AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM enables customers to leverage the agility and efficiency of the cloud while maintaining secure control of their organization’s AWS infrastructure. IAM Administrators new to AWS can be sometimes overwhelmed by the options available as they face competing goals: securing the environment while quickly enabling new users to accomplish their jobs. Further complicating the task, the initial controls they implement must grow and adapt without disrupting productivity as the company navigates its path to the cloud. Show
Functionality AWS IAM allows you to: • Manage IAM users and their access – You can create users in IAM, assign them individual security credentials (in other words, access keys, passwords, and multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform. • Manage IAM roles and their permissions – You can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role. In addition, you can use service-linked roles to delegate permissions to AWS services that create and manage AWS resources on your behalf.
• Manage federated users and their permissions – You can enable identity federation to allow existing identities (users, groups, and roles) in your enterprise to access the AWS Management Console, call AWS APIs, and access resources, without the need to create an IAM user for each identity. Use any identity management solution that supports SAML 2.0, or use one of our federation samples (AWS Console SSO or API federation). Features • Shared access to your AWS account: You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key. • Granular permissions: You can grant different permissions to different people for different resources. • Secure access to AWS resources for applications that run on Amazon EC2: You can use IAM features to securely provide credentials for applications that run on EC2 instances • Multi-factor authentication (MFA): You can add two-factor authentication to your account and to individual users for extra security. • Identity federation: You can allow users who already have passwords elsewhere—for example, in your corporate network or with an internet identity provider—to get temporary access to your AWS account. • Identity information for assurance: If you use AWS CloudTrail, you receive log records that include information about those who made requests for resources in your account. • Integrated with many AWS services: For a list of AWS services that work with IAM, see AWS Services That Work with IAM.
• Eventually Consistent: IAM, like many other AWS services, is eventually consistent. IAM achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world. Benefits • Enhanced Security • Granular control • Temporary Credentials • Flexible security credential management • Leverage external identity systems Securely manage access to workloads and applications You can use AWS Identity Services to manage identities, resources, and permissions securely and at scale. For applications running on AWS, you can use fine-grained access controls to grant your employees, applications, and devices the access they need to AWS services and resources within
easily deployed governance guardrails. AWS Identity Services provide flexible options for where and how you manage your employee, partner, and customer identities so that you can confidently migrate existing workloads to AWS. For hybrid workload deployments, AWS Identity Services allow you to establish a single identity and access strategy across your on-premises environments and AWS. For customer-facing web and mobile apps, you can use AWS Identity Services to quickly add sign-up and sign-in
functionality backed by scalable cloud directories for your app users. AWS Identity Services for your workforce give you a choice of where to manage the identities and credentials of your employees, and the fine-grained permissions to grant the right access, to the right people, at the right time. AWS Identity Services for your customer-facing applications give your developers more time to build great apps for your customers by enabling them to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. With AWS, you have the identity management services you need to get started quickly with the features and capabilities you need to securely manage access to your workloads and applications as you scale.
