Planning your next steps

Working with users, groups, and policies is just the start. AWS IAM provides many more awesome features that can help you manage access and security for your organization, and we haven't covered them in this chapter. Let's browse through some of these interesting features and services quickly.

For starters, let's talk about roles and identity providers. A role is nothing but a group of permissions that grants access to some particular AWS resources and services. But wait, doesn't a policy do the same thing? You're absolutely right! Both are, in a sense, a set of permissions, but the difference lies in where and how you apply them.

Policies are applied to users and groups that belong to a particular AWS account, whereas roles are applied to users who are generally not a part of your AWS account. In a sense, you use roles to delegate access to users, applications, and services that do not otherwise have access to your AWS resources. You can also use roles to create federated identities, where a user from your organization's corporate directory gets temporary access to your AWS resources.

Note

To learn more about roles and how you can leverage them in your organization, use http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html.

This temporary access to AWS resources can be provided using an identity provider as well. Ever used your Facebook or Google credentials to log in to a website? If yes, then that is a classic example of using an identity provider to give external users access to some resources. In your case, your organization's Active Directory can be used as an identity provider to authenticate your corporate users and grant them access to AWS resources. As of today, you can use either SAML 2.0 or OpenID Connect to establish trust between your AWS account and your external identity provider.
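As an added example (not the book's code), here is a role trust policy for the SAML federation just described, a cross-account delegation trust policy that is too permissive, its corrected form, and a small review check that flags the weak patterns; the account IDs, provider name, and external ID are placeholders.

```python
# Constructed example (not the book's code): trust policy for a role that federated
# corporate users assume through a SAML identity provider. ARNs are placeholders.
SAML_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/CorpIdP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Constructed cross-account delegation trust policy that is too open: any AWS
# principal may assume the role, and no external ID is required.
OPEN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

def cross_account_trust(account_id, external_id):
    """Corrected delegation trust policy: one named account, and the trusted
    party must present the agreed sts:ExternalId when it assumes the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy):
    """Review a role trust policy; return a list of findings (empty when clean)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        condition = stmt.get("Condition", {})
        actions = _as_list(stmt.get("Action", []))
        # Principal is either the string "*" or a map such as {"AWS": [...]}.
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("wildcard principal: any AWS account may assume this role")
        if "sts:AssumeRole" in actions and aws and not condition:
            findings.append("cross-account AssumeRole without a Condition such as sts:ExternalId")
        if "sts:AssumeRoleWithSAML" in actions:
            aud = condition.get("StringEquals", {}).get("SAML:aud")
            if aud != "https://signin.aws.amazon.com/saml":
                findings.append("SAML statement lacks the expected SAML:aud condition")
    return findings
```

Running `trust_policy_findings` over the three policies returns no findings for the SAML and corrected cross-account policies and two findings for the open one.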

Besides these, AWS has also introduced a couple of new services that make administering and managing your account easier. Here are a few of those services, briefly explained:

  • AWS CloudTrail: CloudTrail enables you, as an administrator, to log and record each and every API call that is made from within your account. These logs can contain information such as the API's request and response parameters, who made the API call, the time of the API call, and so on. These details are vital and can be used during security audits, compliance tracking, and so on. To know more about AWS CloudTrail, check http://aws.amazon.com/cloudtrail/getting-started/.
  • AWS Config: AWS Config is a fully automated service that enables you to take a complete snapshot of all your AWS resources' configurations for compliance and auditing purposes. It can also be used as a change management tool to find out when your AWS resources were created, updated, and destroyed. To know more about AWS Config, check http://aws.amazon.com/config/details/.
  • AWS Key Management Service: As the name suggests, this new service enables you to manage your account's keys more effectively and efficiently. It also provides add-on functionality such as centralized key management, one-click encryption of your data, automatic key rotation, and so forth. To know more about AWS Key Management Service, check http://aws.amazon.com/kms/getting-started/.

These are just some of the tools and services that you can leverage to make your AWS environment more efficient and secure. Feel free to have a look at each of these new services, and don't be afraid to take them out for a spin as well!
