AWS Security ChangesHomeSearch

AWS decision-guides documentation change

Service: decision-guides · 2025-05-03 · Documentation low

File: decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md

Summary

Major restructuring of AWS identity services documentation with updated service coverage, simplified content flow, and new emphasis on IAM Access Analyzer/IAM Roles Anywhere. Removed detailed technical breakdowns in favor of use-case tables and workforce/workload/applications categorization.

Security assessment

Adds documentation for IAM Access Analyzer (least privilege enforcement) and IAM Roles Anywhere (secure hybrid access), while emphasizing temporary credentials and Zero Trust principles. However, no evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md b/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md
index d6339e32f..0325749f3 100644
--- a//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md
+++ b//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md
@@ -5 +5 @@
-IntroductionUnderstandConsiderChooseUseExplore
+IntroductionUnderstandConsiderChooseUseExploreResources
@@ -11 +11 @@ IntroductionUnderstandConsiderChooseUseExplore
-**Time to read** |  27 minutes   
+**Time to read** |  10 minutes   
@@ -14,12 +14 @@ IntroductionUnderstandConsiderChooseUseExplore
-**Last updated** |  January 17, 2025  
-**Covered services** | 
-
-  * [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html)
-  * [AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html)
-  * [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)
-  * [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
-  * [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html)
-  * [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html)
-  * [Amazon Verified Permissions](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html)
-
-  
+**Last updated** |  April 30, 2025  
@@ -29,21 +18 @@ IntroductionUnderstandConsiderChooseUseExplore
-AWS identity services are crucial for establishing secure and manageable access as you begin your AWS journey.
-
-**First steps**
-
-AWS Identity and Access Management (IAM) is typically the first step, where users create and enforce policies that control access to resources. By establishing IAM best practices—like requiring human users to use federation with an identity provider, using groups, and following the principle of least privilege—organizations can build a secure foundation. 
-
-**Scaling**
-
-As needs grow, other AWS identity services add functionality. For example, AWS IAM Identity Center centralizes access management, helping teams easily manage permissions in complex environments. AWS Directory Service extends existing on-premises Microsoft Active Directory structures, enabling seamless integration and enhancing security. You can use Amazon Cognito to provide secure, user-friendly access for external users to applications that you build on AWS and need sign-in and sign-up features. 
-
-Each identity service plays a role in enhancing security, scalability, and ease of management, making your AWS environments safer and more efficient. Leveraging these services from the beginning supports long-term growth by securing resources, improving operational efficiency, and helping you maintain structured and secure access as you scale. 
-
-**About this guide**
-
-This decision guide helps you get started and choose the right AWS identity service for your use case.
-
-This three minute excerpt is from a re:Inforce 2024 session about AWS authorization. It provides an overview of how AWS Identity and Access Management works.
-
-## Understand AWS identity services
-
-Let's start by understanding the difference between identity, authentication, and authorization. As shown in the following diagram, **identity** is the unique identification of an entity, **authentication** is the process of verifying the identity, and **authorization** is the process of determining what the authenticated entity is allowed to do. 
+Identity and access management helps ensure that only authenticated and authorized users can access only the cloud resources that they need to perform their tasks, and that they can do it in a secure and compliant way.
@@ -53,71 +22 @@ Let's start by understanding the difference between identity, authentication, an
-Another way to think of these concepts is entry to a conference. Your identity is on your credential, which is a government-issued ID. Authentication occurs when the security guard checks your credential upon entry. Authorization occurs when the guard gives you a wristband that indicates which areas and activities you can attend at this conference. 
-
-###### Note
-
-It's important to follow best practices for identity, authentication, and authorization, such as applying least-privilege permissions, requiring multi-factor authentication, and managing human and machine users differently. The following are helpful resources: 
-
-  * [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the _AWS Identity and Access Management User Guide_
-
-  * [Best practices for a multi-account environment](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices.html) in the _AWS Organizations User Guide_
-
-  * [Identity and access management](https://docs.aws.amazon.com/wellarchitected/latest/framework/a-identity-and-access-management.html) in the _AWS Well-Architected Framework_
-
-
-
-
-The following subsections provide additional detail on AWS services for identity, authentication, and authorization. You can use these services individually, or combined with other services. We'll explore these choices further in the Choose section. 
-
