AWS IAM

Manage AWS IAM users, roles, policies, and groups

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. IAM lets you manage permissions that control which AWS resources users, groups, and roles can access.

With AWS IAM, you can:

  • Manage users: Create and manage IAM users, assign them individual security credentials, and grant them permissions to access AWS services and resources
  • Create roles: Define IAM roles with specific permissions that can be assumed by users, services, or applications for temporary access
  • Attach policies: Assign managed policies to users and roles to define what actions they can perform on which resources
  • Organize with groups: Create IAM groups to manage permissions for collections of users, simplifying access management at scale
  • Control access keys: Generate and manage programmatic access key pairs for API and CLI access to AWS services

In Sim, the AWS IAM integration allows your workflows to automate identity management tasks such as provisioning new users, assigning roles and permissions, managing group memberships, and rotating access keys. This is particularly useful for onboarding automation, security compliance workflows, access reviews, and incident response — enabling your agents to manage AWS access control programmatically.

Usage Instructions

Integrate AWS Identity and Access Management into your workflow. Create and manage users, roles, policies, groups, and access keys.

Tools

iam_list_users

List IAM users in your AWS account

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
pathPrefixstringNoPath prefix to filter users (e.g., /division_abc/)
maxItemsnumberNoMaximum number of users to return (1-1000, default 100)
markerstringNoPagination marker from a previous request

Output

ParameterTypeDescription
usersjsonList of IAM users with userName, userId, arn, path, and dates
isTruncatedbooleanWhether there are more results available
markerstringPagination marker for the next page of results
countnumberNumber of users returned

iam_get_user

Get detailed information about an IAM user

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringYesThe name of the IAM user to retrieve

Output

ParameterTypeDescription
userNamestringThe name of the user
userIdstringThe unique ID of the user
arnstringThe ARN of the user
pathstringThe path to the user
createDatestringDate the user was created
passwordLastUsedstringDate the password was last used
permissionsBoundaryArnstringARN of the permissions boundary policy
tagsjsonTags attached to the user (key, value pairs)

iam_create_user

Create a new IAM user

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringYesName for the new IAM user (1-64 characters)
pathstringNoPath for the user (e.g., /division_abc/), defaults to /

Output

ParameterTypeDescription
messagestringOperation status message
userNamestringThe name of the created user
userIdstringThe unique ID of the created user
arnstringThe ARN of the created user
pathstringThe path of the created user
createDatestringDate the user was created

iam_delete_user

Delete an IAM user

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringYesThe name of the IAM user to delete

Output

ParameterTypeDescription
messagestringOperation status message

iam_list_roles

List IAM roles in your AWS account

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
pathPrefixstringNoPath prefix to filter roles (e.g., /application/)
maxItemsnumberNoMaximum number of roles to return (1-1000, default 100)
markerstringNoPagination marker from a previous request

Output

ParameterTypeDescription
rolesjsonList of IAM roles with roleName, roleId, arn, path, and dates
isTruncatedbooleanWhether there are more results available
markerstringPagination marker for the next page of results
countnumberNumber of roles returned

iam_get_role

Get detailed information about an IAM role

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
roleNamestringYesThe name of the IAM role to retrieve

Output

ParameterTypeDescription
roleNamestringThe name of the role
roleIdstringThe unique ID of the role
arnstringThe ARN of the role
pathstringThe path to the role
createDatestringDate the role was created
descriptionstringDescription of the role
maxSessionDurationnumberMaximum session duration in seconds
assumeRolePolicyDocumentstringThe trust policy document (JSON)
roleLastUsedDatestringDate the role was last used
roleLastUsedRegionstringAWS region where the role was last used

iam_create_role

Create a new IAM role with a trust policy

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
roleNamestringYesName for the new IAM role (1-64 characters)
assumeRolePolicyDocumentstringYesTrust policy JSON specifying who can assume this role
descriptionstringNoDescription of the role
pathstringNoPath for the role (e.g., /application/), defaults to /
maxSessionDurationnumberNoMaximum session duration in seconds (3600-43200, default 3600)

