# Users

Every IAM user receives an Amazon Resource Name (ARN). It is similar to an object ID in Active Directory and has the format:

* arn:aws:iam::\<account-id>:root
* arn:aws:iam::\<account-id>:user/iam-username

More details about ARN are already explained [here](/aws/aws-identity-and-access-management.md#arn).

### Console Access

When logging into AWS using the root account, one can simply navigate to <https://console.aws.amazon.com>, which redirects to the domain [signin.aws.amazon.com](https://signin.aws.amazon.com).

<figure><img src="/files/jSY4jyswyB9FUXRmjDV7" alt=""><figcaption></figcaption></figure>

However, when logging in with an IAM user, one can use the second option shown in the screenshot above and fill in the fields shown in the screenshot below:

<figure><img src="/files/g5G4tkkDD376Y7DPf6S4" alt=""><figcaption></figcaption></figure>

Here one can either provide the account ID (the 12-digit numeric ID created when signing up for AWS) or an account alias in its place (as the 12-digit number is difficult to remember), and then provide the IAM username and password to log in, provided the IAM user has console access.

<figure><img src="/files/cYpExFX9cPpWUKZZi6Lz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/15xHUGerni0LRicwYM0q" alt=""><figcaption></figcaption></figure>

The following steps show how to create an IAM user and give it console access in the IAM console. If it is the first IAM user, the root account has to be used. Specifically, the account created here is an administrator account which can be used to manage day-to-day operations in AWS.

<figure><img src="/files/RFrnSYC2Q4DrnY2vjqjM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/h5gDh96kVhh1rCFy2xmJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8b1dG9wu06G7YuPfbE4d" alt=""><figcaption></figcaption></figure>

Instead of giving each user administrator access individually, a group with administrator privileges has been created, as shown [here](/aws/aws-identity-and-access-management/groups-and-roles.md).

<figure><img src="/files/9HPWYv0jwh0DBVJjjolK" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Every IAM user accesses resources based on the permissions assigned to it.
{% endhint %}

<figure><img src="/files/d6sMzJMVdgBO7h7kHcDJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XjLgMsrWc38hnTB489kC" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Note: IAM users can also log in to the AWS console via https\://\<account-id>.signin.aws.amazon.com.
{% endhint %}

### Forgot Password

<figure><img src="/files/vLXBfMmfYECuQzOeL5h8" alt=""><figcaption></figcaption></figure>

As shown above, IAM users have to go to their IAM administrator for a password reset. This is particularly useful to prevent SSPR (Self Service Password Reset) abuse in phishing attacks.

### Programmatic Access

Next, one can also create access keys to let the user access AWS programmatically or through the CLI. They act like a **user-id (Access Key ID)** and **password (Secret Access Key)** for programmatic access.

Moreover, the best practices for them are as follows:

* Rotate access keys every 90 days
* Store access keys in a secure manner
* Delete unused keys
* Monitor usage of access keys

**Note**: Refer [here](https://guides.radifine.com/how-to-securely-access-and-transfer-file-to-an-ec2-instance-in-private-subnet-of-vpc-in-aws#heading-step-24-for-access-via-awscli-more-work-is-necessary) on how to use access keys and MFA to create [short term credentials](https://notes.radifine.com/aws/aws-iam/federation#aws-sts) as a best practice. This is particularly useful to avert the risk of long-term damage in case the user's system is compromised.

**Note**: If the access key is for an application, one can create a separate user with CLI-only access to the particular resource in AWS, store its key in AWS Secrets Manager and then give the EC2 instance an IAM instance profile that can fetch only that particular key from Secrets Manager, as a security best practice.

Access keys can be created as shown below:

<figure><img src="/files/5wPDPYChj7D4dHBXL0bQ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PHs3X7FpijiTY7RbiZtJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/kZRIOHNapzZ0OE3XqEge" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Note: If the primary use case of the access keys is to perform repetitive operations across AWS services or to save time by working over the CLI, then **CloudShell** can also be used as shown below. It is simply better because there is no need to ever store access keys locally on the user's system.
{% endhint %}

<figure><img src="/files/X2d4xNqIHNTuge5vlvDA" alt=""><figcaption></figcaption></figure>

Note that the Access Key ID starts with AKIA for long-term credentials and ASIA for short-term credentials.
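As an added example (not code from the original page), the following Python audits a list of IAM access keys against the best practices listed above (rotate after 90 days, delete unused keys) and classifies each key ID by its AKIA/ASIA prefix. The records are constructed sample data shaped like the fields `aws iam list-access-keys` and `aws iam get-access-key-last-used` return, and the 90-day rotation and 45-day unused thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Reference time and sample key records, both constructed for this example.
# Field names follow `aws iam list-access-keys` (UserName, AccessKeyId, Status,
# CreateDate) and `aws iam get-access-key-last-used` (LastUsedDate, None if never used).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=60), "LastUsedDate": None},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=300)},
]

def credential_type(access_key_id):
    """Classify a key ID by prefix: AKIA = long-term IAM user key, ASIA = temporary STS key."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "short-term"
    return "unknown"

def audit_access_keys(keys, now=NOW, max_age_days=90, unused_days=45):
    """Return (user, key id, action) findings for keys that violate the best practices:
    inactive or unused keys should be deleted, keys older than max_age_days rotated."""
    findings = []
    for key in keys:
        user, key_id = key["UserName"], key["AccessKeyId"]
        if key["Status"] != "Active":
            findings.append((user, key_id, "inactive key: delete it"))
            continue  # an inactive key is dead weight regardless of age
        last_used = key["LastUsedDate"]
        if last_used is None:
            findings.append((user, key_id, "never used: delete it"))
        elif (now - last_used).days > unused_days:
            findings.append((user, key_id, f"unused for {(now - last_used).days} days: delete it"))
        age_days = (now - key["CreateDate"]).days
        if age_days > max_age_days:
            findings.append((user, key_id, f"{age_days} days old: rotate it"))
    return findings

if __name__ == "__main__":
    for user, key_id, action in audit_access_keys(SAMPLE_KEYS):
        print(f"{user:6} {key_id} ({credential_type(key_id)}): {action}")
```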

### Password Policy

The account password policy is used to configure the following:

* Character requirements such as lowercase letters, uppercase letters, etc.
* Minimum password length.
* Validity of the password in terms of its expiration.
* Number of password attempts allowed for users.
* Reusability of passwords.
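As an added example (not code from the original page), the following Python checks a fetched account password policy against a baseline covering the settings listed above and builds the parameters needed to fix it. Field names are those of the IAM `GetAccountPasswordPolicy` response and `UpdateAccountPasswordPolicy` parameters; the baseline values and the weak sample policy are constructed assumptions, not AWS defaults.

```python
# Baseline and sample policy are both constructed for this example. Field names are
# those of the IAM GetAccountPasswordPolicy response / UpdateAccountPasswordPolicy
# parameters; the baseline values are an assumed standard, not AWS defaults.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,            # days until expiry
    "PasswordReusePrevention": 24,   # previous passwords that cannot be reused
}

# A weak policy as `aws iam get-account-password-policy` might return it: the optional
# MaxPasswordAge and PasswordReusePrevention keys are simply absent when unset.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": False,
    "RequireSymbols": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,        # read-only in the response, not an update parameter
}
AT_MOST = {"MaxPasswordAge"}  # smaller is stricter; other numeric fields are "at least"

def check_password_policy(policy, baseline=BASELINE):
    """Return {field: (actual, required)} for every baseline requirement the policy misses."""
    gaps = {}
    for field, required in baseline.items():
        actual = policy.get(field)
        if isinstance(required, bool):
            ok = actual == required
        elif actual is None:
            ok = False  # unset optional field: no expiry / no reuse prevention
        elif field in AT_MOST:
            ok = actual <= required
        else:
            ok = actual >= required
        if not ok:
            gaps[field] = (actual, required)
    return gaps

def remediation_parameters(policy, baseline=BASELINE):
    """Build the UpdateAccountPasswordPolicy parameters: keep the current settable
    values and overwrite them with the baseline (ExpirePasswords is not settable)."""
    params = {k: v for k, v in policy.items() if k != "ExpirePasswords"}
    params.update(baseline)
    return params
```

With boto3 the returned dict can be passed directly as `iam.update_account_password_policy(**params)`.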

Password Policy can be managed as shown below:

<figure><img src="/files/yYKadTuFAEa4U5cfVUjA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/O16CDIt38PktUh3RSpMe" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Qvs9QKamYFwp3elxub2K" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zzl0puuQQ23QapunlXfY" alt=""><figcaption></figcaption></figure>

### Setting up MFA

This is used to set up an extra layer of security.

Log in to the AWS console and go to Security Credentials.

<figure><img src="/files/2bE5MKcngQJrvrRVgsFb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VWrPWjyggm4yIN26P69n" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HtH6tPDjsruBDXmSo1S9" alt=""><figcaption></figcaption></figure>

For the demo, let's configure MFA using a software-based authenticator app. OneAuth, Microsoft Authenticator, Google Authenticator, Orange Authenticator, etc. are supported. A browser extension from authenticator.cc can also be used.

<figure><img src="/files/z33EkUv9mmOVWenU2SzE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Gwyyzxy0Yduy6enSfVqK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/E2c1YGGyQsedIh4ZnP7N" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5JPXwJ3KcfbsoPrTTs0i" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dSRpyBcj8VzEOLrBLCXm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xClO6ltImGbdRu5CRAgN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gMFtUZPm35wztTlqvxoe" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/D2uYRQlm8gMPoN6Usrhy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/iDnFXOj6R8KG0myRWpiq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DC8Q8hFXKe4kdm22ghAw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GP5PqeHVCt4aEhnmN2zT" alt=""><figcaption></figcaption></figure>

