AWS adds Identity Management

Stephen Gillies

Amazon Web Services has added a new feature to the existing AWS Control Panel, AWS Identity and Access Management (IAM). Almost 9 months in development but offered at no extra cost, IAM lets you manage users, groups of users, and access permissions for AWS services and resources.

According to an Amazon IAM product page “Using IAM you can create users (representing a person, an organization, or an application, as desired) within an existing AWS Account. You can also group users to apply the same set of permissions. The groups can represent functional boundaries (development vs. test), organizational boundaries (main office vs. branch office), or job function (manager, tester, developer, or system administrator).”

Newly created users have no permissions; all permissions are controlled using policy documents containing policy statements that grant or deny access to AWS service actions or resources. This tight integration of identity and access management across AWS products means granular access to applications, file systems and databases can now better reflect complex corporate enterprise environments and multi-tenant environments.

Examples on the AWS blog drill down to the command line driven environment, where access permissions, group membership and application access are set up once a user is created.

“The iam-useraddpolicy command is used to add permissions to a user. The iam-groupaddpolicy command can be used to do the same for a group. Let's add a policy that gives me (user "jeff") permission to use the IAM APIs on users under the "/app" path. I might not be the only user in my account that should have this permission so I'll start by creating a group and granting the permissions to the group and then add "jeff" to the group.

C:\> iam-groupcreate -g admins
C:\> iam-groupaddpolicy -g admins -p manageusers -e Allow -a "iam:*" -r "arn:aws:iam::889279108296:user/app/*"
C:\> iam-groupadduser -g admins -u jeff

jeff can now create and manage users under the /app path.” According to AWS, commands are “fully documented in the IAM CLI reference”.
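To make the policy semantics described above concrete, here is an added Python model (not AWS code and not from the blog post) of how the "manageusers" group policy and group membership decide a request. It assumes a simplified evaluation order, default deny, then any matching Allow, with an explicit Deny overriding everything; the hypothetical NO_DELETE_POLICY and the users "alice", "carol" and "bob" are constructed for the example.

```python
import re

# Constructed equivalent of the "manageusers" policy attached to group "admins":
# allow every IAM action on users under the /app path of the article's account.
MANAGEUSERS_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "iam:*",
     "Resource": "arn:aws:iam::889279108296:user/app/*"}]}

# Hypothetical user policy (constructed): forbid deleting any user, whatever the path.
NO_DELETE_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]}

GROUP_POLICIES = {"admins": [MANAGEUSERS_POLICY]}   # result of iam-groupaddpolicy
MEMBERSHIPS = {"jeff": ["admins"], "bob": []}        # result of iam-groupadduser
USER_POLICIES = {"jeff": [NO_DELETE_POLICY]}         # result of iam-useraddpolicy

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny'. Default is Deny (a new user has no permissions);
    an explicit Deny overrides any Allow; action names are case-insensitive."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wild(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def decide(user, action, resource):
    """Combine the user's own policies with those of every group the user is in."""
    policies = list(USER_POLICIES.get(user, []))
    for group in MEMBERSHIPS.get(user, []):
        policies.extend(GROUP_POLICIES.get(group, []))
    return evaluate(policies, action, resource)

if __name__ == "__main__":
    print(decide("jeff", "iam:CreateUser", "arn:aws:iam::889279108296:user/app/alice"))
    print(decide("jeff", "iam:DeleteUser", "arn:aws:iam::889279108296:user/app/alice"))
```

The second call shows why an explicit Deny in a user policy is the safer way to carve exceptions out of a broad group grant such as "iam:*".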

With IAM included in the AWS Control Panel, things are a great deal simpler. A wizard driven process guides an administrator through setting up groups, adding users and editing permissions.

IAM currently integrates with Amazon EC2, Amazon RDS, Amazon S3, Amazon SimpleDB, Amazon SNS, Amazon SQS, Amazon VPC, Auto Scaling, Amazon Route 53, Amazon CloudFront, Amazon ElasticMapReduce, Elastic Load Balancing, AWS CloudFormation, Amazon CloudWatch, and Elastic Block Storage. IAM also integrates with itself — you can use it to give certain users or groups the ability to perform IAM actions such as creation of new users.