
AWS app registration


Hi, I'm wondering what the way is to register a third-party app in an AWS account. I'm looking for something similar to Azure app registration, where I can register a certain app and give it specific permissions to use the Azure API. I managed to do so by creating an IAM user and giving it the desired permissions, but I'm not sure if it's the best way to do it. The goal is to use read-only permissions to get some reports for the AWS account (via AWS CLI/AWS API). This is an AWS CLI request for example:

aws iam get-account-summary

Azure equivalent: Azure app registration

1 Answer

AWS's IAM approach is to leverage IAM Policies, which dictate which actions can be performed on which resources. Policies can be attached to Roles, Users, and Groups. Roles, Users, and Groups (to a lesser extent) define who is able to do something in an AWS Account (based on the attached or associated policies). Users are AWS IAM user constructs which, when the API functionality is enabled, provide long-term credentials. Groups offer a logical organization of users (e.g. Developers, Admins, etc.) which can help manage the use of IAM Users. Roles provide humans (if done through federated access) and systems/services/programs with access to perform actions.

IAM Users are great for folks who are just starting out in AWS or for companies which do not have their own Identity Provider (e.g. AzureAD, Ping, Auth0, etc.) which provides authentication of a human. If a company has an Identity Provider (IdP), it is recommended that they use federated access (also called "assuming a role") to provide ephemeral, short-term credentials, which decreases the likelihood of credential compromise.

If an application has the ability to assume a role in AWS, then it can perform any action defined by the policy (or policies) attached to it. There are several ways this can happen. If your application is under your development control, you can build in the ability for it to assume a role and store the credentials for use in the calls it makes. If the application cannot assume a role, and you're running the application on an Amazon EC2 instance, you can create an EC2 instance profile (which is an IAM Role/Policy for EC2 instances) which allows anything running on that instance to perform the allowed actions. The necessary credentials are available via the Amazon Metadata Service (referred to as IMDS). If your application requires credentials to be provided to it as a configuration of the application, IAM Users can be leveraged; however, this is not considered an AWS Security best practice, and additional guardrails should be in place to ensure rotation and credential safeguarding.

answered 4 months ago
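The role-based setup the answer recommends, as an added example that is not part of the thread: a role the third-party reporting app assumes (so it receives short-lived credentials instead of IAM user keys), with a trust policy limited to the app's own AWS account and an ExternalId, and a permissions policy that is checked to contain only read-only actions such as the `iam:GetAccountSummary` call from the question. The account ID, ExternalId, role name and file names are constructed placeholders.

```python
"""Added example: define a least-privilege IAM role for a third-party
reporting app to assume, rather than giving the app long-term IAM user keys."""
import json
import re

# Constructed placeholder values; replace with the real account ID and a random secret.
APP_ACCOUNT_ID = "111122223333"                # the third party's AWS account (hypothetical)
EXTERNAL_ID = "replace-with-random-secret"     # shared out-of-band; guards against confused deputy

READ_ONLY_VERBS = ("Get", "List", "Describe")  # action verbs treated as read-only


def trust_policy(app_account_id: str, external_id: str) -> dict:
    """Who may assume the role: only the app's account, and only when it presents the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{app_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def is_read_only_action(action: str) -> bool:
    """'iam:GetAccountSummary' and 'iam:List*' pass; 'iam:*', '*' and 'iam:CreateUser' do not."""
    m = re.fullmatch(r"[a-z0-9-]+:([A-Za-z]+\*?)", action)
    return bool(m) and m.group(1).startswith(READ_ONLY_VERBS)


def permissions_policy(actions: list) -> dict:
    """What the role may do once assumed; refuses any action that is not read-only."""
    bad = [a for a in actions if not is_read_only_action(a)]
    if bad:
        raise ValueError(f"non read-only actions: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


if __name__ == "__main__":
    # Write the documents, then create the role with the AWS CLI (role name is a placeholder):
    #   aws iam create-role --role-name ReportReader --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name ReportReader --policy-name ReadReports --policy-document file://perm.json
    # The app obtains temporary credentials with:
    #   aws sts assume-role --role-arn <role arn> --role-session-name report --external-id <ExternalId>
    with open("trust.json", "w") as f:
        json.dump(trust_policy(APP_ACCOUNT_ID, EXTERNAL_ID), f, indent=2)
    with open("perm.json", "w") as f:
        json.dump(permissions_policy(["iam:GetAccountSummary", "iam:List*"]), f, indent=2)
```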
