Working with users, groups, and policies is just the start. AWS IAM provides a lot more awesome features that can help you manage access and security for your organization, which we haven't covered in this chapter. Let's browse through some of these interesting features and services quickly.
For starters, let's talk about roles and identity providers. Roles are nothing but a group of permissions that grant users access to particular AWS resources and services. But wait, doesn't a policy do the same thing? You're absolutely right! Both are, in a sense, a set of permissions, but the difference lies in where and how you apply them.
Policies are applied to users and groups that belong to a particular AWS account, whereas roles are applied to users who are generally not part of your AWS account. In a sense, you use roles to delegate access to users, applications, and services that do not otherwise have access to your AWS resources. You can also use roles to create federated identities, where a user from your organization's corporate directory gets access to your AWS resources on a temporary basis.
To learn more about roles and how you can leverage them in your organization, use http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html.
This temporary access to AWS resources can be provided using an identity provider as well. Ever used your Facebook or Google credentials to log in to a website? If yes, then this is a classic example of using an identity provider to give external users access to some resources. In your case, your organization's Active Directory can be used as an identity provider to authenticate your corporate users and grant them access to AWS resources. As of today, you can use either SAML 2.0 or OpenID Connect to establish trust between your AWS account and your external identity provider.
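As an added example (not code from the book), here is a small Python check over a role's trust policy, the document that decides who may assume the role, for the SAML 2.0 federation case described above. The account ID, provider name, and the expected SAML audience are assumed placeholder values, and both policy documents are constructed samples.

```python
import json

# Constructed sample (hypothetical account ID and provider name): a trust policy
# that lets users federated through a SAML 2.0 identity provider assume the role.
SAML_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/CorpDirectory"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

# Constructed counter-example: any identity may assume it and the SAML audience is unchecked.
OPEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sts:AssumeRole", "sts:AssumeRoleWithSAML"],
    }],
})

# Audience the SAML assertion must carry; assumed here to be the standard AWS sign-in endpoint.
EXPECTED_SAML_AUD = "https://signin.aws.amazon.com/saml"


def review_trust_policy(document: str) -> list:
    """Return findings for a role trust policy; an empty list means it looks scoped."""
    findings = []
    statements = json.loads(document).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for n, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        principal = stmt.get("Principal", {})
        values = [principal] if isinstance(principal, str) else list(principal.values())
        if any(v == "*" or (isinstance(v, list) and "*" in v) for v in values):
            findings.append(f"statement {n}: wildcard Principal lets any identity assume the role")
        if "sts:AssumeRoleWithSAML" in actions:
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != EXPECTED_SAML_AUD:
                findings.append(f"statement {n}: SAML:aud is not pinned to {EXPECTED_SAML_AUD}")
    return findings
```

The scoped sample yields no findings, while the open one is flagged twice: the wildcard principal and the missing audience condition.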
Besides these, AWS has also introduced a couple of new services that help with the easy administration and management of your account. Here are a few of those services briefly explained:
These are just some of the tools and services that you can leverage to make your AWS environment more efficient and secure. Feel free to have a look at each of these new services, and don't be afraid to take them out for a spin as well!