AWS ‐ IAM (Identity & Access Management)
- Secure access control to Authenticate and Authorize users with our accounts
- Login with Root user to create account credentials and create another aws account
- Never use root account to launch any aws resources as root user is a powerful user
- Verifying the identity of the user
- Specify Access control policies
- To control access to resources and services
Below users can be provided permissions to access aws resources
- AWS Root Users - with unlimited privileges, it has Total access, login using email and password
- IAM Users - Native to aws, Created, stored and managed within aws
- It uses Access key and password for accessing the resources
- Newly created user has no permissions by default, it has to configured to accordingly
- User can have one aws account, can access across regions
- Service Accounts - used to perform actions on aws resources on behalf of other users/services
- Federated Users - Users Authenticated via external providers (Active Directory, Facebook, Google), these users not stored in aws database, managed by external providers
- IAM User Groups - collection of IAM users, governed by policies
- IAM Roles- An IAM role is an identity that grants permissions to users, it has permissions to enable users what action can they perform on aws resources
- IAM Temporary credentials - short lived & limited privileged credentials, it lives for limited time and expires automatically after
- Logging with AWS CloudTrail
- Record of actions - to capture actions performed on the console or api calls for IAM
In Order to manage the permissions - Policies can be created and assigned to AWS Identities
- Explicit Deny - anything denied everything denied
- Deny By Default
- AWS Resources denies permissions unless explicitly allowed permissions
- Each part of request must be granted
- It contains Information about Who (the principal), Which Resource, What Conditions
- Policy Attached to IAM identity or AWS Resource
- Policy is evaluated whenever request is made
- Policy changes take effect immediately
- Policy objects are stored as JSON documents
- Permissions are required to be enabled between services (service to service access)
-
Identity Based Policy
- These policies directly attached to IAM user groups or roles to specify the actions allowed to perform
-
Resource based Policy
- Specified to resources to specify allowed actions
-
Permissions boundaries
- Defines maximum permissions to user groups or roles or other policies
-
Service Control Policies (SCPs)
- To define the policies at the root level of the organization
-
ACL
- To specify permissions for Amazon S3 objects not for any other aws services
-
Session Policies - to specify permissions aws session tokens created
-
Policy can be versioned
-
3 Pillars of Security
- Availability
- Confidentiality
- Integrity
-
Resilience - Regions & Availability Zones Isolated from each other - Provides Availability, Fault Tolerance and Scalability
-
Infrastructure security
-
Configuration & Vulnerability analysis - AWS has procedures and ways to check the vulnerabilities
-
Secure Root User Keys
- Enable MFA
- Do not use for any regular purpose, use this only on emergency purposes
- Store the keys securely
- Regularly Monitor the use of root account for any suspicious activity
-
Create Individual users - with the minimum required permissions to perform their tasks
-
Create user groups
-
Enforce least privileges
-
Use AWS managed policies - created and managed by aws security experts, regularly updated for security
-
Validate policies regularly to check if it meets the requirements
-
Use Customer managed policies
- to meet the customer specific security requirements
-
Secure the access keys
-
Rotate the credentials periodically
-
Delete unused credentials
-
Monitor regularly
- Used to generate and validate IAM policies
- It is a fully managed user authentication and identity management service
- It is the user directory in cognito
- Users can sign on to web and mobile apps using cognito, it allows Social Networks and SAML Identity Providers
- SDK APIs can be used to access profiles, integrate users into apps
- To signup and signin Use amazon cognito UI or custom web ui
- Using Amazon Cognito hosted UI - provides default construction of the signup/sign in flow, this flow also handles and validates the response token received from the IDP
- Custom workflows can be triggered when a user signs in, using the lambda fns
- Amazon Pinpoint Analytics - to send the user notifications, emails and perform other engagement, marketing campaign
- AWS account is required for the new user, then onboard onto user pool
- the new user belongs to the aws region that he was assigned to, but user data can be shared to other region if required
- Cognito Generates - Access Token, Refresh Token (long living between 1 hr to 10 yrs)
- During Signin - User can create Social Sign-in or create SAML identity provider sign-in option
- As a result of the authentication process, tokens are returned (ID Token, Access Token, Refresh Token)
- ID Token - contains identity of the authenticated user, user claims such as Name, Email
- Access Token - is issued to grant access the resource
- Refresh Token - is a long lived token to refresh the access token when expired
- Integrates with Microsoft Active Directory (AD) with the aws services
- AD or LDAP apps in the cloud
-
There are constraints in integrating the Managed Ms AD,
-
the account should be in the same region in order for the integration to be seamless
-
AD should be created within the VPC with atleast 2 subnets in place
-
Variants
- Standard Edition - upto 5000 AD objects
- Enterprise Edition - upto half million AD objects
- Directory is schema based structure keep the objects in a hierarchical structure
- AD Objects Schema can be considered similar to Tables and columns in a table
- Classes - Table
- Attributes - Columns in a table
- Object Identifier (OID) - uniqueness of attribute
- Schema is important to keep the integrity and interoperability
- Directory based aws store, it is not directory replacement for Ms AD
- It is designed to support multi-tenancy and automatic scaling (support hundreds of millions of objects)
- Supports Directory objects organized into multilevel hierarchy
https://docs.aws.amazon.com/clouddirectory/latest/developerguide/directory_objects.html
https://docs.aws.amazon.com/clouddirectory/latest/developerguide/directory_objects_links.html
- Allows Securely share the aws resources with resource, users, roles
- It is a collection aws resources and All resources should be in same aws region
- All resources in the group should match query criteria (Specification)
- Tag Based Query
- Specify resources based on tags, key-value pair
- CloudFormation based Query
- Stack-based query, specify resources based on the stacks (based on single cloudformation stack, not multiple cloudformation stacks)
- Word or phrases
- To identify and organize resources
- key and optional value
- Limitation upto 50 user tags
- support read-only tags (system tags, cannot be modified or deleted by user)
- Centralized portal to managing sso users, aws accounts and third part apps
- Easier to access and permissions management
-
It uses SAML federation
- Security assertion markup language - a xml based mechanism to exchange information about user identity
- SAML 2.0 is the industry standard
-
Configuration
- configure the permission sets
