AWS - IAM Identity Center

IAM vs IAM Identity Center

We are already familiar with IAM and have some hands-on experience with it. But there is another service called IAM Identity Center, previously known as AWS Single Sign-On (SSO).

What is SSO?

SSO is a method that lets users authenticate once and access multiple applications without being prompted for their credentials again. This is typically done by an identity provider (IdP) that issues a signed token or assertion to the user, which is then passed to each application the user wants to access; the application trusts the IdP's signature instead of checking a password itself. Consider the scenario where, as the company's IT engineer, you want to give employees access to Meta Workplace, Office 365 and SAP platforms. Instead of having them type a separate set of credentials for each of these services, you implement company SSO: once they have logged in to the company's portal, they are granted access to all integrated platforms without logging in again.

So, in short, IAM Identity Center provides centralized permissions management and SSO for your workforce.

You can connect IAM Identity Center to your self-managed Active Directory (AD) via AD Connector, to an external SAML 2.0 identity provider, and to other applications that support this functionality (Office 365, Adobe AEM etc.).

IAM Identity Center simplifies granting users access to multiple AWS accounts or multiple applications. That is the main difference between IAM and IAM Identity Center. IAM provides fine-grained permissions on resources inside a single account; IAM Identity Center provides centralized identity management and access assignment across the accounts of an AWS Organization. The two are not separate under the hood: every permission set you assign is provisioned into each target account as an IAM role (named AWSReservedSSO_<PermissionSetName>_<suffix>), so IAM policies still decide what the user can do, while Identity Center decides who gets which role in which account.


IAM :

  •  Can federate external identity providers (SAML 2.0 / OIDC) for SSO into one AWS account
  •  Manages AWS resources and their permissions
  •  Creates and manages users, groups and roles
  •  Programmatic access management (CLI, API)
  •  Fine-grained access control


IAM Identity Center :

  • Provides SSO access to AWS and non-AWS applications
  • Centralizes identity management across multiple AWS accounts
  • Integrates with external directory services (Active Directory)

Let's try IAM Identity Center

Let's imagine that the company has hired new professionals to do some security audits. As you might guess, we should grant them limited access to the resources: read-only access, to be specific.

1. Search for IAM Identity Center in the console search bar.

2. Initially it asks whether we are enabling it for an organization (with AWS Organizations) or only for this one account, which is enough for testing.

3. Let's create a new user for our organization.

4. The new user must accept the invitation sent to their email. The invitation contains the AWS access portal URL, which they can use to log in whenever they want.

5. Since we didn't give our new user any permissions, the dashboard will be empty after login.

6. Let's create a permission set for our new user.

7. Here I used a predefined permission set, since there is a "SecurityAudit" one (it attaches the AWS managed policy of the same name). You could give that user "AdministratorAccess" instead; it really depends on the use case.

8. Let's create a group too. We could also assign the newly created permission set directly to our user, but groups are easier to manage as auditors come and go.

9. Okay, we have almost everything; let's add our user to the group and assign this group to an AWS account in our organization.

10. Select the permission set for our newly created group.

11. Review and finish.

12. If we log in as the newly created user, we will see the access granted to them. Let's click the SecurityAudit link.

13. That's it: the user has read-only access to our security-related resources.
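The same procedure as a script, for readers who want to repeat the click-through above (steps 3 to 12) without the console. This is an added example, not code from the original post or an AWS sample. It assumes AWS CLI v2, an Identity Center instance that is already enabled, admin credentials for it, and placeholder values (account ID, e-mail, names) that you replace; the group name SecurityAuditors, the 4-hour session and the `run` argument convention are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): user -> group -> permission set
# -> account assignment with AWS CLI v2, against an already enabled
# IAM Identity Center instance. Assumes admin rights on that instance;
# account ID, e-mail and names are placeholders passed on the command line.
set -eu
export AWS_PAGER=""   # keep CLI output on stdout instead of in a pager

# Find the instance ARN and identity store ID of the enabled Identity Center.
discover_instance() {
  aws sso-admin list-instances \
    --query 'Instances[0].[InstanceArn,IdentityStoreId]' --output text
}

# Create the auditor in the Identity Center identity store. Unlike the
# console, the API sends no invitation e-mail: trigger e-mail verification /
# password setup from the console (or use an external IdP) afterwards.
create_user() {
  local store_id=$1 email=$2 given=$3 family=$4
  aws identitystore create-user \
    --identity-store-id "$store_id" \
    --user-name "$email" \
    --display-name "$given $family" \
    --name "GivenName=$given,FamilyName=$family" \
    --emails "Value=$email,Type=work,Primary=true" \
    --query UserId --output text
}

# Create a SecurityAuditors group and add the user to it; prints the group ID.
create_group_with_member() {
  local store_id=$1 user_id=$2 group_id
  group_id=$(aws identitystore create-group \
    --identity-store-id "$store_id" \
    --display-name SecurityAuditors \
    --description "Read-only security auditors" \
    --query GroupId --output text)
  aws identitystore create-group-membership \
    --identity-store-id "$store_id" \
    --group-id "$group_id" \
    --member-id "UserId=$user_id" \
    --query MembershipId --output text >/dev/null
  printf '%s\n' "$group_id"
}

# Create the SecurityAudit permission set: AWS's managed SecurityAudit policy
# (read-only) with a 4-hour session. Prints the permission set ARN.
create_audit_permission_set() {
  local instance_arn=$1 ps_arn
  ps_arn=$(aws sso-admin create-permission-set \
    --instance-arn "$instance_arn" \
    --name SecurityAudit \
    --description "Read-only access for security audits" \
    --session-duration PT4H \
    --query PermissionSet.PermissionSetArn --output text)
  aws sso-admin attach-managed-policy-to-permission-set \
    --instance-arn "$instance_arn" \
    --permission-set-arn "$ps_arn" \
    --managed-policy-arn arn:aws:iam::aws:policy/SecurityAudit >/dev/null
  printf '%s\n' "$ps_arn"
}

# Glue: assign the GROUP (not the user) to the account. Provisioning then
# creates an AWSReservedSSO_SecurityAudit_* role in that account; prints the
# assignment status (usually IN_PROGRESS right after the call).
grant_audit_access() {
  local account_id=$1 email=$2 given=$3 family=$4
  local inst instance_arn store_id user_id group_id ps_arn
  inst=$(discover_instance)
  set -- $inst                      # tab-separated: ARN, identity store ID
  instance_arn=$1; store_id=${2:-}
  user_id=$(create_user "$store_id" "$email" "$given" "$family")
  group_id=$(create_group_with_member "$store_id" "$user_id")
  ps_arn=$(create_audit_permission_set "$instance_arn")
  aws sso-admin create-account-assignment \
    --instance-arn "$instance_arn" \
    --target-id "$account_id" --target-type AWS_ACCOUNT \
    --permission-set-arn "$ps_arn" \
    --principal-type GROUP --principal-id "$group_id" \
    --query AccountAssignmentCreationStatus.Status --output text
}

# Check from inside the target account (needs credentials for it): the
# permission set shows up as an IAM role under the aws-reserved SSO path.
list_sso_roles() {
  aws iam list-roles --path-prefix /aws-reserved/sso.amazonaws.com/ \
    --query 'Roles[].RoleName' --output text
}

# Usage: sh idc-audit.sh run 123456789012 jane.doe@example.com Jane Doe
if [ "${1:-}" = run ]; then
  grant_audit_access "$2" "$3" "$4" "$5"
fi
```

Two things the console hides that matter here: the user created through the API has no password until you send the verification e-mail from the console, and the assignment is asynchronous, so `list_sso_roles` in the target account is the real proof that the read-only role exists.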

