The AWS Management Console now recognizes Users created via AWS Identity and Access Management (IAM). IAM users can now log in to the console and manage resources within an AWS account. IAM Users can be assigned individual Multi-Factor Authentication (MFA) devices to provide additional security when they access the console. IAM can also be used to give permission for a particular User to access resources, services, and APIs.
Here's a quick recap of the major features of IAM:
- Create User Identities - Add Users (unique identities that can interact with AWS services) to your AWS account. A User can be an individual, a system, or an application with a need to access AWS services.
- Assign and Manage Security Credentials - Assign security credentials such as access keys to each User, with the ability to rotate or revoke these credentials as needed.
- Organize Users in Groups - Create IAM Groups to simplify the management of permissions for multiple Users.
- Centrally Control User Access - Control the operations that each User can perform, including access to APIs for specific AWS Services and resources.
- Add Conditions to Permissions - Use conditions such as time of day, source IP address, or protocol (e.g. SSL) to control how and when a User can access AWS.
- View a Single AWS Bill - Receive a single bill which represents the activity of all of the Users within a single AWS account.
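As an added example (not code from the post or from AWS), here is a policy that uses the condition types the recap lists (SSL, source IP, time window) to share one S3 prefix under least privilege, together with a deliberately simplified offline evaluator that shows how such a statement behaves under IAM's default-deny, explicit-Deny-wins rules; the bucket name, addresses and timestamps are constructed placeholders.

```python
import fnmatch
import ipaddress
from datetime import datetime

# Constructed placeholder bucket; policy and evaluator are an added example, not AWS code.
BUCKET = "example-shared-bucket"

# Least privilege: one action on one prefix, gated by the three condition
# types the post lists (SSL, source IP, time window). Unmatched = denied.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/shared/*"],
        "Condition": {
            "Bool": {"aws:SecureTransport": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            "DateGreaterThan": {"aws:CurrentTime": "2011-02-15T08:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2011-02-15T18:00:00Z"},
        },
    }],
}

_ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # IAM-style "...Z" stamps

_OPS = {  # condition operators used above, a small subset of IAM's
    "Bool": lambda got, want: str(got).lower() == want,
    "IpAddress": lambda got, want: ipaddress.ip_address(got) in ipaddress.ip_network(want),
    "DateGreaterThan": lambda got, want: _ts(got) > _ts(want),
    "DateLessThan": lambda got, want: _ts(got) < _ts(want),
}

def _condition_holds(condition, ctx):
    """Every condition key must be present and satisfied (fails closed)."""
    return all(key in ctx and _OPS[op](ctx[key], want)
               for op, pairs in condition.items() for key, want in pairs.items())

def policy_allows(policy, action, resource, ctx):
    """Approximate IAM evaluation: default deny, explicit Deny beats Allow.
    Wildcards via fnmatch; real IAM action matching is case-insensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        if (any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
                and any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"])
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

A request that fails any single condition, or whose context lacks a key the condition names, is refused, which is the fail-closed behaviour you want from conditional grants.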
Put it all together and what's the result? It is now much easier for multiple people to securely share access to an AWS account. This should be of interest to everyone -- individual developers, small companies, and large enterprises. I am currently setting up individual IAM Users for each of my own AWS applications.
IAM is a really powerful feature and I'll have a lot more to say about it over the next couple of weeks. I've got the following blog posts in the pipeline:
- A more detailed introduction to IAM.
- A step-by-step guide to using the IAM CLI to enable sharing of a limited set of files within an Amazon S3 bucket.
- A walkthrough to show you how IAM Users can access the AWS Management Console.
- A walkthrough on the use of the AWS Access Policy Language for more advanced/conditional control of permissions.
Let me know if you'd like me to cover any other topics and I'll do my best to oblige. In the meantime, check out the IAM Getting Started Guide, the IAM API Reference, and the IAM Quick Reference Card (there's even more documentation here). Also, don’t forget to refer to my previous blog post on the AWS Policy Generator for help creating policies that control permissions for your users.
A number of applications and development tools already include support for IAM. Here's what I know about (leave a comment if you know of any others):
- Boto - Python interface to AWS.
- CloudBerry S3 Explorer.
- Ylastic Cloud management interface (web and mobile).
- S3 Browser (Bucket Sharing Wizard).
- SDB Explorer - Amazon SimpleDB browser.
The AWS Identity and Access team is hiring, so let us know if you’re interested in joining the team:
- Principal Product Manager
- Software Development Engineers (SDE-I to Principal levels)
- Software Development Engineers (UI)
- Sr. Software Development Manager
-- Jeff;


This sounds great, but I don't see how to log in. When I go to the console page it requires an email and password, not an AWS access key. Has this already been rolled out around the world? (I am in Israel)
-tom
Posted by: Tom Rosenfeld | February 15, 2011 at 02:18 AM
Tom, here are some resources for you:
* The AWS Management Console Sign-In Page - http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html?AccountAlias.html
* Using an Alias for your AWS Account Id - http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html?AccountAlias.html
I am working on some blog posts with additional information.
Posted by: Jeff Barr | February 15, 2011 at 11:42 AM
This is a big deal - thanks for breaking the news, Jeff. We have a guide for folks getting started with AWS which includes a how-to for setting up IAM users compatible with the AWS console login on our wiki at http://wiki.cloudcontrollers.com/AWS_Best_Practices
Posted by: Cloudcontroller | February 16, 2011 at 12:41 PM
Awesome, Jeff. I've been waiting for this feature for some time. Works great!
Posted by: tomatohater | February 17, 2011 at 11:08 AM
Great news; however, when will we be able to access IAM from the web console?
Posted by: Junior | February 18, 2011 at 06:54 AM
It would be extremely useful if IAM was extended in the API to allow a website hosted within AWS EC2 to validate MFA devices. This would allow anyone to set up MFA for, say, their blog or corporate websites without investing time and money into custom development and integration. This could be a Per/User/Month charge or Per/MFA/Month, or even a Per/Authentication charge, and could actually generate revenue. In fact I purchased 3 MFA devices assuming this is what it was for =P oh well, it's nice having one set up to make my account that much more secure.
Posted by: Brant Wedel | November 06, 2011 at 12:51 AM