AWS identity services
Effective identity management is provided by AWS services,
solutions, and AWS Partners that permit you to securely manage
identities, resources, and permissions at scale. AWS identity
services provide flexible options for where and how you manage your
employee, partner, and customer identities. The following AWS
services can be used to help you meet the prescribed benefits of
the M&G Guide:
AWS Identity and Access Management (IAM) provides fine-grained
access control across all of AWS. Using IAM, you can specify who
can access which services and resources, and under which
conditions. With IAM policies, you manage permissions to your
workforce and systems to ensure least privilege permissions.
AWS IAM Access Analyzer guides you toward least privilege by
helping you set, verify, and refine permissions. Policy validation
with Access Analyzer helps you author secure and functional
permissions with more than 100 policy checks. Policy generation
with Access Analyzer makes it easier to apply fine-grained
permissions by generating policies based on your access activity
in AWS CloudTrail. Access Analyzer also continually monitors
resources and generates public and cross-account findings to help
you verify that existing access meets your intent.
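As an added illustration, and not code from this page or from Access Analyzer itself, the Python below contrasts a constructed overly broad IAM policy with a scoped one and runs a small local review over each: it flags Allow statements that use wildcard actions or resources and that carry no Condition narrowing who, when, or from where access is granted. The three checks are a simplified stand-in for the kind of policy check the text describes, not Access Analyzer's own rules.

```python
# Constructed sample policies (not from the page): one broad, one least-privilege.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/uploads/*",
            # Condition restricts *under which conditions* the grant applies.
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (statement_index, finding) pairs for Allow statements that are
    broader than least privilege. Simplified local checks, not Access Analyzer's."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them here
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = "*" in resources
        if wildcard_action:
            findings.append((i, "wildcard action grants every API in the service"))
        if wildcard_resource:
            findings.append((i, "wildcard resource grants access to every resource"))
        if (wildcard_action or wildcard_resource) and "Condition" not in stmt:
            findings.append((i, "wildcard grant has no Condition limiting its scope"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, review_policy(policy))
```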
AWS IAM Identity Center (IAM Identity Center) helps you centrally manage access to
multiple AWS accounts and business applications and provide users
with single sign-on access to all their assigned accounts and
applications from one place. With IAM Identity Center, you can manage access
and user permissions to all of your accounts in AWS Organizations
centrally. IAM Identity Center configures and maintains all the necessary
permissions for your accounts automatically, without requiring any
additional setup in the individual accounts. IAM Identity Center also includes
built-in integrations to many business applications, such as
Salesforce, Box, and Office 365.
AWS Directory Service for Microsoft Active Directory, also known
as AWS Managed Microsoft AD, enables your directory-aware
workloads and AWS resources to use managed Active Directory in
AWS. AWS Managed Microsoft AD is built on Microsoft Active
Directory and does not require you to synchronize or replicate
data from your existing Active Directory to the cloud. You can use
the standard Active Directory administration tools and take
advantage of the built-in Active Directory features, such as group
policy and single sign-on.
AD Connector is a directory gateway with which you can redirect
directory requests to your on-premises Microsoft Active Directory
without caching any information in AWS. AD Connector comes in two
sizes, small and large. You can spread application loads across
multiple Active Directory connectors to scale to your performance
needs.
If you would like support implementing this guidance, or assistance
with building the foundational elements prescribed by the M&G
Guide, we recommend you review the offerings provided by AWS
Professional Services or the AWS Partners in the Built on Control
Tower program.
If you are seeking help to operate your workloads in AWS following
this guidance, AWS Managed Services (AMS) can augment your
operational capabilities as a short-term accelerator or a long-term
solution, letting you focus on transforming your applications and
businesses in the cloud.