AWS Identity Services Cheat Sheet

AWS Identity Services Cheat Sheet

AWS Identity and Security Services

IAM – Identity & Access Management

  • securely control access to AWS services and resources
  • helps create and manage user identities and grant permissions for those users to access AWS resources
  • helps create groups for multiple users with similar permissions
  • not appropriate for application authentication
  • is Global and does not need to be migrated to a different region
  • helps define Policies,
    • in JSON format
    • all permissions are implicitly denied by default
    • most restrictive policy wins
  • IAM Role
    • helps grants and delegate access to users and services without the need of creating permanent credentials
    • IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls
    • needs Trust policy to define who and Permission policy to define what the user or service can access
    • used with Security Token Service (STS), a lightweight web service that provides temporary, limited privilege credentials for IAM users or for authenticated federated users
    • IAM role scenarios
      • Service access for e.g. EC2 to access S3 or DynamoDB
      • Cross Account access for users
        • with user within the same account
        • with user within an AWS account owned the same owner
        • with user from a Third Party AWS account with External ID for enhanced security
      • Identity Providers & Federation
        • AssumeRoleWithWebIdentity – Web Identity Federation, where the user can be authenticated using external authentication Identity providers like Amazon, Google or any OpenId IdP
        • AssumeRoleWithSAML – Identity Provider using SAML 2.0, where the user can be authenticated using on premises Active Directory, Open Ldap or any SAML 2.0 compliant IdP
        • AssumeRole (recommended) or GetFederationToken – For other Identity Providers, use Identity Broker to authenticate and provide temporary Credentials
  • IAM MFA (Multi-Factor Authentication)
    • AWS supports FIDO2 passkeys, virtual MFA devices (authenticator apps), and hardware MFA tokens
    • SMS MFA has been discontinued – use FIDO2 passkeys or virtual/hardware MFA devices instead
    • AWS enforces MFA for root users across all account types (rolled out 2024-2025)
    • FIDO2 passkeys use public key cryptography for phishing-resistant authentication
    • Up to 8 MFA devices can be registered per IAM user
  • IAM Best Practices
    • Do not use Root account for anything other than billing
    • Create Individual IAM users
    • Use groups to assign permissions to IAM users
    • Grant least privilege
    • Use IAM roles for applications on EC2
    • Delegate using roles instead of sharing credentials
    • Rotate credentials regularly
    • Use Policy conditions for increased granularity
    • Use CloudTrail to keep a history of activity
    • Enforce a strong IAM password policy for IAM users
    • Remove all unused users and credentials
    • Enable MFA for all users, especially root accounts – use FIDO2 passkeys for strongest protection
    • Use IAM Access Analyzer to identify unused access and overly permissive policies
  • Increased IAM Quotas (May 2026)
    • Roles per account: up to 10,000
    • Managed policies per account: up to 10,000
    • Role trust policy size: up to 8,192 characters

IAM Roles Anywhere

  • enables workloads running outside of AWS (on-premises, hybrid, multi-cloud) to access AWS resources using temporary credentials
  • eliminates the need for long-term AWS access keys for external workloads
  • uses X.509 certificates from your Certificate Authority (CA) for authentication
  • integrates with existing enterprise PKI infrastructure
  • key components:
    • Trust Anchor – establishes trust between IAM Roles Anywhere and your CA
    • Profile – specifies the IAM roles and session policies
    • Credential Helper – tool that runs on the workload to obtain temporary credentials
  • supports workloads on-premises, in containers, or in other cloud providers
  • uses the same IAM policies and roles as AWS workloads for consistent access control

IAM Access Analyzer

  • helps identify resources shared with external entities and validate IAM policies
  • provides External Access Analysis – identifies resources accessible from outside your account or organization
  • provides Unused Access Analysis – continuously monitors for:
    • Unused IAM roles
    • Unused access keys for IAM users
    • Unused passwords for IAM users
    • Unused services and actions for active roles/users
  • supports Custom Policy Checks – validates policies before deployment against best practices
  • generates policy recommendations based on access activity (least privilege)
  • integrates with AWS Security Hub for centralized findings
  • zone of trust can be set at account or organization level

