Amazon IAM and other authentication systems



Identity & Access Management, or IAM.
Now, AWS’ IAM offering predates Google’s or Microsoft’s cloud offerings even being publicly available. That fact alone speaks volumes about the head start they have. This isn’t just about functionality. AWS has millions of users, and most of them started using IAM as soon as it was released. Bug reports and feature requests from users followed, and improvements were shipped. AWS IAM is now so tightly integrated with the rest of that platform’s services that other providers have to simply mimic their approach to succeed (sadly, a step neither Google nor Microsoft has taken to this point).
If you’re in an organization that espouses the ideal that a hybrid cloud approach is sustainable, you either have to engineer around the disparity between AWS’ services and the other providers’, or simply ignore the features of IAM that are missing from Google and Microsoft. Which path should you take?

Authenticate your application

Question: Somebody proposed using IAM users as database users to authenticate our application.

This is simply impossible in the current state of things, and 99% certain to stay that way in the future, for simple reasons.
If you look at the IAM FAQs you can find this:
Q: What problems does IAM solve?
IAM is used to access AWS resources, not, for example, to log in to Windows/Linux machines.
The only case where you can store SSH keys in an IAM user is to access AWS CodeCommit, which is a Git repository service (git repos as a service).

This is also motivated by money:
Q: How much do IAM roles cost?
IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.

Somebody on Stack Overflow thought the same, and the responses are coherent with my idea.

So you use IAM to manage AWS resources and you don’t pay for it; if instead you want to manage other resources, you need to use the Directory Service, and you pay depending on usage and the size of the directory.

You can do the opposite: you can grant AWS web access using LDAP users (your Active Directory, or Directory Service in AWS; I also saw it done using Google or Facebook authentication).
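To make the two points above concrete (IAM decisions are always about an AWS action on an AWS resource, and federated identities such as Google users get AWS access by assuming a role), here is an added illustration of the IAM evaluation model in plain Python. This is not AWS code and not code from this page: it models the documented order (an explicit Deny beats any Allow, and anything not allowed is implicitly denied), supports only the StringEquals condition operator, and uses constructed policies with a placeholder OAuth client id and bucket name.

```python
"""Minimal model of how IAM authorizes a request. Every decision concerns an
AWS API action on an AWS resource (or the right to assume a role); there is no
vocabulary for 'log in to the database' or 'log in to this Linux box'.
Added illustration, not AWS code. Only the StringEquals condition operator is
modelled (assumption for brevity); Effect ordering follows the IAM docs."""
from fnmatch import fnmatchcase


def _matches(pattern, value):
    """IAM wildcards: '*' matches any run of characters, '?' a single one."""
    return fnmatchcase(value, pattern)


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _conditions_hold(conditions, context):
    for operator, keys in conditions.items():
        if operator != "StringEquals":  # other operators are out of scope here
            raise NotImplementedError(operator)
        for key, expected in keys.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _statement_applies(stmt, action, resource, principal, context):
    """principal is a (type, identifier) tuple, e.g. ('Federated', 'accounts.google.com')."""
    if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
        return False
    if "Resource" in stmt and not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    if "Principal" in stmt:  # trust policies name who may assume the role
        if principal is None:
            return False
        if principal[1] not in _as_list(stmt["Principal"].get(principal[0], [])):
            return False
    return _conditions_hold(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource="*", principal=None, context=None):
    """Return 'Allow' or 'Deny' for one request over a set of policies."""
    context = context or {}
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, principal, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny always wins
                decision = "Allow"
    return decision


# Constructed example: trust policy letting Google-authenticated users of one
# OAuth client (placeholder id) assume the role, the "grant AWS access using
# Google authentication" case from the text.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": "EXAMPLE-CLIENT-ID"}},
    }],
}

# Constructed example: permissions attached to that role. Note every statement
# is an AWS action on an AWS ARN; the placeholder bucket name is made up.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}


def can_assume_role(aud):
    """Would a Google-issued token for OAuth client `aud` be allowed to assume the role?"""
    return evaluate([TRUST_POLICY], "sts:AssumeRoleWithWebIdentity",
                    principal=("Federated", "accounts.google.com"),
                    context={"accounts.google.com:aud": aud})


def can_get_object(key):
    """Can the assumed role read object `key` from the constructed bucket?"""
    return evaluate([ROLE_POLICY], "s3:GetObject", f"arn:aws:s3:::example-bucket/{key}")


if __name__ == "__main__":
    print("assume role, right client :", can_assume_role("EXAMPLE-CLIENT-ID"))
    print("assume role, other client :", can_assume_role("other-client"))
    print("read public/readme.txt    :", can_get_object("public/readme.txt"))
    print("read secrets/db.key       :", can_get_object("secrets/db.key"))
    print("rds:DescribeDBInstances   :", evaluate([ROLE_POLICY], "rds:DescribeDBInstances"))
```

The last call shows the page’s point: asking IAM about a database is only meaningful as an AWS API action (here `rds:DescribeDBInstances`, implicitly denied); the role grants nothing that could stand in for an application or database login.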

Let’s analyze the solutions instead.

Solution 1 JumpCloud Directory As A Service

This is a company like or
There is this magic product that promises total integration with everything.
The first 10 users are free, so I hope to test it in the future.

Solution 2 AWS Cognito

It was born for web app and mobile device authentication; there is also a web console where you can create users, disable them, etc., in a standard way and easily.
Later you can use it to integrate with other identity providers: Google, Facebook, custom ones, etc.

Solution 3 AWS Directory Service

More details here
You get a directory service managed in the cloud. It is less user-friendly than AWS Cognito, so there is no web console to access it, but that is not a big deal.
You have 4 different choices:

  1. AD Connector: it is like a managed proxy for the on-premises directory (Samba or Microsoft). From the doc: “AD Connector uses your existing on-premises Microsoft Active Directories to access AWS applications and services.” CHEAP price
  2. Simple AD: it is good for environments that are not huge. “Simple AD is a Microsoft Active Directory–compatible directory that is powered by Samba 4 and hosted on the AWS cloud.” INTERMEDIATE price
  3. Microsoft AD: it is a managed Microsoft directory. From the doc: “Microsoft AD is a Microsoft Active Directory hosted on AWS. It integrates most Active Directory features with AWS applications.” MORE EXPENSIVE THAN SIMPLE AD
  4. Amazon Cloud Directory. From the doc: “Create a highly scalable directory in AWS to manage hierarchical data using sample schemas or based on your own custom schemas.” It is not very clear at the moment whether this is an alternative to or an integration with the previous solutions.

Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License