End of support notice: On September 10, 2025, AWS
will discontinue support for AWS RoboMaker. After September 10, 2025, you will
no longer be able to access the AWS RoboMaker console or AWS RoboMaker resources.
For more information on transitioning to AWS Batch to help run containerized
simulations, visit this blog
post
Getting started with IAM
AWS Identity and Access Management (IAM) is an AWS service that allows you manage access to services and resources securely. IAM is a feature of your AWS account offered at no additional charge.
Note
Before you start with IAM, review the introductory information on Authentication and access control for AWS RoboMaker.
When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide.
Create your IAM Admin user
To create an administrator user, choose one of the following options.
| Choose one way to manage your administrator | To | By | You can also |
|---|---|---|---|
| In IAM Identity Center (Recommended) |
Use short-term credentials to access AWS. This aligns with the security best practices. For information about best practices, see Security best practices in IAM in the IAM User Guide. |
Following the instructions in Getting started in the AWS IAM Identity Center User Guide. | Configure programmatic access by Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide. |
| In IAM (Not recommended) |
Use long-term credentials to access AWS. | Following the instructions in Create an IAM user for emergency access in the IAM User Guide. | Configure programmatic access by Manage access keys for IAM users in the IAM User Guide. |
Create delegated users for AWS RoboMaker
To support multiple users in your AWS account, you must delegate permission to allow other people to perform only the actions you want to allow. To do this, create an IAM group with the permissions those people need and then add IAM users to the necessary groups as you create them. You can use this process to set up the groups, users, and permissions for your entire AWS account. This solution is best used by small and medium organizations where an AWS administrator can manually manage the users and groups. For large organizations, you can use custom IAM roles, federation, or single sign-on.
See Creating a role to delegate permissions to an IAM user in the IAM User Guide for examples and more information on delegated users.
Allow users to self-manage their credentials
You must have physical access to the hardware that will host the user's virtual MFA device in order to configure MFA. For example, you might configure MFA for a user who will use a virtual MFA device running on a smartphone. In that case, you must have the smartphone available in order to finish the wizard. Because of this, you might want to let users configure and manage their own virtual MFA devices. In that case, you must grant users the permissions to perform the necessary IAM actions.
See IAM: Allows IAM users to self-manage an MFA device in the IAM User Guide for an example policy to grant necessary permissions.
Enable MFA for your IAM user
For increased security, we recommend that all IAM users configure multi-factor authentication (MFA) to help protect your AWS RoboMaker resources. MFA adds extra security because it requires users to provide unique authentication from an AWS-supported MFA device in addition to their regular sign-in credentials. See Enabling MFA devices for users in AWS in the IAM User Guide for set up instructions and more information on MFA options.
Note
You must have physical access to the mobile device that will host the user's virtual MFA device in order to configure MFA for an IAM user.
