AWS User Management: 4 Approaches for Secure IAM

Written by Mike Ranellone on January 18, 2020

Share This Article

With AWS® becoming more popular than ever, many IT admins and DevOps engineers are working through the best ways to handle AWS user management. Although the transition to the cloud increases efficiency, one of the top issues in this process is maintaining a high level of security throughout an increasingly diverse environment. 

On a fundamental level, security starts with controlling access to IT resources. A compromised identity is the quickest, easiest way through the maze of security that many organizations try to create. And according to Verizon, 81% of confirmed data breaches can be traced to weak, reused, or stolen credentials. As a result, for organizations leveraging AWS, a core part of enabling success is controlling user management. The challenge for IT admins is how to implement a cloud identity and access management (IAM) strategy that’s unified, efficient, and secure.

Traditionally, IT organizations have leveraged Microsoft® Active Directory® (AD) as their identity provider and user management system of choice. AD made sense while the IT infrastructure was Windows®-based and on-prem. But as organizations shifted to cloud infrastructure, web applications, Mac® and Linux® systems, and other non-Windows or on-prem resources, the challenges increased. This is especially true with AWS.

So, what are the best options for AWS user management? Consider the four approaches below in the context of your existing environment and longer-term IT goals. 

AWS User Management Options 

1. Manage AWS Users by Extending Active Directory

For organizations deeply invested in Active Directory and the Microsoft infrastructure that goes with it, the ideal way to manage AWS users may be to integrate AWS with AD. AD user identities and permissions would propagate out to AWS, keeping AD as the central management interface. Users would enjoy the convenience of single sign-on (SSO), with AD automatically negotiating a trust relationship between the AD user and its corresponding AWS user at the time of AD authentication. 

A number of AD extensions offer this kind of functionality, though you’ll want to keep an eye out for some differences between them. A solution that only integrates AD with AWS, for example, may not be cost effective compared to one that can integrate AD with additional cloud platforms and apps. Different AD extensions offer different levels of integration, too. Will you be able to provision users and groups to AWS resources from within AD? What about Linux servers? An ideal AD integration solution would simplify all of the above. 

If you don’t already have Active Directory, or your existing Active Directory infrastructure needs additional maintenance, other options for AWS user management may be more cost effective and less labor intensive than the above. Of course, if you are leveraging Linux servers at AWS, and not Windows servers, then it may be easier to skip this path as well.

2. Leverage Configuration Management Tools 

For granular control over AWS users and resources outside of your central directory, you can choose among a variety of server management tools, the most popular being Chef Automate and Puppet Enterprise. AWS offers managed versions of these tools, or you can host, configure, and operate them manually. You’ll need to write scripts (or at least modify borrowed ones and update them with each change), but if you’re comfortable with that, they can be a powerful solution for AWS user management and for configuring your suite of Amazon cloud resources. Learn more about using Chef and Puppet with AWS

One potential downside is this approach to user management creates a new IAM silo. In other words, each user could end up with an extra set of credentials to remember or store (in the case of SSH keys), and you could end up with a set of resources that require extra administrative attention, increasing the risks of laziness and human error, respectively. Depending on your use case, it may also be overkill to deploy a complicated patchwork of configuration tools just for user management.

3. Managed Active Directory Solutions 

If you run a 100% Windows environment that already uses an up-to-date Windows Server with AD properly set up, this approach to AWS user management can work similarly to the AD extension option above. Instead of syncing identities from your existing Active Directory with AWS infrastructure through an extension solution, it involves hosting an actual AD instance in your AWS cloud. This approach is often used because of the comfort that IT admins have with creating additional AD forests. Configured carefully, it can allow for limited usage of AD GPOs (for Windows servers) and AD-based user access to Amazon WorkSpaces VMs. 

This is a good user management solution specifically for AWS Windows servers, but it’s not as easy a solution for Linux systems. A universal AD extension can extend AD identities to AWS and other resources, but this cloud-hosted AD instance isn’t usually leveraged in the opposite direction as a core user directory for IT resources outside AWS. 

If you don’t already have AD, you could employ a managed AD instance in a limited fashion to control Windows resources in AWS, though you may need additional directory solutions for non-Windows and/or non-AWS resources. And even if you do already have AD, other AD extensions may provide greater value by integrating AD with a wider variety of vendors and operating systems. 

4. Implement a Cloud Directory Service

The right solution for your organization depends on your environment and its specific requirements. As most organizations are shifting to the cloud, however, many are leaning into IT management tools delivered from the cloud. The result is a reimagination of directory services to match this new cloud-centric landscape: a modern directory hosted in the cloud that can often be more nimble and more universal than its on-prem ancestor for most organizations.

Unlike a cloud-hosted AD instance, a next-generation cloud directory service can manage user provisioning and authentication beyond AWS and Windows resources, offering centralized control over Mac, Windows, and Linux systems, both on-prem and cloud infrastructure, networks, and more.

Learn more about implementing a cloud directory service for AWS user management

Continue Learning with our Newsletter