Security, Identity & Compliance
- The first priority at AWS is cloud security.
- AWS and its partners offer tools and features to help you meet your security objectives around visibility, auditability, controllability, and agility.
- IAM (AWS Identity and Access Management) is a web service that helps you securely control access to AWS resources for your users.
- It controls who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).
- A principal is an IAM entity that is allowed to interact with AWS resources.
- It can be permanent or temporary.
- It can represent a human or an application.
- Types of principals: root users, IAM users, and roles / temporary security tokens.
Overview of Identity Management: Users
- Root User
○When you create an AWS account, you create an account (or “root”) identity, which you use to sign in to AWS.
○You can sign in to the AWS Management Console using this root identity.
○This combination of your email address and password is also called your root account credentials.
- IAM User
○Instead of sharing your root account credentials with others, you can create individual IAM users within your account that correspond to users in your organization.
○IAM users are not separate accounts; they are users within your account.
- Roles / temporary security tokens
○They are used to grant specific privileges to specific actors for a set duration of time.
○The actors are first authenticated by AWS; the credentials they receive are temporary and expire when the set duration ends.
Security Features Outside of IAM
- You use IAM to control access to tasks that are performed using the AWS Management Console, the AWS Command Line Tools, or service APIs using the AWS SDKs.
- Some AWS products have other ways to secure their resources as well.
- These access control methods are not part of IAM.
- IAM helps you control the tasks that are performed by making requests to Amazon Web Services, and it helps you control access to the AWS Management Console.
- IAM does not help you manage security for tasks like signing in to an operating system (Amazon EC2), database (Amazon RDS), desktop (Amazon WorkSpaces), or collaboration site (Amazon WorkDocs).
- IAM authenticates a principal in three ways:
○User Name/Password—A username / password pair is issued to the human represented by the principal, who presents it to verify their identity (used for AWS Management Console sign-in).
○Access Key—A combination of an access key ID (20 characters) and a secret access key (40 characters); used to sign API requests made from the CLI, the SDKs, and other programmatic callers.
○Access Key/Session Token—Temporary security credentials consisting of an access key pair plus a session token, provided when a process operates under an assumed role.
- An IAM user has neither an access key nor a password when it is created; either or both can be set up by the IAM administrator.
- Issuing only the credential type a user actually needs (console password, programmatic key, or both) keeps the attack surface small.
- After authenticating a principal, IAM must then manage the access of that principal in order to protect your AWS infrastructure.
○Permissions are expressed as statements in a policy document, each defining:
■Effect—A single word: Allow or Deny.
■Service—Most AWS Cloud services support granting access through IAM, including IAM itself.
■Resource—The resource value specifies the AWS infrastructure to which this permission applies, given as an Amazon Resource Name (ARN).
■Action—The action value specifies the subset of actions within a service that the permission allows or denies.
■Condition—The condition value defines one or more additional restrictions that limit when the permission applies (for example, the source IP address of the request or whether MFA was used).
- Associating Policies with Principals:
○Managed Policies—Standalone policies that you can attach to multiple users, groups, and roles in your AWS account. AWS managed policies are created and maintained by AWS; customer managed policies are created and maintained by you. The alternative is an inline policy, which is embedded in a single user, group, or role.
○The following diagram illustrates AWS managed policies.
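As an added example (not AWS code and not from the original page), the following Python models how the permission elements above combine when IAM evaluates an identity-based policy: the request is denied by default, an applicable explicit Deny overrides any Allow, and otherwise an applicable Allow grants it. The sample policy and request contexts are constructed for illustration; condition keys such as `aws:MultiFactorAuthPresent` and `aws:SourceIp` are real IAM keys, but only three condition operators are implemented, and resource policies, permissions boundaries and SCPs are left out.

```python
"""Simplified model of how IAM evaluates identity-based policy statements.

Added example, not AWS code. Decision logic: deny by default, an applicable
explicit Deny overrides any Allow, otherwise an applicable Allow grants.
"""
import fnmatch
import ipaddress


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Match with the '*' and '?' wildcards that IAM allows in Action and Resource."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    """All operators must match (AND); within one key any listed value suffices (OR).

    A key missing from the request context fails the test unless the operator
    carries the ...IfExists suffix, in which case the test counts as satisfied.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = context.get(key)
            if actual is None:
                if if_exists:
                    continue
                return False
            if base == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            elif base == "StringEquals":
                ok = str(actual) in expected
            elif base == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                         for c in expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one request."""
    context = context or {}
    decision = "implicitDeny"          # nothing matched yet: deny by default
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt["Action"])]   # action names are case-insensitive
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):     # ARNs are case-sensitive
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"      # an explicit Deny always wins
        decision = "allow"
    return decision


# Constructed sample policy (not from the page): read-only S3 access, instance
# termination only from the corporate range, and the common "deny everything
# unless MFA is present" guard. BoolIfExists is used so that requests signed
# with a long-term access key, where the MFA key is absent, are denied too.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow",
         "Action": "ec2:TerminateInstances",
         "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny",
         "Action": "*",
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", obj, {}))   # no MFA key at all: denied
```

The second call shows the edge case the `BoolIfExists` guard exists for: a request signed with a plain access key carries no `aws:MultiFactorAuthPresent` key at all, so a plain `Bool` test would never fire and the Deny would be skipped.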
Using Multi-Factor Authentication (MFA) in AWS
- For increased security, you can configure multi-factor authentication (MFA) to help protect your AWS resources.
- MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device when they access AWS websites or services, so a stolen password alone is not enough to sign in. (SMS text-message delivery of the code was offered to IAM users only as a limited preview, which AWS has since discontinued.)
- Security token-based: This type of MFA requires you to assign an MFA device (hardware or virtual) to the IAM user or the AWS root account.
Rotating Access Keys
- As a security best practice, administrators should regularly rotate (change) the access keys for IAM users in your account, and should delete keys that are no longer used.
- You can also apply a password policy to your account to require that all of your IAM users periodically rotate their passwords.
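The rotation itself is a short procedure with an ordering that matters: create the new key, deploy it, deactivate (not delete) the old one so a rollback is still possible, confirm the new key works, and only then delete the old one. The Python below is an added example, not AWS code. `FakeIamClient` is a constructed stand-in that mirrors the `boto3` IAM client method names and keyword arguments (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`) so the example runs offline; against a real account you would pass `boto3.client("iam")` instead. The user name `deploy-bot` and the callbacks are assumptions for illustration.

```python
"""Access-key rotation with a deactivate-verify-delete ordering (added example, not AWS code)."""
import secrets
import string


class FakeIamClient:
    """Offline stand-in for boto3's IAM client; same method names and kwargs, constructed data."""
    MAX_KEYS_PER_USER = 2   # IAM's per-user limit, which is why rotation needs a free slot

    def __init__(self):
        self._keys = {}     # user name -> list of key metadata dicts

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= self.MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        alphabet = string.ascii_uppercase + string.digits
        key_id = "AKIA" + "".join(secrets.choice(alphabet) for _ in range(16))   # 20 characters
        secret = secrets.token_urlsafe(30)                                       # 40 characters
        keys.append({"UserName": UserName, "AccessKeyId": key_id, "Status": "Active"})
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": secret, "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))

    def _find(self, user, key_id):
        for k in self._keys.get(user, []):
            if k["AccessKeyId"] == key_id:
                return k
        raise KeyError(f"NoSuchEntity: {key_id}")


def rotate_access_key(iam, user, deploy_new_key, verify_new_key):
    """Rotate a user's single long-term key; returns (old_key_id, new_key_id).

    deploy_new_key(key_id, secret) installs the credential where the application
    reads it; verify_new_key(key_id) returns True once a call with the new key
    succeeds. The old key is only deleted after that verification.
    """
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) != 1:
        raise RuntimeError(f"expected exactly one key for {user}, found {len(existing)}")
    old_id = existing[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=user)["AccessKey"]
    deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"])

    # Inactive rather than deleted: if something still uses the old key, it can be re-enabled.
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    if not verify_new_key(new["AccessKeyId"]):
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Active")
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key failed verification; rolled back to the old key")
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    return old_id, new["AccessKeyId"]


def demo():
    """Happy path: the application picks up the new key, the old one is gone."""
    iam = FakeIamClient()
    first = iam.create_access_key(UserName="deploy-bot")["AccessKey"]
    store = {}   # stands in for the application's credential store
    old, new = rotate_access_key(
        iam, "deploy-bot",
        deploy_new_key=lambda kid, sec: store.update(key=kid, secret=sec),
        verify_new_key=lambda kid: store["key"] == kid)
    remaining = [k["AccessKeyId"] for k in iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"]]
    return old == first["AccessKeyId"], new == store["key"], remaining == [new]


def demo_rollback():
    """Verification fails: the old key must be Active again and be the only key left."""
    iam = FakeIamClient()
    first = iam.create_access_key(UserName="deploy-bot")["AccessKey"]
    try:
        rotate_access_key(iam, "deploy-bot",
                          deploy_new_key=lambda kid, sec: None,
                          verify_new_key=lambda kid: False)
        raised = False
    except RuntimeError:
        raised = True
    remaining = [(k["AccessKeyId"], k["Status"])
                 for k in iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"]]
    return raised, remaining == [(first["AccessKeyId"], "Active")]


if __name__ == "__main__":
    print(demo(), demo_rollback())
```

Because a user can hold at most two access keys, the procedure refuses to start when a stale second key is already present; deleting that leftover first is part of the rotation discipline, not an afterthought.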
Changing Permissions for an IAM User
- You can change the permissions for an IAM user in your AWS account by changing its group memberships or by attaching and detaching managed policies.
- A user gets its permissions through one of the following methods:
○Membership in one or more groups that have policies attached
○Direct policy attachment
- You can change the permissions associated with a user through one of three techniques:
○Add the user to a group
○Copy permissions from an existing user
○Attach policies directly to the user