Amazon makes it easier for IT to track apps bought from its marketplace

The notion of shadow IT — developers spinning up applications in the cloud that are not officially on IT’s roadmap — has become a big issue. Now Amazon is taking a stab at that problem by integrating its Identity and Access Management (IAM) with the Amazon Marketplace, which lists an array of third-party services — MongoDB or CouchDB databases, SAP analytics, Riverbed traffic management, etc. — that run on Amazon infrastructure.

According to a post on the Amazon Web Services blog:

As the AWS account owner, you now have fine-grained control over usage and software costs. Roles and permissions are created and managed through IAM, making it easy to get started, and easy to add controls for AWS Marketplace to new or existing IAM groups. You can now use Marketplace permissions to control access to Marketplace and to the EC2 instances that it launches, based on a user’s role in the business.

There are three pre-built roles set up for different user types — although they can all be customized. A read-only mode lets administrators view subscribed software to see who’s using what but not actually manage it. A manager function allows the user to subscribe to software but not launch or manage the underlying Amazon EC2 instances. And a full control role is a superset of all of the other permissions that allows that rights holder to subscribe, create, and manage the underlying EC2 instances.
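To make the three tiers concrete, here is an added sketch (not code from the AWS post or from AWS's own managed policies) that models each role as an IAM policy document and checks that the tiers nest as described. The action names are real IAM actions, but which actions go in which tier is an assumption made for illustration, and the evaluator is a simplified stand-in for IAM's real logic.

```python
from fnmatch import fnmatchcase

# Constructed policies, one per role described above. The grouping of
# actions into tiers is an assumption, not AWS's managed-policy content.
READ = ["aws-marketplace:ViewSubscriptions", "ec2:DescribeInstances"]
SUBSCRIBE = ["aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe"]
EC2_MANAGE = ["ec2:RunInstances", "ec2:StopInstances", "ec2:TerminateInstances"]
UNIVERSE = READ + SUBSCRIBE + EC2_MANAGE


def policy(actions):
    """Build a minimal IAM policy document allowing the given actions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


ROLES = {
    "read_only": policy(READ),
    "manager": policy(READ + SUBSCRIBE),
    "full_control": policy(READ + SUBSCRIBE + EC2_MANAGE),
}


def is_allowed(doc, action):
    """Simplified evaluation: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in doc["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names are case-insensitive and may contain wildcards.
        if any(fnmatchcase(action.lower(), a.lower()) for a in acts):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def allowed_set(role):
    """Actions from UNIVERSE that the named role may perform."""
    return {a for a in UNIVERSE if is_allowed(ROLES[role], a)}


def audit():
    """Return a list of findings where the tiers fail to nest as intended."""
    findings = []
    if not allowed_set("read_only") <= allowed_set("manager"):
        findings.append("manager is missing read-only permissions")
    if not allowed_set("manager") <= allowed_set("full_control"):
        findings.append("full_control is not a superset of manager")
    if any(is_allowed(ROLES["manager"], a) for a in EC2_MANAGE):
        findings.append("manager can launch or manage EC2 instances")
    if any(is_allowed(ROLES["read_only"], a) for a in SUBSCRIBE):
        findings.append("read_only can change subscriptions")
    return findings


if __name__ == "__main__":
    print(audit() or "tiers nest as described")
```

Running the same audit over customized versions of these roles is a quick way to catch a "manager" policy that has quietly gained EC2 launch rights.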

IAM, which provides some central controls and permissions for multiple users on a central account, has been available for years. “With it you can do users vs. allowed action. For example, you might be able to create and delete S3 buckets, but Bob is only able to read S3 buckets, but he can create new EC2 instances and you can’t. All of these things can cause the monthly bill to go up (or down, I suppose if you delete stuff),” said Robert Shear, CEO of Greystone Solutions, via email. Greystone is a Boston-based developer and heavy AWS user.

“Now, Amazon has made it really easy to connect with third-party solutions in the AWS Marketplace and these can also make your bill go up or down. So it makes sense to make sure that someone in a position of responsibility can control who gets to buy [or actually rent] what from the marketplace.”

Ed Byrne, CEO of Cloud Vertical, a startup dedicated to helping customers get the most out of their AWS infrastructure, said this move “abstracts AWS away from being Infrastructure as a Service only.”

“Now AWS admins can give business users [the ability to] deploy applications themselves without worrying about underlying infrastructure or security,” Byrne said.

Amazon recently launched a marketplace that lets users trade Amazon Reserved Instances, although that looks like a separate effort. But taken together, these efforts do broaden AWS’s reach beyond hard-core developers.

The ability for a company to trade the Reserved Instances it has already bought makes the notion of prepaying for compute power more palatable to finance departments, Byrne said. “Amazon Web Services are starting to become less of a black hole to CIOs.”


GigaOM