AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM is a feature of your AWS account offered at no additional charge; you are charged only for the other AWS services your users consume. Use fine-grained access control, integrate with your corporate directory, and require MFA for highly privileged users. IAM lets you control your users' access to AWS service APIs and to specific resources, and it supports identity federation for delegated access to the AWS Management Console or AWS APIs.
AWS Identity and Access Management also lets you add conditions that control how a user can use AWS, such as the time of day, their originating IP address, whether they are using SSL, or whether they have authenticated with a multi-factor authentication device. Permissions specify access to AWS resources. They are granted to IAM entities (users, groups, and roles), and by default these entities start with no permissions: an IAM entity can do nothing in AWS until you grant it the permissions you want it to have. To grant permissions, you attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. In addition, you can specify any conditions that must hold for access to be allowed or denied.
AWS Identity And Access Management Roles And Their Permissions
You can create roles in AWS Identity and Access Management and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role. IAM roles allow you to delegate access to users or services that normally don’t have access to your organization’s AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don’t have to share long-term credentials or define permissions for each entity that requires access to a resource. As with every IAM entity, a role starts with no permissions and can do nothing in AWS until you attach the permissions you want it to have.
Integration With Corporate Directory
AWS Identity and Access Management can be used to grant your employees and applications federated access to the AWS Management Console and AWS service APIs, using your existing identity systems such as Active Directory. You can use any identity management solution that supports SAML 2.0, or feel free to use one of our federation samples (Amazon AWS Console SSO or API federation). With identity federation, external identities (federated users) are granted secure access to resources in your AWS account without you having to create IAM users for them. These external identities can come from your corporate identity provider, such as Microsoft AD or the AWS Directory Service, or from a web identity provider, such as AWS Cognito, login with AWS, or any OpenID Connect compatible provider.
Protect your AWS environment by using AWS MFA, a security feature available at no extra cost that augments user name and password credentials. AWS MFA requires users to prove physical possession of a hardware AWS MFA token or an MFA-enabled mobile device by providing a valid AWS MFA code. With AWS MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password (the first factor, what they know) as well as for an authentication code from their AWS MFA device (the second factor, what they have). Taken together, these factors provide increased security for your AWS account settings and resources. You can enable AWS MFA for your AWS account and for individual IAM users you have created under your account. AWS MFA can also be used to control access to AWS service APIs. After you’ve obtained a supported hardware or virtual AWS MFA device, AWS does not charge any additional fees for using AWS MFA.
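The permission model described above (entities start with no permissions, conditions on TLS, source IP, time and MFA) and the use of MFA to gate API access, as an added illustration that is not part of the page or of AWS's own tooling: a small Python evaluator of IAM-style policy statements. The policy, bucket name, IP range, time window and the subset of condition operators are constructed for the example; real IAM supports many more operators and keys.

```python
from fnmatch import fnmatchcase
import ipaddress

# Constructed sample policy (not AWS's): S3 reads allowed only over TLS, from the
# corporate range, inside a time window; IAM actions denied unless MFA was used.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"},
                   "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T08:00:00Z"},
                   "DateLessThan": {"aws:CurrentTime": "2024-01-01T18:00:00Z"}}},
    # BoolIfExists: a request carrying no MFA key at all still triggers the Deny.
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"},
]}

def _condition(op, key, wanted, ctx):
    # Evaluate one condition operator against the request context (IAM subset).
    if op.endswith("IfExists"):
        if key not in ctx:
            return True          # absent key satisfies the ...IfExists variant
        op = op[:-len("IfExists")]
    if key not in ctx:
        return False             # absent key never matches a plain operator
    have = str(ctx[key])
    if op == "Bool":
        return have.lower() == wanted.lower()
    if op == "IpAddress":
        return ipaddress.ip_address(have) in ipaddress.ip_network(wanted)
    if op == "DateGreaterThan":  # ISO-8601 UTC strings compare lexically
        return have > wanted
    if op == "DateLessThan":
        return have < wanted
    raise ValueError(f"unsupported operator {op}")

def _applies(stmt, action, resource, ctx):
    # A statement applies when action, resource and every condition match.
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if (not any(fnmatchcase(action, a) for a in actions)
            or not fnmatchcase(resource, stmt["Resource"])):
        return False
    return all(_condition(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items())

def evaluate(policy, action, resource, ctx):
    # Entities start with no permissions: default deny, explicit Deny beats Allow.
    hits = [s for s in policy["Statement"] if _applies(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "DENY"
    return "ALLOW" if any(s["Effect"] == "Allow" for s in hits) else "IMPLICIT_DENY"
```

Call evaluate(POLICY, action, resource, ctx) with a request-context dict keyed by the condition key names; a request that omits aws:MultiFactorAuthPresent is still denied for iam:* because the Deny uses BoolIfExists rather than Bool.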