Choosing an AWS identity service

Taking the first step

Time to read: 10 minutes

Purpose: Help determine which AWS identity service is the best fit for your organization.

Last updated: August 15, 2025

Introduction

Identity and access management helps ensure that only authenticated and authorized users can access only the cloud resources that they need to perform their tasks, and that they can do it in a secure and compliant way.

Diagram showing identity, authentication, and authorization.

As shown in the preceding diagram, identity is the unique identification of an entity, authentication is the process of verifying the identity, and authorization is the process of determining what the authenticated entity is allowed to do.

AWS offers multiple services that help you manage access to your resources on AWS. These include the following:

Though there are similarities between some identity services, these services address different scenarios. This decision guide helps you get started and choose the right AWS identity service for your use case.

Understand AWS identity and access management

Understanding the foundations of IAM can help you meet your needs.

Principals, including human users, workloads, federated users, and assumed roles, access AWS services by using APIs. All AWS compute environments deliver credentials that applications use to sign their API calls and request access to AWS services. API requests are authenticated and authorized by a system of identities (such as IAM roles), actions (IAM policies), and resources that are defined in IAM. Every AWS customer configures these to use AWS APIs. IAM roles are identities with temporary and conditional permissions to perform scoped actions on AWS resources. IAM policies define the actions that IAM roles can perform on specific AWS resources.

By carefully crafting IAM policies, you can ensure that the permissions available to an IAM role allow access only to the resources needed to fulfill a task: a concept known as least privilege.
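To make that evaluation model concrete, here is an added example that is not from the AWS guide and is not the IAM engine itself: a deliberately simplified Python model of how a permissions policy is evaluated against a request, using the evaluation order IAM documents (an applicable explicit Deny wins, otherwise an explicit Allow is required, otherwise the request is implicitly denied). The two policies, the bucket name and the context keys are constructed for illustration; the real service supports many more condition operators and also evaluates resource policies, service control policies and permissions boundaries.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (placeholder bucket, not a real account). LEAST_PRIVILEGE
# scopes read/write to one prefix and denies non-TLS S3 calls; BROAD allows everything.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/reports/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
BROAD = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Models only the Bool and StringEquals operators; a missing context key
    # means the condition does not match, so the statement is skipped.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != expected.lower():
                return False
            if operator == "StringEquals" and actual != expected:
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation order: an applicable explicit Deny always
    wins, otherwise an applicable Allow is needed, otherwise implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Action and Resource use IAM-style '*' and '?' wildcards.
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the same requests against BROAD and LEAST_PRIVILEGE shows the difference the paragraph describes: the scoped role can read and write only its prefix, only over TLS, while the broad policy permits any S3 action on any bucket.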

The preceding video is from a re:Inforce 2024 session by Lucas Wagner, a senior applied science manager at AWS, and Sean McLaughlin, a principal applied scientist at AWS. They provide a quick overview of AWS authorization and how AWS Identity and Access Management works, in a roughly four-minute excerpt (08:35-12:30).

Consider criteria for choosing an AWS identity service

Choosing the right AWS services depends on your needs, and on the following considerations:

  • Who requires access - you and your workforce, a machine and your workloads, or the applications you build.

  • What they want to access - AWS accounts; AWS applications and services, and the data in them; or data in the applications you build.

  • Where they want to access it from - from within AWS, from your on-premises environment, from another cloud environment, or from AWS IoT devices.

Choose which AWS identity services to use

The following table helps you find recommended AWS services for your use cases. For best results, consider the additional services and capabilities recommended for your objective.

| I am a... | I want to... | AWS identity service | Additional services and capabilities to consider |
|---|---|---|---|
| Cloud/Identity administrator | Make it easier for my team to grant and audit access to AWS applications, such as Amazon Q and Amazon SageMaker AI. | IAM Identity Center | Trusted identity propagation in IAM Identity Center; AWS Lake Formation; Amazon S3 Access Grants |
| Cloud/Identity administrator | Make it easier for the owners of my organization's data to grant data access by workforce user or group. | IAM Identity Center | Trusted identity propagation in IAM Identity Center; AWS Lake Formation; Amazon S3 Access Grants |
| Cloud/Identity administrator OR Developer | Configure workforce access to AWS accounts and the resources in them, such as Amazon S3 buckets. | IAM Identity Center; Federation with IAM | AWS Control Tower; Centralize root access for member accounts; Temporary security credentials in IAM |
| Cloud/Identity administrator | Run Active Directory dependent workloads in AWS. | AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD | Integrations with AWS services and applications |
| Cloud/Identity administrator | Join my AWS workloads to my on-premises Microsoft Active Directory Domain Services. | AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD | Integrations with AWS services and applications |
| Cloud/Identity administrator | Configure the access of my workloads to AWS resources. | IAM | AWS Resource Access Manager |
| Cloud/Identity administrator | Establish a data perimeter to enforce my organization's security requirements. | IAM permissions guardrails using data perimeters | Data perimeters on AWS |
| Cloud/Identity administrator | Verify which IAM roles and users within my organization have access to critical AWS resources. | IAM Access Analyzer internal access analysis | |
| Cloud/Identity administrator | Analyze and refine permissions to drive towards least privilege. | IAM Access Analyzer | |
| Cloud/Identity administrator | Grant on-premises workloads access to AWS. | IAM Roles Anywhere (requires PKI, the ability to issue and manage certificates) | |
| Cloud/Identity administrator | Grant an IoT device access to AWS. | AWS IoT Device Management | |
| Developer | Grant code in any external-to-AWS cloud environment access to AWS. | AWS Security Token Service AssumeRoleWithWebIdentity | Temporary security credentials in IAM; AWS Security Token Service CLI V2 Reference |
| Developer | Perform service-to-service authentication and authorization in my application running solely in AWS. | Amazon VPC Lattice | Amazon API Gateway with AWS Signature Version 4 authentication; AWS PrivateLink |
| Developer | Perform service-to-service authentication and authorization in my application with components in various cloud environments. | Amazon Cognito | Amazon Verified Permissions |
| Developer | Enable your customers to access your AI application and manage the identities of AI agents. | Amazon Bedrock AgentCore Identity | Amazon Bedrock AgentCore |
| Developer | Build and manage IoT device software on AWS. | AWS IoT Greengrass | |
| Developer | Build an authentication mechanism into my own application. | Amazon Cognito | |
| Developer | Build an authorization mechanism into an application. | Amazon Verified Permissions | |

Use AWS identity services

For you and your workforce

IAM Identity Center

IAM Identity Center helps you configure the single sign-on experience of your employees from your existing identity provider to user-facing AWS applications, such as Amazon Q and Amazon SageMaker AI, and to the AWS Management Console, including any AWS accounts that are assigned to your employees. With a single connection of your identity provider, you can scale your use of AWS applications as much as your business requires, and offer a continuous user experience across applications.

With IAM Identity Center, AWS applications such as Amazon Q can provide your users with personalized experiences, such as a dashboard showing what a user was working on when they last signed in. Data service owners, such as an Amazon Redshift administrator, can define permissions and audit access to data in AWS by the users in your directory. AWS data and analytics services can recognize your employees by their directory identities. For more information, see Application access in the AWS IAM Identity Center User Guide.

An organization instance of IAM Identity Center can help you manage your workforce access to AWS accounts as well. It lets you assign permissions to users and provision the permissions to multiple accounts from a central place. For more information, see AWS account access in the AWS IAM Identity Center User Guide.

Federation with IAM

You can also use IAM to federate workforce users through your identity provider to specific AWS accounts. Users assume IAM roles to perform scoped actions on the AWS resources in the account. You can federate with an identity provider that provides identity information using either OpenID Connect (OIDC) or SAML 2.0. For more information, see Identity providers and federation.

For your workloads

IAM

IAM lets your workloads assume IAM roles with temporary security credentials to use AWS APIs and perform scoped actions on AWS resources. For example, workloads running on compute services such as Amazon EC2 or Lambda use these roles to call AWS APIs. For more information, see IAM roles in the IAM User Guide.

IAM Access Analyzer

IAM Access Analyzer guides you to least privilege by providing features to set, verify, and refine permissions. It helps you implement your access management strategy by analyzing external, internal, and unused access, and validating that your IAM policies match your specified security standards. Use IAM Access Analyzer to do the following:

The following image shows the IAM Access Analyzer dashboard with external and internal access findings.

Dashboard showing external and internal access findings in IAM Access Analyzer

The following image shows unused access findings in the IAM Access Analyzer dashboard.

Dashboard showing unused access findings analysis with 100 active findings, including 40 unused roles, 15 unused credentials, and 45 unused permissions.

IAM Roles Anywhere

IAM Roles Anywhere extends the capabilities of IAM to on-premises and hybrid cloud workloads. Use it to get temporary security credentials and to use the same IAM policies and IAM roles that you use for AWS workloads.

AWS Directory Service

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is a highly available, fully managed Microsoft Active Directory (AD) service. It extends your on-premises Microsoft AD configurations to AWS so that your Microsoft Windows on-premises workloads can communicate with your AWS resources. Using AWS Managed Microsoft AD, you can join AWS resources such as Amazon EC2 instances, Amazon WorkSpaces managed desktops, and Amazon RDS for Microsoft SQL Server to your domain.

For the applications you build

Amazon Cognito

Amazon Cognito helps your developers implement customer identity and access management (CIAM) in the web and mobile applications that they develop. It is a scalable service that developers can use in your applications to manage users, authenticate them, and authorize their access. In addition to CIAM, Amazon Cognito supports service-to-service authentication and authorization within your applications. It scales to millions of users across devices, and processes more than 100 billion authentications per month.

Verified Permissions

Verified Permissions is a fully managed authorization service, which uses the easy-to-understand Cedar policy language for fine-grained permissions. Authorization decisions are verified formally by using automated reasoning. With Verified Permissions, developers can externalize authorization, align it with Zero Trust principles, and centralize policy management. Security and audit teams can better analyze and audit who has access to what within your applications.

The following image shows an example of permissions policy details from Verified Permissions and to whom the policy grants access.

An AWS policy configuration showing a permission that allows SalesTeam members to maintain customer account data.

Explore other AWS services

This section suggests additional services you should consider.

  • AWS Control Tower - Lets you set up a well-architected, multi-account AWS environment based on security and compliance best practices, and to manage it at scale.

  • AWS Resource Access Manager - Helps you share your resources across AWS accounts.

  • Amazon VPC Lattice - Lets you connect, secure, and monitor services and resources for your application.

  • Amazon API Gateway - Lets you create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs.

  • AWS IoT Device Management - Lets you onboard, organize, and manage Internet of Things (IoT) devices.

  • AWS IoT Greengrass - Lets you build, deploy, and manage IoT device software.

Additional resources

User guides with specific deployment guidance for AWS identity services:

AWS Security Blog posts with use-case-specific guidance: