10 min.

AWS federated access and identity services

AWS federated access isn't a standalone service but a feature integrated into various AWS Identity Services

AWS federated access means access to AWS resources by users created outside of AWS.


We will explore 4 available distinct Identity Services within the AWS ecosystem, highlighting their federated access options.



AWS Identity and Access Management (IAM)


This service plays a crucial role in providing centralized control over access to AWS services and resources within a single account.


IAM enables federated access through roles, trust relationships, policies and identity providers without need to create an IAM user.


Identity providers need to utilize SAML 2.0 or OpenID Connet (like Shibboleth or Active Directory Federation Services). 


In order to give a federated user access to AWS, you will have to create a role that can be assumed by the identity provider (through trust relationship) and assign proper permission to the role using policies.


You can additionally impose conditions to limit the trust based on certain attributes thus limiting access for specific users from identity provider.



AWS IAM Identity Center (successor to AWS Single Sign-On)


Manages user access to multiple accounts and applications with the same set of credentials.


The service has 3 options for source of your identities (where your users are created).


The default Identity Center directory is for handling users created inside of AWS.


Active Directory and External Identity Provider for users and groups created outside of AWS which means utilizing federated access.


Federated access is realized under the hood by AWS IAM with trust relationship, policies and role assumed by federated users. However it's easier to set up with AWS IAM Identity Center than using AWS IAM.



AWS Directory Service


AWS Directory Service is an abstraction for the concept of Active Directory in AWS cloud. 


If you're new to Active Directory, it's essentially a directory service for storing various types of information and managing user and their permissions to access different resources (akin to AWS IAM)


Integrating with AWS Services


After creating/importing users and assigning proper permissions your users can use some of AWS Services instantly with AD authentication utilizing single sign-on or in other words using federated access.


Amazon WorkSpacesUser can access its WorkSpace Desktop
Amazon WorkMailUser can access its email account
Amazon WorkDoscUser can access and share files in his WorkDosc account
Amazon QuickSightUser can access is QuickSight dashboards
Amazon RDSUser can access MS SQL Server
Amazon ConnectUser can authenticate himself as contact center agent
EC2You can add EC2 instances to your a domain


Not a very impressive list!


However you can integrate AWS Directory Service with AWS IAM (through assigning IAM roles to AD users) or AWS IAM Central Identity to give access to any AWS resources, accounts and applications (see AWS IAM Central Identity).



Amazon Cognito


The service provides identity and access management (in contrast to AWS IAM) for web and mobile applications.


The key principle of the service is the division into User pools and Identity pools. A User pool contains users who have registered with your app, while an Identity pool enables authenticated users from the User pool to access AWS resource.



Federated access


You can configure the user pool to enable users to sign in using their social identity provider credentials from platforms such as Facebook, Google, Amazon, and Apple, or through external directories by leveraging SAML 2.0 or Open ID Connect.





Each of the mentioned services give an option to use federated access. The level of access is constrained by the scope of the service.


ServiceFederated access scope
AWS IAMAccess to single account resources.
AWS IAM Central IdentityAccess to multi account resources.
AWS Directory ServiceNative access to selected AWS services. Possible further integration with AWS IAM or AWS IAM Central Identity giving access to single or multi account resources.
Amazon CognitoAccess to web or mobile apps.





IAM management methods - AWS Identity and Access Management

Getting set up with IAM - AWS Identity and Access Management

Federated identity - AWS Setup

Federated identity - AWS Sign-In

Federated access - Establishing Your Cloud Foundation on AWS

Configure federated identity with the AWS Tools for PowerShell - AWS Tools for PowerShell

Active Directory – AWS Directory Service – AWS

Amazon Cognito identity pools (federated identities) - Amazon Cognito