| Mechanism | AWS service | Use when |
| --- | --- | --- |
| AWS Signature v4 | All | - You have access to AWS credentials (temporary or long-lived)<br>- You want to call AWS services directly through their APIs |
| Mutual TLS | API Gateway | - The cost and effort of maintaining digital certificates is acceptable<br>- You already have a process in place to maintain digital certificates<br>- You plan to call AWS services indirectly through custom-built APIs |
| OpenID Connect | Cognito / API Gateway | - You need or want to procure temporary AWS credentials by using a REST-based mechanism<br>- You want to call AWS services directly through their APIs |
| SAML | Cognito / IAM | - You need to procure temporary AWS credentials<br>- You already have a SAML-based authentication process in place<br>- You want to call AWS services directly through their APIs |
| Kerberos | | - You already have a Kerberos-based authentication process in place<br>- None of the previously mentioned mechanisms can be used for your use case |
| IAM Roles Anywhere | IAM | - The cost and effort of maintaining digital certificates is acceptable<br>- You already have a process in place to maintain digital certificates<br>- You want to call AWS services directly through their APIs<br>- You need temporary security credentials for workloads such as servers, containers, and applications that run outside of AWS |