Managing access with IAM

Amazon SWF controls access to its resources through IAM. Every actor in a workflow (the workflow starter, the decider and each activity worker) must sign each request to the SWF endpoint with an access key ID and secret access key. The best practice is to give each actor an IAM role that carries only the permissions it needs for its workflow, and to have the actor obtain temporary credentials for that role (for example through an EC2 instance profile or sts:AssumeRole) before it polls and responds to SWF. That way no long-term access key and secret key has to be embedded in the application. Long-term keys can still be used for manual tasks such as designing and troubleshooting the workflow itself, but they should stay out of the deployed actors.

There are two kinds of permission that can be applied to an IAM principal (user, group, or role) to control access to SWF:

  • Resource permissions: define which SWF domains the principal may act on. The domain ARN (arn:aws:swf:region:account-id:/domain/DomainName) is the Resource element of a policy statement; SWF condition keys such as swf:workflowType.name, swf:activityType.name and swf:taskList.name narrow a statement further to particular workflow types, activity types or task lists within that domain
  • API permissions: define which SWF API actions (the Action element, for example swf:PollForActivityTask or swf:StartWorkflowExecution) the principal is allowed to call

Combining these two kinds of permission gives fine-grained control over SWF resources and lets us follow the least-privilege principle. For example, we can grant a particular principal:

  • Full control over all resources in all domains or in a certain domain
  • Read-only permissions over all domains or all resources in a certain domain
  • Read-only permissions over a certain workflow within a certain domain
  • A combination of full control and read-only access to specific resources in specific domains
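As an added example (not code from the book), the two kinds of permission are combined below into two least-privilege policies, one for an activity worker role and one for a read-only principal, in Python. The account ID, region, domain name and task-list name are placeholders; swf:taskList.name is one of SWF's documented condition keys. The is_allowed function is a deliberately simplified model of IAM evaluation (default deny, pattern-matched Action and Resource, StringEquals conditions, explicit Deny wins) added so the policies can be exercised offline; it is not AWS's policy engine and ignores features such as NotAction, policy variables and the other condition operators.

```python
"""Least-privilege IAM policies for Amazon SWF actors, plus a small evaluator.

Added example, not from the book. Account ID, region, domain and task-list
names are assumed placeholders. is_allowed() is a simplified model of IAM
(default deny, explicit Deny wins, StringEquals only), not AWS's engine.
"""
import fnmatch

ACCOUNT = "123456789012"  # assumed account ID
REGION = "us-east-1"      # assumed region
# SWF's only resource type is the domain, so the Resource element is a domain ARN.
DOMAIN_ARN = f"arn:aws:swf:{REGION}:{ACCOUNT}:/domain/OrderProcessing"  # assumed
OTHER_DOMAIN_ARN = f"arn:aws:swf:{REGION}:{ACCOUNT}:/domain/Staging"    # assumed

# Activity worker: API permissions limited to poll/respond/heartbeat, resource
# permissions limited to one domain, and the poll restricted by the
# swf:taskList.name condition key to the worker's own task list.
ACTIVITY_WORKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["swf:PollForActivityTask"],
            "Resource": DOMAIN_ARN,
            "Condition": {"StringEquals": {"swf:taskList.name": "payments-tasks"}},  # assumed
        },
        {
            "Effect": "Allow",
            "Action": [
                "swf:RespondActivityTaskCompleted",
                "swf:RespondActivityTaskFailed",
                "swf:RecordActivityTaskHeartbeat",
            ],
            "Resource": DOMAIN_ARN,
        },
    ],
}

# Read-only principal: Describe/List/Count and execution history for one domain.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["swf:Describe*", "swf:List*", "swf:Count*",
                       "swf:GetWorkflowExecutionHistory"],
            "Resource": DOMAIN_ARN,
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    """Only StringEquals is modelled; a missing context key or unknown operator fails."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: default deny; explicit Deny overrides any Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        ("worker polls own task list", ACTIVITY_WORKER_POLICY, "swf:PollForActivityTask",
         DOMAIN_ARN, {"swf:taskList.name": "payments-tasks"}),
        ("worker polls another task list", ACTIVITY_WORKER_POLICY, "swf:PollForActivityTask",
         DOMAIN_ARN, {"swf:taskList.name": "reporting-tasks"}),
        ("worker responds in another domain", ACTIVITY_WORKER_POLICY,
         "swf:RespondActivityTaskCompleted", OTHER_DOMAIN_ARN, {}),
        ("worker starts a workflow", ACTIVITY_WORKER_POLICY, "swf:StartWorkflowExecution",
         DOMAIN_ARN, {}),
        ("auditor describes an execution", READ_ONLY_POLICY, "swf:DescribeWorkflowExecution",
         DOMAIN_ARN, {}),
        ("auditor completes a task", READ_ONLY_POLICY, "swf:RespondActivityTaskCompleted",
         DOMAIN_ARN, {}),
    ]
    for label, policy, action, resource, ctx in checks:
        print(f"{label}: {'ALLOW' if is_allowed(policy, action, resource, ctx) else 'DENY'}")
```

The worker's poll is denied when the swf:taskList.name key is absent from the request context, which matches how IAM treats a StringEquals condition on a key the request does not carry; when auditing real policies, test the missing-key case as well as the wrong-value case.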