By Ryan Squires Posted November 18, 2019
The range of AWS® identity and access management (IAM) solutions makes for a confusing landscape. With so many products in its portfolio, it is easy to get lost in a sea of AWS identity management options. To help bring clarity to this issue, this AWS identity management overview will explore several AWS products and what they mean to you as an IT admin.
To start, it helps to briefly overview the various AWS identity management solutions available and their purpose. We fit each solution into larger subcategories to make the picture clear.
Traditional Identity Management Services
These services are akin to what IT admins are used to in the IAM space; each service in this subcategory is similar to Active Directory® (AD) in its usage and scope.
AWS Managed Active Directory
A subset of the overarching AWS Directory Service, this product is a mainstay AWS offering. AWS Managed Microsoft AD is a genuine Microsoft Active Directory deployment, running on Windows Server, that AWS hosts, patches and operates on your behalf. Amazon® knows that because most organizations run AD on-prem, it is helpful to have an AD instance in the AWS cloud. Positioned there, it lets organizations connect their main, on-prem identity provider to it, typically through a one-way or two-way forest trust, so on-prem users can reach AWS-hosted resources without duplicating accounts. Of course, as with AD on-prem, you still have the problem of managing non-Windows resources like macOS® and Linux® devices.
Simple Active Directory
Based on the open-source Samba platform, this product is a simplified, lower-cost version of AWS Managed AD. Essentially, Simple AD is designed to act as a “simple” directory service for managing a primarily Windows-based user population; it offers a Samba-compatible subset of AD features and, notably, does not support trust relationships with other domains. In keeping with its Windows user management scope, it is administered with the standard Windows Server AD tools from a domain-joined Windows instance.
Managing AWS Identities
Think of these solutions as cloud-native services. They are used either to govern access to AWS services themselves or to extend AWS-managed identities to third-party web applications.
AWS IAM
This is the core of AWS’ cloud identity management approach. AWS IAM is the user and permission system for AWS itself: it defines the principals (users, groups and roles) that can act within an AWS account and the policies that state which API actions they may perform on which resources. This lets system admins and DevOps engineers control who can do what within the AWS infrastructure. It is important to note that AWS IAM is not meant to act as the user management system for admins and engineers to log in to the operating systems and applications running inside that infrastructure. This service governs calls to AWS services and resources only, whether those calls arrive through the web console, the CLI or an SDK, which also means long-lived IAM access keys deserve the same care as passwords.
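To make the “who can do what” point concrete, here is an added example (not code from the original post or from AWS) that models how a single identity-based IAM policy is evaluated: the request is denied by default, any matching Allow grants it, and a matching explicit Deny overrides every Allow. The policy, bucket name and ARNs are constructed sample data, and only identity-based policies are modelled; resource policies, permission boundaries, SCPs, session policies and the NotAction/NotResource/Condition elements are deliberately left out.

```python
"""
Added example (not from the original post): a minimal model of how an AWS IAM
identity-based policy decides whether a principal may perform an action on a
resource. Evaluation order for a single account: an explicit Deny wins over
everything, otherwise any matching Allow grants the call, otherwise the
request is implicitly denied. The policy below is constructed sample data.
"""
import fnmatch
import json

# Constructed sample: what a DevOps engineer might be given. The scope is
# API access (s3:GetObject on one bucket, read-only EC2 describes), not a
# login to any server.
DEVOPS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-build-artifacts",
                   "arn:aws:s3:::example-build-artifacts/*"]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-build-artifacts/secrets/*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive):
    """IAM wildcard match: only '*' and '?' are special. Action names are
    case-insensitive, resource ARNs are case-sensitive. '[' is escaped so
    fnmatch does not treat it as a character class."""
    pattern = pattern.replace("[", "[[]")
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Return True if the identity-based policy permits `action` on `resource`.

    Default deny; an explicit Deny statement matching both action and
    resource overrides any Allow; otherwise one matching Allow suffices.
    Statements using NotAction/NotResource/Condition are not modelled and
    raise, so a caller never silently gets a wrong answer for them.
    """
    allowed = False
    for stmt in policy["Statement"]:
        unsupported = {"NotAction", "NotResource", "Condition"} & stmt.keys()
        if unsupported:
            raise NotImplementedError(f"unsupported statement keys: {sorted(unsupported)}")
        action_hit = any(_matches(p, action, False) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource, True) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins regardless of any allow
        allowed = True    # remember the allow, but keep looking for a deny
    return allowed


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-build-artifacts/app.tar.gz"),
        ("s3:GetObject", "arn:aws:s3:::example-build-artifacts/secrets/db.pem"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
        ("s3:GetObject", "arn:aws:s3:::another-bucket/file"),
    ]
    for action, resource in checks:
        verdict = "ALLOW" if is_allowed(DEVOPS_POLICY, action, resource) else "DENY"
        print(f"{action:24} {resource:62} -> {verdict}")
```

The third statement is the part worth noticing: even though the first statement allows every object in the bucket, the explicit Deny on the secrets/ prefix wins, and it wins no matter where in the policy it appears. The real IAM engine layers several more policy types on top of this, but the deny-overrides-allow rule is the one that trips people up most often.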
AWS Single Sign-On
Perhaps the most recent identity management offering from AWS, AWS Single Sign-On (AWS SSO) extends a single set of workforce credentials to multiple AWS accounts and to other web-based applications through SAML 2.0 federation. AWS is aware that many technical personnel within an organization already have user credentials within AWS (or in an AWS Managed AD directory), so extending those to complementary services is helpful and convenient for users. Think of it like traditional SSO solutions where AD credentials get federated to web applications.
Non-IAM Focused Directory Solution
Here is where a considerable amount of confusion lies as it pertains to AWS services. The product listed below highlights key differences between IAM solutions and tools that may share similar names.
AWS Cloud Directory
This service provides an example of AWS using the term “directory” in a manner different from how we perceive it in the IAM space. In short, AWS Cloud Directory is not a traditional identity management tool. Rather, it is a hierarchical data store for application objects, used to create associations and hierarchies between them, where a single object can sit in several hierarchies at once. A course catalog is a good example of how this product is used. Individual courses often fit under several different umbrellas, and AWS Cloud Directory is used to define what each course means as it relates to other objects, such as students. Think electives versus required classes.
Ultimately, AWS Cloud Directory is not meant to serve as a replacement to a regular directory service, which means you will need a different tool to perform user authentications.
AWS Product Wrap Up
Hopefully this quick rundown helped you understand a bit more about the different AWS identity management services available, as well as some that are not exactly focused on traditional identity management.
In short, AWS’ plethora of IAM solutions can ultimately prove helpful to IT admins and DevOps engineers if your organization lives mainly within a Windows / AWS environment. But, for modern organizations that want to move beyond a single platform or location, a platform-agnostic, cloud-based directory service may constitute an interesting alternative to the solutions overviewed in this post.
A cloud-based directory service like Directory-as-a-Service® enables IT admins to manage users of myriad services, including Google Cloud Platform™, AWS, Jira®, and even networks via RADIUS, from a single interface. Users benefit in that they only have to remember a single set of credentials across all of those services.
Learn More About Directory-as-a-Service
Ready to unravel the confusing tangle known as AWS Identity and Access management tools? Contact us today and see how you can manage users across multiple tools while doing it from a single interface.