON file violates your account's password policy, you will receive a `PasswordPolicyViolation` error. If this happens, review the [password policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#default-policy-details) for your account and update the password in the JSON file to comply with the requirements.

1. Create the **EmergencyAccessGroup**, attach the AWS managed policy `AdministratorAccess` to the group, and add the **EmergencyAccess** user to the group. 
**Note**  
An *AWS managed policy* is a standalone policy that is created and administered by AWS. Each policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, `arn:aws:iam::aws:policy/IAMReadOnlyAccess` is an AWS managed policy. For more information about ARNs, see [IAM ARNs](reference_identifiers.md#identifiers-arns). For a list of AWS managed policies for AWS services, see [AWS managed policies](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/policy-list.html).
   + [aws iam create-group](https://docs.aws.amazon.com/cli/latest/reference/iam/create-group.html) 

     ```
     aws iam create-group \
        --group-name EmergencyAccessGroup
     ```
   + [aws iam attach-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html)

     ```
     aws iam attach-group-policy \
        --policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
        --group-name EmergencyAccessGroup
     ```
   + [aws iam add-user-to-group](https://docs.aws.amazon.com/cli/latest/reference/iam/add-user-to-group.html) 

     ```
     aws iam add-user-to-group \
        --user-name EmergencyAccess \
        --group-name EmergencyAccessGroup
     ```
   + Run the [aws iam get-group](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group.html) command to list the **EmergencyAccessGroup** and its members.

     ```
     aws iam get-group \
        --group-name EmergencyAccessGroup
     ```

------
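The `PasswordPolicyViolation` error described in the CLI procedure above is easy to hit when a password is hand-typed into the JSON skeleton. The following Python script is an added example (not from the IAM User Guide) that checks a password against the IAM default password policy before it is written into `create-login-profile.json`, generates a compliant random password with the `secrets` module, and emits the JSON in the shape the skeleton expects. The rules it encodes (8 to 128 characters, at least three of the four character classes, not identical to the account name or email address) are those of the default policy documented on the linked password-policy page, not stated on this page; an account with a custom policy may impose stricter rules, which this check does not know about.

```python
import json
import secrets
import string

# Rules of the IAM default password policy (assumption: taken from the linked
# password-policy page; a custom account policy may be stricter).
MIN_LEN, MAX_LEN = 8, 128
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()_+-=[]{}|'",   # non-alphanumeric characters the default policy counts
)


def default_policy_violations(password, account_name=None, email=None):
    """Return the default-policy rules the password breaks; an empty list means it complies."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    classes_present = sum(1 for cls in CLASSES if any(ch in cls for ch in password))
    if classes_present < 3:
        problems.append("needs at least three of: uppercase, lowercase, digits, symbols")
    for label, value in (("account name", account_name), ("email address", email)):
        if value is not None and password == value:
            problems.append("must not be identical to the %s" % label)
    return problems


def generate_password(length=20):
    """Random password drawn from the policy's character set, with at least one character
    from every class so it satisfies the three-of-four rule regardless of length."""
    if length < max(MIN_LEN, len(CLASSES)):
        raise ValueError("length must be at least %d" % MIN_LEN)
    rng = secrets.SystemRandom()
    chars = [rng.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def login_profile_input(user_name, password, reset_required=False):
    """Build the JSON for `aws iam create-login-profile --cli-input-json`, refusing a
    password that the default policy would reject with PasswordPolicyViolation."""
    problems = default_policy_violations(password)
    if problems:
        raise ValueError("password would be rejected: " + "; ".join(problems))
    return json.dumps(
        {"UserName": user_name, "Password": password, "PasswordResetRequired": reset_required},
        indent=1,
    )


if __name__ == "__main__":
    # Emergency-access users keep PasswordResetRequired false, as the procedure above explains.
    print(login_profile_input("EmergencyAccess", generate_password(20)))
```

Write the printed JSON to `create-login-profile.json` and pass it with `--cli-input-json file://create-login-profile.json` exactly as in the procedure. Generating the password locally with `secrets` rather than choosing one by hand also removes the temptation to reuse a memorable value for a credential that is meant to sit unused until an emergency.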

# Create an IAM user for workloads that can't use IAM roles
<a name="getting-started-workloads"></a>

**Important**  
As a [best practice](best-practices.md#lock-away-credentials), we recommend you require your human users to use [temporary credentials](id_credentials_temp.md) when accessing AWS.  
Alternatively, you can manage your user identities, including your administrative user, with [AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/getting-started.html). We recommend you use IAM Identity Center to manage access to your accounts and permissions within those accounts. If you are using an external identity provider, you can also configure the access permissions for user identities in IAM Identity Center.

If your use case requires IAM users with programmatic access and long-term credentials, we recommend that you establish procedures to update access keys when needed. For more information, see [Update access keys](id-credentials-access-keys-update.md).

To perform some account and service management tasks, you must sign in using root user credentials. To view the tasks that require you to sign in as the root user, see [Tasks that require root user credentials](id_root-user.md#root-user-tasks).

## To create an IAM user for workloads that can't use IAM roles
<a name="getting-started-workloads-section-1"></a>

**Minimum permissions**  
To perform the following steps, you must have at least the following IAM permissions:  
`iam:AddUserToGroup`
`iam:AttachGroupPolicy`
`iam:CreateAccessKey`
`iam:CreateGroup`
`iam:CreateServiceSpecificCredential`
`iam:CreateUser`
`iam:GetAccessKeyLastUsed`
`iam:GetAccountPasswordPolicy`
`iam:GetAccountSummary`
`iam:GetGroup`
`iam:GetLoginProfile`
`iam:GetPolicy`
`iam:GetRole`
`iam:GetUser`
`iam:ListAccessKeys`
`iam:ListAttachedGroupPolicies`
`iam:ListAttachedUserPolicies`
`iam:ListGroupPolicies`
`iam:ListGroups`
`iam:ListGroupsForUser`
`iam:ListInstanceProfilesForRole`
`iam:ListMFADevices`
`iam:ListPolicies`
`iam:ListRoles`
`iam:ListRoleTags`
`iam:ListSSHPublicKeys`
`iam:ListServiceSpecificCredentials`
`iam:ListSigningCertificates`
`iam:ListUserPolicies`
`iam:ListUserTags`
`iam:ListUsers`
`iam:UploadSSHPublicKey`
`iam:UploadSigningCertificate`

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users** and then choose **Create users**.

1. On the **Specify user details** page, do the following:

   1. For **User name**, type ***WorkloadName***. Replace ***WorkloadName*** with the name of the workload that will be using the account.

   1. Choose **Next**.

1. (Optional) On the **Set Permissions** page, do the following:

   1. Choose **Add user to group**.

   1. Choose **Create group**.

   1. In the **Create user group** dialog box, for **User group name** type a name that represents the use of the workloads in the group. For this example, use the name **Automation**.

   1. Under **Permissions policies** select the checkbox for the **PowerUserAccess** managed policy.
**Tip**  
Enter *Power* into the **Permissions policies** search box to quickly find the managed policy.

   1. Choose **Create user group**.

   1. Back on the page with the list of IAM groups, select the checkbox for your new user group. Choose **Refresh** if you don't see the new user group in the list.

   1. Choose **Next**.

1. (Optional) In the **Tags** section, add metadata to the user by attaching tags as key-value pairs. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

1. Verify the user group memberships for the new user. When you are ready to proceed, choose **Create user**.

1. A status notification appears informing you that the user was created successfully. Select **View user** to go to the user details page.

1. Select the **Security credentials** tab. Then create the credentials needed for the workload.
   + **Access keys**–Select **Create access key** to generate and download access keys for the user.
**Important**  
This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. **You will not have access to the secret keys again after this step.** 
   + **SSH public keys for AWS CodeCommit**–Select **Upload SSH public key** to upload an SSH public key so that the user can communicate with CodeCommit repositories over SSH.
   + **HTTPS Git credentials for AWS CodeCommit**–Select **Generate credentials** to generate a unique set of user credentials to use with Git repositories. Select **Download credentials** to save the user name and password to a .csv file. This is the only time that information is available. If you forget or lose the password you will need to reset it.
   + **Credentials for Amazon Keyspaces (for Apache Cassandra)**–Select **Generate credentials** to generate service-specific user credentials to use with Amazon Keyspaces. Select **Download credentials** to save the user name and password to a .csv file. This is the only time that information is available. If you forget or lose the password you will need to reset it.
**Important**  
Service-specific credentials are long-term credentials associated with a specific IAM user and can only be used for the service they were created for. To give IAM roles or federated identities permissions to access all your AWS resources using temporary credentials, use AWS authentication with the SigV4 authentication plugin for Amazon Keyspaces. For more information, see [Using temporary credentials to connect to Amazon Keyspaces (for Apache Cassandra) using an IAM role and the SigV4 plugin](https://docs.aws.amazon.com/keyspaces/latest/devguide/access.credentials.html#temporary.credentials.IAM) in the *Amazon Keyspaces (for Apache Cassandra) Developer Guide*. 
   + **X.509 Signing certificates**–Select **Create X.509 Certificate** if you need to make secure SOAP-protocol requests and are in a Region that's not supported by AWS Certificate Manager. ACM is the preferred tool to provision, manage, and deploy your server certificates. For more information about using ACM, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html).

You have created a user with programmatic access and configured it with the **PowerUserAccess** job function. This user's permissions policy grants full access to every service except for IAM and AWS Organizations.

You can use this same process to give additional workloads programmatic access to your AWS account resources, if the workloads are unable to assume IAM roles. This procedure used the **PowerUserAccess** managed policy to assign permissions. To follow the best practice of least privilege, consider using a more restrictive policy or creating a custom policy that restricts access to only resources required by the program. To learn about using policies that restrict user permissions to specific AWS resources, see [Access management for AWS resources](access.md) and [Example IAM identity-based policies](access_policies_examples.md). To add additional users to the user group after it's created, see [Edit users in IAM groups](id_groups_manage_add-remove-users.md).
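Because the access keys created in this procedure are long-term credentials, the guidance earlier on this page to establish procedures for updating them needs something to act on. The following Python script is an added example (not from the IAM User Guide) that audits the JSON returned by `aws iam list-access-keys` and `aws iam get-access-key-last-used` (the calls behind the `iam:ListAccessKeys` and `iam:GetAccessKeyLastUsed` permissions listed above) and flags active keys that are older than a rotation threshold, idle, or never used. The sample outputs are constructed with the AWS documentation placeholder key IDs; the 90-day and 30-day thresholds are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws iam list-access-keys --user-name Automation`;
# the key IDs are AWS documentation placeholders, not real credentials.
SAMPLE_LIST_ACCESS_KEYS = """{
    "AccessKeyMetadata": [
        {"UserName": "Automation", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "Status": "Active", "CreateDate": "2024-01-15T10:00:00+00:00"},
        {"UserName": "Automation", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
         "Status": "Active", "CreateDate": "2024-05-20T09:30:00+00:00"}
    ]
}"""

# Constructed samples in the shape of `aws iam get-access-key-last-used --access-key-id ...`,
# keyed by access key ID. A key that has never been used carries no LastUsedDate.
SAMPLE_LAST_USED = {
    "AKIAIOSFODNN7EXAMPLE": """{"UserName": "Automation", "AccessKeyLastUsed":
        {"LastUsedDate": "2024-06-20T08:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}}""",
    "AKIAI44QH8DHBEXAMPLE": """{"UserName": "Automation", "AccessKeyLastUsed":
        {"ServiceName": "N/A", "Region": "N/A"}}""",
}


def audit_access_keys(list_output, last_used_outputs, now, max_age_days=90, idle_days=30):
    """Return (access_key_id, reason) findings for active keys that are older than
    max_age_days, idle for more than idle_days, or never used within idle_days of creation.
    `now` may be a timezone-aware datetime or an ISO-8601 string with an offset."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for key in json.loads(list_output)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # inactive keys cannot sign requests, so they are not a rotation concern here
        key_id = key["AccessKeyId"]
        age = now - datetime.fromisoformat(key["CreateDate"])
        if age > timedelta(days=max_age_days):
            findings.append((key_id, "rotate: created %d days ago" % age.days))
        last_used = json.loads(last_used_outputs[key_id])["AccessKeyLastUsed"].get("LastUsedDate")
        if last_used is None:
            if age > timedelta(days=idle_days):
                findings.append((key_id, "never used: consider deactivating"))
        else:
            idle = now - datetime.fromisoformat(last_used)
            if idle > timedelta(days=idle_days):
                findings.append((key_id, "idle: last used %d days ago" % idle.days))
    return findings


if __name__ == "__main__":
    for key_id, reason in audit_access_keys(SAMPLE_LIST_ACCESS_KEYS, SAMPLE_LAST_USED,
                                            now=datetime.now(timezone.utc)):
        print(key_id, reason)
```

On a real account, feed the function the JSON from the two CLI commands for each IAM user you created this way. A finding of "rotate" is the cue to create a second key, move the workload to it, and then deactivate and delete the old one; a "never used" finding on a key that was only created for testing is a cue to deactivate it before it becomes a forgotten credential.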

------
#### [ AWS CLI ]

1. Create a user named **Automation**.
   + [aws iam create-user](https://docs.aws.amazon.com/cli/latest/reference/iam/create-user.html)

   ```
   aws iam create-user \
      --user-name Automation
   ```

1. Create an IAM user group named **AutomationGroup**, attach the AWS managed policy `PowerUserAccess` to the group, and then add the **Automation** user to the group. 
**Note**  
An *AWS managed policy* is a standalone policy that is created and administered by AWS. Each policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, `arn:aws:iam::aws:policy/IAMReadOnlyAccess` is an AWS managed policy. For more information about ARNs, see [IAM ARNs](reference_identifiers.md#identifiers-arns). For a list of AWS managed policies for AWS services, see [AWS managed policies](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/policy-list.html).
   + [aws iam create-group](https://docs.aws.amazon.com/cli/latest/reference/iam/create-group.html) 

     ```
     aws iam create-group \
         --group-name AutomationGroup
     ```
   + [aws iam attach-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html)

     ```
     aws iam attach-group-policy \
         --policy-arn arn:aws:iam::aws:policy/PowerUserAccess \
         --group-name AutomationGroup
     ```
   + [aws iam add-user-to-group](https://docs.aws.amazon.com/cli/latest/reference/iam/add-user-to-group.html) 

     ```
     aws iam add-user-to-group \
         --user-name Automation \
         --group-name AutomationGroup
     ```
   + Run the [aws iam get-group](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group.html) command to list the **AutomationGroup** and its members.

     ```
     aws iam get-group \
         --group-name AutomationGroup
     ```

1. Create the security credentials needed for the workload.
   + **Create access keys for testing**–[aws iam create-access-key](https://docs.aws.amazon.com/cli/latest/reference/iam/create-access-key.html)

     ```
     aws iam create-access-key \
         --user-name Automation
     ```

     The output of this command displays the secret access key and the access key ID. Record and store this information in a secure location. If these credentials are lost, they can't be recovered, and you must create a new access key.
**Important**  
These IAM user access keys are long-term credentials that present a security risk to your account. After you have completed testing, we recommend that you delete these access keys. If you have scenarios in which you are considering access keys, investigate whether you can enable MFA for your workload IAM user and use [aws sts get-session-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) to obtain temporary credentials for the session instead of using IAM access keys.
   + **Upload SSH public keys for AWS CodeCommit**–[aws iam upload-ssh-public-key](https://docs.aws.amazon.com/cli/latest/reference/iam/upload-ssh-public-key.html)

     The following example assumes that you have your SSH public keys stored in the file `sshkey.pub`.

     ```
     aws iam upload-ssh-public-key \
         --user-name Automation \
         --ssh-public-key-body file://sshkey.pub
     ```
   + **Upload an X.509 signing certificate**–[aws iam upload-signing-certificate](https://docs.aws.amazon.com/cli/latest/reference/iam/upload-signing-certificate.html)

     Upload an X.509 certificate if you need to make secure SOAP-protocol requests and are in a Region that's not supported by AWS Certificate Manager. ACM is the preferred tool to provision, manage, and deploy your server certificates. For more information about using ACM, see the [https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html).

     The following example assumes that you have your X.509 signing certificate stored in the file `certificate.pem`.

     ```
     aws iam upload-signing-certificate \
         --user-name Automation \
         --certificate-body file://certificate.pem
     ```

You can use this same process to give additional workloads programmatic access to your AWS account resources, if the workloads are unable to assume IAM roles. This procedure used the **PowerUserAccess** managed policy to assign permissions. To follow the best practice of least privilege, consider using a more restrictive policy or creating a custom policy that restricts access to only resources required by the program. To learn about using policies that restrict user permissions to specific AWS resources, see [Access management for AWS resources](access.md) and [Example IAM identity-based policies](access_policies_examples.md). To add additional users to the user group after it's created, see [Edit users in IAM groups](id_groups_manage_add-remove-users.md).

------

# Use multi-factor authentication with your identities
<a name="gs-identities-mfa"></a>

Using multi-factor authentication (MFA) with your identities is another IAM best practice. MFA is an additional security layer that requires users to provide additional authentication factors after providing their username and password to verify their identity. It significantly enhances security by making it much harder for attackers to gain unauthorized access, even if a user's password is compromised. MFA is widely adopted as a best practice for securing access to online accounts, cloud services, and other sensitive resources. AWS supports MFA for root user, IAM users, users in IAM Identity Center, Builder ID, and federated users. For additional security, you can create policies that require MFA be configured before allowing a user to access resources or take specific actions and attach these policies to your IAM roles. IAM Identity Center comes preconfigured with MFA turned on by default so that all users in IAM Identity Center must sign in with MFA in addition to their user name and password.

**Note**  
All AWS account types (standalone, management, and member accounts) require MFA to be configured for their root user. Users must register MFA within 35 days of their first sign-in attempt to access the AWS Management Console if MFA is not already enabled.

For more information, see [Configure MFA in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-getting-started.html) and [AWS Multi-factor authentication in IAM](id_credentials_mfa.md).
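The paragraph above mentions policies that require MFA before a user can act. The following Python script is an added example, not code from the AWS documentation: it shows such a policy and a deliberately simplified evaluator that demonstrates why the `BoolIfExists` operator (real IAM syntax, as is the `aws:MultiFactorAuthPresent` key) is needed. The evaluator models only action matching, `Bool`/`BoolIfExists` conditions and "explicit Deny wins"; the request contexts are constructed.

```python
"""
Added example (not AWS documentation code): an identity-based policy that
denies everything except MFA enrollment unless the request carries an
MFA-authenticated session, plus a simplified evaluator.

Simplifications (assumptions of this example): no resource matching, no
permissions boundaries, no resource-based or session policies; only the
Bool and BoolIfExists condition operators are modelled.
"""
import copy
import fnmatch

MFA_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowWorkload",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": "*",
        },
        {
            # Needed so a user can enroll an MFA device in the first place.
            "Sid": "AllowOwnMfaSetup",
            "Effect": "Allow",
            "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
            "Resource": "*",
        },
        {
            # Without MFA, everything except MFA setup is explicitly denied.
            # BoolIfExists matters: a request signed with long-term access
            # keys carries no aws:MultiFactorAuthPresent key at all, so a
            # plain Bool test would never match it.
            "Sid": "DenyAllExceptMfaSetupWithoutMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Constructed request contexts. Long-term access keys: key absent.
# Session from `aws sts get-session-token` with an MFA code: key is true.
LONG_TERM_KEY_REQUEST = {}
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
SESSION_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": "false"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(action, patterns):
    # IAM action names are matched case-insensitively and support wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_covers_action(statement, action):
    if "Action" in statement:
        return _matches_any(action, statement["Action"])
    # NotAction: the statement applies to every action that is NOT listed.
    return not _matches_any(action, statement["NotAction"])


def _condition_holds(statement, context):
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError("this evaluator models only Bool operators")
        for key, expected in pairs.items():
            if key not in context:
                # ...IfExists: a missing key makes the test pass.
                # Plain Bool: a missing key makes the test fail.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, context):
    """Simplified IAM decision: explicit Deny > Allow > implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not (_statement_covers_action(statement, action) and _condition_holds(statement, context)):
            continue
        if statement["Effect"] == "Deny":
            return False  # an explicit Deny wins regardless of any Allow
        allowed = True
    return allowed


def with_plain_bool(policy):
    """Same policy with BoolIfExists swapped for Bool, to show the pitfall."""
    weakened = copy.deepcopy(policy)
    for statement in weakened["Statement"]:
        condition = statement.get("Condition", {})
        if "BoolIfExists" in condition:
            condition["Bool"] = condition.pop("BoolIfExists")
    return weakened


if __name__ == "__main__":
    for label, ctx in [("long-term key", LONG_TERM_KEY_REQUEST), ("MFA session", SESSION_WITH_MFA)]:
        print(label, "s3:GetObject ->", is_allowed(MFA_REQUIRED_POLICY, "s3:GetObject", ctx))
    print("plain Bool, long-term key ->",
          is_allowed(with_plain_bool(MFA_REQUIRED_POLICY), "s3:GetObject", LONG_TERM_KEY_REQUEST))
```

The last line of output is the pitfall: with `Bool` instead of `BoolIfExists`, a request signed with long-term access keys is not denied at all.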

# Prepare for least-privilege permissions
<a name="getting-started-reduce-permissions"></a>

Using *least-privilege permissions* is an IAM best practice recommendation. The concept of least-privilege permissions is to grant users the permissions required to perform a task and no additional permissions. As you get set up, consider how you are going to support least-privilege permissions. The root user, the administrative user, and the emergency access IAM user have powerful permissions that aren't required for everyday tasks. While you are learning about AWS and testing out different services we recommend that you create at least one additional user in IAM Identity Center with lesser permissions that you can use in different scenarios. You can use IAM policies to define the actions that can be taken on specific resources under specific conditions and then connect to those resources with your lesser privileged account.

If you are using IAM Identity Center, consider using IAM Identity Center permissions sets to get started. To learn more, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *IAM Identity Center User Guide*. 

If you aren't using IAM Identity Center, use IAM roles to define the permissions for different IAM entities. To learn more, see [IAM role creation](id_roles_create.md).

Both IAM roles and IAM Identity Center permissions sets can use AWS managed policies based on job functions. For details on the permissions granted by these policies, see [AWS managed policies for job functions](access_policies_job-functions.md). 

**Important**  
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for use by all AWS customers. After getting set up, we recommend that you use IAM Access Analyzer to generate least-privilege policies based on your access activity that's logged in AWS CloudTrail. For more information about policy generation, see [IAM Access Analyzer policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html).

When you are getting started, we recommend that you use AWS managed policies to grant permissions. After a predefined sample period of activity (such as 90 days) has passed, you can review the services that people and workloads have accessed. Then you can create a new customer managed policy with reduced permissions to replace the AWS managed policy. The new policy should include only the services that were accessed during the sample period. Update your permissions to remove the AWS managed policy and attach the new customer managed policy you created. 

# Reviewing last accessed information for your AWS account
<a name="getting-started-reduce-permissions-last-accessed"></a>

You can view service last accessed information for IAM using the IAM console, AWS CLI, or AWS API. For important information about the data, permissions required, troubleshooting, and supported Regions, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).

You can view information for the following resource types in IAM. In each case, the information includes allowed services for the given reporting period:
+ **IAM user** – View the last time that the user attempted to access each allowed service.
+ **IAM group** – View information about the last time that an IAM group member attempted to access each allowed service. This report also includes the total number of members that attempted access.
+ **IAM role** – View the last time that someone used the role in an attempt to access each allowed service.
+ **Policy** – View information about the last time that a user or role attempted to access each allowed service. This report also includes the total number of entities that attempted access.

**Note**  
Before you view the access information for a resource in IAM, make sure you understand the reporting period, reported entities, and the evaluated policy types for your information. For more details, see [Things to know about last accessed information](access_policies_last-accessed.md#access_policies_last-accessed-know).

For more information about the last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).

## To review last accessed information for an AWS account
<a name="getting-started-reduce-permissions-last-accessed-proc"></a>

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose either **User groups**, **Users**, **Roles**, or **Policies**.

1. Choose any user, user group, role, or policy name to open its **Summary** page and choose the **Last Accessed** tab. View the following information, based on the resource that you chose:
   + **User group** – View the list of services that user group members can access. You can also view when a member last accessed the service, what user group policies they used, and which user group member made the request. Choose the name of the policy to learn whether it is a managed policy or an inline user group policy. Choose the name of the user group member to see all of the members of the user group and when they last accessed the service.
   + **User** – View the list of services that the user can access. You can also view when they last accessed the service, and what policies are currently associated with the user. Choose the name of the policy to learn whether it is a managed policy, an inline user policy, or an inline policy for the user group.
   + **Role** – View the list of services that the role can access, when the role last accessed the service, and what policies were used. Choose the name of the policy to learn whether it is a managed policy or an inline role policy.
   + **Policy** – View the list of services with allowed actions in the policy. You can also view when the policy was last used to access the service, and which entity (user or role) used the policy. The **Last accessed** date also includes when access is granted to this policy through another policy. Choose the name of the entity to learn which entities have this policy attached and when they last accessed the service.

1. In the **Service** column of the table, choose the name of [one of the services that includes action last accessed information](access_policies_last-accessed-action-last-accessed.md) to view a list of management actions that IAM entities have attempted to access. You can view the AWS Region and a timestamp that shows when someone last attempted to perform the action.

1. The **Last accessed** column is displayed for services and management actions of [the services that include action last accessed information](access_policies_last-accessed-action-last-accessed.md). Review the following possible results that are returned in this column. These results vary depending on whether a service or action is allowed, was accessed, and whether it is tracked by AWS for last accessed information.   
**<number of> days ago**  
The number of days since the service or action was used in the tracking period. The tracking period for services is for the last 400 days. The tracking period for Amazon S3 actions started on April 12, 2020. The tracking period for Amazon EC2, IAM, and Lambda actions started on April 7, 2021. The tracking period for all other services began on May 23, 2023. To learn more about the tracking start dates for each AWS Region, see [Where AWS tracks last accessed information](access_policies_last-accessed.md#last-accessed_tracking-period).  
**Not accessed in the tracking period**  
The tracked service or action has not been used by an entity in the tracking period.

   It is possible for you to have permissions for an action that doesn't appear in the list. This can happen if the tracking information for the action is not currently included by AWS. You should not make permissions decisions based solely on the absence of tracking information. Instead, we recommend that you use this information to inform and support your overall strategy of granting least privilege. Check your policies to confirm that the level of access is appropriate.

------
#### [ AWS CLI ]

You can use the AWS CLI to retrieve information about the last time that an IAM resource in your AWS account was used to attempt to access AWS services and Amazon S3, Amazon EC2, IAM, and Lambda actions. An IAM resource can be a user, user group, role, or policy.
+ Generate a report for IAM resources in an AWS account. The request must include the ARN of the IAM resource (user, user group, role, or policy) for which you want a report. You can specify the level of granularity that you want to generate in the report to view access details for either services or both services and actions. The request returns a `job-id` that you can then use in the `get-service-last-accessed-details` and `get-service-last-accessed-details-with-entities` operations to monitor the `job-status` until the job is complete.
  + [aws iam generate-service-last-accessed-details](https://docs.aws.amazon.com/cli/latest/reference/iam/generate-service-last-accessed-details.html)

  1. Retrieve details about the report using the `job-id` parameter from the previous step.
     + [aws iam get-service-last-accessed-details](https://docs.aws.amazon.com/cli/latest/reference/iam/get-service-last-accessed-details.html)

     This operation returns the following information, based on the type of resource and level of granularity that you requested in the `generate-service-last-accessed-details` operation:
     + **User** – Returns a list of services that the specified user can access. For each service, the operation returns the date and time of the user's last attempt and the ARN of the user.
     + **User group** – Returns a list of services that members of the specified user group can access using the policies attached to the user group. For each service, the operation returns the date and time of the last attempt made by any user group member. It also returns the ARN of that user and the total number of user group members that have attempted to access the service. Use the [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html) operation to retrieve a list of all of the members.
     + **Role** – Returns a list of services that the specified role can access. For each service, the operation returns the date and time of the role's last attempt and the ARN of the role.
     + **Policy** – Returns a list of services for which the specified policy allows access. For each service, the operation returns the date and time that an entity (user or role) last attempted to access the service using the policy. It also returns the ARN of that entity and the total number of entities that attempted access.

  1. Learn more about the entities that used user group or policy permissions in an attempt to access a specific service. This operation returns a list of entities with each entity's ARN, ID, name, path, type (user or role), and when they last attempted to access the service. You can also use this operation for users and roles, but it only returns information about that entity.
     + [aws iam get-service-last-accessed-details-with-entities](https://docs.aws.amazon.com/cli/latest/reference/iam/get-service-last-accessed-details-with-entities.html)

  1. Learn more about the identity-based policies that an identity (user, user group, or role) used in an attempt to access a specific service. When you specify an identity and service, this operation returns a list of permissions policies that the identity can use to access the specified service. This operation gives the current state of policies and does not depend on the generated report. It also does not return other policy types, such as resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, or session policies. For more information, see [Policy types](access_policies.md#access_policy-types) or [Policy evaluation for requests within a single account](reference_policies_evaluation-logic_policy-eval-basics.md).
     + [aws iam list-policies-granting-service-access](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies-granting-service-access.html)
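The recommendation earlier in this topic, to keep only the services that were accessed during a sample period, can be worked out directly from the report the CLI procedure above retrieves. The following Python script is an added example, not AWS documentation code: it reads a `get-service-last-accessed-details` response, splits services into accessed and unused for the sample period, and emits a first-cut customer managed policy. The field names follow the IAM API response shape; the sample report itself is constructed.

```python
"""
Added example (not AWS documentation code): turn an
`aws iam get-service-last-accessed-details` report into the list of services
used during a sample period and a reduced policy that keeps only those.

Assumptions: response field names as in the IAM API (ServicesLastAccessed,
ServiceNamespace, LastAuthenticated, TrackedActionsLastAccessed, ...);
the report below is constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a COMPLETED job generated with ACTION_LEVEL
# granularity. A service the entity never used has no LastAuthenticated.
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "JobType": "ACTION_LEVEL",
    "JobCreationDate": "2024-06-30T00:00:00+00:00",
    "ServicesLastAccessed": [
        {
            "ServiceName": "Amazon S3",
            "ServiceNamespace": "s3",
            "LastAuthenticated": "2024-06-20T08:15:00+00:00",
            "LastAuthenticatedEntity": "arn:aws:iam::111122223333:user/Automation",
            "TotalAuthenticatedEntities": 1,
            "TrackedActionsLastAccessed": [
                {"ActionName": "GetObject", "LastAccessedTime": "2024-06-20T08:15:00+00:00"},
                {"ActionName": "PutObject", "LastAccessedTime": "2023-12-01T10:00:00+00:00"},
            ],
        },
        {
            "ServiceName": "Amazon EC2",
            "ServiceNamespace": "ec2",
            "LastAuthenticated": "2024-05-15T17:42:00+00:00",
            "LastAuthenticatedEntity": "arn:aws:iam::111122223333:user/Automation",
            "TotalAuthenticatedEntities": 1,
        },
        {
            "ServiceName": "AWS Identity and Access Management",
            "ServiceNamespace": "iam",
            "LastAuthenticated": "2024-01-10T09:00:00+00:00",
            "LastAuthenticatedEntity": "arn:aws:iam::111122223333:user/Automation",
            "TotalAuthenticatedEntities": 1,
        },
        {
            "ServiceName": "AWS Lambda",
            "ServiceNamespace": "lambda",
            "TotalAuthenticatedEntities": 0,
        },
    ],
}

# Constructed "now" matching the sample report's creation date.
SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def _parse(timestamp):
    # The CLI prints ISO 8601 with an explicit offset, which fromisoformat accepts.
    return datetime.fromisoformat(timestamp)


def split_by_sample_period(report, now, days=90):
    """Return (accessed, unused) service namespaces for the last `days` days."""
    if report.get("JobStatus") != "COMPLETED":
        raise ValueError("report not ready: JobStatus=%s" % report.get("JobStatus"))
    window_start = now - timedelta(days=days)
    accessed, unused = [], []
    for svc in report["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        if last and _parse(last) >= window_start:
            accessed.append(svc["ServiceNamespace"])
        else:
            unused.append(svc["ServiceNamespace"])
    return sorted(accessed), sorted(unused)


def actions_for(svc, window_start):
    """Tracked actions used in the window; wildcard fallback when none are tracked."""
    used = [
        "%s:%s" % (svc["ServiceNamespace"], a["ActionName"])
        for a in svc.get("TrackedActionsLastAccessed", [])
        if "LastAccessedTime" in a and _parse(a["LastAccessedTime"]) >= window_start
    ]
    # Not every action is tracked, so an empty list does not prove the service
    # was unused: fall back to the service wildcard and refine by hand.
    return sorted(used) if used else ["%s:*" % svc["ServiceNamespace"]]


def reduced_policy(report, now, days=90, sid="FullAccessToSomeServices"):
    """Allow only the services (and, where tracked, actions) used in the window."""
    accessed, _ = split_by_sample_period(report, now, days)
    window_start = now - timedelta(days=days)
    actions = []
    for svc in report["ServicesLastAccessed"]:
        if svc["ServiceNamespace"] in accessed:
            actions.extend(actions_for(svc, window_start))
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    accessed, unused = split_by_sample_period(SAMPLE_REPORT, SAMPLE_NOW)
    print("accessed in sample period:", accessed)
    print("candidates to remove:", unused)
    print(json.dumps(reduced_policy(SAMPLE_REPORT, SAMPLE_NOW), indent=2))
```

The `Resource` element stays `"*"` here; scoping it to specific ARNs is the manual step that follows, as the policy generation topic below describes.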

------
#### [ API ]

You can use the AWS API to retrieve information about the last time that an IAM resource was used to attempt to access AWS services and Amazon S3, Amazon EC2, IAM, and Lambda actions. An IAM resource can be a user, user group, role, or policy. You can specify the level of granularity to generate in the report to view details for either services or both services and actions. 

1. Generate a report. The request must include the ARN of the IAM resource (user, user group, role, or policy) for which you want a report. It returns a `JobId` that you can then use in the `GetServiceLastAccessedDetails` and `GetServiceLastAccessedDetailsWithEntities` operations to monitor the `JobStatus` until the job is complete.
   + [GenerateServiceLastAccessedDetails](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateServiceLastAccessedDetails.html)

1. Retrieve details about the report using the `JobId` parameter from the previous step.
   + [GetServiceLastAccessedDetails](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetails.html)

   This operation returns the following information, based on the type of resource and level of granularity that you requested in the `GenerateServiceLastAccessedDetails` operation:
   + **User** – Returns a list of services that the specified user can access. For each service, the operation returns the date and time of the user's last attempt and the ARN of the user.
   + **User group** – Returns a list of services that members of the specified user group can access using the policies attached to the user group. For each service, the operation returns the date and time of the last attempt made by any user group member. It also returns the ARN of that user and the total number of user group members that have attempted to access the service. Use the [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html) operation to retrieve a list of all of the members.
   + **Role** – Returns a list of services that the specified role can access. For each service, the operation returns the date and time of the role's last attempt and the ARN of the role.
   + **Policy** – Returns a list of services for which the specified policy allows access. For each service, the operation returns the date and time that an entity (user or role) last attempted to access the service using the policy. It also returns the ARN of that entity and the total number of entities that attempted access.

1. Learn more about the entities that used user group or policy permissions in an attempt to access a specific service. This operation returns a list of entities with each entity's ARN, ID, name, path, type (user or role), and when they last attempted to access the service. You can also use this operation for users and roles, but it only returns information about that entity.
   + [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html)

1. Learn more about the identity-based policies that an identity (user, user group, or role) used in an attempt to access a specific service. When you specify an identity and service, this operation returns a list of permissions policies that the identity can use to access the specified service. This operation gives the current state of policies and does not depend on the generated report. It also does not return other policy types, such as resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, or session policies. For more information, see [Policy types](access_policies.md#access_policy-types) or [Policy evaluation for requests within a single account](reference_policies_evaluation-logic_policy-eval-basics.md).
   + [ListPoliciesGrantingServiceAccess](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPoliciesGrantingServiceAccess.html)

------

# Generating a policy based on access activity
<a name="getting-started_reduce-permissions-edit-policy"></a>

You can use the access activity recorded in AWS CloudTrail for an IAM user or IAM role to have IAM Access Analyzer generate a customer managed policy to allow access to only the services that specific users and roles need. 

When IAM Access Analyzer generates an IAM policy, information is returned to help you to further customize the policy. Two categories of information can be returned when a policy is generated:
+ **Policy with action-level information –** For some AWS services, such as Amazon EC2, IAM Access Analyzer can identify the actions found in your CloudTrail events and lists the actions used in the policy it generates. For a list of supported services, see [IAM Access Analyzer policy generation services](access-analyzer-policy-generation-action-last-accessed-support.md). For some services, IAM Access Analyzer prompts you to add actions for the services to the generated policy.
+ **Policy with service-level information –** IAM Access Analyzer uses [last accessed](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_last-accessed.html) information to create a policy template with all of the recently used services. When using the AWS Management Console, we prompt you to review the services and add actions to complete the policy.

## To generate a policy based on access activity
<a name="getting-started_reduce-permissions-edit-policy-section-1"></a>

In the following procedure we are going to reduce the permissions given to a role to match the usage of a user. When you choose a user, choose a user whose usage exemplifies the role. Many customers set up test user accounts with **PowerUser** permissions and then have them do a specific set of tasks for a short time period to determine what access is necessary to perform those tasks.

------
#### [ Console ]

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Users** and then choose the user name to go to the user details page.

1. On the **Permissions** tab, under **Generate policy based on CloudTrail events**, choose **Generate policy**. 

1. On the **Generate policy** page, configure the following items:
   + For **Select time period**, choose **Last 7 days**.
   + For **CloudTrail trail to be analyzed**, select the Region and trail where this user's activity is recorded.
   + Choose **Create and use a new service role**.

1. Choose **Generate policy** then wait until the role is created. Don't refresh or navigate away from the console page until the **Policy generation in progress** notification message appears.

1. After the policy is generated, you must review and customize it as needed with the account IDs and ARNs for resources. In addition, the automatically generated policy might not include the action-level information needed to complete the policy. For more information, see [IAM Access Analyzer policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html).

   For example, you might edit the first statement, which includes the `Allow` effect and the `NotAction` element, to allow only Amazon EC2 and Amazon S3 actions. To do this, replace it with a statement that has the `FullAccessToSomeServices` ID. Your new policy could look like the following example policy.

------
#### [ JSON ]


   ```
   {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "FullAccessToSomeServices",
             "Effect": "Allow",
             "Action": [
                 "ec2:*",
                 "s3:*"
             ],
             "Resource": "*"
         },
         {
             "Effect": "Allow",
             "Action": [
                 "iam:CreateServiceLinkedRole",
                 "iam:DeleteServiceLinkedRole",
                 "iam:ListRoles",
                 "organizations:DescribeOrganization"
             ],
             "Resource": "*"
         }
     ]
   }
   ```

------

1. To support the best practice of [granting least privilege](best-practices.md#grant-least-privilege), review and correct any errors, warnings, or suggestions returned during [policy validation](access_policies_policy-validator.md).

1. To further reduce your policies' permissions to specific actions and resources, view your events in CloudTrail **Event history**. There you can view detailed information about the specific actions and resources that your user has accessed. For more information, see [Viewing CloudTrail Events in the CloudTrail Console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html) in the *AWS CloudTrail User Guide*.

1. After reviewing and validating your policy, save it with a descriptive name. 

1. Navigate to the **Roles** page and choose the role that people will assume when they perform the tasks permitted by your new policy.

1. Select the **Permissions** tab, and then choose **Add permissions** and select **Attach policies**.

1. On the **Attach permission policies** page, in the **Other permissions policies** list, select the policy you created, then choose **Attach policies**.

1. You are returned to the **Role** details page. There are two policies attached to the role, your previous AWS managed policy, such as **PowerUserAccess**, and your new policy. Select the checkbox for the AWS managed policy and then choose **Remove**. When asked to confirm removal, choose **Remove**.

IAM users, SAML and OIDC federated principals, and workloads that assume this role now have reduced access according to the new policy you created.

------
#### [ AWS CLI ]

You can use the following commands to generate a policy using the AWS CLI. 

**To generate a policy**
+ [aws accessanalyzer start-policy-generation](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/start-policy-generation.html)

**To view a generated policy**
+ [aws accessanalyzer get-generated-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-generated-policy.html)

**To cancel a policy generation request**
+ [aws accessanalyzer cancel-policy-generation](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/cancel-policy-generation.html)

**To view a list of policy generation requests**
+ [aws accessanalyzer list-policy-generations](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/list-policy-generations.html)

------
#### [ API ]

You can use the following operations to generate a policy using the AWS API.

**To generate a policy**
+ [StartPolicyGeneration](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_StartPolicyGeneration.html)

**To view a generated policy**
+ [GetGeneratedPolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetGeneratedPolicy.html)

**To cancel a policy generation request**
+ [CancelPolicyGeneration](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CancelPolicyGeneration.html)

**To view a list of policy generation requests**
+ [ListPolicyGenerations](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListPolicyGenerations.html)

------

# Using search to find IAM resources
<a name="console_search"></a>

As you work through your access findings, you can use the IAM console search page as a faster option for finding IAM resources. You can search for resources using partial resource names or ARNs.

------
#### [ Console ]

The IAM console search feature can locate any of the following:
+ IAM entity names that match your search keywords (for users, groups, roles, identity providers, and policies)
+ Tasks that match your search keywords

The IAM console search feature does not return information about IAM Access Analyzer.

Every line in the search result is an active link. For example, you can choose the user name in the search result, which takes you to that user's detail page. Or you can choose an action link, for example **Create user**, to go to the **Create User** page.

**Note**  
Access key search requires you to type the full access key ID in the search box. The search result shows the user associated with that key. From there you can navigate directly to that user's page, where you can manage the access key.

Use the **Search** page in the IAM console to find items in your account.

**To search for items in the IAM console**

1. Follow the sign-in procedure appropriate to your user type as described in the topic [How to sign in to AWS](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

1. On the **IAM Console Home** page, in the left navigation pane, enter your query in the **Search IAM** text box.

1. In the navigation pane, choose **Search**. 

1. In the **Search** box, type your search keywords.

1. Choose a link in the search results list to navigate to the corresponding part of the console. 

The following icons identify the types of items that are found by a search:


| Icon | Description | 
| --- | --- | 
|  ![\[a portrait outline on gray background\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/search_user.png)  | IAM users | 
|  ![\[multiple portrait outlines on a blue background\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/search_group.png)  | IAM groups | 
|  ![\[a magic wand icon on a navy background\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/search_role.png)  | IAM roles | 
|  ![\[a document icon on an orange background\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/search_policy.png)  | IAM policies | 
|  ![\[a white star on an orange background\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/search_action.png)  | Tasks such as "create user" or "attach policy" | 
|  ![\[a white X on a red background\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/search_delete.png)  | Results from the keyword delete | 

**Sample search phrases**

You can use the following phrases in the IAM search. Replace terms in italics with the names of the actual IAM users, groups, roles, access keys, policies, or identity providers that you want to locate.
+ ***user_name*** or ***group_name*** or ***role_name*** or ***policy_name*** or ***identity_provider_name***
+ ***access_key***
+ **add user *user_name* to groups** or **add users to group *group_name***
+ **remove user *user_name* from groups**
+ **delete *user_name*** or **delete *group_name*** or **delete *role_name*** or **delete *policy_name*** or **delete *identity_provider_name***
+ **manage access keys *user_name***
+ **manage signing certificates *user_name***
+ **users**
+ **manage MFA for *user_name***
+ **manage password for *user_name***
+ **create role**
+ **password policy**
+ **edit trust policy for role *role_name***
+ **show policy document for role *role_name***
+ **attach policy to *role_name***
+ **create managed policy**
+ **create user**
+ **create group**
+ **attach policy to *group_name***
+ **attach entities to *policy_name***
+ **detach entities from *policy_name***

------