
IAM is the main entry point for AWS authentication and user privileges. AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. In addition to IAM, AWS offers many Advanced Identity Services like Security Token Service, Cognito, Directory Services, Single Sign-On, and more. In this article, we’ll look at these Amazon Identity Services.

AWS Security Token Service

AWS Security Token Service (STS) is a web service that lets you request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate externally (federated users). In general usage, a security token is a physical or digital device that provides two-factor authentication (2FA) so users can prove their identity during login; it is typically used as a form of identification for physical access or as a method of computer system access.

• Enables you to create temporary, limited-privilege credentials to access your AWS resources
• Short-term credentials: you configure the expiration period
• Use cases:
  • Identity federation: manage user identities in external systems, and provide them with STS tokens to access AWS resources
  • IAM Roles for cross-account or same-account access
  • IAM Roles for Amazon EC2: provide temporary credentials for EC2 instances to access AWS resources
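The cross-account use case above depends on the role's trust policy being tight and the session being short. The following is an added example (not code from the original article or from AWS) that builds such a trust policy, audits an arbitrary trust policy for the usual mistakes, and assembles the parameters for an AssumeRole call; the account ID, external ID and role ARN are constructed placeholders.

```python
"""Cross-account role handoff via STS: build a least-privilege trust policy,
audit one for common mistakes, and assemble a short-lived AssumeRole request."""
import json


def build_trust_policy(trusted_account_id, external_id, require_mfa=True):
    """Trust policy allowing only one account to assume the role, gated by an external ID."""
    conditions = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        conditions["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": conditions,
        }],
    }


def audit_trust_policy(policy):
    """Return human-readable findings for Allow statements that widen who may assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principal, str):
            aws_principal = [aws_principal]
        cond = stmt.get("Condition", {})
        if "*" in aws_principal:
            findings.append("wildcard principal: any AWS account may assume this role")
        if any(p.endswith(":root") for p in aws_principal) and \
                "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("cross-account principal without an sts:ExternalId condition")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append("no MFA condition on sts:AssumeRole")
    return findings


def assume_role_request(role_arn, session_name, duration_seconds=900, session_policy=None):
    """Keyword arguments for boto3's sts.assume_role(); a session policy can only narrow the role."""
    if not 900 <= duration_seconds <= 43200:  # STS accepts 15 minutes to 12 hours
        raise ValueError("DurationSeconds must be between 900 and 43200")
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if session_policy is not None:
        kwargs["Policy"] = json.dumps(session_policy)
    return kwargs
```

Pass the returned dictionary to `boto3.client("sts").assume_role(**kwargs)`; the `Credentials` in the response expire after `DurationSeconds`, which is the short-term behaviour the section describes.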

AWS Cognito

Amazon Cognito lets you quickly add user sign-up and authentication to your mobile and web apps. Amazon Cognito also enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway. Cognito is for authenticating users, while AWS SSO is for authenticating employees. Users don’t usually need to be stored in Active Directory, authenticate to other services with SAML, or assign groups to control access. AWS SSO should also have better integration with AWS IAM.

• Identity for your Web and Mobile applications users (potentially millions)

• Instead of creating an IAM user for each of them, you create the user in Cognito

Amazon Cognito can be used to implement identity management for a fleet of mobile apps that are running in the AWS Cloud.

Amazon Cognito lets users sign in directly with a user name and password, or through a third-party provider for a company that needs to set up user authentication for a new application.

AWS Directory Services

AWS Directory Service provides multiple ways to use Microsoft Active Directory (AD) with other AWS services. Directories store information about users, groups, and devices, and administrators use them to manage access to information and resources. The primary benefit of implementing AWS Directory Service is that organizations can extend AD identities and management capabilities to AWS resources. Without the AWS Directory Service, both AD and AWS would be siloed to their respective resources and have to be managed separately.

AWS Managed Microsoft AD
• Create your AD in AWS, manage users locally; supports MFA
• Establish “trust” connections with your on-premises AD

AD Connector
• Directory gateway (proxy) that redirects to your on-premises AD; supports MFA
• Users are managed in the on-premises AD

Simple AD
• AD-compatible managed directory on AWS
• Cannot be joined with an on-premises AD

AWS Single Sign-On

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. It enables users to sign in to a user portal with their existing corporate credentials and access all their assigned accounts and applications from one place. SSO and IAM users can coexist. Nothing happens to your current IAM users, groups, roles, or policies when you provision SSO into your accounts. SSO appears as a new identity provider in your IAM config and manages its functions (permission sets) alongside your standard IAM roles.

You can control in Azure AD who has access to AWS. You can enable your users to automatically sign in to AWS by using single sign-on (SSO) with their Azure AD accounts. You can manage your accounts in one central location, the Azure portal. Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications. Select New application to add an application. In the Add from the gallery section, type AWS Single-Account Access in the search box. Select AWS Single-Account Access from the results panel and then add the app.

• Centrally manage Single Sign-On access to multiple accounts and 3rd-party business applications
• Integrated with AWS Organizations
• Supports SAML 2.0 markup
• Integration with on-premises Active Directory

When a company that has multiple business units wants to centrally manage and govern its AWS Cloud environments and wants to automate the creation of AWS accounts, apply service control policies (SCPs), and simplify billing processes, AWS Organizations can be used to meet these requirements.
