Cloud security best practice is to authenticate with temporary credentials rather than long-term ones: a credential that expires on its own limits the damage from accidental exposure, sharing, or theft. AWS therefore recommends that human users (administrators, developers, operators, and application consumers, also called human identities) access AWS resources through IAM Identity Center, which issues short-term credentials for everyday access, rather than through IAM users that hold long-term access keys or passwords.

IAM Identity Center gives you one place to manage user access and permissions across all the AWS accounts in your organization. Its identity source can be Active Directory, an external identity provider (IdP), or the built-in IAM Identity Center directory; you manage users and groups there and assign them access to accounts through permission sets. Whichever source you use, the mechanism is the same as for any federated access through an IdP: IAM users receive long-term credentials, but IAM roles provide temporary ones, and a federated or IAM Identity Center user assumes an IAM role at sign-in and receives temporary credentials that expire. IAM Identity Center also simplifies sign-in for human users, centralizes control over who can reach which resources, and supports Multi-Factor Authentication (MFA) to strengthen account security.
For managing access to AWS, IAM users are rarely the right choice. They were the original mechanism for long-term access and are now largely superseded; in most cases they should be avoided. Each IAM user lives in a single account, so as the organization grows you end up managing users, credentials, and permissions account by account, which does not scale and quickly becomes tedious. IAM users also lack the centralized visibility and auditing that other AWS identity management tools provide, which makes it harder to stay secure and to demonstrate compliance. Controls such as MFA, password policies, and role separation are far easier to enforce centrally with a modern, scalable identity solution than per IAM user. Prefer AWS Organizations with IAM Identity Center, or federated identities from an external IdP; both give better control, security, and operational efficiency as your AWS environment grows. AWS's recommendation is IAM Identity Center users with temporary credentials rather than IAM users with long-term credentials for day-to-day cloud access. Where an IAM user is still required for programmatic access with long-term credentials, follow the best practices in this guide and rotate its access keys regularly.
Audit
To determine if there are any IAM users available within your AWS cloud account, perform the following operations:
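The following script is an added example, not the page's own audit steps: it enumerates IAM users with the same calls the CLI references below use (list-users, then list-access-keys per user) and reports which users carry active long-term access keys and which of those keys are older than a rotation window. The 90-day window, the user names, and the key IDs in the fake client are constructed sample data; only main() talks to AWS, through boto3.

```python
"""Audit helper (added example, not from the original page): list the IAM users in
an account and the long-term access keys attached to each one. Only main() touches
AWS, through boto3; audit_iam_users() accepts any object exposing
list_users/list_access_keys, so it runs offline against the fake below."""
from datetime import datetime, timedelta, timezone


def audit_iam_users(iam, max_key_age_days=90, now=None):
    """Return one finding per IAM user: how many access keys are active and which
    active keys are older than max_key_age_days (an assumed rotation window).
    For this rule every IAM user is a finding; the key details show which ones
    still carry live long-term credentials."""
    now = now or datetime.now(timezone.utc)
    users, kwargs = [], {}
    while True:  # ListUsers is paginated with IsTruncated / Marker
        resp = iam.list_users(**kwargs)
        users.extend(resp["Users"])
        if not resp.get("IsTruncated"):
            break
        kwargs = {"Marker": resp["Marker"]}

    findings = []
    for user in users:
        keys = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
        active = [k for k in keys if k["Status"] == "Active"]
        stale = [k["AccessKeyId"] for k in active
                 if now - k["CreateDate"] > timedelta(days=max_key_age_days)]
        findings.append({"UserName": user["UserName"],
                         "ActiveKeys": len(active), "StaleKeys": stale})
    return findings


class FakeIam:
    """Constructed stand-in for boto3's IAM client with sample data (not a real
    account). Response shapes follow the real ListUsers / ListAccessKeys APIs,
    including a two-page ListUsers result to exercise the pagination loop."""

    def __init__(self, now):
        self._users = [{"UserName": "legacy-admin"}, {"UserName": "ci-deployer"}]
        self._keys = {
            "legacy-admin": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
                              "CreateDate": now - timedelta(days=400)}],
            "ci-deployer": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
                             "CreateDate": now - timedelta(days=10)},
                            {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
                             "CreateDate": now - timedelta(days=500)}],
        }

    def list_users(self, Marker=None):
        if Marker is None:  # first page
            return {"Users": self._users[:1], "IsTruncated": True, "Marker": "page-2"}
        return {"Users": self._users[1:], "IsTruncated": False}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self._keys.get(UserName, []))}


def demo(max_key_age_days=90):
    """Run the audit offline against the constructed fake."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return audit_iam_users(FakeIam(now), max_key_age_days=max_key_age_days, now=now)


def main():
    import boto3  # real call: needs credentials allowed iam:ListUsers and iam:ListAccessKeys
    for finding in audit_iam_users(boto3.client("iam")):
        print(finding)


if __name__ == "__main__":
    main()
```

Access keys are only one kind of long-term credential; console passwords and MFA state are not covered by these two calls, so pair this with the IAM credential report when you want the complete picture for each user.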
Remediation / Resolution
To ensure that human users access AWS cloud using temporary credentials, delete existing IAM users and configure user access with IAM Identity Center. Perform the following operations to remove IAM users and set up IAM Identity Center:
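The following is an added example, not the page's own remediation steps: it performs the IAM Identity Center side of the remediation with the same API calls the CLI references below name (list-instances, create-user, create-group, create-group-membership, create-permission-set, attach-managed-policy-to-permission-set, create-account-assignment). The account ID, user, group and permission set names, and the ReadOnlyAccess policy ARN are placeholders; clients are injected so the function runs offline against the recording fake included here, and only main() uses boto3.

```python
"""Remediation helper (added example, not from the original page): give a human
user temporary-credential access through IAM Identity Center, via a group and a
permission set, instead of an IAM user. Clients are injected so the function runs
offline against the recording fake below; main() wires up the real sso-admin and
identitystore clients. Account id, names and the policy ARN are placeholders."""


def provision_identity_center_access(sso_admin, identitystore, user, group_name,
                                     permission_set_name, account_id, policy_arn,
                                     session_duration="PT8H"):
    """Create the user and group in the Identity Center directory, a permission set
    carrying policy_arn, and assign the group to account_id. Members get a role whose
    credentials expire after session_duration (ISO 8601 duration)."""
    instance = sso_admin.list_instances()["Instances"][0]  # the org's instance
    instance_arn, store_id = instance["InstanceArn"], instance["IdentityStoreId"]

    user_id = identitystore.create_user(
        IdentityStoreId=store_id, UserName=user["UserName"],
        DisplayName=user["DisplayName"],
        Name={"GivenName": user["GivenName"], "FamilyName": user["FamilyName"]},
        Emails=[{"Value": user["Email"], "Primary": True}])["UserId"]
    group_id = identitystore.create_group(
        IdentityStoreId=store_id, DisplayName=group_name)["GroupId"]
    identitystore.create_group_membership(
        IdentityStoreId=store_id, GroupId=group_id, MemberId={"UserId": user_id})

    ps_arn = sso_admin.create_permission_set(
        InstanceArn=instance_arn, Name=permission_set_name,
        SessionDuration=session_duration)["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=policy_arn)
    # Assign the group rather than the user so future members inherit the access.
    sso_admin.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
    return {"UserId": user_id, "GroupId": group_id, "PermissionSetArn": ps_arn}


class RecordingClient:
    """Constructed stand-in for a boto3 client: records every call and answers with
    canned responses shaped like the real API, so nothing reaches AWS."""

    def __init__(self, canned):
        self.calls, self._canned = [], canned

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self._canned.get(name, {})
        return call


SAMPLE_USER = {"UserName": "jdoe", "DisplayName": "Jane Doe", "GivenName": "Jane",
               "FamilyName": "Doe", "Email": "jdoe@example.com"}  # placeholder identity


def demo():
    """Run the procedure against recording fakes; return the created ids and the
    order in which each service was called."""
    sso_admin = RecordingClient({
        "list_instances": {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
                                          "IdentityStoreId": "d-EXAMPLE"}]},
        "create_permission_set": {"PermissionSet": {
            "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"}},
    })
    identitystore = RecordingClient({"create_user": {"UserId": "u-EXAMPLE"},
                                     "create_group": {"GroupId": "g-EXAMPLE"}})
    result = provision_identity_center_access(
        sso_admin, identitystore, SAMPLE_USER, group_name="Operators",
        permission_set_name="OperatorAccess", account_id="123456789012",
        policy_arn="arn:aws:iam::aws:policy/ReadOnlyAccess")
    return result, [c[0] for c in sso_admin.calls], [c[0] for c in identitystore.calls]


def main():
    import boto3  # real calls: run in the region where Identity Center is enabled
    print(provision_identity_center_access(
        boto3.client("sso-admin"), boto3.client("identitystore"), SAMPLE_USER,
        group_name="Operators", permission_set_name="OperatorAccess",
        account_id="123456789012", policy_arn="arn:aws:iam::aws:policy/ReadOnlyAccess"))


if __name__ == "__main__":
    main()
```

Two caveats when you then remove the old IAM user: confirm the person can sign in through the access portal first, and strip the user's access keys, console password, MFA devices, policies, and group memberships before calling delete-user, because IAM refuses to delete a user that still has any of these attached (a DeleteConflict error).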
References
- AWS Documentation
- AWS Identity and Access Management (IAM) FAQs
- What is IAM Identity Center?
- IAM users
- Use cases for IAM users
- View IAM users
- Delete or deactivate an IAM user
- Identity providers and federation
- Security best practices in IAM
- Compare IAM identities and credentials
- Get started with common tasks in IAM Identity Center
- Enabling AWS IAM Identity Center
- Confirm your identity sources in IAM Identity Center
- Configure user access with the default IAM Identity Center directory
- Assign user access to AWS accounts
- SEC02-BP02 Use temporary credentials
- AWS Command Line Interface (CLI) Documentation
- list-users
- delete-user
- create-user
- create-group
- create-group-membership
- list-instances
- create-permission-set
- attach-managed-policy-to-permission-set
- create-account-assignment