

# Identity and access management for Infrastructure Performance
<a name="identity-access-management"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Infrastructure Performance resources. IAM is an AWS service that you can use with no additional charge.

To use Infrastructure Performance, you'll need an AWS account and AWS credentials. To increase the security of your AWS account, we recommend that you use an IAM user to provide access credentials instead of using your AWS account credentials. For more information, see [AWS security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html) and [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

The following sections provide details on how an IAM administrator can use IAM to help secure your AWS resources, by controlling who can perform Infrastructure Performance actions. 

**Topics**
+ [How Infrastructure Performance works with IAM](security_iam_service-with-iam.md)
+ [Allow IAM users or groups to access Infrastructure Performance](security_iam_create-iam-policy.md)

# How Infrastructure Performance works with IAM
<a name="security_iam_service-with-iam"></a>

The following sections describe how Infrastructure Performance works with IAM.

**Topics**
+ [Infrastructure Performance identity-based policies](#security_iam_service-with-iam-id-based-policies)
+ [Infrastructure Performance IAM roles](#security_iam_service-with-iam-roles)

## Infrastructure Performance identity-based policies
<a name="security_iam_service-with-iam-id-based-policies"></a>

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Infrastructure Performance supports specific actions and resources. There are no Infrastructure Performance service-specific condition keys that can be used in the `Condition` element of policy statements. To learn about all of the elements that you use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Actions
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Infrastructure Performance shares its API namespace with Amazon EC2. Policy actions in Infrastructure Performance use the `ec2:` prefix before the action. For example, to grant someone permission to retrieve network performance data with the `GetAwsNetworkPerformanceData` API operation, you include the `ec2:GetAwsNetworkPerformanceData` action in their policy. Because the prefix is shared, an action pattern such as `ec2:*` or `ec2:Describe*` also grants permissions on unrelated Amazon EC2 operations; list the Infrastructure Performance actions explicitly when you want a policy scoped to this feature. Policy statements must include either an `Action` or `NotAction` element. 

To specify multiple actions in a single statement, separate them with commas as shown in the following example.

```
"Action": [
      "ec2:action1",
      "ec2:action2"
]
```

You can specify multiple actions using wildcards (`*`). For example, to specify all actions that begin with the word `Describe`, include the following action.

```
"Action": "ec2:Describe*"
```

The following actions are supported by Infrastructure Performance:
+ `DescribeAwsNetworkPerformanceMetricSubscriptions`
+ `DisableAwsNetworkPerformanceMetricSubscription`
+ `EnableAwsNetworkPerformanceMetricSubscription`
+ `GetAwsNetworkPerformanceData`

### Resources
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

Infrastructure Performance does not support resource-level permissions. You cannot scope a statement to a particular subscription or data query by ARN.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (`*`) to indicate that the statement applies to all resources. If you specify a narrower ARN instead, the statement never matches these actions and the calls are denied.

```
"Resource": "*"
```

### Condition keys
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

The `Condition` element (or `Condition` *block*) lets you specify conditions in which a statement is in effect. For example, you might want a policy to be applied only after a specific date. To express conditions, use predefined condition keys.

Infrastructure Performance does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*. 

All Amazon EC2 actions support the `aws:RequestedRegion` and `ec2:Region` condition keys. For more information, see [Example: Restricting Access to a Specific Region](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region). 
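The following Python script is an added example for this page, not AWS's own code. It builds the least-privilege identity-based policy the sections above describe (the four actions, `"Resource": "*"`, and an optional `aws:RequestedRegion` condition) and then audits an arbitrary policy document for the two mistakes that the shared `ec2:` namespace and the lack of resource-level permissions invite: a wildcard action that over-grants, and a Resource narrower than `*` that silently grants nothing. The function names and the audit rules are this example's own; they are not an AWS API.

```python
import fnmatch
import json

# The four Infrastructure Performance actions listed on this page. They share
# the "ec2:" prefix with every other Amazon EC2 action.
INFRA_PERF_ACTIONS = {
    "ec2:DescribeAwsNetworkPerformanceMetricSubscriptions",
    "ec2:DisableAwsNetworkPerformanceMetricSubscription",
    "ec2:EnableAwsNetworkPerformanceMetricSubscription",
    "ec2:GetAwsNetworkPerformanceData",
}
# Describe/Get only: enough to view subscriptions and query metrics.
READ_ONLY_ACTIONS = {
    a for a in INFRA_PERF_ACTIONS
    if a.split(":", 1)[1].startswith(("Describe", "Get"))
}


def build_policy(read_only=False, regions=None):
    """Return a least-privilege identity-based policy document as a dict.

    read_only: grant only the Describe/Get actions.
    regions:   optional list of Region codes; adds an aws:RequestedRegion
               condition so the actions only work in those Regions.
    """
    statement = {
        "Effect": "Allow",
        "Action": sorted(READ_ONLY_ACTIONS if read_only else INFRA_PERF_ACTIONS),
        # No resource-level permissions exist for these actions, so "*" is
        # the only Resource value that matches them.
        "Resource": "*",
    }
    if regions:
        statement["Condition"] = {
            "StringEquals": {"aws:RequestedRegion": sorted(regions)}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    # IAM action matching is case-insensitive and uses "*" and "?" wildcards,
    # which fnmatch understands; lower-case both sides first.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return findings (strings) for Allow statements that reach these actions.

    Two checks (heuristics of this example, not an AWS API):
      1. A wildcard such as "ec2:*" or "ec2:Describe*" covers the
         Infrastructure Performance actions but, because the namespace is
         shared, also grants unrelated Amazon EC2 actions.
      2. A Resource other than "*" never matches these actions, so the
         statement grants nothing and calls are denied.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        matched = set()
        for pattern in _as_list(stmt.get("Action", [])):
            hits = {a for a in INFRA_PERF_ACTIONS if _matches(a, pattern)}
            matched |= hits
            if hits and "*" in pattern:
                findings.append(
                    f"statement {idx}: wildcard {pattern!r} also grants "
                    "unrelated ec2: actions; list the actions explicitly"
                )
        if matched and "*" not in _as_list(stmt.get("Resource", [])):
            findings.append(
                f"statement {idx}: Resource must be \"*\" for these actions; "
                "the statement as written never matches them"
            )
    return findings


if __name__ == "__main__":
    policy = build_policy(read_only=True, regions=["us-east-1", "eu-west-1"])
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy))  # []
    # The "ec2:Describe*" shorthand shown above, with a narrowed Resource:
    over_broad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"}]}
    for finding in audit_policy(over_broad):
        print(finding)
```

Run it against a policy document exported from your account (for example the JSON saved from the IAM console) to confirm that every statement that reaches these actions names them explicitly and keeps `"Resource": "*"`.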

The `Condition` element is optional. 

## Infrastructure Performance IAM roles
<a name="security_iam_service-with-iam-roles"></a>

An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions.

### Using temporary credentials with Infrastructure Performance
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

You can use temporary credentials to sign in with federation, to assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).

Infrastructure Performance supports using temporary credentials.
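The following Python script is an added example for this page, not AWS's own code. It shows the pattern described above: obtain temporary credentials with `AssumeRole`, narrow them with a session policy to the two read-only Infrastructure Performance actions in one Region, and use them to call `GetAwsNetworkPerformanceData`. `ROLE_ARN` is a placeholder for a role you already have whose permissions policy allows these actions and whose trust policy lets the caller assume it; the helper names are this example's own. The live calls need boto3 and AWS credentials, so they are kept in one function and the policy and query builders run offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Placeholder: a role whose permissions policy allows the Infrastructure
# Performance actions and whose trust policy allows the caller to assume it.
ROLE_ARN = "arn:aws:iam::123456789012:role/InfrastructurePerformanceReader"

READ_ONLY_ACTIONS = [
    "ec2:DescribeAwsNetworkPerformanceMetricSubscriptions",
    "ec2:GetAwsNetworkPerformanceData",
]


def session_policy_document(region):
    """Session policy to pass in AssumeRole's Policy parameter.

    A session policy can only narrow the role's permissions, never extend
    them: the temporary credentials cannot enable or disable subscriptions
    even though the role itself may. Resource stays "*" because these
    actions have no resource-level permissions; aws:RequestedRegion pins
    the session to one Region.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": READ_ONLY_ACTIONS,
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
        }],
    }


def latency_query(source, destination, query_id="q1"):
    """One DataQueries entry for GetAwsNetworkPerformanceData: p50 aggregate
    latency between two Regions in five-minute buckets."""
    return {
        "Id": query_id,
        "Source": source,
        "Destination": destination,
        "Metric": "aggregate-latency",
        "Statistic": "p50",
        "Period": "five-minutes",
    }


def fetch_latency(source, destination, region="us-east-1", hours=1):
    """Assume the role with the scoped-down session policy, then query.

    Needs boto3 and live AWS credentials, so the import is local and the
    helpers above stay usable offline.
    """
    import boto3

    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName="infra-perf-reader",
        Policy=json.dumps(session_policy_document(region)),
        DurationSeconds=900,  # shortest lifetime AssumeRole allows
    )["Credentials"]
    ec2 = boto3.client(
        "ec2",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    end = datetime.now(timezone.utc)
    return ec2.get_aws_network_performance_data(
        DataQueries=[latency_query(source, destination)],
        StartTime=end - timedelta(hours=hours),
        EndTime=end,
    )["DataResponses"]


if __name__ == "__main__":
    # Live call; prints one MetricPoints series per query.
    for response in fetch_latency("us-east-1", "eu-west-1"):
        print(response["Id"], response["MetricPoints"])
```

The session policy is the part worth copying: the role can carry the full four-action policy for administrators, while scripts that only read metrics assume it with a policy that drops `Enable`/`Disable` and pins the Region, so a leaked session token is limited to read-only calls in that Region for at most 15 minutes.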

### Service-linked roles
<a name="security_iam_service-with-iam-roles-service-linked"></a>

Infrastructure Performance has no service-linked roles.

### Service roles
<a name="security_iam_service-with-iam-roles-service"></a>

Infrastructure Performance has no service roles.

# Allow IAM users or groups to access Infrastructure Performance
<a name="security_iam_create-iam-policy"></a>

Any user that signs in to the AWS Management Console or AWS Command Line Interface (AWS CLI) must have permissions to access specific resources. You provide those permissions by using AWS Identity and Access Management (IAM), through policies. 

The following procedure shows you how to attach an IAM policy to a user or group that allows full access to Infrastructure Performance.

**Note**  
We recommend creating a new IAM policy that grants only the permissions necessary to use Infrastructure Performance.

## Create an IAM policy
<a name="create-policy"></a>

Create a policy that provides users full access to Infrastructure Performance. Then attach the policy to a user or group.

**To create and attach an IAM policy using the console**

1. Sign in to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/) with administrator credentials.

1. In the navigation pane, choose **Policies**. 

1. In the content pane, choose **Create policy**. 

1. Choose the **JSON** tab.

1. Paste the following JSON policy document in the text field.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ec2:DisableAwsNetworkPerformanceMetricSubscription",
                   "ec2:DescribeAwsNetworkPerformanceMetricSubscriptions",
                   "ec2:EnableAwsNetworkPerformanceMetricSubscription",
                   "ec2:GetAwsNetworkPerformanceData"
               ],
               "Resource": "*"
           }
       ]
   }
   ```


   When you are finished, choose **Review policy**.

1. On the **Review** page, enter a name for the policy, for example, `InfrastructurePerformancePolicy`. Optionally, enter a description for **Description**. 

1. In **Summary**, review the policy to see the permissions that it grants, and then choose **Create policy**.

1. Attach the new policy to your user or group. 

   For information on attaching a policy to a user, see [Changing permissions for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html) in the *IAM User Guide*. For information on attaching a policy to a group, see [Attaching a policy to an IAM Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html) in the *IAM User Guide*. 