Identity & Access Management Flashcards
AWS Definition and 4 key areas.
Amazon Web Services. Comprehensive Collection of Infrastructure Services.
- Compute
- Storage
- Database
- Networking Services
AWS Platform Capabilities
Offered as a pay-as-you-go service.
- Mobile Services
- Analytics
- Machine Learning
Root User
User account you use to sign in to AWS Management Console.
AWS Management Console
- Create
- Configure
- Monitor
AWS SDK
AWS Software Development Kit. Allows the user to interact with AWS services through code instead of the Management Console. Available for these languages:
1. Java
2. .NET
3. JavaScript
4. PHP
5. Python
6. Others
Specialty SDKs
1. AWS Mobile SDK
2. AWS Internet of Things (IoT) Device SDK
AWS CLI
Command Line Interface. Available for different operating systems:
1. Windows
2. Linux/Unix
3. macOS
*There is also a PowerShell option (AWS Tools for PowerShell) if you prefer it over the AWS CLI.
Authentication
Verifying Identity.
Involves the method, process, or action used to verify the identity of a user or process.
Authorization
Determining access level.
Determines access level of an authenticated user/process to various resources like files, services, applications, data, and others.
AWS IdP
AWS can be used as an Identity Provider.
Entails storing identities and providing the method used for authentication. Applies to AWS services, AWS infrastructure, and non-AWS applications (web/mobile).
AWS Planes of Access
2 planes of access.
- Control plane - allows access to perform operations on instances. Managed through API operations.
- Data plane - controls access to sign in to compute instances (Secure Shell & Remote Desktop).
Policies (related to access)
JSON docs with 3 key value pairs.
- Effect - whether the user or group is allowed/denied to execute the associated API
- Action - if API is allowed/denied
- Resource - defines where API is allowed/denied
AWS Federation
Federation allows users to be centrally managed for access to AWS resources.
2 components:
1. Identity provider - “Who are you?”
2. Identity consumer - Stores reference of identity, grants access based on Identity Provider. (Granular)
SAML
Security Assertion Markup Language.
- Provides federation between an entity and a service provider.
- Option in AWS
- Both exchange metadata using an XML document
OIDC
Open ID Connect.
- Supersedes SAML
- easier to configure than SAML
- uses tokens (instead of assertions) to provide access
3 types of OIDC tokens
Open ID Connect
- ID
- Access - access to API
- Refresh - obtain new ID token
AWS AD
Active Directory is a common identity provider.
- Used to establish trust between AD domain controller and AWS Directory Service for Microsoft AD.
- Domain controller may be on premise or in cloud.
AWS STS
Security Token Service. Creates and provides trusted users with temporary security credentials. Consists of:
1. Access key ID
2. Secret Access Key
3. Security Token
Amazon Cognito
Managed Service for handling mobile and web applications.
- Integrates with AWS STS to identify users and provide them with consistent identity over lifetime of an application.
- Useful because many businesses already have Microsoft AD, and it is easier to integrate it with Cognito than to implement a new identity store.
Ways to implement Microsoft AD on AWS (4).
- Running AD on an EC2 instance.
- Use an AD Connector to connect to AWS Services with an existing, on-premise Microsoft AD
- Create a Simple AD. (Microsoft AD-compatible directory provided by AWS Directory Service.)
- Deploy AWS Managed Microsoft AD. (Actual Microsoft Windows Server managed by AWS on AWS servers.)
AWS Management Console
A web-based console that encompasses a set of service consoles for managing AWS.
- Access Service Consoles (S3 buckets, EC2, CloudWatch, AmazonAccount)
- Can choose region
- Access to Billing and common troubleshooting topics
- Create shortcuts to other consoles
- Can change password
- Compatible with tablets and phones
- Mobile app can be downloaded from the App Store (iTunes) or Google Play
AWS Root account
AWS Root account is created when the user signs up.
- Can use this root account to manage AWS account and services.
- Very powerful. AWS deletes root account access keys automatically.
