
Federated User

A federated user is an identity that is authenticated by a third-party identity provider and can access AWS resources without needing to create a dedicated AWS account.

Description

In the context of Amazon Web Services (AWS), a federated user is someone who accesses AWS resources through a federation process, which allows them to use their existing credentials from an external identity provider (IdP). This is particularly useful for organizations that want to manage user identities centrally while allowing access to AWS services without the overhead of managing AWS IAM users. Federated users are common in Single Sign-On (SSO) scenarios, where employees log in with their corporate credentials. By using standards such as SAML (Security Assertion Markup Language) or OpenID Connect, AWS can trust authentication performed by IdPs such as Microsoft Active Directory, Google Workspace, or Okta and exchange the resulting assertion or token for temporary AWS credentials. This approach not only streamlines user management but also improves security by reducing the number of passwords users need to remember. Consequently, federated access helps organizations maintain compliance and control access to sensitive AWS resources more tightly.

Examples

  • An employee logs into the AWS Management Console using corporate credentials from Microsoft Active Directory.
  • A developer accesses an AWS application through a web portal that uses Okta for authentication.

Additional Information

  • Federated users do not have a permanent IAM user account in AWS; they receive temporary security credentials by assuming an IAM role, which reduces the attack surface compared with long-lived IAM user credentials.
  • Organizations can define permissions for federated users using AWS IAM roles, allowing fine-grained access control.
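Because a federated user's permissions come entirely from the IAM role they assume, the role's trust policy is the gate that decides which IdP assertions are accepted. The following added example (not code from the original page or from AWS) audits a SAML trust policy: it checks that the role can only be assumed through sts:AssumeRoleWithSAML by the registered SAML provider and that the SAML:aud condition pins the assertion to the AWS sign-in endpoint. The account ID, the provider name, and both policy documents are constructed placeholders; the action-wildcard matching uses fnmatch as an approximation of IAM's pattern semantics.

```python
import json
from fnmatch import fnmatch

# Constructed sample data (not from the original page): the account ID and
# provider name are placeholders, not real identifiers.
SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/CorpIdP"
EXPECTED_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Trust policy of a role that federated users assume: only assertions issued by
# the registered SAML provider and addressed to the AWS sign-in endpoint are
# accepted.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": EXPECTED_AUDIENCE}},
    }],
}

# A misconfigured variant (constructed): any AWS principal may assume the role,
# and the statement lacks the audience condition on the SAML path.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sts:AssumeRole", "sts:AssumeRoleWithSAML"],
    }],
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(actions, target):
    """True if any action pattern (e.g. 'sts:*') covers the target action."""
    return any(fnmatch(target, a.lower()) for a in actions)


def audit_saml_trust_policy(policy, provider_arn, audience=EXPECTED_AUDIENCE):
    """Return findings for every Allow statement that grants role assumption.

    An empty list means the trust policy only admits federated users whose
    SAML assertion comes from `provider_arn` and is addressed to `audience`.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        allows_saml = _matches(actions, "sts:assumerolewithsaml")
        allows_plain = _matches(actions, "sts:assumerole")
        if not (allows_saml or allows_plain):
            continue

        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {idx}: role assumable by any AWS principal")

        if allows_saml:
            federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
            if federated != [provider_arn]:
                findings.append(f"statement {idx}: Federated principal is {federated}, "
                                f"expected [{provider_arn}]")
            string_equals = stmt.get("Condition", {}).get("StringEquals", {})
            if _as_list(string_equals.get("SAML:aud")) != [audience]:
                findings.append(f"statement {idx}: missing or wrong SAML:aud condition")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, json.dumps(audit_saml_trust_policy(policy, SAML_PROVIDER_ARN), indent=2))
```

The same check can be run against a live role by feeding it the `AssumeRolePolicyDocument` returned by the IAM GetRole API; the audit is intentionally local so it can also run in CI against policy files before deployment.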
