# How IAM users sign in to AWS
<a name="id_users_sign-in"></a>

To sign in to the AWS Management Console as an IAM user, you must provide your account ID or account alias in addition to your user name and password. When your administrator created your IAM user in the console, they should have sent you your sign-in credentials, including your user name and the URL to your account sign-in page that includes your account ID or account alias. 

```
https://My_AWS_Account_ID.signin.aws.amazon.com/console/
```

**Tip**  
To create a bookmark for your account sign-in page in your web browser, you should manually type the sign-in URL for your account in the bookmark entry. Do not use your web browser bookmark feature because redirects can obscure the sign-in URL. 

You can also sign in at the following general sign-in endpoint and type your account ID or account alias manually:

```
https://console.aws.amazon.com/
```

For convenience, the AWS sign-in page uses a browser cookie to remember the IAM user name and account information. The next time the user goes to any page in the AWS Management Console, the console uses the cookie to redirect the user to the account sign-in page.

You have access only to the AWS resources that your administrator specifies in the policy that is attached to your IAM user identity. To work in the console, you must have permissions to perform the actions that the console performs, such as listing and creating AWS resources. For more information, see [Access management for AWS resources](access.md) and [Example IAM identity-based policies](access_policies_examples.md).

**Note**  
If your organization has an existing identity system, you might want to create a single sign-on (SSO) option. SSO gives users access to the AWS Management Console for your account without requiring them to have an IAM user identity. SSO also eliminates the need for users to sign in to your organization's site and to AWS separately. For more information, see [Enable custom identity broker access to the AWS console](id_roles_providers_enable-console-custom-url.md). 

**Logging sign-in details in CloudTrail**  
If you enable CloudTrail to log sign-in events to your logs, you need to be aware of how CloudTrail chooses where to log the events.
+ If your users sign in directly to a console, they are redirected to either a global or a regional sign-in endpoint, based on whether the selected service console supports regions. For example, the main console home page supports regions, so if you sign in to the following URL:

  ```
  https://alias.signin.aws.amazon.com/console
  ```

  you are redirected to a regional sign-in endpoint such as `https://us-east-2.signin.aws.amazon.com`, resulting in a regional CloudTrail log entry in that region's log.

  On the other hand, the Amazon S3 console does not support regions, so if you sign in to the following URL:

  ```
  https://alias.signin.aws.amazon.com/console/s3
  ```

  AWS redirects you to the global sign-in endpoint at `https://signin.aws.amazon.com`, resulting in a global CloudTrail log entry.
+ You can manually request a certain regional sign-in endpoint by signing in to the region-enabled main console home page using a URL syntax like the following:

  ```
  https://alias.signin.aws.amazon.com/console?region=ap-southeast-1
  ```

  AWS redirects you to the `ap-southeast-1` regional sign-in endpoint and results in a regional CloudTrail log event.

For more information about CloudTrail and IAM, see [Logging IAM events with CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html).
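The practical consequence of the endpoint choice above is that sign-in events for one account end up in more than one region's log, and a review of console sign-ins has to read all of them. The following script is an added example (not AWS code, and not from this page): it triages CloudTrail `ConsoleLogin` records, reporting which region each event was logged in and which successful sign-ins did not use MFA. The sample records are constructed; their field names (`eventSource`, `eventName`, `awsRegion`, `userIdentity`, `responseElements`, `additionalEventData.MFAUsed`) follow the `ConsoleLogin` event shape CloudTrail emits, and the treatment of `us-east-1` as the region where the global sign-in endpoint's events land is an assumption to confirm against your own trail.

```python
"""Triage CloudTrail ConsoleLogin records: region of the log entry and MFA use.

Added example, not AWS code. SAMPLE_RECORDS are constructed, modelled on the
ConsoleLogin event shape; verify every field you rely on against a real trail.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample trail file: three ConsoleLogin events plus one unrelated
# API event that the parser must ignore. The global sign-in endpoint is assumed
# to record into us-east-1; regional endpoints record into their own region.
SAMPLE_RECORDS = [
    {
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-2", "eventTime": "2024-01-15T10:01:02Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"},
    },
    {
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "eventTime": "2024-01-15T10:05:40Z",
        "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"},
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"},
    },
    {
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "ap-southeast-1", "eventTime": "2024-01-15T10:09:13Z",
        "userIdentity": {"type": "IAMUser", "userName": "carol", "accountId": "111122223333"},
        "sourceIPAddress": "192.0.2.44",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"},
    },
    {
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "awsRegion": "us-east-1", "eventTime": "2024-01-15T10:10:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
        "sourceIPAddress": "203.0.113.10",
    },
]
SAMPLE_TRAIL_JSON = json.dumps({"Records": SAMPLE_RECORDS})


@dataclass(frozen=True)
class ConsoleLogin:
    user: str
    account_id: str
    region: str        # region whose log holds the event
    success: bool
    mfa_used: bool
    source_ip: str


def load_records(trail_json: str) -> list:
    """A CloudTrail log file is a JSON object with a top-level 'Records' list."""
    return json.loads(trail_json)["Records"]


def parse_console_logins(records: list) -> list:
    """Extract ConsoleLogin events from a list of raw CloudTrail records."""
    logins = []
    for rec in records:
        if rec.get("eventSource") != "signin.amazonaws.com" or rec.get("eventName") != "ConsoleLogin":
            continue
        ident = rec.get("userIdentity", {})
        extra = rec.get("additionalEventData", {})
        logins.append(ConsoleLogin(
            user=ident.get("userName") or ident.get("type", "unknown"),
            account_id=ident.get("accountId", ""),
            region=rec.get("awsRegion", ""),
            success=rec.get("responseElements", {}).get("ConsoleLogin") == "Success",
            mfa_used=extra.get("MFAUsed") == "Yes",
            source_ip=rec.get("sourceIPAddress", ""),
        ))
    return logins


def successful_logins_without_mfa(logins: list) -> list:
    """The finding a reviewer cares about most: console access with no second factor."""
    return [e for e in logins if e.success and not e.mfa_used]


def logins_by_region(logins: list) -> Counter:
    """Shows why a single-region query misses sign-ins: events are spread across logs."""
    return Counter(e.region for e in logins)


if __name__ == "__main__":
    events = parse_console_logins(load_records(SAMPLE_TRAIL_JSON))
    print("sign-ins per log region:", dict(logins_by_region(events)))
    for e in successful_logins_without_mfa(events):
        print(f"NO MFA: user={e.user} account={e.account_id} region={e.region} ip={e.source_ip}")
```

Run against a real trail, the same functions consume the `Records` list of each downloaded log file; the global-endpoint assumption only affects how you interpret `us-east-1` counts, not the MFA finding.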

If users need programmatic access to work with your account, you can create an access key pair (an access key ID and a secret access key) for each user. However, there are more secure alternatives to consider before you create access keys for users. For more information, see [Considerations and alternatives for long-term access keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#alternatives-to-long-term-access-keys) in the *AWS General Reference*.

## Additional resources
<a name="id_users_sign-in-additional-resources"></a>

The following resources can help you learn more about AWS sign-in.
+ The [AWS Sign-In User Guide](https://docs.aws.amazon.com/signin/latest/userguide/what-is-sign-in.html) helps you understand the different ways that you can sign in to Amazon Web Services (AWS), depending on what type of user you are.
+ You can sign in with up to five different identities simultaneously in a single web browser in the AWS Management Console. For details, see [Signing in to multiple accounts](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/multisession.html) in the *AWS Management Console Getting Started Guide*.

# MFA enabled sign-in
<a name="console_sign-in-mfa"></a>

Users who are configured with [multi-factor authentication (MFA)](id_credentials_mfa.md) devices must use their MFA devices to sign in to the AWS Management Console. After the user enters their sign-in credentials, AWS checks the user's account to see if MFA is required for that user. 

**Important**  
If you use access key and secret key credentials for direct AWS Management Console access with the AWS STS [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html) API call, MFA will NOT be required. For more information, see [Using access keys and secret key credentials for console access](securing_access-keys.md#console-access-security-keys).

The following topics provide information on how users complete signing in when MFA is required. 

**Topics**
+ [Multiple MFA devices enabled](#console_sign-in-multiple-mfa)
+ [FIDO security key](#console_sign-in-mfa-fido)
+ [Virtual MFA device](#console_sign-in-mfa-virtual)
+ [Hardware TOTP token](#console_sign-in-mfa-hardware)

## Multiple MFA devices enabled
<a name="console_sign-in-multiple-mfa"></a>

If a user signs in to the AWS Management Console as an AWS account root user or IAM user with multiple MFA devices enabled for that account, they only need to use one MFA device to sign in. After the user authenticates with the user’s password, they select which MFA device type they would like to use to finish authenticating. Then the user is prompted to authenticate with the type of device that they selected. 

## FIDO security key
<a name="console_sign-in-mfa-fido"></a>

If MFA is required for the user, a second sign-in page appears. The user needs to tap the FIDO security key.

**Note**  
Google Chrome users should not choose any of the available options on the pop-up that asks to **Verify your identity with amazon.com**. You only need to tap on the security key.

Unlike other MFA devices, FIDO security keys do not go out of sync. Administrators can deactivate a FIDO security key if it's lost or broken. For more information, see [Deactivating MFA devices (console)](id_credentials_mfa_disable.md#deactive-mfa-console).

For information on browsers that support WebAuthn and FIDO-compliant devices that AWS supports, see [Supported configurations for using passkeys and security keys](id_credentials_mfa_fido_supported_configurations.md).

## Virtual MFA device
<a name="console_sign-in-mfa-virtual"></a>

If MFA is required for the user, a second sign-in page appears. In the **MFA code** box, the user must enter the numeric code provided by the MFA application.

If the MFA code is correct, the user can access the AWS Management Console. If the code is incorrect, the user can try again with another code. 

A virtual MFA device can go out of sync. If a user cannot sign in to the AWS Management Console after several tries, the user is prompted to synchronize the virtual MFA device. The user can follow the on-screen prompts to synchronize the virtual MFA device. For information about how you can synchronize a device on behalf of a user in your AWS account, see [Resynchronize virtual and hardware MFA devices](id_credentials_mfa_sync.md). 

## Hardware TOTP token
<a name="console_sign-in-mfa-hardware"></a>

If MFA is required for the user, a second sign-in page appears. In the **MFA code** box, the user must enter the numeric code provided by a hardware TOTP token. 

If the MFA code is correct, the user can access the AWS Management Console. If the code is incorrect, the user can try again with another code. 

A hardware TOTP token can go out of sync. If a user can't sign in to the AWS Management Console after several tries, the user is prompted to synchronize the MFA token device. The user can follow the on-screen prompts to synchronize the MFA token device. For information about how you can synchronize a device on behalf of a user in your AWS account, see [Resynchronize virtual and hardware MFA devices](id_credentials_mfa_sync.md). 
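Both the virtual MFA device and the hardware TOTP token sections above say the device "can go out of sync" and is fixed by resynchronization. The following is an added example, not AWS code: a minimal TOTP generator (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits, which is what common virtual MFA apps produce) and a server-side verifier that accepts codes within a small drift window, refuses reuse of an already accepted code, and relearns the device's clock offset from two consecutive codes, which is the information AWS asks for when you resynchronize a device. The window size, the resync search width and the offset bookkeeping are assumptions chosen for illustration; AWS's actual server-side parameters are not documented on this page.

```python
"""TOTP (RFC 6238) generation and a drift-tolerant verifier with resync.

Added example, not AWS code. The +/-1 step window, the 100-step resync search
and the offset tracking are assumptions for illustration only.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # time step common TOTP apps use (assumption for this example)
DIGITS = 6


def totp_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) value for one counter; TOTP is HOTP over floor(t / step)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp_at(secret: bytes, unix_time: int) -> str:
    """Code a device whose clock reads `unix_time` shows on its display."""
    return totp_for_counter(secret, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server side of the exchange: shares `secret` with one device."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # drift tolerated, in steps either side of 'now'
        self.offset_steps = 0       # device counter minus server counter, learned by resync
        self.last_counter = -1      # highest counter already accepted; blocks code reuse

    def verify(self, code: str, now: int) -> bool:
        """Accept `code` if it matches a not-yet-used counter inside the window."""
        base = now // STEP_SECONDS + self.offset_steps
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue                 # replay, or older than a code already accepted
            if hmac.compare_digest(totp_for_counter(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False                     # a device drifted beyond the window lands here

    def resync(self, code1: str, code2: str, now: int, search: int = 100) -> bool:
        """Relearn the drift from two consecutive codes read off the device, the
        second of which the user read just before `now`. On success the offset
        is stored and both codes are consumed so they cannot be replayed."""
        base = now // STEP_SECONDS
        for delta in range(-search, search + 1):
            c = base + delta
            if (totp_for_counter(self.secret, c) == code1
                    and totp_for_counter(self.secret, c + 1) == code2):
                self.offset_steps = (c + 1) - base
                self.last_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed; never reuse a real seed
    now = 1_700_000_000
    drift = 5 * STEP_SECONDS                  # device clock runs 150 s fast
    v = TotpVerifier(secret)
    print("in-sync code accepted:", v.verify(totp_at(secret, now), now))
    print("drifted code accepted:", v.verify(totp_at(secret, now + drift), now))
    later = now + STEP_SECONDS
    ok = v.resync(totp_at(secret, now + drift), totp_at(secret, later + drift), later)
    print("resync succeeded:", ok, "learned offset (steps):", v.offset_steps)
    print("drifted code accepted after resync:",
          v.verify(totp_at(secret, later + STEP_SECONDS + drift), later + STEP_SECONDS))
```

The behaviour to notice is that a device only a few minutes off stops working entirely once it falls outside the window, which is exactly the "after several tries" failure the sections above describe; resynchronizing does not change the shared secret, it only records the clock difference, which is why the user is asked for consecutive codes rather than for a new enrollment.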