AWS Organizations

  • is an account management service that enables consolidating multiple AWS accounts into an organization that can be centrally managed.
  • include consolidated billing and account management capabilities that enable one to better meet the budgetary, security, and compliance needs of your business.
  • As an administrator of an organization, new accounts can be created in an organization and invite existing accounts to join the organization.
  • enables you to
    • Automate AWS account creation and management, and provision resources with AWS CloudFormation Stacksets.
    • Maintain a secure environment with policies and management of AWS security services
    • Govern access to AWS services, resources, and regions
    • Centrally manage policies across multiple AWS accounts
    • Audit your environment for compliance
    • View and manage costs with consolidated billing
    • Configure AWS services across multiple accounts
  • supports Service Control Policies – SCPs
    • offer central control over the maximum available permissions for all of the accounts in your organization, ensuring member accounts stay within the organization’s access control guidelines.
    • are available only in an organization that has all features enabled, and aren’t available if the organization has enabled only the consolidated billing features.
    • are NOT sufficient for granting access to the accounts in the organization.
    • defines a guardrail for what actions accounts within the organization root or OU can do, but IAM policies need to be attached to the users and roles in the organization’s accounts to grant permissions to them.
    • Effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.
    • with an SCP attached to member accounts, identity-based and resource-based policies grant permissions to entities only if those policies and the SCP allow the action
    • don’t affect users or roles in the management account. They affect only the member accounts in your organization.
  • supports Resource Control Policies (RCPs)launched Nov 2024
    • a new authorization policy type that sets the maximum available permissions on resources within the organization
    • complement SCPs – SCPs control what principals can do, RCPs control what can be done on resources
    • help centrally restrict external access to AWS resources at scale (establish data perimeters)
    • don’t affect resources in the management account – only affect resources in member accounts
    • work alongside SCPs to provide comprehensive authorization guardrails
    • supported by AWS Control Tower for managed preventive controls
  • supports Declarative Policieslaunched Dec 2024 at re:Invent
    • a new management policy type that declares and enforces desired configuration for AWS services at scale
    • different from SCPs/RCPs – declarative policies enforce service configurations, not just permissions
    • configuration is always maintained even when the service adds new features or APIs
    • simplifies governance by defining durable intent for baseline service configurations

AWS Directory Services

  • gives applications in AWS access to Active Directory services
  • different from SAML + AD, where the access is granted to AWS services through Temporary Credentials
  • AWS Managed Microsoft AD
    • fully managed Microsoft Active Directory powered by Windows Server
    • available in Standard and Enterprise editions
    • supports self-service API-driven edition upgrades (Standard to Enterprise) – Oct 2025
    • supports dual-stack networking (IPv4 and IPv6) – Sep 2025
    • includes Directory Service Data API for built-in object management (users, groups, attributes) – Sep 2024
    • Hybrid Edition (Aug 2025) – extends your existing self-managed AD domain to AWS Managed Microsoft AD
      • automatically handles replication between on-premises AD and AWS
      • preserves existing identity and access infrastructure
      • simplifies migration of AD-dependent workloads to AWS
      • supports extending domains from on-premises, AWS, or multi-cloud
  • Simple AD
    • least expensive but does not support Microsoft AD advanced features
    • provides a Samba 4 Microsoft Active Directory compatible standalone directory service on AWS
    • No single point of Authentication or Authorization, as a separate copy is maintained
    • trust relationships cannot be setup between Simple AD and other Active Directory domains
    • Don’t use it, if the requirement is to leverage access and control through centralized authentication service
  • AD Connector
    • acts just as an hosted proxy service for instances in AWS to connect to on-premises Active Directory
    • enables consistent enforcement of existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or in the AWS cloud
    • needs VPN connectivity (or Direct Connect)
    • integrates with existing RADIUS-based MFA solutions to enabled multi-factor authentication
    • does not cache data which might lead to latency
  • Read-only Domain Controllers (RODCs)
    • works out as a Read-only Active Directory
    • holds a copy of the Active Directory Domain Service (AD DS) database and respond to authentication requests
    • they cannot be written to and are typically deployed in locations where physical security cannot be guaranteed
    • helps maintain a single point to authentication & authorization controls, however needs to be synced
  • Writable Domain Controllers
    • are expensive to setup
    • operate in a multi-master model; changes can be made on any writable server in the forest, and those changes are replicated to servers throughout the entire forest

