Machine to Machine Authentication

Summary

Each entry lists the authentication mechanism, the AWS service that provides it, and the use case it fits.

AWS Signature v4
  Service: All
  Use case:
  • You have access to AWS credentials (temporary or long-lived)
  • You want to call AWS services directly through their APIs

Mutual TLS
  Service: API Gateway
  Use case:
  • The cost and effort of maintaining digital certificates is acceptable
  • You already have a process in place to maintain digital certificates
  • You plan to call AWS services indirectly through custom-built APIs

OpenID Connect
  Service: Cognito / API Gateway
  Use case:
  • You need or want to procure temporary AWS credentials by using a REST-based mechanism
  • You want to call AWS services directly through their APIs

SAML
  Service: Cognito / IAM
  Use case:
  • You need to procure temporary AWS credentials
  • You already have a SAML-based authentication process in place
  • You want to call AWS services directly through their APIs

Kerberos
  Service: not specified
  Use case:
  • You already have a Kerberos-based authentication process in place
  • None of the previously mentioned mechanisms can be used for your use case

IAM Roles Anywhere
  Service: IAM
  Use case:
  • The cost and effort of maintaining digital certificates is acceptable
  • You already have a process in place to maintain digital certificates
  • You want to call AWS services directly through their APIs
  • You need temporary security credentials for workloads such as servers, containers, and applications that run outside of AWS