Security Services And Solutions—Identity and Access Management Services
Security Services And Solutions—Amazon AWS Identity And Access Management

Securely control access to Amazon AWS™ services and resources for your users with identity and access management services. Amazon AWS™ Identity and Access Management (IAM) enables you to securely control access to Amazon AWS™ services and resources for your users. Using IAM, you can create and manage Amazon AWS™ users and groups, and use permissions to allow and deny their access to Amazon AWS™ resources. IAM is a feature of your Amazon AWS™ account offered at no additional charge. You will be charged only for use of other Amazon AWS™ services by your users. Use fine—grained access control, integrate with your corporate directory, and require MFA for highly privileged users. Access control to Amazon AWS™ resources. IAM enables your users to control access to Amazon AWS™ service APIs and to specific resources. Amazon AWS Identity and Access Management™ (IAM) supports identity federation for delegated access to the Amazon AWS Management Console™ or Amazon AWS™ APIs. With identity federation, external identities (federated users) are granted secure access to resources in your Amazon AWS™ account without having to create IAM users.

IAM also enables you to add specific conditions such as time of day to control how a user can use AWS, their originating IP address, whether they are using SSL, or whether they have authenticated with a multi—factor authentication device. Permissions let you specify access to Amazon AWS™ resources. Permissions are granted to IAM entities (users, groups, and roles) and by default these entities start with no permissions. In other words, IAM entities can do nothing in Amazon AWS™ until you grant them your desired permissions. To give entities permissions, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. In addition, you can specify any conditions that must be set for access to be allowed or denied. Amazon AWS MFA™ requires users to prove physical possession of a hardware Amazon AWS MFA™ token or MFA enabled mobile device by providing a valid Amazon AWS MFA™ code. You can enable Amazon AWS MFA™ for your Amazon AWS™ account and for individual IAM users you have created under your account. Amazon AWS MFA™ can be also be used to control access to Amazon AWS™ service APIs.

Manage IAM Roles And Their Permissions

You can create roles in IAM and manage permissions to control which operations can be performed by the entity, or Amazon AWS™ service, that assumes the role. You can also define which entity is allowed to assume the role. IAM roles allow you to delegate access to users or services that normally don’t have access to your organization’s Amazon AWS™ resources. IAM users or Amazon AWS™ services can assume a role to obtain temporary security credentials that can be used to make Amazon AWS™ API calls. Consequently, you don’t have to share long—term credentials or define permissions for each entity that requires access to a resource. Permissions let you specify access to Amazon AWS™ resources. Permissions are granted to IAM entities (users, groups, and roles) and by default these entities start with no permissions. In other words, IAM entities can do nothing in Amazon AWS™ until you grant them your desired permissions. To give entities permissions, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. You can specify any conditions that must be set for access to be allowed or denied.

Integration With Corporate Directory

IAM can be used to grant your employees and applications federated access to the Amazon AWS Management Console™ and Amazon AWS™ service APIs, using your existing identity systems such as Microsoft Active Directory™. You can use any identity management solution that supports SAML 2.0, or feel free to use one of our federation samples (Amazon AWS Console SSO or API federation). Amazon AWS Identity and Access Management™ (IAM) supports identity federation for delegated access to the Amazon AWS Management Console™ or Amazon AWS™ APIs. With identity federation, external identities (federated users) are granted secure access to resources in your Amazon AWS™ account without having to create IAM users. These external identities can come from your corporate identity provider such as Microsoft Active Directory™ or from the Amazon AWS Directory Service™ or from a web identity provider, such as Amazon AWS Cognito™, Login with Amazon AWS™, Facebook™, Google™ or any OpenID Connect™ (OIDC) compatible provider. AWS Multi Factor Authentication™ (MFA) adds a layer of protection on top of your user name and password.

Multi Factor Authentication

Protect your Amazon AWS™ environment by using Amazon AWS MFA™, a security feature available at no extra cost that augments user name and password credentials. Amazon AWS MFA™ requires users to prove physical possession of a hardware Amazon AWS MFA™ token or MFA enabled mobile device by providing a valid Amazon AWS MFA™ code.  With Amazon AWS MFA™ enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their Amazon AWS MFA™ device (the second factor—what they have). Taken together, these multiple factors provide increased security for your Amazon AWS™ account settings and resources. You can enable Amazon AWS MFA™ for your Amazon AWS™ account and for individual IAM users you have created under your account. Amazon AWS MFA™ can be also be used to control access to Amazon AWS™ service APIs. After you’ve obtained a supported hardware or virtual Amazon AWS MFA™ device, Amazon AWS™ does not charge any additional fees for using Amazon AWS MFA™.

Features And Benefits

You can enable identity federation to allow existing identities in your enterprise to access the Amazon AWS Management Console™, call Amazon AWS™ APIs, and access resources, without the need to create an IAM user for each identity. Amazon AWS Identity and Access Management™ supports identity federation for delegated access to the Amazon AWS Management Console™ or Amazon AWS™ APIs. With identity federation, external identities are granted secure access to resources in your Amazon AWS™ account without having to create IAM users. These external identities can come from your corporate identity provider such as Microsoft Active Directory™ or from the Amazon AWS Directory Service™ or from a web identity provider, such as Amazon AWS Cognito™, Login with Amazon AWS™, Facebook™, Google™ or any OpenID Connect™ compatible provider. You can create users in IAM, assign them individual security credentials, or request temporary security credentials to provide users access to Amazon AWS™ services and resources. You can manage permissions in order to control which operations a user can perform.