ECS Identity and Access Management (IAM) enables you to control and secure access to ECS S3 resources. It ensures that each access request to an ECS resource is identified, authenticated, and authorized. ECS IAM allows an administrator to add users, roles, and groups, and to restrict their access by attaching policies to the ECS IAM entities.
Note: ECS IAM is for use with S3 only. It is not enabled for CAS or filesystem enabled buckets.
ECS IAM consists of the following components:
- Account Management - enables you to manage IAM identities, such as users, groups, and roles, within each namespace
- Access Management - access is managed by creating policies and attaching them to IAM identities or resources
- Identity Federation - identity is established and authenticated using SAML (Security Assertion Markup Language). After the identity is established, the Secure Token Service is used to obtain temporary credentials, which are then used to access the resource
- Secure Token Service - enables you to request temporary credentials for cross-account access to resources, and for users who are authenticated using SAML from an enterprise identity provider or directory service
By using IAM, you can control who is authenticated and authorized to use ECS resources by creating and managing:
- Users - an IAM user represents a person or application in the namespace that can interact with ECS resources
- Groups - an IAM group is a collection of IAM users. Use groups to specify permissions for a collection of IAM users
- Roles - an IAM role is an identity that can be assumed by anyone who requires it. A role is similar to a user: it is an identity with permission policies that determine what the identity can and cannot do.
- Policies - an IAM policy is a JSON document that defines the permissions of an identity. Policies are assigned and attached to IAM users, IAM groups, and IAM roles.
- SAML provider - SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. A SAML provider in ECS is used to establish trust between a SAML-compatible Identity Provider (IdP) and ECS
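To make the policy model concrete, the following added example (not Dell ECS code, and not taken from this page) shows how a policy document attached to a group and a second one attached to a user combine when a request is checked. It assumes the AWS-style policy grammar (Version / Statement / Effect / Action / Resource) and the usual evaluation order, in which an explicit Deny in any attached policy wins, an explicit Allow is otherwise required, and anything unmatched is denied by default; the page only states that a policy is a JSON document, so that grammar and order are assumptions here. Bucket names, statement IDs, and the request examples are constructed placeholders. The `find_overbroad` helper is a small least-privilege check that flags Allow statements granting every action on every resource.

```python
"""Minimal evaluator for IAM-style JSON policies.

Added example, not Dell ECS code. It assumes the AWS-style policy grammar
(Version / Statement / Effect / Action / Resource) and the usual evaluation
order: an explicit Deny in any attached policy wins, otherwise an explicit
Allow is required, otherwise the request is denied by default.
"""
import fnmatch
import json
from typing import Iterable, List

# Constructed sample policies, in the style of documents attached to an IAM
# group and to an IAM user. Bucket names and statement IDs are placeholders.
GROUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyOnReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::reports-bucket",
                "arn:aws:s3:::reports-bucket/*",
            ],
        }
    ],
})

USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowWrites",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::reports-bucket/*",
        },
        {
            "Sid": "NeverDelete",
            "Effect": "Deny",
            "Action": "s3:Delete*",
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str) -> bool:
    """IAM-style wildcard match: '*' and '?' are the only metacharacters."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policies: Iterable[str], action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one request across all attached policies.

    Deny overrides Allow; absence of any matching Allow is an implicit Deny.
    """
    allowed = False
    for doc in policies:
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny is final
            if stmt["Effect"] == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


def find_overbroad(doc: str) -> List[str]:
    """Return the Sids of Allow statements that grant '*' on resource '*'."""
    hits = []
    for stmt in _as_list(json.loads(doc)["Statement"]):
        if (stmt["Effect"] == "Allow"
                and "*" in _as_list(stmt["Action"])
                and "*" in _as_list(stmt["Resource"])):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    attached = [GROUP_POLICY, USER_POLICY]
    obj = "arn:aws:s3:::reports-bucket/q1.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(f"{act:18} on {obj}: {evaluate(attached, act, obj)}")
    print("other bucket read:",
          evaluate(attached, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))
```

Run as a script it prints the decision for each sample request; imported, `evaluate` and `find_overbroad` can be pointed at any policy documents in the same grammar. The value of the second helper is as a review gate: a statement that allows `*` on `*` collapses the user/group/role distinction the page describes, so it is worth catching before the policy is attached.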
Each ECS system is allotted an ECS IAM account. This account supports multiple namespaces, each with its own IAM entities defined in that namespace.
- Each namespace manages its own account using the ECS IAM entities, such as users, roles, and groups.
- Policies, permissions, and Access Control Lists (ACLs) associated with ECS IAM entities and ECS S3 resources manage access to ECS IAM features.
- ECS IAM supports cross-account access using Security Assertion Markup Language (SAML) and roles.
- ECS IAM supports Amazon Web Services (AWS) access keys for accessing IAM and S3 in ECS.
See the latest ECS Security Guide for more information about ECS IAM.