Manage IAM Roles
To let trusted identities, such as workforce identities and applications, perform actions in AWS, you define AWS Identity and Access Management (IAM) roles and grant them specific permissions. When a trusted identity assumes a role, it receives only the permissions scoped by that role. Using IAM roles is a security best practice because they provide temporary credentials that do not need to be rotated.
Typical situations where IAM roles are utilised
Integrate employee identities with AWS
Your users can federate into AWS accounts using their current corporate credentials by utilising IAM Identity Centre. You can define the permissions users should have when logging into AWS accounts using IAM roles.
Access workloads within AWS
Workloads are collections of code and resources, such as applications, that need an identity in order to send requests to AWS services. IAM roles let your application access AWS resources with temporary credentials while it runs in any AWS compute environment, including Amazon EC2 instances, which removes the need to store long-term credentials.
Workloads that are not hosted on AWS
You may have workloads that require access to your AWS resources that are hosted in on-premises, hybrid, and multicloud environments. Applications running outside of AWS can gain temporary access to resources in your AWS environment by utilising IAM Roles Anywhere.
Turn on cross-account access
To separate and manage your business apps and data, AWS advise using different AWS accounts. You can use IAM roles to grant access so that your identities in one AWS account can access resources in another AWS account.
Provide access to AWS services
In order for AWS services to operate on your behalf in your AWS account, they must be granted authorisation.
When you set up an AWS service environment, you choose a role for the service to assume. The service then assumes that role and can perform only the tasks you have granted it.
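The cross-account and service-role trust relationships described above are expressed in a role's trust policy. The following is an added example (not AWS code) of a small audit that reads such a policy and flags two weaknesses a reviewer looks for first: a wildcard principal, and AWS principals allowed to assume the role without MFA. The account ID and the policies themselves are constructed samples.

```python
import json

# Constructed sample trust policies (the account ID is a placeholder, not a real account).
TRUST_CROSS_ACCOUNT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})
TRUST_SERVICE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]})
TRUST_WEAK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]})


def _as_list(value):
    # IAM accepts either a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json: str) -> list:
    """Return findings for a role trust policy; an empty list means nothing was flagged."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for idx, stmt in enumerate(statements):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" is shorthand for {"AWS": "*"}.
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = _as_list(principal)
        if "*" in aws_principals:
            findings.append(f"statement {idx}: any AWS principal may assume this role")
        # Service principals (for example ec2.amazonaws.com) cannot present MFA, so only
        # statements that trust AWS (account, user or role) principals are checked for it.
        mfa_required = str(stmt.get("Condition", {}).get("Bool", {})
                           .get("aws:MultiFactorAuthPresent", "")).lower() == "true"
        if aws_principals and not mfa_required:
            findings.append(f"statement {idx}: AWS principals may assume the role without MFA")
    return findings


if __name__ == "__main__":
    for name, policy in (("cross-account", TRUST_CROSS_ACCOUNT), ("service", TRUST_SERVICE),
                         ("weak", TRUST_WEAK)):
        print(name, audit_trust_policy(policy) or "ok")
```

A role assumed only by other roles or services in a pipeline is legitimately assumed without MFA, so treat the second finding as a prompt to confirm who the principal is, not as an automatic failure.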
Multi-Factor Authentication (MFA) for IAM
What is MFA?
AWS multi-factor authentication (MFA), a recommended practice for AWS Identity and Access Management (IAM), calls for a second authentication factor in addition to the login credentials of the user name and password. For root and IAM users that you have created in your account, you can enable MFA at the AWS account level.
When MFA is enabled, a user is prompted for their user name and password, which they are familiar with, as well as an authentication code from their MFA device, which they possess (or, if they use a biometrics-enabled authenticator, which they are). When combined, these elements strengthen the security of your AWS resources and accounts.
AWS advise you to make it mandatory for your human users to access AWS using temporary credentials. Your users can authenticate using their corporate credentials and MFA configurations by federating into AWS through an identity provider. AWS advise you to utilise AWS IAM Identity Centre to control access to AWS and business apps. Refer to the IAM Identity Centre User Guide for additional details.
With your IAM MFA setup, you can utilise the following MFA choices. You can purchase a hardware MFA device from the appropriate manufacturer or download virtual authenticator apps using the links provided. AWS doesn’t charge more for using MFA once you’ve purchased a compatible virtual or physical MFA device.
MFA techniques that are available for IAM
The IAM console is where you can control your MFA devices. The MFA techniques that IAM supports are as follows.
Security keys and passkeys
Based on FIDO standards, passkeys and security keys provide simpler and more secure sign-ins across all of your users' devices. Public key cryptography, the foundation of the FIDO authentication standards, provides strong, phishing-resistant authentication that is more secure than passwords. Passkeys are generated with your fingerprint, face, or device PIN using your preferred passkey provider, such as iCloud Keychain, Google Password Manager, 1Password, or Dashlane, and synchronised across all of your devices to enable AWS sign-in.
Device-bound passkeys, also referred to as security keys, are another option available from third-party suppliers such as Yubico. The FIDO Alliance maintains a list of all FIDO-certified products that meet FIDO requirements. A single FIDO security key can support multiple root accounts and IAM users. Passkeys and security keys are accepted for root and IAM users in all AWS Regions, with the exception of the AWS China (Beijing) Region operated by Sinnet and the AWS China (Ningxia) Region operated by NWCD.
For qualified AWS account holders in the US, AWS provides a complimentary MFA security key. Use the Security Hub console to order a key and find out your eligibility.
Apps for virtual authenticators
Virtual authenticator applications support multiple tokens on a single device and use the time-based one-time password (TOTP) algorithm. IAM users in the AWS GovCloud (US) Regions and in other AWS Regions can use virtual authenticators. See Enabling a virtual multi-factor authentication (MFA) device for details on how to enable them.
Apps tailored to your smartphone type are available for download from the app store. Web and desktop applications are also offered by certain app suppliers.
Hardware tokens for TOTP
Thales, a third-party provider, offers hardware tokens that also support the TOTP algorithm. These tokens can be used only with AWS accounts.
Hardware TOTP tokens for the US regions of AWS GovCloud
Hypersecu, a third-party provider, offers hardware TOTP tokens that are interoperable with the AWS GovCloud (US) Regions. IAM users who have AWS GovCloud (US) accounts are the only ones permitted to utilise these tokens.