
AWS federated access and identity services

AWS federated access isn't a standalone service but a feature integrated into various AWS Identity Services.

AWS federated access means access to AWS resources by users created outside of AWS.

We will explore four distinct Identity Services available within the AWS ecosystem, highlighting their federated access options.

AWS Identity and Access Management (IAM)

This service plays a crucial role in providing centralized control over access to AWS services and resources within a single account.

IAM enables federated access through roles, trust relationships, policies and identity providers, without the need to create an IAM user.

Identity providers need to use SAML 2.0 or OpenID Connect (for example Shibboleth or Active Directory Federation Services).

In order to give a federated user access to AWS, you have to create a role that can be assumed through the identity provider (via a trust relationship) and assign the proper permissions to the role using policies.

You can additionally add conditions to the trust relationship that limit it based on certain attributes, thus restricting access to specific users from the identity provider.

AWS IAM Identity Center (successor to AWS Single Sign-On)

Manages user access to multiple accounts and applications with the same set of credentials.

The service has three options for the source of your identities (where your users are created).

The default Identity Center directory handles users created inside of AWS.

Active Directory and External Identity Provider are for users and groups created outside of AWS, which means utilizing federated access.

Under the hood, federated access is realized by AWS IAM with a trust relationship, policies and a role assumed by federated users. However, it's easier to set up with AWS IAM Identity Center than with AWS IAM alone.

AWS Directory Service

AWS Directory Service is an abstraction for the concept of Active Directory in the AWS cloud.

If you're new to Active Directory, it's essentially a directory service for storing various types of information and managing users and their permissions to access different resources (akin to AWS IAM).

Integrating with AWS Services

After creating or importing users and assigning the proper permissions, your users can instantly use some AWS services with AD authentication, utilizing single sign-on, or in other words federated access.

Service             Description
Amazon WorkSpaces   User can access their WorkSpaces desktop
Amazon WorkMail     User can access their email account
Amazon WorkDocs     User can access and share files in their WorkDocs account
Amazon QuickSight   User can access their QuickSight dashboards
Amazon RDS          User can access MS SQL Server
Amazon Connect      User can authenticate as a contact center agent
EC2                 You can add EC2 instances to your domain

Not a very impressive list!

However, you can integrate AWS Directory Service with AWS IAM (by assigning IAM roles to AD users) or with AWS IAM Identity Center to give access to any AWS resources, accounts and applications (see AWS IAM Identity Center above).

Amazon Cognito

The service provides identity and access management for web and mobile applications, as opposed to AWS IAM, which covers access to AWS resources.

The key principle of the service is the division into User pools and Identity pools. A User pool contains users who have registered with your app, while an Identity pool enables authenticated users from the User pool to access AWS resources.

Federated access

You can configure the user pool to enable users to sign in using their social identity provider credentials from platforms such as Facebook, Google, Amazon and Apple, or through external directories by leveraging SAML 2.0 or OpenID Connect.
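
As an added example (not code from the original article and not AWS's own tooling), the following Python builds the two role trust relationships this article describes: the SAML trust policy with attribute conditions from the AWS IAM section, and the identity pool trust policy that lets authenticated Cognito users reach AWS resources from this section. It then runs a simplified condition check to show which assertions or tokens each policy admits. The account id, provider name and identity pool id are placeholders; the condition keys (SAML:aud, saml:edupersonaffiliation, cognito-identity.amazonaws.com:aud and :amr) are real IAM keys, but the evaluator is a teaching approximation, not the IAM policy engine.

```python
"""Constructed example: two IAM role trust policies used for federated access,
plus a simplified check of their Condition blocks. All ids are placeholders."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"          # placeholder AWS account id
SAML_PROVIDER = "ExampleIdP"         # placeholder IAM SAML provider name
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in the assertion


def saml_trust_policy(account_id, provider_name, affiliations):
    """Trust relationship for a role assumed with sts:AssumeRoleWithSAML.
    SAML:aud ties the role to assertions issued for AWS sign-in; the
    affiliation condition narrows it to users carrying one of the listed values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {"SAML:aud": SAML_AUDIENCE},
                "ForAnyValue:StringEquals": {"SAML:edupersonaffiliation": list(affiliations)},
            },
        }],
    }


def cognito_authenticated_trust_policy(identity_pool_id):
    """Trust relationship for the authenticated role of a Cognito identity pool
    (sts:AssumeRoleWithWebIdentity). aud pins the pool; amr excludes guests."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, claims):
    """Simplified evaluation of a Condition block against the claims of an
    assertion or token (teaching approximation, not the IAM policy engine).
    Keys compare case-insensitively, as in IAM; only StringEquals and
    StringLike, with the optional ForAnyValue/ForAllValues prefix, are handled."""
    present = {k.lower(): _as_list(v) for k, v in claims.items()}
    for operator, entries in condition.items():
        set_op, _, base_op = operator.rpartition(":")   # e.g. "ForAnyValue", "StringEquals"
        for key, wanted in entries.items():
            actual = present.get(key.lower())
            if actual is None:
                return False   # an absent claim never satisfies a positive condition
            wanted = _as_list(wanted)
            if base_op == "StringEquals":
                hits = [a for a in actual if a in wanted]
            elif base_op == "StringLike":
                hits = [a for a in actual if any(fnmatch.fnmatchcase(a, w) for w in wanted)]
            else:
                raise ValueError(f"operator {base_op} not implemented in this example")
            if set_op == "ForAllValues":
                if len(hits) != len(actual):
                    return False
            elif not hits:          # single-valued or ForAnyValue: one match is enough
                return False
    return True


def assume_role_allowed(policy, action, claims):
    """True if some Allow statement grants `action` and all its conditions hold."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or action not in _as_list(statement["Action"]):
            continue
        if condition_matches(statement.get("Condition", {}), claims):
            return True
    return False


if __name__ == "__main__":
    saml = saml_trust_policy(ACCOUNT_ID, SAML_PROVIDER, ["staff", "faculty"])
    pool = cognito_authenticated_trust_policy(IDENTITY_POOL_ID)
    print(json.dumps(saml, indent=2))
    # Constructed claim sets standing in for what the assertion or token would carry.
    staff = {"SAML:aud": SAML_AUDIENCE, "SAML:edupersonaffiliation": ["staff"]}
    wrong_aud = {"SAML:aud": "https://other.example/saml", "SAML:edupersonaffiliation": ["staff"]}
    guest = {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
             "cognito-identity.amazonaws.com:amr": ["unauthenticated"]}
    print("staff:", assume_role_allowed(saml, "sts:AssumeRoleWithSAML", staff))              # True
    print("wrong audience:", assume_role_allowed(saml, "sts:AssumeRoleWithSAML", wrong_aud))  # False
    print("guest:", assume_role_allowed(pool, "sts:AssumeRoleWithWebIdentity", guest))        # False
```

Run it directly to print the SAML policy and the outcome of each check. The aud condition is the part not to omit: it rejects assertions or tokens the identity provider issued for some other audience or pool, while the affiliation and amr conditions are where the per-user restriction the article mentions actually lives.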

Summary

Each of the mentioned services gives an option to use federated access. The level of access is constrained by the scope of the service.

Service                  Federated access scope
AWS IAM                  Access to single account resources.
AWS IAM Identity Center  Access to multi account resources.
AWS Directory Service    Native access to selected AWS services. Possible further integration with AWS IAM or AWS IAM Identity Center, giving access to single or multi account resources.
Amazon Cognito           Access to web or mobile apps.

Resources


IAM management methods - AWS Identity and Access Management

Getting set up with IAM - AWS Identity and Access Management

Federated identity - AWS Setup

Federated identity - AWS Sign-In

Federated access - Establishing Your Cloud Foundation on AWS

Configure federated identity with the AWS Tools for PowerShell - AWS Tools for PowerShell

Active Directory – AWS Directory Service – AWS

Amazon Cognito identity pools (federated identities) - Amazon Cognito