What is workforce identity and access management on AWS?
AWS gives you scalable, highly available, and resilient options for how and where you manage the lifecycle of identities and the ability to implement fine-grained access for your employees, services, and workloads. Workforce identity and access management on AWS enables you to modernize infrastructures and applications with native and partner identity solutions. With AWS, you have flexible administration capabilities and governance capabilities, such as preventative, detective, and proactive security controls, over applications and multi-account environments.
Benefits
Choose your preferred identity source
AWS Identity Services allow your identity administrators to create identities directly in AWS or connect to an existing identity source, such as Microsoft Active Directory (AD), Okta, CyberArk, Ping Identity, JumpCloud, Azure AD, and other identity providers. With AWS IAM Identity Center, your employees can see their assigned permissions for AWS accounts and business applications from one place.
Apply fine-grained access controls for your workforce
AWS Identity Services enable you to grant the right access by selecting permissions from a library of AWS managed policies or create your own policies, designed for specific job functions and roles. AWS supports the use of role-based and attribute-based access controls to define and manage fine-grained access at scale. Fine-grained access controls can be applied to AWS resources, on-premises workloads, and applications used in AWS.
Implement flexible administration and governance controls
AWS Identity Services paired with AWS Cloud Governance Services give you the ability to perform cloud governance and access management at scale. You can create always-on boundaries to protect and strictly control access to data across AWS, specify what AWS Regions a builder can operate in, and what AWS services can be used. Your admins can centrally manage access across your environment with AWS Organizations and deploy brand new, multi-account environments using AWS Control Tower.
Strengthen your security posture with access analysis
AWS Identity Services provide provable access analysis tools, such as IAM Access Analyzer, which help you continuously set, verify, and refine permissions toward least privilege. You can analyze the services and actions that your users and workloads use and then generate and test new policies before deploying to production. You can regularly review and remove unused permissions, users, and roles for further refinement. AWS Identity Services can extend and integrate with comprehensive AWS monitoring and observability services so you can audit access patterns in AWS.
Featured resources
Identity management and access control
This documentation provides guidance to help you apply best practices, current recommendations in the design, delivery, and maintenance of secure AWS workloads.
Workforce identity and access management on AWS videos
Watch the latest demo videos to help you manage workforce identities, resources, and access securely and at scale.
Security best practices with AWS Identity and Access Management
Learn about IAM best practices like working with temporary credentials, applying least-privilege permissions, and analyzing access to your resources, and more.
Harness the power of IAM policies & rein in permissions
Explore the power of IAM policies and discover how to use IAM Access Analyzer to set, verify, and refine permissions. Learn advanced skills that empower builders to apply fine-grained permissions across AWS.
Watch now >>
Workforce identity and access management capabilities on AWS
AWS helps you implement and enforce the principle of least privilege on your Zero Trust journey. With access analysis tools, you can identify unused or excessive permissions across your AWS environment so that you can remove unnecessary access quickly and confidently.
Give your workforce improved access experiences
With AWS IAM Identity Center, you can give workforce users single sign-on access to view and operate in assigned AWS accounts, AWS applications, SaaS applications, like Box or Salesforce. You can configure multi-factor authentication, perform user session management, configure single sign-on access to applications, and centrally configure and assign access across AWS.
Establish guardrails and access controls aligned to Zero Trust
Identity-centric controls in AWS offer coarse and fine-grained access control aligned to Zero Trust principles. You can implement organization-wide permissions so your workforce has the freedom to build with the resources they only need. You can establish always-on, preventative controls with a data perimeter, detective controls for real-time access events, and remediation on unintended access events. These controls help you keep your data protected across accounts, applications, and resources.
Quickly connect your workforce to run workloads on AWS
AWS enables you to connect your existing identity source to AWS, apply fine-grained access controls to AWS applications and resources, and begin building and modernizing by importing your existing users and groups. You can give workloads running outside of AWS access to AWS resources with IAM Roles Anywhere. AWS supports your transformation journey with standard and advanced administration tools for identity management and access control.
Scale and automate workforce and workload access
You can manage, automate, and govern workload and workforce access granularly across AWS accounts. AWS gives you tools and resources to centralize identity and access management at scale and use industry standards and APIs to automate the management of users and groups, saving you time and administrative effort. With AWS Identity Services, you can automate account or identity creation and use integrated applications within AWS IAM Identity Center to share a consistent view of users and groups.
Identity services for your workforce
| AWS IAM Identity Center | Manage workforce access across AWS accounts and applications |
| AWS Identity and Access Management (IAM) | Securely manage access to AWS services and resources |
| AWS Directory Service | Managed Microsoft Active Directory |
| AWS Resource Access Manager |
Simply and securely share your AWS resources across multiple accounts |
| AWS Organizations | Central governance and management across AWS accounts |
| AWS Control Tower | Govern a new, secure multi-account AWS environment |
