AWS Identity, Directory, and Access Services

Manage authentication, authorization, and governance in the AWS Cloud.

AWS Identity, Directory, and Access services help you manage authentication, authorization, and governance in the AWS Cloud. These services enable you to securely manage and audit access to your AWS accounts and infrastructure anywhere along your AWS Cloud journey. With AWS, you can use purpose-built identity, directory, and access services to help you easily and securely migrate existing workloads to the AWS Cloud and build new cloud-native applications. You also have the flexibility to use your existing identities and directories or take advantage of AWS-managed services.

To help users authenticate easily and securely, AWS Identity, Directory, and Access services enable users to bring their own identities to the AWS Cloud. For example, you can authenticate users for your own applications using social identity providers, such as Facebook and Amazon. You can also enable developers and AWS administrators to access their AWS accounts using their existing corporate credentials. AWS helps you manage authorization within AWS accounts by using fine-grained access policies and short-term credentials to manage permissions to your AWS resources. As you scale and add more AWS accounts and resources, AWS helps you meet your audit and compliance requirements with services to manage single sign-on (SSO) access, policies, and governance across multiple AWS accounts. With AWS, you can get started quickly and securely and take advantage of richer functionality over time as you scale up on the AWS Cloud.


re:Invent 2017: SID303: How to use AWS Identity Services to be Successful on your AWS Cloud Journey

Benefits

Get started quickly and securely

AWS Identity, Directory, and Access services help you follow security best practices so you can get started on the AWS Cloud quickly and securely. With AWS Identity and Access Management (IAM) managed policies and the point-and-click visual editor, you can easily create IAM policies based on common job functions, such as database administrator, data scientist, and auditor. You can also extend these built-in policies to meet your specific security requirements. For example, you can copy the built-in database administrator policy and scope down the permissions to allow access only to Amazon DynamoDB.

Take advantage of rich functionality over time

With AWS, you can take advantage of richer functionality as your needs become more advanced over time. You can create fine-grained access policies to meet stringent regulatory and compliance requirements. You can define permissions to AWS services and resources down to an API level and set conditions on when and how those permissions can be used. And through integrations with AWS logging and monitoring services, such as AWS CloudTrail and AWS CloudWatch, you can have visibility into who has been accessing what across your AWS resources.

Scale in the AWS Cloud securely

To help you scale securely as you add more AWS accounts, AWS Identity, Directory, and Access services enable you to manage access and governance across your AWS accounts. With AWS Single Sign-On (SSO), you can manage access to multiple AWS accounts centrally. And with AWS Organizations, you can create groups of accounts and then apply service control policies to manage which AWS service APIs are permissible in your AWS accounts. For example, you can create separate groups of accounts used for development and production resources and then apply different service control policies to each group.

Use Cases


Manage and secure user access to your AWS resources and business applications.

Managing and securing user access to your AWS resources and business applications is a critical part of your security and compliance policies. Using AWS Identity, Directory, and Access services, you can manage user access to your AWS accounts and business applications using your existing corporate identities and define fine-grained access policies to manage permissions to your AWS resources. You can also control the use of AWS service APIs across your AWS accounts to meet security and compliance policies. AWS Identity, Directory, and Access services also enable you to extend permissions to the resources a user runs in their AWS account. For example, you can ensure that the permissions granted to an AWS Lambda function that is triggered by a security engineer do not exceed the permissions granted to the engineer.


Manage and secure application access to your AWS resources.

To build distributed applications running across different AWS services and accounts, you need to be able to validate the identity and permissions of your application resources. AWS Identity, Directory, and Access services enable you to securely validate identities and manage resource permissions using IAM roles, which issue short-term credentials. Using roles helps you follow security best practices for granting least-privilege access and enables you to manage fine-grained permissions for AWS services and applications running on Amazon EC2 instances and containers. Roles enable you to grant these resources access to data without distributing passwords and API keys, or hard-coding credentials in your source code.


Manage and secure access to your own applications.

Building custom solutions to manage identities and authentication in applications is complex. With AWS Identity, Directory, and Access services, you can easily add sign-up and sign-in functionality to your applications and create scalable cloud-native directories for your application users. You also can enable users to bring their own identities from social identity providers, such as Facebook and Amazon, or use their existing corporate identities through SAML. To help protect access to your application’s user accounts, AWS Identity, Directory, and Access Services enable you to add multi-factor authentication (MFA) to your applications. With MFA enabled, users have to provide an additional verification factor before they can access your application, such as a six-digit code delivered by SMS.

Identity, Directory, and Access Services

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources. You can create IAM policies to manage permissions for IAM users and groups that allow or deny access to AWS resources.

AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts and then apply policies to those groups.

AWS Directory Service for Microsoft Active Directory enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

AWS Single Sign-On (SSO) makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. Users can sign in to a user portal with their corporate credentials and access their accounts and applications from one place.

Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. You also can authenticate users through social identity providers, such as Facebook and Amazon, or enterprise identity providers through SAML.

Amazon Cloud Directory enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. You can create directories for a variety of use cases, such as organizational charts, course catalogs, and device registries.

Webinars

Best Practices for Using AWS Identity and Access Management (IAM) Roles
SAML Federation for AWS
Becoming an AWS Policy Ninja Using AWS IAM and AWS Organizations
AWS Organizations - Account Management at Enterprise Scale
How to Integrate AWS Directory Service with Office 365
Deep Dive on User Sign Up and Sign In with Amazon Cognito


Key Features

Use your existing corporate identities.

With AWS, you can use your existing corporate identities to manage user access to your AWS resources and business applications. AWS Identity and Access Management (IAM) integrates with your on-premises Microsoft Active Directory (AD) using SAML 2.0 (Security Assertion Markup Language 2.0), enabling you to use single sign-on (SSO) to access your AWS accounts using your AD credentials. To help you scale up in the AWS Cloud as you adopt more AWS accounts, you can use AWS Single Sign-On (SSO) to centrally manage SSO access to multiple AWS accounts and business applications. With AWS Directory Service, you can extend your on-premises AD to the AWS Cloud using AD forest trusts or AD Connector. Then, you can use your existing AD users and groups to manage access to your AWS accounts and AD-aware workloads, such as Amazon RDS for SQL Server, Amazon EC2 for Windows Server, and Amazon WorkSpaces.

Manage identities and access securely in your own applications.

Amazon Cognito enables you to use multiple external identity options to manage access to your own applications. You can enable users to bring their own identities to sign up and sign in to your application using social identity providers, such as Facebook and Amazon, or using their enterprise identity providers through SAML. You can also use Amazon Cognito User Pools to manage your application users in a scalable, cloud-native directory.

Secure access with multi-factor authentication.

Secure access to your AWS resources and applications with multi-factor authentication (MFA). With AWS Identity and Access Management (IAM), you can enable MFA for access to your AWS accounts. You can also use AWS Directory Service for Microsoft Active Directory to enable RADIUS (Remote Authentication Dial-In User Service) based MFA for your AD-aware applications. And, with Amazon Cognito you can add MFA to your own applications.

Create fine-grained access policies.

AWS Identity, Directory, and Access services help you manage access securely in the AWS Cloud. Using AWS Identity and Access Management (IAM), you can set fine-grained access policies for your AWS resources. For example, you can create a policy that defines which specific AWS service APIs a group of IAM users has permissions to use and under what conditions.
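The following added example (not AWS code, and not from this page) models how a conditional identity policy like the one described here combines with a service control policy of the kind described under "Scale in the AWS Cloud securely": a scoped-down DynamoDB policy that requires MFA, evaluated together with an SCP for a development group of accounts that blocks IAM API calls. The policy documents and the request context are constructed samples, and the evaluator is a deliberately simplified model that ignores resource ARNs, resource policies and permission boundaries.

```python
import fnmatch

# Constructed sample policies (not from the page): a scoped-down identity policy
# granting read-only DynamoDB access only when the caller used MFA, and an SCP
# for a "development" group of accounts that blocks IAM API calls outright.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}
DEV_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, ctx):
    """Evaluate the Bool operator only; as in IAM, a context key that is
    absent from the request never satisfies a condition."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision

def is_allowed(action, ctx, identity_policy=IDENTITY_POLICY, scp=DEV_SCP):
    """Simplified decision for an IAM principal in an Organizations member
    account: the SCP and the identity policy must both Allow, and an explicit
    Deny in either is final (resource policies and boundaries are omitted)."""
    decisions = (evaluate(scp, action, ctx), evaluate(identity_policy, action, ctx))
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)
```

Running `is_allowed("dynamodb:GetItem", {"aws:MultiFactorAuthPresent": "true"})` returns True, while the same call without MFA, a write such as `dynamodb:PutItem`, or any `iam:*` call returns False.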

Manage access using short-term credentials.

With AWS IAM roles, you can manage access to your AWS resources using short-term credentials. IAM roles enable you to grant access to resources in your AWS accounts without distributing passwords or API keys. For instance, you can assign an IAM role to an AWS Lambda function to give it permissions to write logs to AWS CloudWatch on your behalf. Or, you can use IAM Roles for Amazon EC2 to give your applications running on EC2 permissions to access an Amazon RDS database.

Managed directory services.

AWS offers multiple directory service options to support different types of applications. For applications that require Microsoft AD, you can use AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and take advantage of a managed AD service. Or, if AWS Managed Microsoft AD does not fit your requirements, you can deploy your own AD on Amazon EC2. You can also build cloud-native user directories for your own applications using Amazon Cognito User Pools. Or, with Amazon Cloud Directory, you can create scalable directories to manage sophisticated hierarchies of data, such as organization charts, course catalogs, and device registries.
