AWS IAM Users: Understanding Identity Center, Organizations, and Federation

AWS IAM Users: Understanding Identity Center, Organizations, and Federation

Users are an essential part of AWS Identity and Access Management (IAM) service that enables individuals and applications to interact with AWS resources with specific permissions.

In this article, we will explore the basics of IAM users, the issues associated with long-term credentials, and the advantages of using AWS Organizations alongside AWS Identity Center to centrally manage users across multiple accounts. Additionally, we will discuss how federation can simplify user management and administration by integrating with a dedicated identity provider.

We will also discuss AWS Identity Center, Organizations, and Federation in detail to help you understand how to best manage your AWS resources.

AWS IAM Users Infographic

A brief overview of the key points is provided below. The article will delve into each topic in greater detail.

IAM users are an essential part of your work with one or multiple AWS accounts. With AWS Identity Center and Identity Federation, you can enhance your user management without compromising on security.

Introduction

AWS IAM is one of the most mature and complete services of AWS, but still one of the most underlooked. It's the core of every application you'll ever build and integrates natively with all other AWS services to ensure security across resources.

IAM users are a fundamental concept. In this article, we will discuss the basics and explain why these users are considered legacy features. It is recommended to avoid using them and opt for federation instead.

Your Account's Root User

First and foremost, the initial user you utilize to log into your account is the root user. This user should solely be employed for creating your first IAM user and must not possess any long-term credentials, such as an access key or secret access key.

The root user, linked to an email address, holds all possible permissions. This implies that the root user can access billing information, launch or create any conceivable resource, and even close the account itself, thereby terminating all existing resources and services.

Your AWS Account Root User has all possible permissions for your AWS Account.

In the given example, it is evident that the root user's permissions encompass all other permissions, even when creating a policy (or policy set) with extensive permissions for a specific group.

Thus, it is recommended to create a dedicated IAM user promptly after opening a new account, even if solely for establishing the basic setup. The root user should be reserved for tasks that specifically necessitate root user privileges, such as accessing billing information or closing the account once it is no longer needed.

Users

AWS IAM Users are entities within the AWS IAM service that represent individuals (humans) or applications (machines) that interact with the AWS API.

As we've learned before, your account comes with your root user by default. Besides this root, further IAM users can be created within an AWS account and can be used in two different ways:

  • via the AWS console by assigning a unique username and password. This allows you to manually create your AWS resources via the web.

  • via the AWS API, you can authenticate with an access key and secret access key. This enables you to programmatically create resources through your terminal or even utilize Infrastructure as Code tools.

Using AWS either via username and password or programmatically via Access Key ID and Secret Access Key.

Once an IAM user is created, you can grant them direct access to specific AWS resources or services by adding inline policies. You can also create groups with designated permissions and include the user as a member of that group. Additionally, users can assume roles to temporarily obtain the associated permissions.

The Problem with Long-Term Credentials

Since IAM users depend on long-term credentials, it typically poses a security risk.

Even if you mandate regular password changes or implement multi-factor authentication (MFA) for users, the dependence on long-term credentials for IAM users still poses a significant security risk.

Groups

If your project is straightforward, does not require multiple accounts or you simply want to keep it very simple and not rely on external identities, you will be utilizing IAM users. In this situation, it is also advisable to employ the use of groups.

IAM users can be added to one or multiple groups which will authorise them with the corresponding policies that are attached to those groups.

Groups do not function as principals, even though they are identities to which you can attach policies.

From Users to Organizations and Identity Center to Federation

Large-scale projects usually don't occur within a single AWS account. Generally, it's advisable to take advantage of the inherent security boundaries that an AWS account provides and to use multiple accounts for your ecosystem.

AWS Organizations enables seamless management of multiple accounts by providing essential tools such as service control policies.

To enable your users to effortlessly access and switch between multiple accounts, you can also utilize AWS Identity Center, which can serve as an identity provider source for all accounts within your organization.

To elevate this to the ultimate level, you can delegate your user management to an external service that exclusively focuses on identity management like Okta or Azure Active Directory.

AWS Organizations

AWS Organizations allows you to centrally manage and govern a range of accounts in a single entity, from a single place.

How Organizations Work

AWS Organizations is a container for multiple AWS accounts that allows for the management of policies and permissions across all accounts. The management account, which has full access to all AWS resources and services, is the initial account that was used to create the organization. Due to its unlimited permissions, it should only be used for the initial setup and account management tasks.

Each AWS Organization has a management account. This account was used to create the organization.

Organizational units are another tool for fine-grained management. Each unit is a logical container that can include accounts and other organizational units.

You can add multiple member accounts to your AWS Organization either by inviting existing accounts via email or creating new accounts directly in the AWS Organizations console.

This allows for the structuring of applications, projects, or even the layers of your organization.

Organization units enable you to cluster accounts for easier management.

Service Control Policies (SCPs) can be applied to an organization, organizational unit, or individual account. They allow you to restrict access to AWS resources and services, which helps you to apply fine-grained permissions across your set of accounts so you can fulfill compliance rules and enforce strict security setups.

Service Control Policies allow you to restrict permissions across member accounts or organizational units.

Understanding these key concepts is important to understand the inner mechanics of AWS Organizations before jumping into the practice. It is recommended to follow best practices for working with the management account to ensure security and compliance. AWS Organizations provides a centralized and efficient way to manage multiple AWS accounts with fine-grained control over policies and permissions.

Benefits of Organizations

AWS Organizations come with multiple features, including:

  • Account Management - Create and manage multiple accounts in one place. You can move existing accounts into an organization, create new member accounts from a single location, and also add automation rules for the creation of new accounts.