Output

ParameterTypeDescription
messagestringOperation status message
roleNamestringThe name of the created role
roleIdstringThe unique ID of the created role
arnstringThe ARN of the created role
pathstringThe path of the created role
createDatestringDate the role was created

iam_delete_role

Delete an IAM role

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
roleNamestringYesThe name of the IAM role to delete

Output

ParameterTypeDescription
messagestringOperation status message

iam_attach_user_policy

Attach a managed policy to an IAM user

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringYesThe name of the IAM user
policyArnstringYesThe ARN of the managed policy to attach

Output

ParameterTypeDescription
messagestringOperation status message

iam_detach_user_policy

Remove a managed policy from an IAM user

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringYesThe name of the IAM user
policyArnstringYesThe ARN of the managed policy to detach

Output

ParameterTypeDescription
messagestringOperation status message

iam_attach_role_policy

Attach a managed policy to an IAM role

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
roleNamestringYesThe name of the IAM role
policyArnstringYesThe ARN of the managed policy to attach

Output

ParameterTypeDescription
messagestringOperation status message

iam_detach_role_policy

Remove a managed policy from an IAM role

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
roleNamestringYesThe name of the IAM role
policyArnstringYesThe ARN of the managed policy to detach

Output

ParameterTypeDescription
messagestringOperation status message

iam_list_policies

List managed IAM policies

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
scopestringNoFilter by scope: All, AWS (AWS-managed), or Local (customer-managed)
onlyAttachedbooleanNoIf true, only return policies attached to an entity
pathPrefixstringNoPath prefix to filter policies
maxItemsnumberNoMaximum number of policies to return (1-1000, default 100)
markerstringNoPagination marker from a previous request

Output

ParameterTypeDescription
policiesjsonList of policies with policyName, arn, attachmentCount, and dates
isTruncatedbooleanWhether there are more results available
markerstringPagination marker for the next page of results
countnumberNumber of policies returned

iam_create_access_key

Create a new access key pair for an IAM user

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringNoThe IAM user to create the key for (defaults to current user)

Output

ParameterTypeDescription
messagestringOperation status message
accessKeyIdstringThe new access key ID
secretAccessKeystringThe new secret access key (only shown once)
userNamestringThe user the key was created for
statusstringStatus of the access key (Active)
createDatestringDate the key was created

iam_delete_access_key

Delete an access key pair for an IAM user

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
accessKeyIdToDeletestringYesThe access key ID to delete
userNamestringNoThe IAM user whose key to delete (defaults to current user)

Output

ParameterTypeDescription
messagestringOperation status message

iam_list_groups

List IAM groups in your AWS account

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
pathPrefixstringNoPath prefix to filter groups
maxItemsnumberNoMaximum number of groups to return (1-1000, default 100)
markerstringNoPagination marker from a previous request

Output

ParameterTypeDescription
groupsjsonList of IAM groups with groupName, groupId, arn, and path
isTruncatedbooleanWhether there are more results available
markerstringPagination marker for the next page of results
countnumberNumber of groups returned

iam_add_user_to_group

Add an IAM user to a group

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringYesThe name of the IAM user
groupNamestringYesThe name of the IAM group

Output

ParameterTypeDescription
messagestringOperation status message

iam_remove_user_from_group

Remove an IAM user from a group

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
userNamestringYesThe name of the IAM user
groupNamestringYesThe name of the IAM group

Output

ParameterTypeDescription
messagestringOperation status message

On this page

Usage Instructions
Tools
iam_list_users
Input
Output
iam_get_user
Input
Output
iam_create_user
Input
Output
iam_delete_user
Input
Output
iam_list_roles
Input
Output
iam_get_role
Input
Output
iam_create_role
Input
Output
iam_delete_role
Input
Output
iam_attach_user_policy
Input
Output
iam_detach_user_policy
Input
Output
iam_attach_role_policy
Input
Output
iam_detach_role_policy
Input
Output
iam_list_policies
Input
Output
iam_create_access_key
Input
Output
iam_delete_access_key
Input
Output
iam_list_groups
Input
Output
iam_add_user_to_group
Input
Output
iam_remove_user_from_group
Input
Output