AWS decision-guides low security documentation change
Summary
Updated IAM Access Analyzer dashboard images and findings descriptions
Security assessment
Enhanced visualization and explanation of security findings related to external/internal access and unused permissions
Diff
diff --git a/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md b/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md index adb050ffe..64287f39c 100644 --- a//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md +++ b//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md @@ -14 +14 @@ IntroductionUnderstandConsiderChooseUseExploreResources -**Last updated** | April 30, 2025 +**Last updated** | August 15, 2025 @@ -32 +31,0 @@ AWS offers multiple services that help you manage access to your resources on AW - * [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) @@ -50 +49 @@ By carefully crafting IAM policies, you can ensure that the permissions availabl -This three minute excerpt is from a re:Inforce 2024 session by Lucas Wagner, a senior applied science manager at AWS, and Sean McLaughlin, a principal applied scientist at AWS. They provide a quick overview of AWS authorization and how AWS Identity and Access Management works. +The preceding video is from a re:Inforce 2024 session by Lucas Wagner, a senior applied science manager at AWS, and Sean McLaughlin, a principal applied scientist at AWS. They provide a quick overview of AWS authorization and how AWS Identity and Access Management works, in a roughly four-minute excerpt (08:35-12:30). @@ -71,7 +70,9 @@ I am a... | I want to... | AWS identity service | Additional services and capabi -Cloud/Identity administrator | Make it easier for my team to grant access to multiple AWS applications, such as Amazon Q and Amazon SageMaker AI. | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) | -Cloud/Identity administrator | Make it easier for the owners of my organization's structured or unstructured data to manage workforce access to the data. | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) | [Trusted identity propagation in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html) [AWS Lake Formation](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-lf.html) [Amazon S3 Access Grants](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-s3.html) -Cloud/Identity administrator OR Developer | Configure my access to AWS resources, such as an Amazon S3 bucket, in an AWS account. | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) | [Using the default IAM Identity Center directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/quick-start-default-idc.html) [AWS Security Token Service API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) [AWS STS CLI V2 Reference](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/index.html) -Cloud/Identity administrator | Configure access of our workforce to AWS resources, such as Amazon S3 buckets, in multiple AWS accounts. | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) | [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) [Centralize root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html) [Connecting your source of identities](https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html) -Cloud/Identity administrator | Have my on-premises workloads and my AWS resources use the same corporate directory. | [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html), also known as AWS Managed Microsoft AD | -Cloud/Identity administrator | Tailor the access of my workloads to AWS resources. | [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) | [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) -Cloud/Identity administrator | Remove unused permissions and drive towards least privilege. | [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) | +Cloud/Identity administrator | Make it easier for my team to grant and audit access to AWS applications, such as Amazon Q and Amazon SageMaker AI. | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) | [Trusted identity propagation in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html) [AWS Lake Formation](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-lf.html) [Amazon S3 Access Grants](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-s3.html) +Cloud/Identity administrator | Make it easier for the owners of my organization's data to grant data access by workforce user or group. | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) | [Trusted identity propagation in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html) [AWS Lake Formation](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-lf.html) [Amazon S3 Access Grants](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-s3.html) +Cloud/Identity administrator OR Developer | Configure workforce access to AWS accounts and the resources in them, such as Amazon S3 buckets. | [IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) [Federation with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html#id_roles_providers_iam) | [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) [Centralize root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html) [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +Cloud/Identity administrator | Run Active Directory dependent workloads in AWS. | [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html), also known as AWS Managed Microsoft AD | [Integrations with AWS services and applications](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) +Cloud/Identity administrator | Join my AWS workloads to my on-premises Microsoft Active Directory Domain Services. | [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html), also known as AWS Managed Microsoft AD | [Integrations with AWS services and applications](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) +Cloud/Identity administrator | Configure the access of my workloads to AWS resources. | [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) | [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) +Cloud/Identity administrator | Establish a data perimeter to enforce my organization's security requirements. | [IAM permissions guardrails using data perimeters](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_data-perimeters.html) | [Data perimeters on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/) +Cloud/Identity administrator | Verify which IAM roles and users within my organization have access to critical AWS resources. | [IAM Access Analyzer internal access analysis](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html#what-is-access-analyzer-internal-access-analysis) | +Cloud/Identity administrator | Analyze and refine permissions to drive towards least privilege. | [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) | @@ -80,3 +81,4 @@ Cloud/Identity administrator | Grant an IoT device access to AWS. | [AWS IoT D -Developer | Grant code in any external-to-AWS cloud environment access to AWS. | [AWS Security Token Service API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) | -Developer | Perform service-to-service authentication and authorization in my own application running on AWS. | [Amazon VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html) | [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) with [AWS Signature Version 4 authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) -Developer | Perform service-to-service authentication and authorization in my own application running on AWS as well as other cloud environments. | [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html) | [Amazon Verified Permissions](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html) +Developer | Grant code in any external-to-AWS cloud environment access to AWS. | [AWS Security Token Service`AssumeRoleWithWebIdentity`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) | [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) [AWS Security Token Service CLI V2 Reference](https://docs.aws.amazon.com/cli/latest/reference/sts/) +Developer | Perform service-to-service authentication and authorization in my application running solely in AWS. | [Amazon VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html) | [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) with [AWS Signature Version 4 authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) +Developer | Perform service-to-service authentication and authorization in my application with components in various cloud environments. | [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html) | [Amazon Verified Permissions](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html) +Developer | Enable your customers to access your AI application and manage the identities of AI agents. | [Amazon Bedrock AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) | [Amazon Bedrock AgentCore](https://aws.amazon.com/bedrock/agentcore/) @@ -93 +95 @@ Developer | Build an authorization mechanism into an application. | [Amazon Ve -IAM Identity Center helps you configure the single sign-on experience of your employees from your existing identity provider to user-facing AWS applications, such as Amazon Q and Amazon SageMaker AI, and to the AWS Management Console, including any AWS accounts that are assigned to your employees. With IAM Identity Center access, your developers can sign in to the AWS Command Line Interface (AWS CLI) using their existing corporate credentials. This helps you build apps on AWS more easily and safely because it eliminates the need to sign in to the AWS CLI separately, with credentials that might not be securely stored or protected from unauthorized use. +IAM Identity Center helps you configure the single sign-on experience of your employees from your existing identity provider to user-facing AWS applications, such as Amazon Q and Amazon SageMaker AI, and to the AWS Management Console, including any AWS accounts that are assigned to your employees. With a single connection of your identity provider, you can scale your use of AWS applications as much as your business requires, and offer a continuous user experience across applications. @@ -95 +97 @@ IAM Identity Center helps you configure the single sign-on experience of your em -**Configuring workforce access to AWS applications:** With IAM Identity Center, AWS applications such as Amazon Q can provide your users with personalized experiences, such as a dashboard showing what a user was working on when they last signed in. AWS data and analytics services also can recognize your employees by their directory identities without the need to connect your directory to each service. Your data service owners, such as an Amazon Redshift administrator, can define permissions and audit access to data in AWS by the users in your directory. For more information, see [Application access](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-applications.html) in the AWS IAM Identity Center User Guide. +With IAM Identity Center, AWS applications such as Amazon Q can provide your users with personalized experiences, such as a dashboard showing what a user was working on when they last signed in. Data service owners, such as an Amazon Redshift administrator, can define permissions and audit access to data in AWS by the users in your directory. AWS data and analytics services can recognize your employees by their directory identities. For more information, see [Application access](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-applications.html) in the AWS IAM Identity Center User Guide. @@ -97 +99 @@ IAM Identity Center helps you configure the single sign-on experience of your em -The following image shows the [trusted identity propagation](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html) workflow in IAM Identity Center. +An [_organization instance_](https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html) of IAM Identity Center can help you manage your workforce access to AWS accounts as well. It lets you assign permissions to users and provision the permissions to multiple accounts from a central place. For more information, see [AWS account access](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html) in the AWS IAM Identity Center User Guide. @@ -99 +101 @@ The following image shows the [trusted identity propagation](https://docs.aws.am - +#### Federation with IAM @@ -101 +103 @@ The following image shows the [trusted identity propagation](https://docs.aws.am -**Configuring workforce access to the AWS Management Console and AWS accounts:** As a best practice, use a [multi-account strategy](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html) to separate workloads within your organization. Use an organization instance of IAM Identity Center for centralized and scalable management of workforce permissions across your organization. For more information, see [AWS account access](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html) in the AWS IAM Identity Center User Guide. +You can also use IAM to federate workforce users through your identity provider to specific AWS accounts. Users assume IAM roles to perform scoped actions on the AWS resources in the account. You can federate with an identity provider that provides identity information using either OpenID Connect (OIDC) or SAML 2.0. For more information, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). @@ -103 +105 @@ The following image shows the [trusted identity propagation](https://docs.aws.am -#### AWS Directory Service +### For your workloads @@ -105 +107 @@ The following image shows the [trusted identity propagation](https://docs.aws.am -[AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html), also known as AWS Managed Microsoft AD, is a highly available, fully managed Microsoft Active Directory (AD) service. It extends your on-premises Microsoft AD configurations to AWS, so that your Microsoft Windows on-premises workloads can communicate with your AWS resources. Using AWS Managed Microsoft AD, you can join to your domain AWS resources such as Amazon EC2 instances, Amazon WorkSpaces managed desktops, and Amazon RDS for Microsoft SQL Server. +#### IAM @@ -107 +109,5 @@ The following image shows the [trusted identity propagation](https://docs.aws.am -### For your workloads +IAM lets your workload assume IAM roles with temporary security credentials to use AWS APIs and perform scoped actions on AWS resources. For example, they let workloads run code on compute services such as Amazon EC2 or Lambda. For more information, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the IAM User Guide. + +#### IAM Access Analyzer + +IAM Access Analyzer guides you to least privilege by providing features to set, verify, and refine permissions. It helps you implement your access management strategy by analyzing external, internal, and unused access, and validating that your IAM policies match your specified security standards. Use IAM Access Analyzer to do the following: @@ -109 +115 @@ The following image shows the [trusted identity propagation](https://docs.aws.am -#### IAM and IAM Access Analyzer + * [Generate least-privilege policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html) based on access activity @@ -111 +117 @@ The following image shows the [trusted identity propagation](https://docs.aws.am -IAM offers tools to manage the access of your workloads to your AWS resources. IAM lets your workload assume IAM roles to use AWS APIs and perform scoped actions on AWS resources. For more information, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the IAM User Guide. IAM includes IAM Access Analyzer, which guides you to least privilege by providing features to set, verify, and refine permissions. It analyzes external access, and validates that your policies match your specified corporate security standards. Use IAM Access Analyzer to do the following: + * [Validate that your policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-checks-validating-policies.html) match IAM best practices and your security standards @@ -113 +119 @@ IAM offers tools to manage the access of your workloads to your AWS resources. I - 1. Generate least-privilege policies based on access activity + * Verify who can access what and [detect unintended public and cross-account access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html#access-analyzer-work-with-findings-external) @@ -115 +121 @@ IAM offers tools to manage the access of your workloads to your AWS resources. I - 2. Verify who can access what, and detect unintended public and cross-account access + * [Verify internal access to critical resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html#access-analyzer-work-with-findings-internal) by identifying which IAM roles and users within your AWS organization have access to critical resources such as Amazon S3 buckets, Amazon DynamoDB tables, and Amazon RDS snapshots. @@ -117 +123 @@ IAM offers tools to manage the access of your workloads to your AWS resources. I - 3. Validate that your policies match IAM best practices and your security standards + * Refine permissions by [identifying unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html#access-analyzer-work-with-findings-unused) in your IAM policies @@ -122 +128 @@ IAM offers tools to manage the access of your workloads to your AWS resources. I -The following image shows external and public access findings in the IAM Access Analyzer console. +The following image shows the IAM Access Analyzer dashboard with external and internal access findings. @@ -124 +130 @@ The following image shows external and public access findings in the IAM Access - + @@ -126 +132 @@ The following image shows external and public access findings in the IAM Access -The following image shows unused access findings in the IAM Access Analyzer console. +The following image shows unused access findings in the IAM Access Analyzer dashboard. @@ -133,0 +140,4 @@ IAM Roles Anywhere extends the capabilities of IAM to on-premises and hybrid clo +#### AWS Directory Service + +AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is a highly available, fully managed Microsoft Active Directory (AD) service. It extends your on-premises Microsoft AD configurations to AWS so that your Microsoft Windows on-premises workloads can communicate with your AWS resources. Using AWS Managed Microsoft AD, you can join to your domain AWS resources such as Amazon EC2 instances, Amazon WorkSpaces managed desktops, and Amazon RDS for Microsoft SQL Server. + @@ -156,2 +165,0 @@ This section suggests additional services you should consider. - * [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) \- Lets you request temporary, limited-privilege credentials for access to AWS resources by using the API or CLI. - @@ -174,0 +183,6 @@ User guides with specific deployment guidance for AWS identity services: + * [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) + + * [IAM federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html#id_roles_providers_iam) + + * [AWS STS API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) + @@ -179 +193,5 @@ User guides with specific deployment guidance for AWS identity services: - * [AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) + * [Policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html) + + * [Policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-checks-validating-policies.html) + + * [Unused permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html#access-analyzer-work-with-findings-unused) @@ -181 +199,5 @@ User guides with specific deployment guidance for AWS identity services: - * [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) + * [External access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html#access-analyzer-work-with-findings-external) + + * [Internal access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html#access-analyzer-work-with-findings-internal) + + * [AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) @@ -209,0 +232,4 @@ AWS Security Blog posts with use case specific guidance: + * [Blog Post Series: Establishing a Data Perimeter on AWS](https://aws.amazon.com/identity/data-perimeters-blog-post-series/) + + * [Verify internal access to critical AWS resources with new IAM Access Analyzer capabilities](https://aws.amazon.com/blogs/aws/verify-internal-access-to-critical-aws-resources-with-new-iam-access-analyzer-capabilities/) +