Managing Identity and Access in AWS (1:32) AWS Identity Services for your workforceAWS gives you the freedom to choose where to manage the identities and credentials of your employees, and the fine-grained permissions to grant the right access, to the right people, at the right time. With AWS, you have flexible administration capabilities and easy-to-use controls over multi-account environments. AWS helps you implement and enforce the principle of least privilege access with analytic tools that help identify unused permissions across all AWS accounts so that you can remove unnecessary access quickly and confidently. BenefitsFreedom to choose your identity sourceAWS Identity Services allow your identity administrators to create users directly in AWS or to connect to
an existing identity source. Your employees can use their existing credentials to sign in and see all their assigned roles for AWS accounts and business applications from one place. With AWS, you can extend your on-premises Microsoft Active Directory (AD) to AWS using AD forest trusts or AD Connector. You then can use your existing AD users and groups to manage access
to your AWS accounts and AD-aware workloads such as Amazon RDS for SQL Server, Amazon EC2 for Windows Server, and Amazon WorkSpaces. Fine-grained access control with analyticsAWS Identity Services enable you to quickly grant the right access, to the right people, at the right time by selecting permissions from a library of
AWS managed policies, on which you can base your own custom managed policies. AWS also supports the use of attribute-based access control to define and manage fine-grained, highly customizable user permissions. Finally, AWS helps you continuously improve your security
posture by analyzing access patterns and identifying unused permissions across all AWS accounts so that you can remove unnecessary access quickly and confidently. Flexible administration and governanceAWS Identity Services give you the ability to delegate administrative tasks and automate capabilities, such as account creation, to make it easy to manage large, multi-account AWS environments. With AWS, you also can improve security and maintain compliance by consistently enforcing who can create what type of resource and where. To get started running secure and scalable workloads quickly, you can build a brand new, multi-account environment based on AWS best practices with just a few clicks. Workforce identity servicesManage workforce access across AWS accounts and apps Managed Microsoft Active Directory Securely manage access to AWS services and resources Simple, secure service to share AWS resources Central governance and management across AWS accounts Govern a new, secure, multi-account AWS environment AWS Identity Services for customer-facing applicationsAmazon
Cognito helps you create a simple, secure, scalable, and standards-based sign-up and sign-in customer experience for your apps. Amazon Cognito gives your customers the flexibility to use their existing identity providers, social or enterprise, and you save time with easy configurations for federating identity providers. Amazon Cognito allows you to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Your apps will be able to get unique identities for
the users and obtain temporary, limited-privilege AWS credentials to access AWS services. BenefitsScalable and easy to useAmazon Cognito provides a secure user directory that scales to hundreds of millions of users. As a fully managed service, it is easy to set up without standing up server infrastructure. With a built-in user interface and easy configuration for federating identity providers, Amazon Cognito helps you add user sign-in, sign-up, and access control to your apps in minutes. You can customize the user interface to highlight your company branding in all user interactions. See how to quickly integrate Amazon Cognito with your apps. Standards-based social and enterprise identity federationWith Amazon Cognito, your app users can sign in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers via SAML, without having to create and remember additional passwords. Amazon Cognito is a standards-based identity provider and supports identity and access management standards, such as OAuth 2.0, SAML 2.0, and OpenID Connect. Read more about federation. Secure and compliant authentication for your appsAmazon Cognito for customer-facing application identityIdentity management for your apps Featured resourcesStreamlining identity and access management for innovation (43:04) Security best practices with AWS IAM (45:37) Establishing a data perimeter on AWS, featuring Vanguard (55:59) Accessing AWS services from workloads running outside of AWS (43:41) Designing a well-architected identity & access management solution (36:59) Deploy and secure Active Directory with AWS Managed Microsoft AD (44:31) Featured customer GE“GE uses AWS Identity Services to support their global enterprise and allow their businesses to operate securely in the cloud. AWS Organizations and Service Control Policies (SCP) provide top-down governance and allows for the delegation of identity based and resource-based policy administration to each business unit. This model allows the businesses to move independently and operate at scale to solve today’s industrial challenges.” Matthew Green, Sr. Director, Cloud Architecture - GE What's new in AWS Identity?AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari. Learn more » Which enables you to manage access to AWS services and resources securely?Security, Identity, and Compliance on AWS
AWS Identity Services enable you to securely manage identities, resources, and permissions at scale. With AWS, you have identity services for your workforce and customer-facing applications to get started quickly and manage access to your workloads and applications.
Which of the following should be used to improve the security of access to AWS management Console?MFA is the best way to protect accounts from inappropriate access. Always set up MFA on your Root user and AWS Identity and Access Management (IAM) users.
Which IAM role that grants permissions to an AWS service so it can access AWS resources?You should use IAM roles to grant access to your AWS accounts by relying on short-term credentials, a security best practice. Authorized identities, which can be AWS services or users from your identity provider, can assume roles to make AWS requests. To grant permissions to a role, attach an IAM policy to it.
What are some of the best practices to manage access to AWS resources?AWS Identity and Access Management Best Practices. Require multi-factor authentication (MFA) ... . Rotate access keys regularly for use cases that require long-term credentials. ... . Safeguard your root user credentials and don't use them for everyday tasks. ... . Set permissions guardrails across multiple accounts.. |
