Comprehensive Identity and Access Management in AWS: Authentication, Authorization, and Policy Control Mechanisms

Authors

  • Dr. Priya Nair, Department of IT, PSG College of Technology, Coimbatore, Tamil Nadu, India.

DOI:

https://doi.org/10.63282/3117-5481/AIJCST-V2I4P101

Keywords:

AWS IAM, Authentication, Authorization, Multi-Factor Authentication (MFA), IAM Identity Center (AWS SSO), AWS STS, Identity-Based Policies, Resource-Based Policies, Permission Boundaries, Service Control Policies (SCPs), Attribute-Based Access Control (ABAC)

Abstract

This paper presents a cohesive blueprint for implementing Identity and Access Management (IAM) on Amazon Web Services that balances security, scalability, and developer velocity. We frame IAM around three pillars (authentication, authorization, and policy control) and show how they interlock to operationalize zero-trust and least-privilege principles. For authentication, we examine multi-factor authentication (MFA), workforce federation with IAM Identity Center (AWS SSO), and short-lived credentials issued by AWS Security Token Service (STS) to minimize exposure from long-lived secrets. For authorization, we detail the composition of identity-based, resource-based, session, and boundary policies, along with Service Control Policies (SCPs) under AWS Organizations, and explain the evaluation order (explicit deny, allow, implicit deny) that governs effective permissions. We further explore scalable entitlement models using attribute-based access control (ABAC) with tags and context keys, and cover workload identity patterns for EC2, Lambda, and EKS that eliminate embedded credentials. On governance, we outline preventive guardrails (SCPs, permission boundaries), detective controls (CloudTrail, Access Analyzer, CloudTrail Insights), and policies-as-code practices (versioning, automated testing, and continuous right-sizing from observed usage) to maintain compliance while reducing policy sprawl. The paper concludes with a practical operating model that integrates evidence generation, policy simulation, and automated least-privilege recommendations, enabling organizations to reduce risk and audit burden without impeding delivery across multi-account and hybrid environments.
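The evaluation order the abstract describes (an explicit deny anywhere wins; SCPs, the permission boundary and any session policy must each allow; only then does an identity-based or resource-based allow take effect; otherwise the request is implicitly denied) is easier to reason about as a small simulator. The following Python is an added illustration written for this page, not code from the paper. It assumes a single same-account request, ignores Condition blocks, NotAction/NotResource and principal matching, uses glob-style wildcards only, and deliberately omits the AWS corner case where a resource-based policy naming the principal is not limited by a permission boundary. The policy documents inside `scenarios()` are constructed sample inputs.

```python
from fnmatch import fnmatchcase

# Constructed sample SCP standing in for the default FullAWSAccess policy.
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _statement_matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns cover the request.
    Actions are compared case-insensitively (as IAM does); ARNs are case-sensitive."""
    action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def verdict(policy, action, resource):
    """Decision of one policy document in isolation.
    'NotPresent' means the policy type is not attached at all, which is
    different from an attached policy that simply does not mention the action."""
    if policy is None:
        return "NotPresent"
    effects = {s["Effect"] for s in policy.get("Statement", []) if _statement_matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def evaluate(action, resource, *, identity_policies=(), resource_policy=None,
             scps=(), permission_boundary=None, session_policy=None):
    """Simplified same-account evaluation chain. Returns (decision, reason)."""
    layers = {
        "SCP": [verdict(p, action, resource) for p in scps],
        "permission boundary": [verdict(permission_boundary, action, resource)],
        "session policy": [verdict(session_policy, action, resource)],
        "identity-based policy": [verdict(p, action, resource) for p in identity_policies],
        "resource-based policy": [verdict(resource_policy, action, resource)],
    }
    # Step 1: an explicit Deny in any policy type overrides every Allow.
    for name, verdicts in layers.items():
        if "Deny" in verdicts:
            return "Deny", f"explicit deny in {name}"
    # Step 2: when SCPs apply, every SCP in the OU chain must allow the action
    # (the effective SCP is the intersection of the chain).
    if layers["SCP"] and any(v != "Allow" for v in layers["SCP"]):
        return "Deny", "implicit deny: SCP does not allow the action"
    # Steps 3 and 4: a permission boundary or session policy, if present, caps
    # what the identity-based policies can grant. (Simplification: the
    # resource-policy carve-out for named principals is not modelled.)
    for name in ("permission boundary", "session policy"):
        if layers[name][0] == "ImplicitDeny":
            return "Deny", f"implicit deny: {name} does not allow the action"
    # Step 5: with the caps satisfied, an Allow from either an identity-based or
    # a resource-based policy grants the request.
    if "Allow" in layers["identity-based policy"] or "Allow" in layers["resource-based policy"]:
        return "Allow", "allowed by identity-based or resource-based policy"
    return "Deny", "implicit deny: no policy grants the action"


def scenarios():
    """Constructed sample policies exercising each branch of the chain."""
    obj = "arn:aws:s3:::prod-bucket/report.csv"  # constructed ARN
    identity = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::prod-bucket/*"}]}
    scp_deny_s3 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
    boundary_list_only = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}
    bucket_policy = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                    "Resource": "arn:aws:s3:::prod-bucket/*"}]}
    return {
        "identity_allow": evaluate("s3:GetObject", obj, identity_policies=[identity], scps=[ALLOW_ALL]),
        "scp_explicit_deny": evaluate("s3:GetObject", obj, identity_policies=[identity],
                                      scps=[ALLOW_ALL, scp_deny_s3]),
        "boundary_implicit_deny": evaluate("s3:GetObject", obj, identity_policies=[identity],
                                           scps=[ALLOW_ALL], permission_boundary=boundary_list_only),
        "resource_policy_allow": evaluate("s3:GetObject", obj, resource_policy=bucket_policy, scps=[ALLOW_ALL]),
        "nothing_grants": evaluate("s3:PutObject", obj, identity_policies=[identity], scps=[ALLOW_ALL]),
    }


if __name__ == "__main__":
    for name, (decision, reason) in scenarios().items():
        print(f"{name:24s} {decision:5s} {reason}")
```

The useful lesson from the scenarios is the difference between the two kinds of deny: an SCP or boundary that merely fails to mention an action produces an implicit deny that a broader identity policy cannot overcome, while an explicit Deny statement short-circuits the whole chain before any Allow is considered. For real decisions, the IAM policy simulator and CloudTrail's `errorCode`/`errorMessage` fields remain the authoritative sources; this model only fixes the ordering in the reader's mind.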


Published

2020-07-02

Section

Articles

How to Cite

P. Nair, “Comprehensive Identity and Access Management in AWS: Authentication, Authorization, and Policy Control Mechanisms”, AIJCST, vol. 2, no. 4, pp. 1–10, Jul. 2020, doi: 10.63282/3117-5481/AIJCST-V2I4P101.
