What is Identity Federation, IAM Identities (Roles, Groups and Users) in AWS IAM?
Identity and Access Management
Identity Federation
If your account's users already have a way to be authenticated, such as authentication through your corporate network, you can federate those users' identities into AWS. This is like using third-party credentials to verify that users are authenticated instead of creating and maintaining your own database of employees/users.
A user who has already logged on to the corporate network with their corporate identity can exchange that existing identity for a temporary identity in your AWS account. The user can then work in the AWS Management Console, and an application the user is working with can make programmatic requests using the permissions that you define.
Federation is particularly useful in these cases -
Your users already have identities in the corporate directory
➡ If your corporate directory is compatible with Security Assertion Markup Language (SAML) 2.0
➡ You can configure your corporate directory to provide Single Sign-On (SSO) access to the AWS Management Console for your users.
➡ If your corporate directory is not compatible with SAML 2.0
➡ You can create an identity broker application to provide Single Sign-On (SSO) access to the AWS Management Console for your users.
➡ If your corporate directory is Microsoft Active Directory, you can use AWS Directory Service to establish trust between your corporate directory and your AWS account.
Your users already have Internet Identities
➡ If you're creating a mobile app or web-based app that lets users identify themselves through an Internet identity provider such as Login with Amazon, Facebook, Google or any OpenID Connect (OIDC)-compatible identity provider, the app can use web identity federation to access AWS.
➡ AWS recommends using Amazon Cognito for this kind of identity federation.
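The SAML case above comes down to one artifact on the AWS side: the trust policy of the role that federated users assume. The following is an added example (not code from the page or from AWS) that builds such a trust policy and runs the review checks a defender would want before deploying it. The account id, SAML provider name and role name are placeholders; the `sts:AssumeRoleWithSAML` action and the `SAML:aud` audience value are the ones AWS documents for SAML federation.

```python
"""Build and sanity-check the trust policy of an IAM role used for SAML 2.0
federation.  Added example; account id and provider name are placeholders."""
import json

# Audience that AWS expects in the SAML assertion for console/STS sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
FEDERATED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity"}


def saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy that lets only one registered SAML provider assume the role,
    and only when the assertion is addressed to the AWS sign-in audience."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def trust_policy_findings(policy: dict) -> list:
    """Return review findings for a trust policy; an empty list means no issue
    was spotted by these (deliberately narrow) checks."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow trust
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            values = [principal]
        else:
            values = [v for vals in principal.values() for v in _as_list(vals)]
        if "*" in values:
            findings.append(
                f"statement {idx}: wildcard principal lets any AWS principal assume the role")
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & FEDERATED_ACTIONS and "Condition" not in stmt:
            findings.append(
                f"statement {idx}: federated assume-role without any Condition block")
        elif "sts:AssumeRoleWithSAML" in actions:
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUDIENCE:
                findings.append(
                    f"statement {idx}: SAML:aud is not pinned to {SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    policy = saml_trust_policy("123456789012", "CorpIdP")  # placeholder values
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy) or "none")
```

`trust_policy_findings` is intentionally a small lint, not a substitute for IAM Access Analyzer; it catches the two mistakes that most often turn a federation role into an open door (a `*` principal, and a federated assume-role statement with no condition restricting who the assertion was issued for).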
IAM and SSO
IAM users in your account have access only to the AWS resources that you specify in the Policy that is attached to the user or to an IAM group that the user belongs to.
To work in the console, the user must have permission to perform the actions that the console performs such as listing and creating AWS resources.
IAM Identities
IAM identities are what you create in your AWS account to provide authentication for the people, applications and processes that work in your account.
Identities represent the user and can be authenticated and then authorized to perform actions in AWS.
Each of these can be associated with one or more policies that determine what actions a user, role or member of a group can perform, on which resources, and under what conditions.
An IAM group is a collection of users, and an IAM role is similar to an IAM user.
IAM identities consist of 3 entity types:
Users
Groups
Roles
IAM Users
An IAM user is an entity that you create in AWS. It represents the person or service that uses the IAM user to interact with AWS.
You can create 5 users at a time.
An IAM User can represent an actual person or an application that requests AWS access to perform actions on AWS Resources.
A primary use for IAM users is to let people sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI. Depending on how it is used, an IAM user can have:
➡ A username and password to access the AWS Management Console.
➡ An access key ID and secret access key for programmatic access.
A newly created IAM user has no password and no access keys; you must create those credentials for the user after creating the user.
Each IAM user is associated with one and only one AWS account.
Users are defined within your AWS account, so users do not pay the bill; the bill is paid by the AWS account holder.
IAM Groups
An IAM group is a collection of IAM users.
It is a way to assign permission/policies to multiple users at once.
Use groups to specify permissions for a collection of users, which makes those permissions easier to manage.
For example, you could have a group called HR and give that group the types of permissions that the HR department typically needs.
Any user in that group automatically has the permissions assigned to the group. If a new user joins your organization and should have HR privileges, you can grant the appropriate permissions by adding the user to that group.
If a person changes departments in your organization, instead of editing that user's permissions you can move them to a different group that has the appropriate permissions.
Limitations of IAM Groups
A group is not truly an identity in IAM because it cannot be identified as a principal in a permission policy.
Groups can't be nested.
You have a limit of 300 groups in an AWS account.
A user can be a member of up to 10 IAM groups.
IAM Roles
An IAM role is very similar to a user in that it is an identity with permission policies that determine what the identity can and cannot do in AWS.
An IAM role doesn't have any long-term credentials (password or access key) associated with it.
Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
An IAM user can assume a role to temporarily take on different permissions for a specific task.
An IAM role can be assigned to a federated user who signs in by using an external identity provider instead of IAM.
IAM Temporary Credentials
Temporary credentials are primarily used with IAM roles, but there are also other uses.
You can request temporary credentials that have a more restricted set of permissions than your standard IAM user.
This prevents you from accidentally performing tasks that are not permitted by the more restricted credentials. A further benefit of temporary credentials is that they expire automatically after a certain period.
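Two rules on this page are easy to state but worth seeing executed: a user's effective permissions are the union of their own policies and their groups' policies (the HR example above), while a scoped-down session policy on temporary credentials can only remove permissions, never add them. The following is an added example, not AWS's own evaluation engine; it is a deliberately simplified model (explicit Deny wins, then Allow, otherwise implicit deny; no resource policies, permission boundaries, SCPs or conditions) over constructed sample users, groups and policies.

```python
"""Simplified model of IAM policy evaluation: group policies are unioned onto a
user, and a session policy on temporary credentials intersects with them.
Added example with constructed sample data; not AWS's evaluation logic."""
from fnmatch import fnmatch

# Constructed sample identities, modelled on the HR example in the text.
GROUP_POLICIES = {
    "HR": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::hr-docs", "arn:aws:s3:::hr-docs/*"]}],
    "Finance": [{"Effect": "Allow", "Action": ["s3:*"],
                 "Resource": ["arn:aws:s3:::ledger", "arn:aws:s3:::ledger/*"]}],
}
GROUP_MEMBERS = {"HR": {"alice"}, "Finance": {"bob"}}
USER_POLICIES = {
    "alice": [],
    # An explicit Deny attached to the user overrides the group's Allow.
    "bob": [{"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": ["*"]}],
}

# Session policy a caller might pass when requesting temporary credentials,
# to work with a read-only subset of whatever the identity already has.
READ_ONLY_SESSION = [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                      "Resource": ["*"]}]


def _matches(stmt, action, resource):
    """IAM-style wildcard matching on action and resource (via fnmatch)."""
    return (any(fnmatch(action, a) for a in stmt["Action"])
            and any(fnmatch(resource, r) for r in stmt["Resource"]))


def evaluate(statements, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one set of statements."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            decision = "Allow"
    return decision


def user_statements(user):
    """Union of the user's own policies and the policies of every group they are in."""
    stmts = list(USER_POLICIES.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            stmts.extend(GROUP_POLICIES[group])
    return stmts


def is_allowed(user, action, resource, session_policy=None):
    """Identity policies must allow the request; if a session policy is present
    it must also allow it, so it can only narrow the identity's permissions."""
    if evaluate(user_statements(user), action, resource) != "Allow":
        return False
    if session_policy is None:
        return True
    return evaluate(session_policy, action, resource) == "Allow"


if __name__ == "__main__":
    ledger = "arn:aws:s3:::ledger/q3.csv"
    print("bob PutObject (group allow):", is_allowed("bob", "s3:PutObject", ledger))
    print("bob PutObject (read-only session):",
          is_allowed("bob", "s3:PutObject", ledger, READ_ONLY_SESSION))
    print("bob DeleteObject (user deny):", is_allowed("bob", "s3:DeleteObject", ledger))
```

The last two checks in the test are the ones that matter operationally: a session policy granting `*` still cannot give alice write access the HR group never had, and a read-only session policy stops bob from writing to the ledger even though his group allows it, which is exactly the "accidental task" protection the text describes.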