Machine to Machine Authentication

Summary

• This is a summary of the Approaches for authenticating external applications in a machine-to-machine scenario AWS blog post
• It aims to help you decide which approach is best to securely connect your applications, either residing on premises or hosted outside of AWS, to your AWS environment when no human interaction comes into play

Authentication Mechanism	Service	Use Case
AWS Signature v4	All	You have access to AWS credentials (temporary or long-lived) You want to call AWS services directly through their APIs
Mutual TLS	API Gateway	The cost and effort of maintaining digital certificates is acceptable Your already have a process in place to maintain digital certificates You plan to call AWS services indirectly through custom-built APIs
OpenID Connect	Cognito / API Gateway	You need or want to procure temporary AWS credentials by using a REST-based mechanism You want to call AWS services directly through their APIs
SAML	Cognito/IAM	You need to procure temporary AWS credentials You already have a SAML-based authentication process in place You want to call AWS services directly through their APIs
Kerberos		You already have a Kerberos-based authentication process in place None of the previously mentioned mechanisms can be used for your use case
IAM Roles Anywhere	IAM	The cost and effort of maintaining digital certificates is acceptable You already have a process in place to maintain digital certificates You want to call AWS services directly through their APIs You need temporary security credentials for workloads such as servers, containers, and applications that run outside of AWS