Amazon emphasized identity and access management during its AWS re:Inforce Security conference in Boston this week. Among announcements for GuardDuty Malware Detection and Amazon Detective for Elastic Kubernetes Service (EKS), Amazon Web Services executives highlighted the launch of IAM Roles Anywhere from earlier this month, which enables AWS Identity and Access Management (IAM) to run on resources outside of AWS. With IAM Roles Anywhere, security teams can provide temporary credentials for on-premises resources.
IAM Roles Anywhere lets on-premises servers, container workloads, and applications obtain temporary AWS credentials by presenting X.509 certificates, and those credentials are governed by the same AWS IAM roles and policies used inside AWS. "IAM Roles provides a secure way for your on-premises servers, containers, and applications to obtain temporary AWS credentials," AWS VP of Platforms Kurt Kufeld said.
Creating temporary credentials is an ideal alternative when they are only needed for short-term purposes, Karen Haberkorn, AWS director of product management for identity, said during a technical session.
"This extends IAM Roles so you can use them with workloads running outside of AWS, which lets you tap into all the power of AWS services wherever your applications are running," Haberkorn said. "It lets you manage access to AWS services in the exact same way you are doing today for applications that run in AWS, for applications that run on premises, at the edge — really anywhere."
Because IAM Roles Anywhere lets organizations configure access the same way for workloads inside and outside AWS, it reduces training and provides a more consistent deployment process, Haberkorn added. "And yes, it means a more secure environment," she said. "It's more secure because you no longer have to manage the rotation and the security of any long-term credential that you might have used for on-premises applications in the past."
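To illustrate how the same role-and-policy model applies to certificate-based identities, here is an IAM role trust policy (an added example, not from the article or from AWS) that allows IAM Roles Anywhere to assume the role only for certificates that chain to one specific trust anchor and carry one specific subject CN. The account ID, region, trust anchor ID and CN are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRolesAnywhereForOneWorkloadCert",
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:rolesanywhere:REGION:111122223333:trust-anchor/TRUST_ANCHOR_ID"
        },
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": "app-server-01.example.internal"
        }
      }
    }
  ]
}
```

Without the two conditions, any certificate issued by any trust anchor in the account could assume the role; pinning the trust anchor ARN and the certificate subject CN (which IAM Roles Anywhere exposes as a session tag) scopes the role to a single workload identity, and the short-lived session credentials can then be audited in CloudTrail like any other role assumption.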
New IAM Identity Center
Amazon also announced that it has renamed its AWS Single Sign-On offering "AWS Identity Center." Principal product manager Ron Cully explained in a blog post this week that the name change is to better reflect its full set of capabilities and to support customers who in recent years have shifted to a multi-account strategy. AWS is also looking to "reinforce its recommended role as the central place to manage access across AWS accounts and applications," Cully wrote.
While AWS hasn't announced any technical changes to AWS Identity Center, Cully said that it has emerged as the "front door into AWS." AWS Identity Center handles all authentication and authorization requests, and now processes half a billion API calls per second.
Curtis Franklin, a senior analyst who covers enterprise security management and security operations at Omdia, noted that AWS underscored IAM throughout the two-day conference. "AWS gave signs that it considers identity the frontline to security and privacy in the cloud," he said. "I think they are going to continue to bring in partners so that AWS is the single source of truth about who authorized users are and what privileges they can have."