AWS – Security, Identity & Compliance – IAM


Security, Identity & Compliance

  • The first priority at AWS is cloud security.
  • AWS and its partners offer tools and features to help you meet your security objectives around visibility, auditability, controllability, and agility.

IAM

  • A web service that helps you securely control access to AWS resources for your users.
  • Controls who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

Principals

  • It is an IAM entity that is allowed to interact with AWS resources.
  • It can be permanent or temporary.
  • It can represent a human or an application.
  • Types of principals: root users, IAM users, roles/temporary security tokens.

Overview of Identity Management: Users

  • Root User

○When you create an AWS account, you create an account (or “root”) identity, which you use to sign in to AWS.

○You can sign in to the AWS Management Console using this root identity.

○This combination of your email address and password is also called your root account credentials.

  • IAM User

○Instead of sharing your root account credentials with others, you can create individual IAM users within your account that correspond to users in your organization.

○IAM users are not separate accounts; they are users within your account.

  • Roles/temporary security tokens

○They are used to grant specific privileges to specific actors for a set duration of time.

Actors are authenticated by AWS

Security Features Outside of IAM

  • You use IAM to control access to tasks that are performed using the AWS Management Console, the AWS Command Line Tools, or service APIs using the AWS SDKs.
  • Some AWS products have other ways to secure their resources as well.
  • These access control methods are not part of IAM.
  • IAM helps you control the tasks that are performed by making requests to Amazon Web Services, and it helps you control access to the AWS Management Console.
  • IAM does not help you manage security for tasks like signing in to an operating system (Amazon EC2), database (Amazon RDS), desktop (Amazon WorkSpaces), or collaboration site (Amazon WorkDocs).

Authentication

  • IAM authenticates a principal in three ways:

○User Name/Password—A username/password pair is issued to a human principal, who presents it to verify their identity.

○Access Key—A combination of an access key ID (20 characters) and a secret access key (40 characters) is known as an access key.

○Access Key/Session Token—A temporary security token provides an access key plus a session token for authentication when a process operates under an assumed role.

  • An IAM user has neither an access key nor a password when it is created; either or both can be set up by the IAM administrator.
  • This adds an extra layer of security.
  • After authenticating a principal, IAM, in order to protect your AWS infrastructure, must then manage the access of that principal.
  • Policies

○Each permission defines:

■Effect—A single word: Allow or Deny.

■Service—Most AWS Cloud services support granting access through IAM, including IAM itself.

■Resource—The resource value specifies the AWS infrastructure to which this permission applies. It is specified as an Amazon Resource Name (ARN).

■Action—The action value specifies the subset of actions within a service that the permission allows or denies.

■Condition—The condition value defines one or more additional restrictions that limit the actions allowed by the permission.

  • Associating Policies with Principals:

○User Policy

○Managed Policies

○Group Policy

○Managed Policies

○Managed Policies—Standalone policies that you can attach to multiple users, groups, and roles in your AWS account.

○The following diagram illustrates AWS managed policies.
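To make the Effect/Action/Resource/Condition elements concrete, here is an added example (not code from the page or from AWS) of a small evaluator that applies the core IAM decision rule to a constructed sample policy: an explicit Deny always wins, an Allow is required, and a request matching no statement is implicitly denied. Only the `Bool` condition operator is implemented; the bucket name, account ID and context keys are made up for the example.

```python
import fnmatch
import json
# Constructed sample identity policy (not from the page): read access to one
# bucket, an explicit deny on object deletion, and an EC2 action gated on MFA.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # Action and Resource values accept * and ? wildcards; action names are
    # case-insensitive, ARNs are case-sensitive.
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(condition, context):
    # Simplified: only the Bool operator is implemented; any other operator
    # counts as unsatisfied, so the statement does not apply.
    for operator, pairs in condition.items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request (NotAction/NotResource not handled)."""
    # Core IAM rule: an explicit Deny always wins, an Allow is required for
    # access, and a request that matches no statement is implicitly denied.
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action, fold_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, fold_case=False):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"
```

The MFA-gated statement shows why the Condition element matters: the same principal gets `Deny` for `ec2:StopInstances` until the request context carries `aws:MultiFactorAuthPresent` set to true.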


Using Multi-Factor Authentication (MFA) in AWS

  • For increased security, you configure multi-factor authentication (MFA) to help protect your AWS resources.
  • MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device or SMS text message when they access AWS websites or services.
  • Security token-based: This type of MFA requires you to assign an MFA device (hardware or virtual) to the IAM user or the AWS root account.

Rotating Access Keys

  • As a security best practice, an administrator should regularly rotate (change) the access keys for IAM users in the account.
  • You can also apply a password policy to your account to require that all of your IAM users periodically rotate their passwords.
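The MFA and key-rotation points above are the kind of thing an administrator checks from the IAM credential report (`aws iam generate-credential-report` followed by `aws iam get-credential-report`). The following is an added example, not from the page or from AWS, that runs such checks over a constructed report in the report's CSV column layout: it flags active root access keys, missing MFA, and active keys older than a rotation threshold. The user names, account ID and timestamps are made up, and only the columns the check reads are included.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report; only the
# columns this check reads are included (a real report has more). Not real data.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-03-01T09:30:00+00:00,false,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,false,false,true,2023-06-15T12:00:00+00:00,true,2024-04-20T12:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
"""

# Fixed "now" so the sample output is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

def _parse_time(value):
    # The report uses N/A or no_information where no timestamp applies.
    return None if value in ("N/A", "no_information", "") else datetime.fromisoformat(value)

def find_findings(report_csv, now, max_key_age_days=90):
    """Return (user, finding) tuples: root keys, missing MFA, stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        keys_active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if is_root and keys_active:
            findings.append((user, "root account has an active access key"))
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA device"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in keys_active:
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                age = (now - rotated).days
                findings.append((user, f"access key {n} is {age} days old; rotate it"))
    return findings

def run_sample():
    return find_findings(SAMPLE_REPORT, NOW)
```

On the sample, `alice` is flagged even though her key is only 92 days old, which is the point of a fixed threshold: rotation is enforced on age, not on whether the key looks suspicious.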

Changing Permissions for an IAM User

  • You can change the permissions for an IAM user in your AWS account by changing its group memberships or by attaching and detaching managed policies.
  • A user gets its permissions through one of the following methods:

○Group membership

○Direct policy attachment

  • You can change the permissions associated with a user through one of three techniques:

○Add the user to a group

○Copy permissions from an existing user

○Attach policies directly to the user