  • Consolidated Billing - Member accounts within your organization don't have to deal with billing, as it's consolidated into the management account. However, each AWS account can still make use of the Free Tier.

  • Applying Policies and Permissions Across Accounts - You can apply permissions and compliance policies across different accounts and manage them in one place. This also enables cross-account access.

  • Identity Federation - AWS Organizations allows for centralized management of identities and permissions throughout the organization. This includes federating with a corporate directory to enable Single Sign-On via AWS Identity Center.

If you're interested in learning more and getting hands-on practice: we have composed an in-depth guide on getting started with AWS Organizations, which covers setting up your first organization, inviting multiple accounts, and creating Service Control Policies to regulate permissions throughout your ecosystem.

AWS Identity Center

AWS Identity Center (previously known as AWS Single Sign-On) enables you to create identities that can be used across multiple accounts.

User's created at the AWS Identity Center.

This significantly reduces administrative efforts in managing user permissions across various accounts without compromising the objective of maintaining the least privilege.

The Features of AWS Identity Center

AWS Identity Center boasts an extensive array of features crucial for handling enterprise-level projects. Among them are:

  • Creating and managing users - As previously mentioned, the primary function of the Identity Center is to consolidate all your users in a central location, enabling them to effortlessly access multiple accounts.

  • Connecting to an external identity provider - You can link the IAM Identity Center to Okta Universal Directory, Azure AD, or another supported identity provider using Security Assertion Markup Language (SAML) 2.0, allowing your users to sign in with their existing credentials.

  • Multi-Factor authentication - The IAM Identity Center enables you to enforce multi-factor authentication (MFA) for all your users, including mandating that users set up MFA devices during the sign-in process.

  • Multi-Account permissions - Create permission sets that comprise one or more policies, granting access to resources across one or multiple accounts in a centralized location.

This is not an exhaustive list of features, but it conveys the main idea: AWS Identity Center serves as a central tool for managing multiple accounts and a large number of users effectively, without compromising on security.

Users within the AWS Identity Center of the Management Account can be enabled to access multiple accounts within the organization via SSO.

This means we don't need to provision users multiple times across various accounts; instead, we can have them in a single location while still allowing them access via Single Sign-On to all the AWS resources they require within our organization.

Identity Federation

Proper identity management can turn into a beast with a growing project size. Even though AWS IAM, AWS Organizations, and AWS Identity Center offer a lot of powerful features, at some point you'll still miss features you dearly want to have.

For this reason, there are dedicated services that focus exclusively on managing identities, known as identity providers. By utilizing identity federation, you can leverage these services to access your AWS Organizations and AWS accounts.

A Dedicated Service for Managing Your Identities

There are multiple famous identity providers across the market. Amongst them are:

  1. Okta: Okta is a cloud-based IdP that provides Single Sign-On (SSO) and multi-factor authentication (MFA) services. It supports various protocols such as SAML, OAuth, and OpenID Connect.

  2. Microsoft Azure Active Directory: Azure Active Directory (Azure AD) is a cloud-based IdP service provided by Microsoft. It provides SSO and MFA services and supports various protocols such as SAML, OAuth, and OpenID Connect.

  3. Google Cloud Identity: Google Cloud Identity is a cloud-based IdP service provided by Google. It provides SSO and MFA services and supports various protocols such as SAML, OAuth, and OpenID Connect.

  4. Ping Identity: Ping Identity is a cloud-based IdP service that provides SSO, MFA, and access management services. It supports various protocols such as SAML, OAuth, and OpenID Connect.

  5. OneLogin: OneLogin is a cloud-based IdP service that provides SSO, MFA, and access management services. It supports various protocols such as SAML, OAuth, and OpenID Connect.

Benefits of Federation

Identity federation is a mechanism that allows users to access multiple systems or applications using a single set of credentials.

Identity federation can be used with AWS Organizations and AWS Identity Center to provide users with seamless access to resources across multiple AWS accounts or even multiple AWS Organizations.

With AWS Organizations and AWS Identity Center you can leverage federation to make use of an external identity provider service.

As Identity Provider services primarily concentrate on identity management, the overall appearance and user experience, as well as user management, are superior to relying solely on AWS IAM or the Identity Center.

Conclusion

In summary, AWS IAM Users are a crucial aspect of managing access and permissions within the AWS ecosystem. However, relying on long-term credentials can pose security risks. Utilizing AWS Organizations, AWS Identity Center, and identity federation can greatly improve the management of users and resources across multiple accounts. By leveraging these tools, you can enhance security, streamline administration, and maintain compliance within your AWS infrastructure.

Frequently Asked Questions

  1. What is the main purpose of AWS IAM Users?
    AWS IAM Users represent individuals or applications that interact with AWS resources, allowing you to grant them specific permissions for accessing resources and services.

  2. Why are long-term credentials considered a security risk?
    Long-term credentials pose a security risk because they can be more easily compromised, leading to unauthorized access to your AWS resources and services.

  3. What are the key benefits of using AWS Organizations?
    AWS Organizations provides centralized account management, consolidated billing, and fine-grained control over policies and permissions across multiple AWS accounts.

  4. How does AWS Identity Center simplify user management across multiple accounts?
    AWS Identity Center centralizes user management, enabling seamless access to multiple accounts and reducing administrative efforts in managing permissions across various accounts.

  5. What is identity federation and how does it improve user management?
    Identity federation allows users to access multiple systems or applications using a single set of credentials, streamlining user management and improving security by leveraging dedicated identity providers.

Are you interested in more?

Head over to our bi-weekly newsletter or check out the following blog posts