AWS federated access means access to AWS resources by users created outside of AWS.
We will explore four distinct identity services within the AWS ecosystem, highlighting their federated access options.
AWS Identity and Access Management (IAM)
This service plays a crucial role in providing centralized control over access to AWS services and resources within a single account.
IAM enables federated access through roles, trust relationships, policies and identity providers, without the need to create an IAM user.
Identity providers need to support SAML 2.0 or OpenID Connect (for example Shibboleth or Active Directory Federation Services).
In order to give a federated user access to AWS, you have to create a role that can be assumed by the identity provider (through a trust relationship) and assign proper permissions to the role using policies.
You can additionally impose conditions on the trust relationship based on certain attributes of the federated identity, thus limiting access to specific users from the identity provider.
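As an added example, not part of the original post, the role trust policy just described expressed as a Python dict, together with a small audit function that checks the trust relationship, the allowed action and the audience condition. The provider ARN, account id and domain are placeholders.

```python
# Constructed example: a role trust policy for SAML 2.0 federation.
# The account id and provider name are placeholders, not real values.
SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
            # Pin the audience so an assertion meant for another relying party is rejected.
            "StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE},
            # Attribute-based restriction: only subjects from one domain may assume the role.
            "StringLike": {"SAML:sub": "*@example.com"},
        },
    }],
}


def audit_trust_policy(policy, expected_provider_arn):
    """Return findings for a SAML federation role trust policy.

    Every Allow statement must trust exactly the expected provider, grant only
    sts:AssumeRoleWithSAML (plus sts:TagSession for session tags) and pin SAML:aud.
    Keys are compared as written; IAM matches condition keys case-insensitively.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated in (None, "*"):
            findings.append(f"statement {i}: principal is not a single federated provider")
        elif federated != expected_provider_arn:
            findings.append(f"statement {i}: unexpected provider {federated}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a not in ("sts:AssumeRoleWithSAML", "sts:TagSession") for a in actions):
            findings.append(f"statement {i}: actions {actions} exceed AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud is not pinned to {AWS_SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(TRUST_POLICY, SAML_PROVIDER_ARN))  # []
```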
AWS IAM Identity Center (successor to AWS Single Sign-On)
Manages user access to multiple accounts and applications with the same set of credentials.
The service has three options for the source of your identities (where your users are created).
The default Identity Center directory is for handling users created inside of AWS.
Active Directory and External Identity Provider are for users and groups created outside of AWS, which means utilizing federated access.
Under the hood, federated access is realized by AWS IAM with a trust relationship, policies and a role assumed by federated users. However, it's easier to set up with AWS IAM Identity Center than with AWS IAM directly.
AWS Directory Service
AWS Directory Service is an abstraction for the concept of Active Directory in AWS cloud.
If you're new to Active Directory, it's essentially a directory service for storing various types of information and managing users and their permissions to access different resources (akin to AWS IAM).
Integrating with AWS Services
After creating or importing users and assigning proper permissions, your users can instantly use some AWS services with AD authentication utilizing single sign-on, or in other words using federated access.
| Service | Description |
|---|---|
| Amazon WorkSpaces | User can access their WorkSpace desktop |
| Amazon WorkMail | User can access their email account |
| Amazon WorkDocs | User can access and share files in their WorkDocs account |
| Amazon QuickSight | User can access their QuickSight dashboards |
| Amazon RDS | User can access MS SQL Server |
| Amazon Connect | User can authenticate as a contact center agent |
| EC2 | You can join EC2 instances to your domain |
Not a very impressive list!
However, you can integrate AWS Directory Service with AWS IAM (by assigning IAM roles to AD users) or with AWS IAM Identity Center to give access to any AWS resources, accounts and applications (see AWS IAM Identity Center above).
Amazon Cognito
The service provides identity and access management (in contrast to AWS IAM) for web and mobile applications.
The key principle of the service is the division into User pools and Identity pools. A User pool contains users who have registered with your app, while an Identity pool enables authenticated users from the User pool to access AWS resources.
Federated access
You can configure the user pool to enable users to sign in using their social identity provider credentials from platforms such as Facebook, Google, Amazon and Apple, or through external directories by leveraging SAML 2.0 or OpenID Connect.
Summary
Each of the mentioned services gives an option to use federated access. The level of access is constrained by the scope of the service.
| Service | Federated access scope |
|---|---|
| AWS IAM | Access to single-account resources. |
| AWS IAM Identity Center | Access to multi-account resources. |
| AWS Directory Service | Native access to selected AWS services. Possible further integration with AWS IAM or AWS IAM Identity Center, giving access to single- or multi-account resources. |
| Amazon Cognito | Access to web or mobile apps. |
Resources
IAM management methods - AWS Identity and Access Management
Getting set up with IAM - AWS Identity and Access Management
Federated identity - AWS Setup
Federated identity - AWS Sign-In
Federated access - Establishing Your Cloud Foundation on AWS
Configure federated identity with the AWS Tools for PowerShell - AWS Tools for PowerShell
Active Directory - AWS Directory Service - AWS
Amazon Cognito identity pools (federated identities) - Amazon Cognito