-### Identity on AWS
-
-Identity assigns a unique identification to an entity, such as a user, application, or system. 
-
-You can manage identity on AWS by using the following services. 
-
-IAM Identity Center
-    
-
-[IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) is the recommended AWS service for connecting [workforce users](https://docs.aws.amazon.com/singlesignon/latest/userguide/identities.html) to AWS resources, such as AWS-managed applications. It also connects with Microsoft Active Directory through AWS Directory Service. 
-
-IAM roles
-    
-
-We recommend using [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) to delegate access to human users, applications, or services that don't normally have access to your AWS resources. IAM roles are IAM identities that have specific permissions and can be assumed by any user, application, or service that needs it. 
-
-AWS Directory Service
-    
-
-For AWS customers who use Microsoft Active Directory, [AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) provides multiple ways to use Microsoft Active Directory with other AWS services. This allows your human and machine users to access AWS resources and applications using their existing corporate credentials, simplifying identity management. You can also use AWS Directory Service administer AWS resources using your existing Active Directory credentials. 
-
-### Authentication on AWS
-
-Authentication is the first step in the access control process, where the system confirms that the entity attempting to access it is who they claim to be. Authentication is a crucial security mechanism that ensures that only authorized entities can interact with your AWS services and resources. 
-
-You can manage authentication on AWS by using the following services. 
-
-IAM Identity Center
-    
-
-[IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) is the recommended AWS service for centrally managing workforce user access to AWS resources. IAM Identity Center users are granted **temporary credentials** (short-term, limited duration) for accessing AWS resources. 
-
-IAM roles
-    
-
-[IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) are granted **temporary credentials**. Humans, workloads, and AWS services can assume IAM roles. 
-
-AWS STS
-    
-
-You can use [AWS Security Token Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html), a feature of IAM, to create and provide trusted users with **temporary credentials** that can control access to your AWS resources. 
-
-Amazon Cognito
-    
-
-[Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) provides credentials for web and mobile apps by using user pools and identity pools. Create a [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html#what-is-amazon-cognito-user-pools) when you want to authenticate and authorize users to your **app or API** , and create an [identity pool](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html#what-is-amazon-cognito-identity-pools) when you want to authorize authenticated or anonymous users to access your **AWS resources**. 
-
-### Authorization on AWS
-
-Authorization is based on the identity that has been authenticated. This identity is used to determine the permissions and access rights. **Permissions** define the specific actions or resources that an identity is allowed to access or perform. These permissions are typically defined in **policies** , which are used to grant or deny specific actions on AWS resources to users, groups, or roles. 
-
-You can manage authorization on AWS by using the following services. 
-
-IAM Identity Center
+As shown in the preceding diagram, identity is the unique identification of an entity, authentication is the process of verifying the identity, and authorization is the process of determining what the authenticated entity is allowed to do.
@@ -124,0 +24 @@ IAM Identity Center
+AWS offers multiple services that help you manage access to your resources on AWS. These include the following: 
@@ -126 +26 @@ IAM Identity Center
-[IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) is the recommended AWS service for centrally managing workforce user access to AWS resources. You can use [permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsets.html) to simplify how you assign users and groups in your organization access to AWS accounts. Permission sets are stored in IAM Identity Center and **define the level of access** that users and groups have to an AWS account. 
+**Services covered** | 
@@ -128,11 +28,8 @@ IAM Identity Center
-IAM roles
-    
-
-We recommend using [policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) to grant permissions to IAM roles. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. 
-
-Amazon Cognito
-    
-
-[Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) provides credentials for web and mobile apps by using user pools and identity pools. Create a [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html#what-is-amazon-cognito-user-pools) when you want to authenticate and authorize users to your **app or API** , and create an [identity pool](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html#what-is-amazon-cognito-identity-pools) when you want to authorize authenticated or anonymous users to access your **AWS resources**. 
-
-Organizations
+  * [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.htm)
+  * [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+  * [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)
+  * [AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html)
+  * [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html)
