IAM users vs federated users

As things stand today, we can say AWS IAM is one of the most important services. Understanding its concepts and its features could make the difference between an average AWS engineer and a top one.

In this post, we want to present 2 types of users and some use cases for each of them. One of the first best practices you should put in practice is to avoid using the root user. That means you have to create different IAM users for each engineer that access AWS, but also for applications that make calls to AWS. Basically, a IAM user is a user that is managed inside your AWS account and it’s the good choice when you are a very small start-up, with only several developers that access AWS.

Comparing to IAM users, federated users are identities that are managed outside your account, in an environment that receives access to your AWS account. So, if you want to manage all users in a single place, then federated users are a better choice.

Another scenario where federated users are the way to go are mobile application. Instead of putting your AWS credentials inside your app (this is something you don’t have to do), use federation along with AWS Cognito to sign in and to access AWS.

Also, considering the definitions gave above for federated accounts, whenever you grant access to another AWS account (for example, AWS account 112233445566 can read from your S3 bucket), you use federated users because they are managed in a different place and not in your AWS account.

To sum up, there are 2 aspects we want to list:

  • Don’t use root account, but create IAM users if you are a very small team that access AWS
  • Whenever possible, use federated access to AWS: Why? Because you have a better control over your environment since you manage access to all resources in a single place.

Happy cloud computing!


2 thoughts on “IAM users vs federated users

Comments are closed.