AWS Certified Solutions Architect – Associate (SAA-C02) – Identity and Access Management

Published by michal on

Identity & Access Management (AIM)
  • AIM is all about managing access to AWS
    • It doesn’t support OS, services, or application access management
  • It is what people can do within AWS
    • E.g. launch instance etc.
  • It supports users, groups, and roles (app-users)
  • It’s free, however
    • AWS services implemented by the users incur charges
IAM Concepts
  • Resources
    • Things on which actions can be taken
      • E.g. EC2 instance, EBS volume etc.
  • Principles
    • Things that take action
      • Users, groups, roles
    • Also called identities
    • An entity that can perform an action
    • A person or service with permissions
      • AWS Management Console
      • AWS API/CLI
  • Policies
    • JSON authorization rules
    • Identity-based, group-based or resource-based

The principle is authorized to take action on the resource.

IAM provides identity and access management for access to the AWS Management Console. Utilization of IAM doesn’t cost, but actions do.

Users
  • IAM users are entities created in AWS
  • A person or service with permissions
    • AWS Management Console
    • AWS API/CLI
  • User credentials consist of a name and password and up to two access keys
    • Access keys are used with the API or CLI
    • Users can be members of groups
Group
  • A collection of AIM users
  • Permissions should be managed at the group level
  • Users can be added and removed from groups
  • Groups are not used to log in
Role
  • An identity granted permissions
    • A set of actions someone, something can take
  • Roles are not permanently assigned
  • Can be limited in their capabilities
  • Assumable by any entity with the need for it
  • Compatible with federated users
    • Users from other identity provider systems
    • Mapped to a role
    • Allows for SSO (single sign-on)
Users vs. Roles
  • Create user accounts when
    • You’re the only person working with the account
    • Multiple people need permanent access
    • One or more users require CLI access (e.g. devs)
  • Create roles when
    • Applications need access to an AWS service
    • Multiple phone apps make a request to AWS
    • Existing company users need federated access
AWS Root User
  • Email address used to create the AWS subscription
  • Unlimited capabilities
  • Not recommended for everyday use
    • God mode account
  • Create an IAM admin user and safely store the root user account
Root Access Tasks
  • Modifying the root user
  • Change the AWS support plan
  • Close AWS account
  • Create a CloudFront key pair
  • Enabling MFA on S3
  • Restoring application permissions for other IAM users
Authentication
  • Validation of credentials
    • Credentials provide identity
  • A claim + proof of claim
    • Username + password
  • Single or multi-factor
  • Authentication of persons (users), processes (roles)
Authentication in AWS
  • Required to manage AWS
  • AWS Console
    • Username + password
  • AWS API/CLI
    • Access key + secret key
Authorization Policies
  • Rules that determine allowed actions or access
  • Used throughout AWS
  • Use JSON (via GUI generator or coded directly)
  • Vary by objects
  • Validation of actions
  • Identity-based policies
    • Used with users, groups, and roles
  • Recourse-based policies
    • Used for cross-account access
      • For accounts from different AWS subscriptions

Authorization is provided by AWS Policies.

Policy Processing
  • By default, all requests are denied
  • Explicit allows overrides the default
  • Permission boundaries can override explicit allows
  • Explicit deny override explicit allow
  • Default: DENY > ALLOW
Actions or Operations
  • The request is authenticated
    • Action or operation is processed
  • The request is authorized
    • Linked to the service
  • Processed against a resource
  • Includes CRUD
Multi-Factor Authentication (MFA)
  • Best practice to follow
  • Couples username and password with another factor including
    • Something you know
    • Something you have
    • Something you are
    • Something you receive, e.g. virtual token or SMS
  • Can be enabled for the root account and users
Key Rotation
  • Best practice suggest rotating keys
    • Access Key ID
    • Secret Access Key
  • Key rotation only applies to user accounts
  • Key rotation process
    • 1. Create a secondary access key in addition to the one you use
    • 2. Update all applications to use the new access key and validate that the applications are working
    • 3. Change the state of the previous access key to inactive
    • 4. Validate the applications are will working as expected
    • 5. Delete the inactive key
Key Listing/ Creating
aws iam List-Access-Keys --user-name mike
aws iam Create-Access-Key --user-name mike

Multiple Permissions
  • Permissions can come from multiple sources including user, group and boundary policies
  • Users permissions apply to users, group permissions apply to the collection of users
  • Permission boundaries constraint user to a limited set of permissions regardless of what permissions the may receive from a group
  • All allow policies are cumulative
  • All deny policies are overriding
AWS Compliance Programs
  • AWS has been externally attested or certified to comply with many programs including
    • HIPAA, PCI-DSS, ISO, and government compliance requirements
  • For more info go to http://aws.amazon.com/compliance
Shared Responsibility Model
  • AWS provides the security of the cloud
    • Physical, network, hyper-v, managed services etc.
  • The customer provides security in the could
    • Gues OS, applications, data, confining of VPC and apps
Passwords
  • Default password policy
    • Minimum of 8 characters
    • Maximum of 128 characters
    • At least 3 of 4 character types
      • Uppercase, lowercase, numbers, special characters
  • Best practices
    • Change password periodically
      • Use a unique password for AWS – avoid common words
    • IAM – Account Settings – Password Policy – Custom
Credential Rotation
  • To limit the attack window
  • Requiring periodic password changes limits the time for a password cracking attack
  • Users are reminded of the importance of security each time they must change their password
  • If varying systems require password changes at varying times, password rotation can help reduce the reuse of passwords across systems
Least Privilege (POLP)
  • Grant only the access needed
    • Granting more access to created vulnerabilities
      • Opens doors to mistakes
    • Opens the door to attackers
Review Permissions
  1. Policy Summary
  2. Service Summary
  3. Action Summary
CloudTrail
  • Logging service with a 90 days default history
    • Governance – make sure we do what we should
    • Compliance – make sure we proof what we should do
    • Auditing – evaluate whether we should be doing it
  • Event histories
    • Management console
    • AWS SDK
    • Command Line (CLI)
Categories: AWSCertificationCloud
Tags:

Related Posts

Architecture AWS Cloud Scalability

AWS: Scaling EC2 Groups with SQS

Overview Scale EC2 groups based on CloudWatch Alarms using SQS capacity metrics Create CloudWatch Alarms Create scale-in and scale-out alarms using the SQS ApproximateNumberOfMessagesVisible metric Create AutoScaling policies Add/ Remove capacity units (EC2 instances) based on Read more…

Architecture AWS Cloud Disaster Recovery (DR) High-Availability (HA)

AWS: RDS Multi-AZ, Multi-Region and Read Replicas

Multi-AZ Deployments The main purpose is high availability – failover It happens automatically in the background It can be enabled on the database creation or after Synchronous replication (except for Aurora — asynchronous) Always span Read more…

AWS Cloud Data

AWS: Amazon Athena

Amazon Athena Overview Amazon Athena is an interactive query service (serverless) that allows analyzing data in Amazon S3 using SQL Athena used Data Catalogue that stores the S3 DDL Athena is based on Presto – Read more…