| Last Updated | 01 March 2022 |
| --- | --- |
| Document Tag | tch-research-next-gen-authz |
| Author | simonm@thecyberhut.com |
| Part of Research Product | Next Generation Authorization Technology |
Amazon Web Services (AWS) provides a range of identity and security services, some of which can be applied to the authorization area.
Their own categorization lists 25 native Amazon products in the "Security, Identity and Compliance" area.
For those which AWS places into the Identity & Access Management category, the list reduces to the following:
| Use Case | AWS Service |
| --- | --- |
| Securely manage access to services and resources | AWS Identity & Access Management (IAM) |
| Cloud single sign-on (SSO) service | AWS Single Sign-On |
| Identity management for your apps | Amazon Cognito |
| Managed Microsoft Active Directory | AWS Directory Service |
| Simple, secure service to share AWS resources | AWS Resource Access Manager |
| Central governance and management across AWS accounts | AWS Organizations |
Some additional services that may impact both data and application authorization services could include the following:
| Use Case | AWS Service |
| --- | --- |
| Analyze application security | Amazon Inspector |
| Track user activity and API usage | AWS CloudTrail |
| Discover and protect your sensitive data at scale | Amazon Macie |
| Continuously audit your AWS usage to simplify how you assess risk and compliance | AWS Audit Manager |
Across all 25 Security, Identity and Compliance AWS services, updates are periodic and can be counted as per the following:
There have been approximately 40 updates specifically on identity and access management related capabilities since 2019.
The following are interesting from an authorization related context:
| Date | Feature | Details |
| --- | --- | --- |
| Dec 2019 | Introduction of IAM Access Analyzer | AWS Identity and Access Management (IAM) Access Analyzer is a new feature that makes it simple for security teams and administrators to check that their policies provide only the intended access to resources. Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment. |
| Dec 2019 | Access Analyzer for S3 Buckets | Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources. Access Analyzer for S3 evaluates your bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access. |
| Nov 2019 | Simplify Employee ABAC | AWS Identity and Access Management (IAM) enables you to use your employees' existing identity attributes such as cost center and department from your directory to create fine-grained permissions in AWS. Your administrators can use these employee attributes in AWS to implement attribute-based access control to AWS resources and simplify permissions management at scale. |
| Nov 2019 | Improved IAM Sharing Based on Organizations | AWS Identity and Access Management (IAM) enables you to use your employees' existing identity attributes such as cost center and department from your directory to create fine-grained permissions in AWS. Your administrators can use these employee attributes in AWS to implement attribute-based access control to AWS resources and simplify permissions management at scale. |
| June 2019 | Access Advisor Ability to Set Permissions | AWS Identity and Access Management (IAM) access advisor uses data analysis to help you set permission guardrails confidently by providing service last accessed information for your accounts, organizational units (OUs), and your organization managed by AWS Organizations. |
| May 2019 | Set Fine-Grained Session Permissions | AWS Security Token Service (STS) now enables you to specify IAM managed policies as session policies to create fine-grained session permissions when a user assumes a role in AWS to create a session. With this launch, you have up to 10 full-sized policies to choose from that enable you to define more fine-grained session permissions. |
| March 2019 | Enable Fine-Grained Permissions for Service Control Policies | You can use Service Control Policies (SCPs) to set permission guardrails with the fine-grained controls used in AWS Identity and Access Management (IAM) policies. This makes it easier to meet the specific requirements of your organization's governance rules. |
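Three of the features in the table above (employee-attribute ABAC, STS session policies, and fine-grained SCPs) compose in a specific way: ABAC conditions decide whether a statement matches, a session policy can only narrow what the assumed role's identity policy already grants, and an SCP acts as an account-level guardrail whose explicit Deny overrides everything. The following is an added illustration written for this note, not AWS code and not AWS's policy engine. It is a deliberately simplified evaluator that models only `StringEquals` conditions with `${...}` variable expansion and a trailing-wildcard match, and ignores resource policies, permission boundaries, `NotAction` and other real IAM details. The policies, tag values, account ID and secret ARN are constructed sample data.

```python
"""Simplified model of how ABAC conditions, STS session policies and SCPs compose.

Added illustration only: NOT AWS's evaluation logic. Assumptions are marked inline.
"""
from fnmatch import fnmatchcase


def _match(pattern, value):
    # IAM-style '*' / '?' wildcard match (assumption: fnmatch is close enough here)
    return fnmatchcase(value, pattern)


def _condition_ok(cond, ctx):
    # Only StringEquals is modelled (assumption). Policy variables such as
    # ${aws:PrincipalTag/department} are expanded from the request context.
    for op, kv in cond.items():
        if op != "StringEquals":
            raise ValueError(f"unsupported condition operator: {op}")
        for key, expected in kv.items():
            expanded = expected
            for var, val in ctx.items():
                expanded = expanded.replace("${" + var + "}", val)
            if ctx.get(key) != expanded:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' or 'Implicit' for one policy document."""
    result = "Implicit"
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st.get("Resource", "*")
        res = res if isinstance(res, list) else [res]
        if not any(_match(a, action) for a in acts):
            continue
        if not any(_match(r, resource) for r in res):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        result = "Allow"
    return result


def is_allowed(action, resource, ctx, identity_policy, session_policy=None, scp=None):
    """Every layer present must Allow; a session policy or SCP can only narrow access.

    An absent SCP is treated like the default FullAWSAccess SCP (assumption);
    an absent session policy applies no narrowing.
    """
    layers = [identity_policy]
    if session_policy is not None:
        layers.append(session_policy)
    if scp is not None:
        layers.append(scp)
    return all(evaluate(p, action, resource, ctx) == "Allow" for p in layers)


# --- constructed sample data ------------------------------------------------
# Identity policy using the employee 'department' attribute for ABAC
ABAC_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
                   "secretsmanager:DeleteSecret"],
        "Resource": "arn:aws:secretsmanager:*:*:secret:*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/department": "${aws:PrincipalTag/department}"}},
    }],
}
# Session policy passed at AssumeRole time: read-only for this session
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                   "Resource": "*"}],
}
# SCP guardrail: allow everything except deleting secrets
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "secretsmanager:DeleteSecret", "Resource": "*"},
    ],
}
# Placeholder account ID and secret name (constructed, not real)
SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:payroll-db-EXAMPLE"


def request_context(principal_dept, resource_dept):
    """Build the (constructed) request context: tags on the caller and on the resource."""
    return {"aws:PrincipalTag/department": principal_dept,
            "aws:ResourceTag/department": resource_dept}


if __name__ == "__main__":
    same = request_context("finance", "finance")
    other = request_context("finance", "hr")
    print("ABAC match, read, session+SCP :",
          is_allowed("secretsmanager:GetSecretValue", SECRET_ARN, same, ABAC_IDENTITY_POLICY, SESSION_POLICY, SCP))
    print("ABAC mismatch, read           :",
          is_allowed("secretsmanager:GetSecretValue", SECRET_ARN, other, ABAC_IDENTITY_POLICY, SESSION_POLICY, SCP))
    print("write narrowed by session     :",
          is_allowed("secretsmanager:PutSecretValue", SECRET_ARN, same, ABAC_IDENTITY_POLICY, SESSION_POLICY, SCP))
    print("delete blocked by SCP         :",
          is_allowed("secretsmanager:DeleteSecret", SECRET_ARN, same, ABAC_IDENTITY_POLICY, None, SCP))
```

The point of the four checks at the bottom is the ordering of authority: the identity policy grants, the tag condition decides whether the grant matches this principal/resource pair, the session policy strips actions the role could otherwise perform, and the SCP's explicit Deny holds even when nothing else narrows the request. Access Analyzer and access advisor, listed in the same table, are the tooling AWS provides to check that the result of this composition is the access you intended.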