While much of Amazon re:Invent 2023 unsurprisingly focused on AI, Amazon also made numerous announcements related to identity and access management, or IAM.
For example, two new AWS capabilities help developers secure machine identities. The following features aim to simplify application authentication and authorization:
- Mutual authentication for Application Load Balancer. This removes the need for developers to build their own X.509 client certificate authentication stack. Instead, developers can offload client certificate authentication to the Application Load Balancer.
- EKS Pod Identity. Developers can define the default identities, roles and permissions that applications use to connect with AWS services outside of Kubernetes clusters.
These new capabilities simplify developers' efforts to apply zero trust by ensuring all clients and servers are authenticated and authorized, and that the correct roles and permissions are applied during application and data access. Zero trust is not just an esoteric concept; it is a paradigm that inverts how applications communicate, from a default of allowing any communication to denying all communication until explicit authorization is received.
Human identity-focused IAM AWS features
Amazon announced new capabilities to secure human identities, including two enhancements to IAM Access Analyzer:
- Unused access analyzer. This feature continuously monitors roles looking for permissions that are granted but remain unused.
- Custom policy checks. Identity administrators can validate that newly authored access policies don't accidentally grant additional permissions. This validation can be incorporated into automated policy reviews as part of the continuous integration/continuous delivery pipeline.
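As an added example of the CI/CD integration described above (not AWS's own code), the following pipeline gate calls the Access Analyzer CheckNoNewAccess API through boto3 and fails the build when a proposed IAM policy grants access the current one does not. The two policies are constructed samples; the gate takes the client as a parameter so it can be exercised offline with a stub, while a real run assumes boto3 and AWS credentials with permission to call the API.

```python
"""CI gate for IAM policy changes built on Access Analyzer custom policy checks.
Added example, not AWS's own code. The gate takes the client as a parameter so it
can run offline with a stub; the real run needs boto3 and AWS credentials."""
import json
import sys

# Constructed sample policies: the proposed version widens a single read grant
# on one bucket to every S3 action on every bucket.
EXISTING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports/*"}]}
PROPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def check_no_new_access(client, existing, proposed):
    """Return (passed, reasons) from the CheckNoNewAccess API.

    `client` is any object exposing boto3's AccessAnalyzer check_no_new_access.
    """
    resp = client.check_no_new_access(
        newPolicyDocument=json.dumps(proposed),
        existingPolicyDocument=json.dumps(existing),
        policyType="IDENTITY_POLICY",
    )
    passed = resp.get("result") == "PASS"
    reasons = [r.get("description", "") for r in resp.get("reasons", [])]
    return passed, reasons


def gate(client, existing, proposed):
    """Pipeline step: exit status 0 only when the proposal grants no new access."""
    passed, reasons = check_no_new_access(client, existing, proposed)
    if not passed:
        print("Policy check FAILED: proposed policy grants new access")
        for reason in reasons:
            print("  -", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    import boto3  # real client; requires AWS credentials in the environment
    sys.exit(gate(boto3.client("accessanalyzer"), EXISTING_POLICY, PROPOSED_POLICY))
```

Run it as a pipeline step with the current and proposed policy documents; a non-zero exit blocks the merge until the widened grant is justified or narrowed.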
According to research from TechTarget's Enterprise Strategy Group, 36% of organizations have suffered a breach or attack that exploited over-permissioned and underused identities. AWS' new capabilities simplify the efforts of identity security teams in reducing this critical attack surface.
Amazon One heading to the enterprise
What really captured my attention at re:Invent was Amazon One Enterprise, which brings the consumer palm-based Amazon One identity authentication service to the enterprise.
We've been using fingerprints, voice and facial authentication for years. Fingerprint readers, microphones and cameras are built into just about every mobile device and computer these days. So why is Amazon One Enterprise revolutionary?
Up until now, authentication and authorization for access to physical resources were largely managed separately from digital resource access.
Amazon One Enterprise merges and integrates physical and digital access into a single access management system. The following are some of the near-term benefits:
- Simplification of the UX. Anyone who needs physical access no longer needs to keep track of and use badges, key fobs, access cards or keys.
- Elimination of management of physical devices. Organizations don't have to purchase, distribute and manage badges, key fobs, access cards or keys.
- Deduplication of identity systems and records. Organizations don't have to maintain separate systems for physical and digital access. Each person has one identity for access to any resource -- physical or digital.
- Enhancement of security. Organizations can instantly and simultaneously disable both physical and digital access to terminated or otherwise unauthorized people.
In the longer term, I foresee Amazon enhancing the system to provide advanced security benefits, including the following:
- Adaptive access. I envision that administrators could create a policy that prevents access to sensitive digital resources, such as corporate financial systems and bank accounts, unless the user recently authenticated they are in a specific physical environment, such as corporate headquarters.
- Identity verification and verified IDs. Amazon could create a verified ID that associates the user's palm biometrics with other biometrics and other forms of identity with provenance, such as government-issued identification. This ensures the organization can establish and maintain confidence in the identity of users during onboarding and for account security in the credential management process.
I can also see other possibilities arising from Amazon One Enterprise, including threat detection and forensics capabilities due to the combination of physical and digital access logging.
The situation isn't perfect, however. I also foresee some challenges ahead, especially with user acceptance. Are users going to be happy with their employers or other organizations collecting more biometric data? Is Amazon providing a universal ID or is each biometric record stored separately for each Amazon One Enterprise customer? How do I provide alternative physical access when the service is unavailable?
Pricing -- of both the service and the palm reader device -- is another question. Will Amazon license the technology to other manufacturers? What if I want to use Amazon One Enterprise for access in a mobile environment, such as a crane or other heavy machinery?
Regardless of these questions, I'm excited by both the opportunities that Amazon One Enterprise opens and by Amazon's continued focus on simplification and enhancement of identity security.
Senior Analyst Jack Poller covers identity and data security at TechTarget's Enterprise Strategy Group.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.