
When to use AWS IAM roles vs. users or groups

We have restrictions imposed on in-house IT staff with AWS Identity and Access Management. How do IAM roles protect access to services, applications and end users?

Security vulnerabilities can crop up anywhere in the cloud, even in connections to trusted resources and personnel. The AWS Identity and Access Management service enables administrators to define access for in-house IT staff as well as for outside users, services and applications. AWS IAM roles help to protect resources by dynamically issuing access keys that grant temporary access to an account.

With AWS Identity and Access Management (IAM) roles, admins define permissions in the abstract and then apply them to users, workloads or services, such as Elastic Compute Cloud (EC2) instances or Simple Storage Service (S3). Admins apply roles to the users, workloads or services that need credentials for AWS access.

Typically, IT teams use AWS IAM roles to handle credentials for applications that run on AWS. While it's possible to provision and update AWS credentials on each instance -- allowing workloads to sign requests for authentication -- the dynamic environment of a public cloud complicates that process. Admins instead apply roles to instances so workloads can make secure API requests without any concern for the underlying security credentials; AWS IAM roles allow admins and developers to delegate API permissions. For example, an IAM role can permit an EC2 application to access storage in S3.

Administrators create a role through the IAM console, the IAM APIs or the AWS Command Line Interface. First, they define the AWS accounts or service that will take on the role, as well as the API actions and resources that the role can access. Next, an admin attaches the role as the instance launches; instances that are already running may need to be restarted for the role to take effect. Finally, an admin allows the entity -- service, user or API -- that receives the role to retrieve temporary credentials for access.
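An added example, not code from the original article, that puts the first step above into concrete form for the EC2-to-S3 case: the trust policy naming the EC2 service as the only principal allowed to assume the role, a permissions policy limiting it to read-only access on one bucket, and a simplified offline version of IAM's allow/deny evaluation so the grant can be checked before the role is created. The bucket name is a constructed placeholder.

```python
import fnmatch
BUCKET = "example-app-bucket"  # constructed placeholder bucket name

# Trust policy: WHO may assume the role. Only the EC2 service principal,
# so the permissions below cannot be used by a human IAM user directly.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Permissions policy: WHAT the role may do. Read-only on one bucket, plus
# an explicit Deny on deletion that wins even if a broader Allow is added later.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::" + BUCKET, "arn:aws:s3:::" + BUCKET + "/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

def _match_any(patterns, value, fold_case):
    # IAM '*' wildcard; action names are case-insensitive, ARNs are not
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_match_any(stmt["Action"], action, True)
                and _match_any(stmt["Resource"], resource, False)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trusts_only_ec2(trust_policy):
    """True when every Allow statement names the EC2 service as its sole principal."""
    return all(stmt.get("Principal") == {"Service": "ec2.amazonaws.com"}
               for stmt in trust_policy["Statement"] if stmt["Effect"] == "Allow")

if __name__ == "__main__":
    obj = "arn:aws:s3:::" + BUCKET + "/reports/q1.csv"
    print(trusts_only_ec2(TRUST_POLICY), is_allowed(PERMISSIONS_POLICY, "s3:GetObject", obj))
```

The two dictionaries are the documents you would pass to the role-creation and put-role-policy steps; the evaluator is a review aid only and ignores conditions and resource-based policies.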

How federated identity management, MFA differ

Identity federation, which is different from roles, assigns trust and managed access to outside identities. When a business opens an AWS account and uses IAM, an admin typically creates IAM users and assigns permissions and credentials that allow those users to access resources. Only users or services with IAM credentials and permissions can access resources within a company's AWS account. But AWS allows admins to delegate access to outside identities that weren't first created in IAM. These external identities may originate from Active Directory or AWS Directory Service, Amazon Cognito or an outside identity provider such as Facebook or Google. Federated end users receive permissions or roles and use temporary security credentials to access the AWS Management Console and APIs.

Multifactor authentication (MFA) is a technology designed to enhance security for an organization's AWS account and resources. Admins combine user name and password details with a unique authentication code the MFA device produces. Admins enable MFA at the AWS account level for individual IAM users within the account and for access to AWS APIs.

MFA requires the addition of a unique physical or virtual device that produces the authentication code; AWS currently supports a virtual MFA device for mobile devices, a hardware key MFA device and SMS MFA codes sent to specific mobile devices. Virtual MFA devices are essentially apps installed on a hardware device the user already has, like an Android or Windows phone. The hardware key device typically operates through a PC USB port or a wireless sync connection.

SMS MFA is generally reserved for only the most secure situations. SMS MFA ensures that the assigned users of each mobile device have access to MFA codes. Additional passwords or biometric tools, such as an iPad thumbprint reader, further bolster MFA security. AWS is only testing SMS at this time, but it could become an option for highly secure user- or account-specific access.