AWS IAM Identity Center (formerly AWS Single Sign-On)

  • is the recommended service for managing workforce access to AWS accounts and applications (formerly known as AWS SSO, renamed July 2022)
  • provides centralized SSO access to all AWS accounts and cloud applications
  • helps manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS-integrated applications as well as custom applications that support SAML 2.0.
  • includes a user portal where end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.
  • supports connecting external identity providers (Okta, Microsoft Entra ID, Ping Identity) or using built-in directory
  • Trusted Identity Propagation
    • enables administrators to grant permissions based on user attributes (user ID, group associations) across AWS service boundaries
    • eliminates the need for service-specific identity mapping
    • supports services like Amazon Redshift, Amazon Q Business, Amazon EMR, and more
  • Multi-Region Replication (Feb 2026)
    • replicate identity configurations across multiple AWS Regions
    • provides active access portal endpoints in multiple Regions for improved availability
    • available for organization instances connected to external identity providers
    • currently available in 17 enabled-by-default commercial AWS Regions
  • supports customer managed policies and permission boundaries in permission sets

Amazon Cognito

  • Amazon Cognito provides authentication, authorization, and user management for the web and mobile apps.
  • Users can sign in directly with a username and password, or through a third party such as Facebook, Amazon, Google, or Apple.
  • Cognito has two main components.
    • User pools are user directories that provide sign-up and sign-in options for the app users.
    • Identity pools enable you to grant the users access to other AWS services.
  • Feature Tiers (Nov 2024) – User pools now offer three tiers:
    • Lite – basic authentication features (existing user pools default to this)
    • Essentials – includes Managed Login, passwordless authentication (passkeys, email, SMS), access token customization, password reuse prevention (new user pools default to this)
    • Plus – adds advanced security features including adaptive authentication, threat protection, and compromised credentials detection
  • Managed Login (Nov 2024) – fully managed, hosted sign-in/sign-up experience with rich branding customization
  • Passwordless Authentication (Nov 2024)
    • supports passkeys (FIDO standards, public key cryptography) for phishing-resistant sign-in
    • supports email and SMS one-time passwords
    • available in the Essentials tier
  • Refresh Token Rotation (Apr 2025) – enables automatic rotation of OAuth 2.0 refresh tokens for improved security
  • Client Secret Management (Feb 2026) – custom client secrets, on-demand rotation, up to two active secrets per app client
  • Multi-Region Replication (2026) – replicate user pools across Regions for business continuity and reduced latency
  • Customer-Managed Keys – full control over data encryption at rest using your own KMS keys
  • Cognito SyncNote: AWS recommends using AWS AppSync instead of Cognito Sync for new implementations. AppSync provides similar data synchronization with additional real-time and offline capabilities.

Amazon Verified Permissions

  • a fully managed, fine-grained authorization service for applications (GA 2023)
  • uses Cedar, an open-source policy language purpose-built for authorization
  • externalizes authorization logic from application code for consistent access control
  • supports both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
  • key components:
    • Policy Store – container for Cedar policies, logically isolated from other stores
    • Policies and Templates – define who can do what on which resources
    • Schema – defines entity types, actions, and their relationships
    • Authorization Requests – real-time evaluation of user access against policies
  • integrates natively with Amazon Cognito for identity context
  • aligns with Zero Trust principles – least privilege and continuous verification
  • supports multi-tenant authorization with multiple identity providers
  • enables security teams to audit and analyze application-level access centrally