Sunday, March 30, 2014

IAM integration with on premise LDAP

You can manually create IAM users with passwords for access to AWS resources using the AWS Management Console, AWS CLI or API calls. This is a great way to start, but you may already have an identity store (such as Active Directory) that you wish to leverage for AWS resource access. Two methods are possible: Replication and Federation.
With replication, you copy account credentials from your identity store into AWS IAM. This is useful for smaller organizations who need a quick solution without building ongoing connectivity between the two identity stores. While fast to execute, this method has some drawbacks such as: Limited to the number of accounts supported by IAM (5,000 default), changes between identity stores are not automatically propagated, this includes password changes, and disabling or deleting of accounts.

Federation can be done using AWS STS or a third-party such as Okta.   

Remember IAM is not a substitute for an identity store such as Active Directory. 

No comments:

Post a Comment