AWS IAM centralizes policy management

Amazon Web Services IAM now supports managed policies, which allows IT teams to cut back on manual processes.

Amazon Web Services users who deploy the cloud-based Identity and Access Management service will be able to apply centralized policies, freeing enterprise IT pros from scripting work.

Amazon Web Services (AWS) Identity and Access Management (IAM) previously required manual labor or scripting to attach policies to multiple users, as policies were directly attached to each user they governed.

As of last week, policies have been made "first-class citizens" in IAM, according to the AWS blog, meaning they can be named; assigned to multiple users, groups and roles; and versioned for streamlined management. The permissions needed to attach and detach managed policies can be delegated within an organization; AWS also launched a set of predefined policies for common use cases, such as read-only access to databases.
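Because attach and detach rights for managed policies can now be delegated, the grant itself becomes something to audit: an allow on iam:Attach*Policy with no iam:PolicyARN condition lets the delegate attach any managed policy, not just the approved ones. The following is an added example, not code from AWS or from the article; it builds a delegation grant scoped to an approved list and flags grants that lack that scope. The policy names in the sample input are constructed.

```python
"""Build and audit IAM delegation grants for managed-policy attachment.

Added example; the ARNs used in the demo below are constructed placeholders
except ReadOnlyAccess, which is one of the AWS-managed policies.
"""
import fnmatch
import json

ATTACH_ACTIONS = ("iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy")


def delegation_policy(approved_policy_arns):
    """Allow attach/detach of managed policies, but only for the approved ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AttachApprovedManagedPoliciesOnly",
            "Effect": "Allow",
            "Action": ["iam:AttachUserPolicy", "iam:DetachUserPolicy",
                       "iam:AttachGroupPolicy", "iam:DetachGroupPolicy",
                       "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
            "Resource": "*",
            "Condition": {"ArnEquals": {"iam:PolicyARN": list(approved_policy_arns)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_attach(actions):
    # IAM action strings may carry wildcards ("iam:*", "iam:Attach*") and are case-insensitive.
    return any(fnmatch.fnmatchcase(a.lower(), pat.lower()) for pat in actions for a in ATTACH_ACTIONS)


def _constrains_policy_arn(statement):
    # True when any condition operator (ArnEquals, ArnLike, ...) keys on iam:PolicyARN.
    return any("iam:policyarn" in (k.lower() for k in operands)
               for operands in statement.get("Condition", {}).values())


def unrestricted_attach_statements(policy_doc):
    """Sids (or positional labels) of Allow statements that may attach any managed policy."""
    findings = []
    for i, st in enumerate(_as_list(policy_doc["Statement"])):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue  # Deny and NotAction statements are out of scope here
        if _grants_attach(_as_list(st["Action"])) and not _constrains_policy_arn(st):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    print(json.dumps(delegation_policy(["arn:aws:iam::aws:policy/ReadOnlyAccess"]), indent=2))
    loose = {"Statement": [{"Sid": "Helpdesk", "Effect": "Allow", "Action": "iam:Attach*", "Resource": "*"}]}
    print("unrestricted:", unrestricted_attach_statements(loose))  # ['Helpdesk']
```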

"What we used to have to do programmatically has turned into a nice, easy-to-use service," said Peter Zimmerman, vice president of services and operations for Sonian, Inc., a cloud email archiving service provider based in Dedham, Mass. "We built our internal system that has to map to IAM -- it looks like this can remove our need to depend on some of the homegrown stuff we've been using."

For large AWS shops, managing policies for security is a major nightmare if they can't do it in one place, said Edward Haletky, CEO of The Virtualization Practice LLC, based in Austin, Texas.

While the intent of this move is to improve IAM for managing AWS resources specifically, over time, Haletky sees Amazon's Directory Service and AWS IAM potentially becoming a centralized identity store and policy manager that spans multiple clouds, a position for which it would have to compete with Microsoft's Azure Active Directory, which offers Active Directory Federation Services for identity federation across clouds.

Multicloud deployments require a unified identities pool, Haletky said. Some companies already use or Google as this identity source, and there are third-party software makers such as JumpCloud, Inc., that provide centralized identity management and directory services. 

Still, "If Amazon could become your corporate identity store, that would be a big deal," Haletky said. "Given all the security management they're putting in place now … they could very well be the future corporate identity store, crossing cloud boundaries."

AWS Directory Service became available in October. AWS customers can use AWS Directory Service to connect to on-premises Active Directory using the AD Connector feature or create a new, managed directory hosted in the AWS Cloud -- known as Simple AD. Customers can then use those accounts to manage AWS resources via AWS IAM role-based access to the AWS Management Console.  

AWS Identity and Access Management is available through AWS accounts at no additional charge. With the AWS Directory Service, prices for the AD Connector range from $0.05 per hour for a small deployment (up to 10,000 objects) to $0.15 for a large deployment (up to 100,000 objects). Prices for Simple AD are $0.05 per hour for a small deployment (up to 2,000 objects) and $0.15 for a large deployment (up to 20,000 objects).

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter.  