Amazon AWS Identity and Access Management

Amazon AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM is a feature of your AWS account offered at no additional charge; you are charged only for use of other AWS services by your users. Use fine-grained access control, integrate with your corporate directory, and require MFA for highly privileged users. IAM lets your users control access to AWS service APIs and to specific resources, and it supports identity federation for delegated access to the AWS Management Console or AWS APIs.

Amazon AWS Identity and Access Management also enables you to add specific conditions such as time of day to control how a user can use AWS, their originating IP address, whether they are using SSL, or whether they have authenticated with a multi-factor authentication device. Permissions let you specify access to AWS resources. Permissions are granted to IAM entities (users, groups, and roles) and by default these entities start with no permissions. In other words, IAM entities can do nothing in AWS until you grant them your desired permissions. To give entities permissions, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. In addition, you can specify any conditions that must be set for access to be allowed or denied. AWS MFA requires users to prove physical possession of a hardware AWS MFA token or MFA-enabled mobile device by providing a valid AWS MFA code.

Amazon AWS Identity And Access Management Roles And Their Permissions

You can create roles in Amazon AWS Identity and Access Management and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role. IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don't have to share long-term credentials or define permissions for each entity that requires access to a resource.

Integration With Corporate Directory

Amazon AWS Identity and Access Management can be used to grant your employees and applications federated access to the AWS Management Console and AWS service APIs, using your existing identity systems such as Microsoft Active Directory. You can use any identity management solution that supports SAML 2.0, or feel free to use one of our federation samples (AWS Console SSO or API federation). Amazon AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities (federated users) are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider such as Microsoft AD or from the AWS Directory Service, or from a web identity provider, such as AWS Cognito, Login with AWS or any OpenID Connect compatible provider.

Multi-Factor Authentication

Protect your AWS environment by using AWS MFA, a security feature available at no extra cost that augments user name and password credentials. AWS MFA requires users to prove physical possession of a hardware AWS MFA token or MFA-enabled mobile device by providing a valid Amazon AWS MFA code. With AWS MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor — what they know), as well as for an authentication code from their AWS MFA device (the second factor — what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources. You can enable AWS MFA for your AWS account and for individual IAM users you have created under your account. AWS MFA can also be used to control access to AWS service APIs.


You can also enable your mobile and browser-based applications to securely access AWS resources by requesting temporary security credentials that grant access only to specific AWS resources for a configurable period of time.

IAM allows you to authenticate users in several ways, depending on how they want to use AWS services. You can assign a range of security credentials including passwords, key pairs, and X.509 certificates. You can also enforce multi-factor authentication (MFA) on users who access the AWS Management Console or use APIs. AWS Identity and Access Management (IAM) lets you manage several types of long-term security credentials for IAM users.

  • Passwords — used to sign in to secure AWS pages, such as the AWS Management Console and the AWS Discussion Forums.
  • Access keys — used to make programmatic calls to AWS from the AWS APIs, AWS CLI, AWS SDKs, or AWS Tools for Windows PowerShell.
  • Amazon CloudFront key pairs — used for CloudFront to create signed URLs.
  • SSH public keys — used to authenticate to AWS CodeCommit repositories.
  • X.509 certificates — used to make secure SOAP-protocol requests to some AWS services.

You can assign AWS security credentials to your IAM users by using the API, CLI, or AWS Management Console. You can rotate or revoke these credentials whenever you want. In addition to managing these user credentials, you can further enhance the security of IAM user access to AWS by enforcing the use of multi-factor authentication (MFA).
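The rotation practice just described is easy to neglect for access keys, so here is an added example (not code from the AWS page) of a check a defender would run over the JSON that `aws iam list-access-keys` returns: it flags active keys older than an assumed 90-day limit and users carrying two active keys at once. The response below is constructed, and the key IDs are placeholders.

```python
# Added example, not from the AWS page: find long-term IAM access keys due for rotation.
# Input mirrors the shape of the `aws iam list-access-keys` JSON response; all values
# here are constructed (key IDs are placeholders) and the 90-day limit is an assumption.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed organisational rotation policy, not an AWS default

SAMPLE_RESPONSE = {
    "AccessKeyMetadata": [
        {"UserName": "alice", "AccessKeyId": "AKIA_PLACEHOLDER_0001",
         "Status": "Active", "CreateDate": "2024-01-10T08:15:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIA_PLACEHOLDER_0002",
         "Status": "Active", "CreateDate": "2024-06-01T12:00:00+00:00"},
        {"UserName": "build-bot", "AccessKeyId": "AKIA_PLACEHOLDER_0003",
         "Status": "Inactive", "CreateDate": "2023-03-02T09:30:00+00:00"},
    ]
}

def stale_keys(response, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key id, age in days) for every Active key older than the limit.
    Inactive keys cannot sign requests, so they are skipped here (but should be deleted)."""
    limit = timedelta(days=max_age_days)
    findings = []
    for key in response["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue
        created = datetime.fromisoformat(key["CreateDate"])
        age = now - created
        if age > limit:
            findings.append((key["UserName"], key["AccessKeyId"], age.days))
    return findings

def users_with_two_active_keys(response):
    """A user with two Active keys is either mid-rotation or never finished one."""
    counts = {}
    for key in response["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            counts[key["UserName"]] = counts.get(key["UserName"], 0) + 1
    return sorted(user for user, n in counts.items() if n > 1)

if __name__ == "__main__":
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
    for user, key_id, days in stale_keys(SAMPLE_RESPONSE, now):
        print(f"{user}: {key_id} is {days} days old, rotate it")
    print("users with two active keys:", users_with_two_active_keys(SAMPLE_RESPONSE))
```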

You can enable identity federation to allow existing identities in your enterprise to access the AWS Management Console, call AWS APIs, and access resources, without the need to create an IAM user for each identity. With identity federation, external identities are granted secure access to resources in your AWS account without having to create IAM users.

These external identities can come from your corporate identity provider such as Active Directory, from the AWS Directory Service, or from a web identity provider, such as AWS Cognito, Login with AWS, Facebook, Google or any OpenID Connect compatible provider.

  • Manage IAM users and their access — you can create users in IAM, assign them individual security credentials (in other words, access keys, passwords, and multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform.
  • Manage IAM roles and their permissions — you can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role. In addition, you can use service-linked roles to delegate permissions to AWS services that create and manage AWS resources on your behalf.
  • Manage federated users and their permissions — you can enable identity federation to allow existing identities (users, groups, and roles) in your enterprise to access the AWS Management Console, call AWS APIs, and access resources, without the need to create an IAM user for each identity.

AWS has a list of best practices to help IT professionals and developers. To get a full explanation of IAM best practices, watch the recorded session from re:Invent 2015. AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password.

To assign permissions to a user, group, role, or resource, you create a policy that lets you specify:

  • Actions — which AWS actions you allow. For example, you might allow a user to call the AWS S3 ListBucket action. Any actions that you don't explicitly allow are denied.
  • Resources — which AWS resources you allow the action on. For example, what Amazon S3 buckets will you allow the user to perform the ListBucket action on? Users cannot access any resources that you do not explicitly grant permissions to.
  • Effect — whether to allow or deny access. Because access is denied by default, you typically write policies where the effect is to allow.
  • Conditions — which conditions must be present for the policy to take effect. For example, you might allow access only to specific S3 buckets if the user is connecting from a specific IP range or has used multi-factor authentication at login.

Policies are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions. To learn more about the policy language, see AWS IAM Policy Reference.
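To make the policy elements above and the request conditions described earlier (source IP, SSL, MFA) concrete, here is an added example, not code from the AWS page, that models how IAM decides a request: default deny, an explicit Deny always wins, and a statement applies only when its Condition block holds. The policy is constructed, and only the two condition operators it uses are modelled (real IAM supports many more, and matches action names case-insensitively).

```python
# Added example, not from the AWS page: a simplified model of IAM policy evaluation.
# Requests are denied by default, an explicit Deny beats any Allow, and a statement's
# Condition block must hold before it counts. Only IpAddress and Bool are modelled.
import fnmatch
import ipaddress

# Constructed sample policy: list one bucket only from the corporate IP range and only
# after MFA sign-in; deny every S3 call that is not made over SSL/TLS.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                       "Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def _matches(patterns, value):  # Action/Resource: a string or a list, '*' wildcards
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, ctx):
    # Every operator/key pair must hold; an operator we do not model or a key that is
    # absent from the request context fails closed (the statement does not apply).
    ops = {
        "IpAddress": lambda a, e: ipaddress.ip_address(a) in ipaddress.ip_network(e),
        "Bool": lambda a, e: str(a).lower() == e.lower(),
    }
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            if key not in ctx or op not in ops or not ops[op](ctx[key], expected):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request (action, resource, context) against one policy."""
    decision = "Deny"  # implicit deny until a matching Allow is found
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is final, whatever else matched
        decision = "Allow"
    return decision
```

The request context keys (`aws:SourceIp`, `aws:MultiFactorAuthPresent`, `aws:SecureTransport`) are the real IAM condition keys for the conditions the page describes; in production IAM fills them in from the request itself.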