I'm working on a Node.js application on AWS for the first time and am still learning all the services. I'm working on my application's authentication and authorization and am at the point of creating my user roles and groups. Is the AWS IAM service meant for both AWS management and for your application's user authorization, or should I use one of Node.js's ACL modules and manage my roles and users outside of the AWS IAM service?
3 Answers
Should you use AWS IAM roles and permissions for application users?
No, you should not. AWS IAM roles and permissions control AWS user/instance access to AWS services only via EC2 user profiles and instances. They are not intended to be used for specifying user authentication or roles in a proprietary application.
Should I use one of Node.js's ACL modules and manage my roles and users outside of the AWS IAM service?
Yes, correct. Use native methods/libraries for managing application-specific user authentication and roles in your app.

Thanks for the direct answers to my questions. This confirms my speculation. – Nikordaris Jan 09 '16 at 22:55
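As an added illustration of the approach in the answer above (not code from any poster on this page), here is a minimal application-level role check that lives entirely in the Node.js app and never touches IAM. The role names, permission strings, the `ROLES` table and the `req.user.roles` shape are assumptions made for this example; the middleware follows the Express-style `(req, res, next)` signature.

```javascript
// Application roles live in the app's own data, not in AWS IAM.
// Role names and permission strings are constructed for this example.
const ROLES = {
  viewer: { can: ['doc:read'], inherits: [] },
  editor: { can: ['doc:write'], inherits: ['viewer'] },
  admin: { can: ['user:manage'], inherits: ['editor'] },
};

// Collect every permission a role grants, following inheritance.
// Unknown role names grant nothing (deny by default). The own-property
// check stops names such as "__proto__" from resolving through the
// prototype chain, and `seen` stops inheritance cycles from recursing.
function permissionsFor(role, seen = new Set()) {
  const known = Object.prototype.hasOwnProperty.call(ROLES, role);
  if (!known || seen.has(role)) return new Set();
  seen.add(role);
  const perms = new Set(ROLES[role].can);
  for (const parent of ROLES[role].inherits) {
    for (const p of permissionsFor(parent, seen)) perms.add(p);
  }
  return perms;
}

// True only if one of the user's roles grants the permission.
function isAllowed(user, permission) {
  if (!user || !Array.isArray(user.roles)) return false;
  return user.roles.some((role) => permissionsFor(role).has(permission));
}

// Express-style middleware factory. Assumes an earlier authentication
// step (for example a session or token check) has populated req.user.
function requirePermission(permission) {
  return (req, res, next) => {
    if (!req.user) {
      return res.status(401).json({ error: 'authentication required' });
    }
    if (!isAllowed(req.user, permission)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}
```

The split between 401 (no authenticated user) and 403 (authenticated but lacking the permission) keeps authentication failures distinguishable from authorization failures in the application's logs.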
With the rise of API Gateway and Lambda, I'm wondering if this advice still holds true.
I have a very simple API in Node, which is pretty much just ACL around storing a blob of JSON in Mongo.
If I could model my permissions in IAM and use a Lambda function for handling the Mongo write/read, it would seem sensible to use IAM for my application user creds.
Possibly this is what Cognito was released to support? (Although I haven't looked into this much.)

Thanks for the tip about Cognito. I'll do more research on it but at first glance it does seem to be the service I was looking for. – Nikordaris Jul 19 '16 at 08:40
AWS IAM users are used to share your Amazon services with someone (your team for example) without having to disclose your personal password.
One of the key advantages is being able to give admin access to any staff member without allowing them to access your credit card data.
If you need to create a simple authentication module for your application or website (the common case of a system with a username and password) then you can try using something like PassportJS.

Thanks for the PassportJS suggestion. I hadn't seen that one yet in my brief research. – Nikordaris Jan 09 '16 at 22:53