Overview of AWS identity management: Users
First Time Access Only: Your Root User Credentials
As we all know, while creating an AWS account, a one sign-in account called root user (having total access over all the AWS services and resources available in the account) is accessed via the email address as well as the password used while creating the account. this combination of the email address and password is also termed as Root User Credentials.
Since Root User Credentials offers unrestricted access to all the AWS resources (which also includes your billing information and permission to change the password), it's strongly recommended to not use them on regular basis and/or share them with anyone. Only Service Control Policies (SCPs) in organizations can restrict the permissions that are granted to the root user.
IAM Users
The term referred to as authentication helps you in providing the "identity" of the user of IAM. Hence, you can also create your own users (that corresponds to users within your account) within your account instead of sharing your root user credentials with anyone. Each user can have its own password and access key to access the AWS management console in order to work with the resources in your account.
Note: Some of the users can actually be applications that can be created to generate an access key for an application and doesn't need to represent a real person.
Federating Existing Users
If users in an organization can be authenticated, then, there is no need to create separate IAM users, instead, you can federate their user identities into AWS which can be useful in following cases:
- Users already have identities in a corporate directory
However, if it's not compatible, then, an identity broker application can be created to provide the single-sign on access for the users.
If it's a Microsoft AD, then, AWS Directory Service can be used to establish trust between your corporate directory and AWS account.
- Users already have internet identities
If a mobile app or web-based app is being created that can provide identities via an Internet Identity Provider like Login with Amazon, Facebook, Google, etc., that app can readily use federation to access AWS.
Comments
Post a Comment