Programmatic Authentication and Authorization - Developing and Deploying .NET Applications on AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Programmatic Authentication and Authorization

AWS Identity and Access Management (IAM) provides a comprehensive set of authentication and authorization features. IAM lets you grant granular permissions on AWS services and resources, and then assign those permissions to users, groups of users, and users or services running under a particular role.

Runtime Access Control

Although access keys are well-suited for developers working locally, when you deploy .NET applications to an AWS environment we recommend that you use role-based access in place of access keys.

You can create a role whose permissions follow the principle of least privilege. The role is then assigned to the compute environment hosting the .NET application, whether that is EC2 virtual machines, ECS containers, or Lambda serverless functions. This way, you no longer need to manually create and rotate access keys to authenticate your applications. Instead, IAM generates temporary credentials and rotates them automatically on your behalf, so that your applications running on AWS are authenticated and authorized to use AWS resources securely and seamlessly.
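The following C# snippet is an added example (not code from the whitepaper or from AWS) that contrasts the two approaches described above. It assumes the AWSSDK.S3 and AWSSDK.SecurityToken NuGet packages and a compute environment (EC2 instance profile, ECS task role, or Lambda execution role) that carries an IAM role; the key values in the anti-pattern method are placeholders, and the bucket listing is only a stand-in for whatever the application does with AWS. The `WhoAmIAsync` check is a useful startup guard: it shows which principal the process actually runs as, so a deployment that accidentally picked up a developer's keys instead of the intended role is noticed immediately.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Added example, not part of the whitepaper. Assumes AWSSDK.S3 and
// AWSSDK.SecurityToken, and a host (EC2/ECS/Lambda) that has an IAM role attached.
public static class RoleBasedAccessExample
{
    // ANTI-PATTERN: long-lived access keys embedded in the application. Shown only
    // to contrast with the role-based client below; the key values are placeholders.
    public static IAmazonS3 ClientWithHardCodedKeys()
    {
        var creds = new BasicAWSCredentials("AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER");
        return new AmazonS3Client(creds, RegionEndpoint.USEast1);
    }

    // RECOMMENDED: no credentials in code at all. The SDK's default credential chain
    // looks at the environment/profile first and, on AWS compute, falls through to the
    // instance, container or Lambda role, whose temporary keys IAM rotates for you.
    public static IAmazonS3 ClientFromRole()
    {
        return new AmazonS3Client(RegionEndpoint.USEast1);
    }

    // Report which principal the application actually runs as. On a correctly
    // configured host this is an assumed-role ARN, not an IAM user.
    public static async Task<string> WhoAmIAsync()
    {
        using var sts = new AmazonSecurityTokenServiceClient();
        var identity = await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest());
        return identity.Arn; // e.g. arn:aws:sts::<account>:assumed-role/<role-name>/<session>
    }

    public static async Task Main()
    {
        Console.WriteLine($"Running as: {await WhoAmIAsync()}");

        // Any AWS call made through this client is signed with the role's
        // temporary credentials; nothing had to be stored or rotated by hand.
        IAmazonS3 s3 = ClientFromRole();
        var buckets = await s3.ListBucketsAsync();
        foreach (var bucket in buckets.Buckets)
            Console.WriteLine(bucket.BucketName);
    }
}
```

If `WhoAmIAsync` returns a `user/` ARN rather than an `assumed-role/` ARN on an AWS host, the process has found stale access keys somewhere in the credential chain (environment variables, a shared credentials file) and is not using the role you assigned.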

Runtime Access Control with Temporary Credentials

Role-based access works well for .NET applications running in AWS. For applications hosted outside AWS, such as desktop or mobile applications, for applications that run under multiple roles, or for applications that work across multiple AWS accounts, it is better to add a further level of access control by using temporary credentials.

The AWS Security Token Service (AWS STS) can be used to generate temporary credentials, and can either be accessed through a single, global endpoint or from a series of regional endpoints.

Temporary credentials are generated dynamically when requested, and can last from a few minutes to several hours. After credentials expire, they can no longer be used to make API requests. However, the user can request new credentials, as long as they still have permissions to do so.

To learn how to program with AWS STS using .NET, see Making Requests Using IAM User Temporary Credentials - AWS SDK for .NET.
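As an added example (not from the whitepaper or the AWS SDK documentation), the following C# class obtains temporary credentials from AWS STS with `AssumeRole`, caches them, and renews them shortly before they expire, which is the expiry behaviour described above. It assumes AWSSDK.SecurityToken and AWSSDK.S3 version 3.x, that the caller's own credentials are permitted to call `sts:AssumeRole` on the target role, and a placeholder role ARN; the S3 call at the end only demonstrates using the credentials with a service client.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Added example, not part of the whitepaper. Assumes AWSSDK.SecurityToken 3.x and
// AWSSDK.S3 3.x; the role ARN below is a placeholder for a real role.
public sealed class TemporaryCredentialProvider
{
    private const string RoleArn = "arn:aws:iam::123456789012:role/ExampleCrossAccountRole"; // placeholder

    private readonly IAmazonSecurityTokenService _sts;
    private Credentials _current; // the last AssumeRole result, or null before the first call

    public TemporaryCredentialProvider(IAmazonSecurityTokenService sts) => _sts = sts;

    // Returns session credentials for the target role, calling AssumeRole only when
    // the cached set is missing or about to expire. DurationSeconds is capped by the
    // role's configured maximum session duration (one hour unless raised).
    public async Task<SessionAWSCredentials> GetCredentialsAsync()
    {
        // Renew five minutes early so an in-flight request never uses a dead token.
        if (_current == null || _current.Expiration.ToUniversalTime() <= DateTime.UtcNow.AddMinutes(5))
        {
            var response = await _sts.AssumeRoleAsync(new AssumeRoleRequest
            {
                RoleArn = RoleArn,
                RoleSessionName = "dotnet-app-session", // appears in CloudTrail for attribution
                DurationSeconds = 900                    // 15 minutes, the shortest lifetime STS allows
            });
            _current = response.Credentials;
        }

        // A session credential carries the session token alongside the key pair;
        // all three are required, and none of them is a long-lived secret.
        return new SessionAWSCredentials(_current.AccessKeyId, _current.SecretAccessKey, _current.SessionToken);
    }

    public static async Task Main()
    {
        // The STS client itself signs with whatever credentials the default chain finds
        // (an instance role on AWS, or the developer's profile outside AWS).
        using var sts = new AmazonSecurityTokenServiceClient();
        var provider = new TemporaryCredentialProvider(sts);

        var creds = await provider.GetCredentialsAsync();
        using var s3 = new AmazonS3Client(creds, RegionEndpoint.USEast1);
        var buckets = await s3.ListBucketsAsync();
        Console.WriteLine($"Role session can see {buckets.Buckets.Count} bucket(s)");
    }
}
```

Picking a short `DurationSeconds` and renewing on demand keeps the window in which a leaked session token is useful small, and the fixed `RoleSessionName` makes the application's activity easy to pick out in CloudTrail when reviewing who used the role.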