

# What is AWS Sign-In?
<a name="what-is-sign-in"></a>

This guide helps you understand the different ways that you can sign in to Amazon Web Services (AWS), depending on what type of user you are. For more information about how to sign in based on your user type and the AWS resources that you want to access, see one of the following tutorials. 
+ [Sign in to the AWS Management Console](how-to-sign-in.md)
+ [Sign in to your AWS access portal](iam-id-center-sign-in-tutorial.md)
+ [Sign in as a federated identity](federated-identity-overview.md)
+ [Sign in through the AWS Command Line Interface](command-line-sign-in.md)
+ [Sign in with AWS Builder ID](sign-in-builder-id.md)

If you're having issues signing in to your AWS account, see [Troubleshooting AWS account sign-in issues](troubleshooting-sign-in-issues.md). For help with your AWS Builder ID, see [Troubleshooting AWS Builder ID issues](troubleshooting-builder-id-issues.md). Looking to create an AWS account? [Sign up for AWS](https://portal.aws.amazon.com/billing/signup#/start/email). For more information about how signing up for AWS can help you or your organization, see [Contact Us](https://aws.amazon.com/contact-us/sales-support-1v/).

**Topics**
+ [Terminology](#terminology)
+ [Region availability for AWS Sign-In](#sign-in-regions)
+ [Sign-in event logging](#sign-in-events)
+ [Determine your user type](user-types-list.md)
+ [Determine your sign-in URL](sign-in-urls-defined.md)
+ [Domains to add to your allow list](allowlist-domains.md)
+ [Security best practices for AWS account administrators](best-practices-admin.md)

## Terminology
<a name="terminology"></a>

Amazon Web Services (AWS) uses [common terminology](https://docs.aws.amazon.com//general/latest/gr/glos-chap.html) to describe the sign-in process. We recommend that you read and understand these terms.

### Administrator
<a name="administrator"></a>

Also referred to as an AWS account administrator or IAM administrator. The administrator, typically Information Technology (IT) personnel, is an individual who oversees an AWS account. Administrators have a higher level of permissions to the AWS account than other members of their organization. Administrators establish and implement settings for the AWS account. They also create IAM or IAM Identity Center users. The administrator provides these users with their access credentials and a sign-in URL to sign in to AWS.

### Account
<a name="account"></a>

A standard AWS account contains both your AWS resources and the identities that can access those resources. Accounts are associated with the account owner’s email address and password.

### Credentials
<a name="credentials"></a>

Also referred to as access credentials or security credentials. In authentication and authorization, a system uses credentials to identify who is making a call and whether to allow the requested access. Credentials are the information that users provide to AWS to sign in and gain access to AWS resources. Credentials for human users can include an email address, a user name, a user-defined password, an account ID or alias, a verification code, and a single-use multi-factor authentication (MFA) code. For programmatic access, you can also use access keys. We recommend using short-term access keys when possible.

For more information about credentials, see [AWS security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html).

**Note**  
The type of credentials a user must submit depends on their user type. 

### Corporate credentials
<a name="corporate-credentials"></a>

The credentials that users provide when accessing their corporate network and resources. Your corporate administrator can set up your AWS account to use the same credentials that you use to access your corporate network and resources. These credentials are provided to you by your administrator or help desk employee.

### Profile
<a name="profile-builder-id"></a>

When you sign up for an AWS Builder ID, you create a profile. Your profile includes the contact information you provided and the ability to manage multi-factor authentication (MFA) devices and active sessions. You can also learn more about privacy and how we handle your data in your profile. For more information about your profile and how it relates to an AWS account, see [AWS Builder ID and other AWS credentials](differences-builder-id.md). 

### Root user credentials
<a name="root-user-credentials"></a>

The root user credentials are the email address and password used to create the AWS account. We strongly recommend that MFA be added to the root user credentials for additional security. Root user credentials provide complete access to all AWS services and resources in the account. For more information on the root user, see [Root user](user-types-list.md#account-root-user-type).

### User
<a name="user"></a>

A user is a person or application that has permissions to make API calls to AWS products or to access AWS resources. Each user has a unique set of security credentials that aren't shared with other users. These credentials are separate from the security credentials for the AWS account. For more information, see [Determine your user type](user-types-list.md).

### Verification code
<a name="verification-code-defined"></a>

A verification code verifies your identity during the sign-in process [using multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). The delivery methods for verification codes vary. They can be sent by text message or email. Check with your administrator for more information.

## Region availability for AWS Sign-In
<a name="sign-in-regions"></a>

AWS Sign-in is available in several commonly used AWS Regions. This availability makes it easier for you to access AWS services and business applications. For a full list of the Regions that Sign-in supports, see [AWS Sign-In endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/signin-service.html).

## Sign-in event logging
<a name="sign-in-events"></a>

CloudTrail is automatically enabled on your AWS account and records events when activity occurs. The following resources can help you learn more about logging and monitoring sign-in events.
+ CloudTrail logs attempts to sign in to the AWS Management Console. All IAM user, root user, and federated user sign-in events generate records in CloudTrail log files. For more information, see [AWS Management Console sign-in events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html) in the *AWS CloudTrail User Guide*.
+ If you use a Regional endpoint to sign in to the AWS Management Console, CloudTrail records the `ConsoleLogin` event in the appropriate Region for the endpoint. For more information about AWS Sign-In endpoints, see [AWS Sign-In endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/signin-service.html) in the *AWS General Reference Guide*.
+ To learn more about how CloudTrail logs sign-in events for IAM Identity Center, see [Understanding IAM Identity Center sign-in events](https://docs.aws.amazon.com/singlesignon/latest/userguide/understanding-sign-in-events.html) in the *IAM Identity Center User Guide*.
+ To learn more about how CloudTrail logs different user identity information in IAM, see [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) in the *AWS Identity and Access Management User Guide*.
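The list above points at the CloudTrail references; the following script is an added example (not code from the AWS documentation) of what an administrator does with those `ConsoleLogin` records once they are in hand. It tags root sign-ins, sign-ins that completed without MFA, and failed attempts, and flags any source address with repeated failures. The field names follow the CloudTrail console sign-in event format; the records themselves, the account ID, the principal names, the IP addresses (from the RFC 5737 documentation ranges) and the failure threshold are all constructed for the example.

```python
"""Triage CloudTrail ConsoleLogin records for sign-in risk signals.

Added example, not AWS documentation code. Field names follow the CloudTrail
console sign-in event format; every record below is constructed.
"""
import json
from collections import Counter

ACCOUNT = "111122223333"  # constructed account ID
FAILURE_THRESHOLD = 3     # failed sign-ins from one IP before it is flagged


def _login(ident_type, arn, outcome, mfa, ip, region, when):
    """Build one constructed ConsoleLogin record in CloudTrail's shape."""
    return {
        "eventTime": when,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userIdentity": {"type": ident_type, "accountId": ACCOUNT, "arn": arn},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


# Constructed sample log file contents (not real CloudTrail output).
SAMPLE_LOG = json.dumps({"Records": [
    _login("Root", f"arn:aws:iam::{ACCOUNT}:root", "Success", "No",
           "192.0.2.10", "us-east-1", "2024-01-15T08:01:12Z"),
    _login("IAMUser", f"arn:aws:iam::{ACCOUNT}:user/alice", "Success", "Yes",
           "192.0.2.10", "us-east-1", "2024-01-15T08:05:40Z"),
    # Three failures from one address through a Regional endpoint, so the
    # events are recorded in that Region rather than in us-east-1.
    _login("IAMUser", f"arn:aws:iam::{ACCOUNT}:user/bob", "Failure", "No",
           "198.51.100.7", "eu-west-1", "2024-01-15T08:10:01Z"),
    _login("IAMUser", f"arn:aws:iam::{ACCOUNT}:user/bob", "Failure", "No",
           "198.51.100.7", "eu-west-1", "2024-01-15T08:10:09Z"),
    _login("IAMUser", f"arn:aws:iam::{ACCOUNT}:user/bob", "Failure", "No",
           "198.51.100.7", "eu-west-1", "2024-01-15T08:10:15Z"),
    # Federated sign-in through a role: MFA is enforced at the identity
    # provider, so CloudTrail's MFAUsed field says nothing about it.
    _login("AssumedRole", f"arn:aws:sts::{ACCOUNT}:assumed-role/Developers/carol",
           "Success", "No", "203.0.113.5", "us-east-1", "2024-01-15T08:20:33Z"),
    # An unrelated IAM API call, which the triage must ignore.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "eventTime": "2024-01-15T08:30:00Z"},
]})


def parse_records(log_text):
    """CloudTrail log files wrap their events in a top-level Records array."""
    return json.loads(log_text)["Records"]


def login_findings(event):
    """Return finding tags for a ConsoleLogin record, or None for other events."""
    if (event.get("eventSource") != "signin.amazonaws.com"
            or event.get("eventName") != "ConsoleLogin"):
        return None
    ident_type = event.get("userIdentity", {}).get("type")
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return ["failed-login"]
    findings = []
    if ident_type == "Root":
        findings.append("root-login")  # root should not be used day to day
    # Only root and IAM user sign-ins perform MFA against AWS itself.
    if (ident_type in ("Root", "IAMUser")
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("no-mfa")
    return findings


def triage(records):
    """Tag every sign-in event and flag source IPs with repeated failures."""
    events, failures_by_ip = [], Counter()
    for rec in records:
        tags = login_findings(rec)
        if tags is None:
            continue
        if "failed-login" in tags:
            failures_by_ip[rec.get("sourceIPAddress")] += 1
        events.append({
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "ip": rec.get("sourceIPAddress"),
            "findings": tags,
        })
    suspect_ips = sorted(ip for ip, n in failures_by_ip.items()
                         if n >= FAILURE_THRESHOLD)
    return {"events": events, "suspect_ips": suspect_ips}


if __name__ == "__main__":
    for e in triage(parse_records(SAMPLE_LOG))["events"]:
        print(e["time"], e["region"], e["principal"], e["ip"], e["findings"])
```

Because a Regional sign-in endpoint writes the event to that Region's trail, the triage keeps `awsRegion` on every finding; a trail that only covers one Region would miss the three failures above entirely. The "no-mfa" rule is deliberately limited to root and IAM user principals, since for federated sign-ins the MFA decision is made at the identity provider.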

# Determine your user type
<a name="user-types-list"></a>

How you sign in depends on what type of AWS user you are. You can manage an AWS account as a root user, an IAM user, a user in IAM Identity Center, or a federated identity. You can use an AWS Builder ID profile to access certain AWS services and tools. The different user types are listed below.

**Topics**
+ [Root user](#account-root-user-type)
+ [IAM user](#iam-user-type)
+ [IAM Identity Center user](#sso-user-type)
+ [Federated identity](#federated-identity-type)
+ [AWS Builder ID user](#builder-id-type)

## Root user
<a name="account-root-user-type"></a>

Also referred to as the account owner or account root user. As the root user, you have complete access to all AWS services and resources in your AWS account. When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account. Root users sign in with the [AWS Management Console](https://console.aws.amazon.com/). For step by step instructions on how to sign in, see [Sign in to the AWS Management Console as the root user](introduction-to-root-user-sign-in-tutorial.md).

**Important**  
 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

For more information about IAM identities including the root user, see [IAM Identities (users, user groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html).

## IAM user
<a name="iam-user-type"></a>

An IAM user is an entity you create in AWS. This user is an identity within your AWS account that's granted specific custom permissions. Your IAM user credentials consist of a name and password used to sign in to the [AWS Management Console](https://console.aws.amazon.com/). For step by step instructions on how to sign in, see [Sign in to the AWS Management Console as an IAM user](introduction-to-iam-user-sign-in-tutorial.md).

For more information about IAM identities including the IAM user, see [IAM Identities (users, user groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html).

## IAM Identity Center user
<a name="sso-user-type"></a>

An IAM Identity Center user is a member of AWS Organizations and can be granted access to multiple AWS accounts and applications through your AWS access portal. If their company has integrated Active Directory or another identity provider with IAM Identity Center, users in IAM Identity Center can use their corporate credentials to sign in. IAM Identity Center can also be an identity provider where an administrator can create users. Regardless of the identity provider, users in IAM Identity Center sign in using your AWS access portal, which is a specific sign-in URL for their organization. IAM Identity Center users **can't** sign in through the AWS Management Console URL.

Human users in IAM Identity Center can get your AWS access portal URL from either:
+ A message from their administrator or help desk employee
+ An email from AWS with an invitation to join IAM Identity Center

**Tip**  
All emails sent by the IAM Identity Center service originate from either the address **no-reply@signin.aws** or **no-reply@login.awsapps.com**. We recommend that you configure your email system so that it accepts emails from these sender email addresses and doesn't handle them as junk or spam.

For step by step instructions on how to sign in, see [Sign in to your AWS access portal](iam-id-center-sign-in-tutorial.md).

**Note**  
 We recommend you bookmark your organization's specific sign-in URL for your AWS access portal so that you can access it later. 

For more information about IAM Identity Center, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)

## Federated identity
<a name="federated-identity-type"></a>

A federated identity is a user who can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other [OpenID Connect (OIDC)](https://openid.net/connect/)-compatible IdP. With web identity federation, you can receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. You don't sign in with the AWS Management Console or AWS access portal. Instead, the external identity in use determines how you sign in.

For more information, see [Sign in as a federated identity](federated-identity-overview.md).

## AWS Builder ID user
<a name="builder-id-type"></a>

As an AWS Builder ID user, you specifically sign in to the AWS service or tool that you want to access. An AWS Builder ID user complements any AWS account you already have or want to create. An AWS Builder ID represents you as a person, and you can use it to access AWS services and tools without an AWS account. You also have a profile where you can see and update your information. For more information, see [Sign in with AWS Builder ID](sign-in-builder-id.md).

AWS Builder ID is separate from your AWS Skill Builder subscription, an online learning center where you can learn from AWS experts and build cloud skills online. For more information about AWS Skill Builder, see [AWS Skill Builder](https://skillbuilder.aws/).

# Determine your sign-in URL
<a name="sign-in-urls-defined"></a>

Use one of the following URLs to access AWS depending on what kind of AWS user you are. For more information, see [Determine your user type](user-types-list.md).

**Topics**
+ [AWS account root user sign-in URL](#root-user-url)
+ [AWS access portal](#access-portal-url)
+ [IAM user sign-in URL](#IAM-user-url)
+ [Federated identity URL](#federated-identities-url)
+ [AWS Builder ID URL](#builder-id-url)

## AWS account root user sign-in URL
<a name="root-user-url"></a>

The root user accesses the AWS Management Console from the AWS sign-in page: [https://console.aws.amazon.com/](https://console.aws.amazon.com/).

This sign-in page also has the option of signing in as an IAM user.

## AWS access portal
<a name="access-portal-url"></a>

The AWS access portal is a specific sign-in URL for users in IAM Identity Center to sign in and access your account. When an administrator creates the user in IAM Identity Center, the administrator chooses whether the user receives an email invitation to join IAM Identity Center or a message from the administrator or help desk employee that contains a one-time password and the AWS access portal URL. The specific sign-in URL has one of the following formats:

```
https://d-xxxxxxxxxx.awsapps.com/start
```

or

```
https://your_subdomain.awsapps.com/start
```

The specific sign-in URL varies because your administrator can customize it. The specific sign-in URL might begin with the letter D followed by 10 randomized numbers and letters. Your subdomain might also be used in the sign-in URL and may include your company name like the following example:

![AWS access portal URL example.](http://docs.aws.amazon.com/signin/latest/userguide/images/URL-example-aws-access-portal-AnyCompany.png)

**Note**  
 We recommend that you bookmark the specific sign-in URL for your AWS access portal so that you can access it later. 

For more information about your AWS access portal, see [Using the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html).

## IAM user sign-in URL
<a name="IAM-user-url"></a>

IAM users can access the AWS Management Console with a specific IAM user sign-in URL. The IAM user sign-in URL combines your AWS account ID or alias with `signin.aws.amazon.com/console`.

An example of what an IAM user sign-in URL looks like:

```
https://account_alias_or_id.signin.aws.amazon.com/console/
```

If your account ID is 111122223333, your sign-in URL would be:

![IAM user sign-in URL example.](http://docs.aws.amazon.com/signin/latest/userguide/images/URL-example-IAM-user-sign-in.png)

If you're experiencing issues accessing your AWS account with your IAM user sign-in URL, see [Resilience in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/disaster-recovery-resiliency.html) for more information.

## Federated identity URL
<a name="federated-identities-url"></a>

The sign-in URL for a federated identity varies. The external identity or external Identity Provider (IdP) determines the sign-in URL for federated identities. The external identity could be Windows Active Directory, Login with Amazon, Facebook, or Google. Contact your administrator for more details on how to sign in as a federated identity. 

For more information about federated identities, see [About web identity federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html).

## AWS Builder ID URL
<a name="builder-id-url"></a>

The URL for your AWS Builder ID profile is [https://profile.aws.amazon.com/](https://profile.aws.amazon.com/). When using your AWS Builder ID, the sign-in URL depends on what service you want to access. For example, to sign in to Amazon CodeCatalyst, go to [https://codecatalyst.aws/login](https://codecatalyst.aws/login). 

# Domains to add to your allow list
<a name="allowlist-domains"></a>

If you filter access to specific AWS domains or URL endpoints by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must add the following domains or URL endpoints to your web-content filtering solution allowlists.

## AWS Sign-In domains to allowlist
<a name="allowlist-domains-sign-in"></a>

If you or your organization implement IP or domain filtering, you may need to allowlist domains to use the AWS Management Console. The following domains must be accessible on the network from which you are trying to access the AWS Management Console.
+ `[Region].signin.aws`
+ `[Region].signin.aws.amazon.com`
+ `signin.aws.amazon.com`
+ `*.cloudfront.net`
+ `opfcaptcha-prod.s3.amazonaws.com`

## AWS access portal domains to allowlist
<a name="allowlist-domains-access-portal"></a>

If you filter access to specific AWS domains or URL endpoints by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must add the following domains or URL endpoints to your web-content filtering solution allowlists. Doing so enables you to access your AWS access portal.
+ `[Directory ID or alias].awsapps.com`
+ `*.aws.dev`
+ `*.awsstatic.com`
+ `*.console.aws.a2z.com`
+ `oidc.[Region].amazonaws.com`
+ `*.sso.amazonaws.com`
+ `*.sso.[Region].amazonaws.com`
+ `*.sso-portal.[Region].amazonaws.com`

## AWS Builder ID domains to allowlist
<a name="allowlist-domains-builder-id"></a>

If you or your organization implement IP or domain filtering, you may need to allowlist domains to create and use an AWS Builder ID. The following domains must be accessible on the network from which you are trying to access AWS Builder ID.
+ `view.awsapps.com/start`
+ `*.aws.dev`
+ `*.uis.awsstatic.com`
+ `*.console.aws.a2z.com`
+ `oidc.*.amazonaws.com`
+ `*.sso.amazonaws.com`
+ `*.sso.*.amazonaws.com`
+ `*.sso-portal.*.amazonaws.com`
+ `*.signin.aws`
+ `*.cloudfront.net`
+ `opfcaptcha-prod.s3.amazonaws.com`
+ `profile.aws.amazon.com`
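The sign-in URL forms from "Determine your sign-in URL" and the allowlist patterns above are both things a help desk or a web filter has to match against a hostname, and the part that matters for security is that the match is anchored: `signin.aws.amazon.com.example.net` must not pass. The following script is an added example (not code from the AWS documentation) that turns the page's patterns into anchored regular expressions and classifies a URL as the console, IAM user, or access portal sign-in form. The label character rule `[a-z0-9-]` for aliases, directory IDs and Regions, and the choice to let `*` stand for one or more labels, are assumptions made for the example; the pattern lists are copied from the sections above.

```python
"""Match hostnames against AWS sign-in allowlist patterns and URL forms.

Added example, not AWS documentation code. Pattern lists are copied from the
page; the label syntax and wildcard expansion are assumptions.
"""
import re
from urllib.parse import urlsplit

# Allowlist patterns as written on the page. "[Region]" and
# "[Directory ID or alias]" stand for exactly one DNS label; "*" is treated
# here as one or more labels (assumption about how a filter expands it).
SIGN_IN_PATTERNS = [
    "[Region].signin.aws",
    "[Region].signin.aws.amazon.com",
    "signin.aws.amazon.com",
    "*.cloudfront.net",
    "opfcaptcha-prod.s3.amazonaws.com",
]
ACCESS_PORTAL_PATTERNS = [
    "[Directory ID or alias].awsapps.com",
    "*.aws.dev",
    "*.awsstatic.com",
    "*.console.aws.a2z.com",
    "oidc.[Region].amazonaws.com",
    "*.sso.amazonaws.com",
    "*.sso.[Region].amazonaws.com",
    "*.sso-portal.[Region].amazonaws.com",
]

LABEL = r"[a-z0-9-]+"  # one DNS label (assumed character set)


def pattern_to_regex(pattern):
    """Turn a page-style domain pattern into an anchored, compiled regex."""
    parts = []
    for token in re.split(r"(\[[^\]]+\]|\*)", pattern):
        if not token:
            continue
        if token == "*":
            parts.append(r"(?:" + LABEL + r"\.)*" + LABEL)
        elif token.startswith("["):
            parts.append(LABEL)
        else:
            parts.append(re.escape(token))
    # Anchoring at both ends is what keeps look-alike hosts such as
    # signin.aws.amazon.com.example.net from matching.
    return re.compile("^" + "".join(parts) + "$")


def host_of(url):
    """Return the lowercase hostname of an https URL, or None otherwise."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_allowlisted(url, patterns):
    """True if the URL's host matches one of the allowlist patterns."""
    host = host_of(url)
    if host is None:
        return False
    return any(pattern_to_regex(p).fullmatch(host) for p in patterns)


# The three sign-in URL forms described on the page, as (name, host, path).
SIGN_IN_FORMS = [
    ("console", re.compile(r"^console\.aws\.amazon\.com$"), "/"),
    ("iam-user", re.compile("^" + LABEL + r"\.signin\.aws\.amazon\.com$"), "/console"),
    ("access-portal", re.compile("^" + LABEL + r"\.awsapps\.com$"), "/start"),
]


def classify_sign_in_url(url):
    """Name the sign-in URL form that a URL matches, or None if none does."""
    host = host_of(url)
    if host is None:
        return None
    path = urlsplit(url).path or "/"
    for name, host_rx, path_prefix in SIGN_IN_FORMS:
        if host_rx.fullmatch(host) and path.startswith(path_prefix):
            return name
    return None


if __name__ == "__main__":
    for u in ["https://111122223333.signin.aws.amazon.com/console/",
              "https://d-1234567890.awsapps.com/start",
              "https://signin.aws.amazon.com.example.net/console/"]:
        print(u, "->", classify_sign_in_url(u),
              "allowlisted:", is_allowlisted(u, SIGN_IN_PATTERNS + ACCESS_PORTAL_PATTERNS))
```

`host_of` rejects anything that is not `https`, so a plain-`http` copy of a legitimate host is treated as unknown rather than trusted; the page's own URLs are all `https`.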

# Security best practices for AWS account administrators
<a name="best-practices-admin"></a>

If you’re an account administrator who has created a new AWS account, we recommend the following steps to help your users follow AWS security best practices when they sign in. 

1. Sign in as the root user to [enable multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa) and [create an AWS administrative user](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) in IAM Identity Center if you haven't already done so. Then, [safeguard your root credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) and don't use them for everyday tasks.

1. Sign in as the AWS account administrator and set up the following identities:
   + Create [least-privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) users for other [humans](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp).
   + Set up [temporary credentials for workloads](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles).
   + Create access keys only for [use cases that require long-term credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials).

1. Add permissions to grant access to those identities. You can [get started with AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies) and move towards [least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
   + [Add permission sets to AWS IAM Identity Center (successor to AWS Single Sign-On) users](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html).
   + [Add identity-based policies to IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console) used for workloads.
   + [Add identity-based policies for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console) for use cases that require long-term credentials.
   + For more information about IAM users, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

1. Save and share information about [Sign in to the AWS Management Console](how-to-sign-in.md). This information varies, depending on the type of identity you created.

1. Keep your root user email address and primary account contact phone number up to date to ensure that you can receive important account and security-related notifications.
   + [Modify the account name, email address, or password for the AWS account root user](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html).
   + [Access or update the primary account contact](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-primary.html).

1. Review [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) to learn about additional identity and access management best practices.