By Zach DeMeyer Posted October 3, 2019
The identity and access management (IAM) space continues to grow as we move further into the cloud era. And, when a market gets more active, it generally gets more complex as well. This is exemplified by the increase of vendors in the space, namely the recent entrance of Amazon® Web Services (AWS®) products. Interestingly, AWS is trying to play across the IAM field. Amazon made a number of different forays into IAM, which can get confusing fast. To help clarify, this blog post is an AWS cloud identity management solutions primer.
AWS Cloud Identity Management Solutions
With the current lead in Infrastructure-as-a-Service (IaaS) market share, AWS continues to extend its platform and services to solve more customer issues. Ultimately, it appears that Amazon’s goal is to add more solutions on top of AWS to encourage customers to use more core AWS compute and storage services. The result is a plethora of identity and access management solutions.
For IT and DevOps organizations, this wide range of solutions can be confusing and difficult to sort through. Although AWS’ strategy provides microservices for nearly any identity management task, admins and engineers might struggle to find the best way to implement them effectively. A more holistic solution might provide centralized control over many of the same resources. Regardless, let’s briefly evaluate each of AWS’ current entrants in the space, and the potential options that lie beyond.
AWS Cloud Directory
Although it’s not necessarily an IAM solution, this AWS service is often mistaken for being an identity provider in the cloud. In practice, AWS Cloud Directory is a tool that can help organizations build relationships between objects in a hierarchical fashion. Specifically, Amazon touts use cases such as car fleet management, HR directories, and learning management systems.
It is important for IT organizations to realize that this service doesn’t perform authentication, which is what one would expect a cloud directory to do. This is a simple difference in terminology, but it can be confusing for AWS customers.
AWS Directory Service
The AWS Directory Service moniker is used to describe different iterations of a solution that is akin to the common definition of a cloud directory. These solutions are largely focused on mirroring the Active Directory® (AD) model.
Their simple directory service version is essentially the open-source Samba platform rebadged in a managed directory service model. It should be noted that this service is managed through remote tools, as it does not have a user interface of its own. Another version of the AWS Directory Service (discussed in greater detail below) is in essence a cloud-managed Active Directory instance.
In general, IT admins and DevOps engineers can consider anything under the AWS Directory Service wing as some sort of extension for an on-prem Active Directory instance. It is largely focused on making an on-prem AD identity work for Windows® servers hosted at AWS.
AWS IAM
A core part of managing AWS users is Amazon’s proprietary IAM solution, aptly named AWS IAM. This solution is included for free with every AWS account, and is the interface that controls who can access, provision, modify, and delete AWS services.
Admins should note that this service doesn’t provide user management capabilities for the servers themselves. Think of this as a layer above logging into servers individually. The AWS IAM service is a core part of managing AWS users, and many DevOps organizations leverage web application single sign-on (SSO) platforms to control access to the AWS IAM web console.
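To make the scope of AWS IAM concrete, here is an added example (not code from the original post or from AWS) that applies the core IAM decision order, explicit Deny first, then Allow, otherwise implicit deny, to a constructed identity policy. The account ID, instance IDs and policy statements are made up; the point is that IAM speaks only in terms of AWS API actions and resource ARNs, so an OS-level login to a server is simply not in its vocabulary.

```python
import fnmatch

# Constructed sample policy in the shape of an AWS IAM identity policy.
# The account ID and instance IDs are placeholders, not real values.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-prod*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """Simplified IAM wildcard match: '*' and '?' only, no conditions or variables."""
    if case_insensitive:            # IAM action names are matched case-insensitively
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one API call against one policy."""
    decision = "ImplicitDeny"       # nothing is allowed until a statement says so
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"           # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    arn = "arn:aws:ec2:us-east-1:123456789012:instance/"
    for act, res in [("ec2:StartInstances", arn + "i-0abc"),
                     ("ec2:TerminateInstances", arn + "i-prod1"),
                     ("ec2:TerminateInstances", arn + "i-dev1"),
                     ("iam:CreateUser", "*")]:
        print(f"{act:24} {res.rsplit('/', 1)[-1]:10} -> {evaluate(SAMPLE_POLICY, act, res)}")
```

Note that no action in this model corresponds to an SSH or RDP session on the instance itself; that is the layer the post says AWS IAM sits above.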
AWS Managed Active Directory
As discussed above, a key service for AWS is their managed Active Directory solution. Because most organizations have AD on-prem, this service is meant as a way for IT and DevOps organizations to easily extend their on-prem identities to the cloud.
In doing so, AWS believes that more customers will migrate their data center infrastructure to them. Interestingly though, while AWS is reselling the decades-old Microsoft® platform, Microsoft has their own cloud identity management solution called Azure® Active Directory®. Note that Google’s cloud infrastructure service, Google Cloud Platform (GCP™), also resells a managed Active Directory solution.
AWS SSO
Because so many technical personnel leverage AWS credentials, AWS SSO extends the ability for those credentials to work with other web applications. This makes a lot of sense for technical personnel with AWS logins, giving them the ability to leverage them for other DevOps solutions.
The challenge with AWS SSO for IT organizations comes when they consider leveraging the solution for all of their users. Leveraging AWS as the authoritative identity for non-DevOps personnel can become cumbersome, not to mention ineffective, depending on the required web app connection. Furthermore, when it comes to web application SSO solutions in general, there are already a large number of them in the market that can not only work with AWS credentials, but work outside of AWS as well.
The Centralized Cloud Identity Management Solution
Clearly, AWS has targeted much of the cloud identity management space with this raft of solutions. In general, however, many modern organizations aren’t in the market for a handful of point solutions.
Instead, they want a single authoritative cloud identity provider that can connect users to all of their resources, AWS included. That means Windows, macOS®, and Linux® systems, cloud servers from AWS and others, web applications, physical and virtual file servers, and VPN and WiFi networks. Despite the broad reach of AWS’ cloud identity management solutions, even they can’t tackle all of these needs by themselves.
What today’s IT organizations need is a cloud directory service that reimagines Active Directory for the cloud era. With a cloud directory service, IT organizations can provide end-users with a single set of credentials to authenticate to virtually all of the resources listed above, including AWS infrastructure.
A cloud directory service consolidates many of the capabilities of AWS’ cloud identity management solutions in a unified platform, available from a single browser window. If this kind of cloud identity management solution sounds intriguing to you, please contact us. We’d be happy to tell you more about the world’s first cloud directory service.