+  * [IAM Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)
+  * [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html)
+  * [Amazon Verified Permissions](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html)
@@ -141 +38 @@ Organizations
-[AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that you can use to **consolidate and centrally manage your AWS accounts**. AWS Organizations is recommended, but not required, for use with IAM Identity Center. When you use these services together, you can centrally manage the access of users and groups across all the AWS accounts within your AWS Organization. 
+---|---  
@@ -143 +40 @@ Organizations
-AWS RAM
+Though there are similarities between some identity services, these services address different scenarios. This decision guide helps you get started and choose the right AWS identity service for your use case. 
@@ -144,0 +42 @@ AWS RAM
+## Understand AWS identity and access management
@@ -146 +44 @@ AWS RAM
-[AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) (AWS RAM) helps you securely share your resources **across AWS accounts**. If your account is managed by AWS Organizations, you can also share resources with the other accounts in your organization. 
+Understanding the foundations of IAM can help you meet your needs. 
@@ -148 +46 @@ AWS RAM
-Verified Permissions
+Principals, including human users, workloads, federated users, and assumed roles, access AWS services by using APIs. All AWS compute environments deliver credentials that applications use to sign their API calls and request access to AWS services. API requests are authenticated and authorized by a system of identities (such as IAM roles), actions (IAM policies), and resources that are defined in IAM. Every AWS customer configures these to use AWS APIs. IAM roles are identities with temporary and conditional permissions to perform scoped actions on AWS resources. IAM policies define the actions that IAM roles can perform on specific AWS resources.
@@ -149,0 +48 @@ Verified Permissions
+By carefully crafting IAM policies, you can ensure that the permissions available to an IAM role allow access only to the resources needed to fulfill a task: a concept known as _least privilege_. 
@@ -151 +50 @@ Verified Permissions
-[Amazon Verified Permissions](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html) is a scalable, fine-grained permissions management and authorization service for your custom applications. Verified Permissions uses the [Cedar](https://docs.cedarpolicy.com/) policy language to **define fine-grained permissions** for application users. 
+This three minute excerpt is from a re:Inforce 2024 session by Lucas Wagner, a senior applied science manager at AWS, and Sean McLaughlin, a principal applied scientist at AWS. They provide a quick overview of AWS authorization and how AWS Identity and Access Management works.
@@ -155,75 +54 @@ Verified Permissions
-Choosing the right identity services on AWS depends on your specific requirements and use cases. Here are some criteria to consider when making your decision. 
-
-User type
-    
-
-The user type criteria is crucial in selecting an AWS identity service. It aligns services with specific access needs for internal or external users. 
-
-  1. **External users** (for example, customers or app users): Amazon Cognito is tailored for external users, providing a customizable, secure user directory with options for social sign-ins (such as Google or Facebook) and multi-factor authentication. This service is ideal for web and mobile app developers who need user authentication directly within their applications. 
-
-  2. **Internal users** (for example, employees and contractors): IAM, IAM Identity Center, and AWS Directory Service are designed to manage internal user access to AWS resources. IAM provides granular permissions control, while IAM Identity Center offers streamlined single sign-on for employees across multiple AWS accounts and third-party applications. AWS Directory Service is suited for organizations that want to integrate on-premises Microsoft Active Directory, providing seamless, secure access for users already managed within Microsoft Active Directory. 
-
-
-
-
-By considering user type, organizations can ensure the right balance of security and user experience. 
-
-Access requirements
-    
-
-The access requirements criteria helps determine which AWS identity service best meets your organization's specific access needs, whether for AWS resources or applications. 
-
-  1. **Access to AWS resources:** For managing permissions to AWS resources like Amazon EC2 or [Amazon Simple Storage Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) (Amazon S3), IAM is the primary tool, offering fine-grained access control. IAM Identity Center further simplifies access across multiple AWS accounts and provides a centralized way to manage permissions across environments. 
-
-  2. **Access to applications:** If the goal is to manage sign-in and permissions within applications (such as a mobile or web app for customers), Amazon Cognito is the preferred choice. It offers a secure, user-friendly solution with support for social logins and custom sign-up flows. This helps developers to easily integrate authentication and user management. 
-
-  3. **Hybrid scenarios:** AWS Directory Service bridges AWS and on-premises Microsoft Active Directory, supporting users who need secure, unified access to both AWS resources and traditional corporate systems. 
-
-
-
-
-Selecting you identity services based on access requirements helps you to ensure optimal security and user convenience. 
-
-Multi-account management
-    
-