AWS Identity And Access Management (IAM) Products

By Ryan Squires Posted November 18, 2019

The range of AWS® identity and access management (IAM) solutions provide for a confusing  landscape. With countless products in its portfolio, it is easy to get lost in a sea of AWS identity management options. To help bring clarity to this issue, this AWS identity management overview will explore several AWS products and what they mean to you as an IT admin.

To start, it would help to briefly overview all of the various AWS identity management solutions available and their purpose. We fit each solution into larger sub categories to help make the picture clear.

Traditional Identity Management Services

These services are akin to what IT admins are used to in the IAM space; each service in this subcategory are akin to Active Directory® (AD) in their usage and scope. 

AWS Managed Active Directory

A subset of the overarching AWS Directory Service, this product represents a mainstay AWS offering. AWS Managed AD is a resold Active Directory instance that is hosted by AWS. Amazon® knows that because most organizations leverage AD on-prem, it would be helpful to have an AD instance in the AWS cloud. Positioned there, it helps organizations because they can then connect their main, on-prem identity provider to it. Of course, as with AD on-prem, you still have problems related to managing non-Windows resources like macOS® and Linux® devices. 

Simple Active Directory

Based on the open-source Samba platform, this product is a simplified version of AWS Managed AD. Essentially, Simple Active Directory is designed to act as a “simple” directory service used to manage primarily Windows-based users. In keeping with its Windows user management scope, it can be managed from a separate Windows Server interface. 

Managing AWS Identities

Think of these solutions as related to cloud-based services. These are used for pushing AWS identities to web-based services in the AWS cloud or using them to authenticate users to third-party web applications. 

AWS IAM

This is perhaps the core of AWS’ cloud identity management approach. AWS IAM is the user management system for the AWS portal. This service enables system admins and DevOps engineers to appropriately control who can do what within the AWS infrastructure. It is important to note that AWS IAM is not meant to act as the user management system for admins and engineers to directly log in to systems and applications within the infrastructure. This service is used only for accessing AWS services and resources via the web console. 

AWS SSO

Perhaps the most recent identity management offering from AWS, this product has been created to extend AWS credentials to other web-based applications. AWS is aware that many technical personnel within an organization have user credentials within AWS, so extending those to complementary services is helpful and convenient for users. Think of it like traditional SSO solutions where AD credentials get federated to web applications. 

Non-IAM Focused Directory Solution

Here is where a considerable amount of confusion lies as it pertains to AWS services. The product listed below highlights key differences between IAM solutions and tools that may share similar names. 

AWS Cloud Directory

This service provides an example of AWS using the term “directory” in a manner different from how we perceive it in the IAM space. In short, AWS Cloud Directory is not a traditional identity management tool. Rather, it is used to create associations and hierarchies between different objects. A course catalog is a good example of how this product is used. Individual courses often fit under several different umbrellas, and AWS Cloud Directory is used to define what each course means as it relates to other objects — like students. Think electives versus required classes.

Ultimately, AWS Cloud Directory is not meant to serve as a replacement to a regular directory service, which means you will need a different tool to perform user authentications

AWS Product Wrap Up 

Hopefully this quick rundown helped you understand a bit more about the different AWS identity management services available, as well as some that are not exactly focused on traditional identity management. 

In short, AWS’ plethora of IAM solutions can ultimately prove helpful to IT admins and DevOps engineers if you exist mainly within a Windows / AWS environment. But, for modern organizations that either want to move beyond single platforms or locations, a platform-agnostic, cloud-based directory service may constitute an interesting alternative to the solutions overviewed in this post. 

Benefits of a cloud-based directory service like Directory-as-a-Service® enables IT admins to manage users of myriad services including Google Cloud Platform™, AWS, Jira®, and even networks via RADIUS from a single interface. Users benefit in that they only have to remember a single set of credentials for each of those services. 

Learn More About Directory-as-a-Service

Ready to unravel the confusing tangle known as AWS Identity and Access management tools? Contact us today and see how you can manage users across multiple tools while doing it from a single interface. 

Ryan Squires

Ryan Squires is a content writer at JumpCloud, a company dedicated to connecting users to the IT resources they need securely and efficiently. He has a degree in Journalism and Media Communication from Colorado State University.

Recent Posts