Security implications
In conclusion, the type of credentials you choose to use in AWS depends on your specific use case and security requirements. Long-term credentials are suitable for persistent access but require careful management and regular rotation. On the other hand, temporary credentials offer a high level of security due to their short lifespan and are ideal for scenarios that require temporary, limited access, or access from non-human identities hosted in AWS.
The following table (Table 3.2) compares the different types of credentials mentioned in this sub-section, including their use case, the types of users, and their level of security:
| Credentials Type | Use Cases | User Types | Security Level |
| Passwords | AWS Management Console | Human | Low (single factor) |
| MFA | AWS Management Console and CLI | Human | High (two factors) |
| Access keys | AWS CLI, AWS SDKs, and AWS API | Human, non-human | Low (single factor) |
| Temporary credentials | Identity federation, cross-account access, IAM roles assigned to non-human identities | Human, non-human | High (short lifespan, automatically revoked) |
Table 3.2 – Comparison of the different types of credentials
Remember, the security of your AWS environment is only as strong as the weakest link. Therefore, it is crucial to enforce strong security practices across all types of credentials regardless of their security level. As we wrap up our discussion on the types of credentials and their use cases, let’s transition to the foundational elements of AWS IAM identities: users, groups, and roles. Understanding these elements is essential for implementing robust access control measures.
IAM users, groups, and roles
In the vast ecosystem of AWS IAM, the concepts of users, groups, and roles are foundational. These components are the building blocks that allow for fine-grained access control, ensuring that only authorized identities can access your AWS resources. Let’s delve deeper into each of these components, understanding their significance, use cases, and best practices.
Users
An IAM user is an individual identity with specific permissions that determine what it can and cannot access in AWS. Each IAM user is associated with a single AWS account. While each AWS account starts with a single IAM user, the root user, it is essential to differentiate between human and non-human users.