AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
Introducing Identity Federation using SAML 2.0
Identity federation enables users from an existing directory to access resources within an AWS account, making it easier to manage users by maintaining their identities in a single place. AWS supports identity federation using the Security Assertion Markup Language (SAML) 2.0, an open standard used by many identity providers.
For more information see this section of the AWS Security Token Service guide.
IAM allows you to:
Manage IAM users and their access - You can create users in IAM, assign them individual security credentials (e.g., access keys, passwords, and Multi-Factor Authentication devices) or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform.
Manage IAM roles and their permissions - You can create roles in IAM, and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role.
Manage federated users and their permissions - You can enable identity federation to allow existing identities (e.g. users) in your enterprise to access the AWS Management Console, to call AWS APIs, and to access resources, without the need to create an IAM user for each identity.
You enable identity federation by requesting temporary security credentials that can be used to sign requests to AWS. The temporary security credentials are comprised of short-lived access keys and a session token associated with the keys. Your enterprise users can use the access keys the same way as before, as long as they pass the session token along in every call they make to the AWS APIs. The permissions associated with temporary security credentials are at most those of the IAM user who requested them: the effective permissions are the intersection of that user's policies and any policy you pass as part of the request to create the credentials, so you can restrict them further but never expand them. There is no limit on the number of temporary security credentials that can be issued.
As an example, an enterprise might want an application running on all employee laptops to perform daily backups to an employee-specific subfolder in Amazon S3. The enterprise could run a small application that would serve as an "identity broker", requesting an AWS temporary security credential for each user after they log in to their corporate network. This credential could specify the exact permissions granted (e.g., write access to a particular S3 bucket/folder) and the duration of the permissions (e.g., 12 hours). The credential would be passed back to the backup application on the employee's laptop, providing secure and direct access to Amazon S3. To learn more about configuring identity federation with your corporate directory, try out our sample application.
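The broker side of the laptop-backup scenario above, as an added example in Python with boto3. This is not code from the AWS page or from any AWS sample application; the bucket name, usernames and the helper names are assumptions made for illustration. It builds the scoped-down session policy for one employee's prefix, validates the username so it cannot escape that prefix when it is spliced into the ARN, calls STS GetFederationToken for a 12-hour credential, and shows how the laptop agent must carry the session token alongside the access key pair.

```python
"""Identity broker for per-employee S3 backup credentials (added example).

Assumes boto3 is installed and, when run for real, that the broker process
holds IAM user credentials allowed to call sts:GetFederationToken. The
federated user's effective permissions are the intersection of that IAM
user's policies and the session policy built here, so they can never exceed
the broker's own permissions.
"""
import json
import re

# GetFederationToken names are 2-32 chars from [\w+=,.@-]. Restricting the
# set further also guarantees a name such as "alice/../bob" is refused rather
# than becoming part of the resource ARN below.
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{1,31}$")


def build_backup_policy(bucket: str, username: str) -> dict:
    """Session policy confining the federated user to s3://<bucket>/<username>/."""
    if not _SAFE_USERNAME.match(username):
        raise ValueError(f"unsafe username: {username!r}")
    prefix = f"{username}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Listing is bucket-level, so it is narrowed with s3:prefix.
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}*"]}},
            },
            {
                # Write access only, and only under the employee's own prefix.
                "Sid": "WriteOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def request_backup_credentials(sts_client, bucket: str, username: str, hours: int = 12) -> dict:
    """Ask STS for a federated credential for one employee.

    sts_client is any object exposing get_federation_token(**kwargs) (boto3's
    STS client in production). DurationSeconds for GetFederationToken must be
    between 900 s and 129600 s (36 h); 12 h is the default.
    """
    seconds = hours * 3600
    if not 900 <= seconds <= 129600:
        raise ValueError("duration out of range for GetFederationToken")
    resp = sts_client.get_federation_token(
        Name=username,  # appears in CloudTrail as the federated user
        Policy=json.dumps(build_backup_policy(bucket, username)),
        DurationSeconds=seconds,
    )
    creds = resp["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],  # must accompany every signed request
        "Expiration": creds["Expiration"],
    }


def laptop_s3_client(creds: dict):
    """What the backup agent does with the credential: boto3 signs with the
    access key pair and attaches the session token to each request."""
    import boto3  # imported here so the policy helpers work without boto3 installed

    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    ).client("s3")


if __name__ == "__main__":
    import boto3

    sts = boto3.client("sts")  # uses the broker's own long-term IAM user credentials
    creds = request_backup_credentials(sts, "corp-laptop-backups", "alice")
    s3 = laptop_s3_client(creds)
    s3.put_object(Bucket="corp-laptop-backups", Key="alice/daily.tar.gz", Body=b"constructed payload")
```

The username check matters more than it looks: the broker is the only component that decides which prefix a credential can write to, so anything that reaches the ARN string unvalidated becomes a cross-employee write path.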
IAM enables security best practices by allowing you to grant unique security credentials to each user and to use groups to specify which AWS service APIs and resources those users can access. IAM is secure by default: users have no access to AWS resources until permissions are explicitly granted.
IAM provides the granularity to control a user's access to specific AWS services and resources using permissions, such as permission to terminate EC2 instances or to read the contents of a particular Amazon S3 bucket.
Seamlessly integrated into AWS services
IAM is integrated into most AWS services. This provides the ability to define access controls from one place in the AWS Management Console that will take effect throughout your AWS environment.
Flexible security credential management
IAM allows you to authenticate users in several ways, depending on how they want to use AWS services. You can assign a range of security credentials including passwords, access key pairs, and X.509 certificates. You can also enforce multi-factor authentication (MFA) on users who access the AWS Management Console or use APIs.
Leverage external identity systems
You can use IAM to grant your employees and applications access to the AWS Management Console and to AWS service APIs, using your existing identity systems. AWS supports federation from corporate systems like Microsoft Active Directory as well as external Web Identity Providers like Google and Facebook.
Easy to manage permissions with roles
In addition to defining access permissions directly to users and groups, IAM lets you create roles. Roles allow you to define a set of permissions and then let authenticated users or EC2 instances assume them, getting temporary access to the resources you define.
Fine-grained access control to your AWS resources
IAM enables you to control access to AWS service APIs and to specific resources. IAM also enables you to add specific conditions to control how a user can use AWS, such as time of day, their originating IP address, whether they are using SSL, or whether they have authenticated with a multi-factor authentication device.
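The condition keys named above in a concrete policy, as an added example in Python (not code from the AWS page). It builds a policy that allows S3 reads only from a corporate IP range, only over TLS and only inside a time window, plus a blanket Deny for requests made without MFA, and runs it through a deliberately simplified evaluator. The condition operators (`Bool`, `BoolIfExists`, `IpAddress`, `DateGreaterThan`, `DateLessThan`) and the condition keys are real IAM names; the evaluator, bucket name, IP range and request contexts are constructed for illustration and model only the explicit-deny-wins, then allow, then implicit-deny ordering. The point it demonstrates is the well-known MFA pitfall: `aws:MultiFactorAuthPresent` is absent from the request context when a call is signed with long-term access keys, and a plain `Bool` condition never matches a missing key, so a Deny written with `Bool` silently exempts exactly the requests it was meant to block. `BoolIfExists` treats the missing key as a match and closes the gap.

```python
"""Condition-keyed IAM policy and a simplified evaluator (added example).

Not the IAM policy engine: it handles only the operators this policy uses,
and '*'/'?' wildcards in Action and Resource. Good enough to show how a
request context drives the decision, and why BoolIfExists matters for MFA.
"""
import fnmatch
import ipaddress
from datetime import datetime


def office_read_policy(mfa_operator: str = "BoolIfExists") -> dict:
    """Constructed policy. mfa_operator is parameterised only to compare
    the correct BoolIfExists form with the buggy Bool form."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadFromOfficeOverTlsInWindow",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
                "Condition": {
                    "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                    "Bool": {"aws:SecureTransport": "true"},
                    "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T08:00:00Z"},
                    "DateLessThan": {"aws:CurrentTime": "2024-01-01T18:00:00Z"},
                },
            },
            {
                "Sid": "DenyWithoutMfa",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                # Requests signed with long-term keys carry no
                # aws:MultiFactorAuthPresent key at all; BoolIfExists treats
                # the missing key as "condition met" so the Deny still fires.
                "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _condition_met(operator: str, key: str, expected, ctx: dict) -> bool:
    """Evaluate one operator/key/value triple against the request context."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in ctx:
        return if_exists  # absent key: plain operators fail, *IfExists succeed
    actual = ctx[key]
    values = expected if isinstance(expected, list) else [expected]
    if base == "Bool":
        return str(actual).lower() in [v.lower() for v in values]
    if base == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if base == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(values[0])
    if base == "DateLessThan":
        return _parse_time(actual) < _parse_time(values[0])
    raise NotImplementedError(operator)


def _matches_any(patterns, value: str) -> bool:
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _matches_any(st["Action"], action) or not _matches_any(st["Resource"], resource):
            continue
        conditions = st.get("Condition", {})
        if not all(_condition_met(op, k, v, ctx) for op, kv in conditions.items() for k, v in kv.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


# Constructed request contexts: same office, TLS and time; MFA differs.
MFA_SESSION = {"aws:SourceIp": "203.0.113.42", "aws:SecureTransport": "true",
               "aws:CurrentTime": "2024-01-01T12:00:00Z", "aws:MultiFactorAuthPresent": "true"}
LONG_TERM_KEYS = {"aws:SourceIp": "203.0.113.42", "aws:SecureTransport": "true",
                  "aws:CurrentTime": "2024-01-01T12:00:00Z"}  # no MFA key at all
```

Running `evaluate(office_read_policy(), "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", LONG_TERM_KEYS)` yields `Deny`, while the same call against `office_read_policy("Bool")` yields `Allow`: the buggy form lets a request with no MFA context straight through.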
Integrate with your corporate Active Directory
IAM can be used to grant your employees and applications access to the AWS Management Console and AWS service APIs, using your existing identity systems like Microsoft Active Directory.
Manage access control for mobile applications
You can enable your mobile and browser-based applications to securely access AWS resources by requesting temporary security credentials that grant access only to specific AWS resources for a configurable period of time.