- Never use this for day-to-day interactions with AWS
Root Account capabilities (5)
- Change account name
- Change root user email / password
- Change contact information
- Change local currency
- Add alternate account contacts (alternate contact information)
Logic behind multiple AWS Accounts (4).
Want to design strategy to maximize security and align with business/ governance requirements.
- Ex - Centralized security Management - would require 1 AWS account.
- Ex - Separate Environments (Dev, Test, Prod) - would require 3 accounts.
- Ex - Different Departments (esp. Autonomous Departments) - Each department would have an AWS account. Then each could have its own policies/projects.
- Independent projects - Can create multiple AWS accounts (one for common services like AD), and then each project would get its own account and different access to resources. (Could have a common billing account for all projects.)
IAM
Identity and Access Management. Enables the creation of multiple users (with different security credentials).
- An IAM user can be authorized to create new users and manage/delete existing users.
IAM users can be… (3)
- Person
- Service
- Application (that requires AWS resources through MC, CLI, or APIs)
IAM Groups
Identity and Access Management groups contain multiple users under one AWS account.
- Users can be grouped based on functional aspects, organizational requirements, geography, projects, etc.
- An IAM group is given permission to access resources by attaching policies; these are inherited by the IAM users belonging to the group
- Even if one user, best practice to assign a group for access
IAM user represents…
A unique identity with unique, long-term credentials.
Main IAM credential types (2)
1. Those for signing in to the AWS Management Console
2. Those used for programmatic access to the AWS API
IAM Credentials vs. AWS Credentials
- Username/password for both
- AWS: username = email address
- IAM: more flexibility
- AWS account password: can be anything you define
- IAM password: can be forced to comply with rules you define
MFA
Multi-Factor Authentication. AWS MFA offers extra level of security.
- username/password + authentication code from MFA device
- can also require an MFA code in order for users to be able to delete S3 objects
Identity Federation
Some users may have identities outside of AWS, ex: Corporate directory, they may need access to AWS resources.
Identity Federation
System of trust between two parties for the purpose of authenticating users and conveying the information needed to authorize their access to resources.
- In this system an IdP is responsible for user authentication.
- Ex: Some users may have identities outside of AWS, ex: Corporate directory, they may need access to AWS resources.
Can you have multiple users with IAM?
Yes. Each can have their own security credentials and all are centrally managed under 1 AWS account.
Give me an example of an IAM role for EC2.
Applications running on EC2 instances that require access to AWS Services.
- Ex: Developer running application on an EC2 instance that needs read-only access to an S3 bucket.
- Admin can create a suitable role. This includes policies that grant read permissions to the bucket and allows the developer to launch the EC2 instance.
- Therefore, the admin doesn't have to grant the developer access to the bucket directly, and the developer doesn't have to share their credentials.
- The developer would launch the EC2 instance and associate the new role with the instance.
- When the application runs, it retrieves credentials from the instance metadata on the EC2 instance and, using the role credentials, accesses the S3 bucket with read-only permissions.
Cross-account access
- Enables IAM users from different AWS accounts to gain access to another AWS account.
- In the trusting account, create an IAM policy that grants the trusted account access to specific resources.
Explain how IAM roles address Identity Federation.
- Creates an Identity Broker
- This ID broker (IDB) goes between the corporate user and the AWS resources.
- Enterprise user accesses the IDB application, the application authenticates user against the corporate identity store
- the IDB application has permissions to allow it access to the AWS security token service to request temporary security credentials.
- Enterprise users can access the API and Amazon MC.
AWS Regions
Separate geographical regions.
- Each region maintains its own copy of AWS services
- Each AWS Region comprises multiple data centers
- These are grouped together to form availability zones
- Enables AWS to provide highly available resources
Data center vs Availability Zone
Data centers are grouped together to form availability zones.
Availability Zones
Physically separated from each other, designed to operate independently of each other.
Availability Zones (connection)
- Connected by low latency, high throughput redundant networking
API
Application Programming Interface
- Software intermediary that allows two applications to talk to one another.
Endpoint (API)
URL that enables API to gain access to resources on a server.
AWS Regions MC vs CLI / SDK
- US East (N. Virginia) MC = us-east-1 (CLI / SDK)
- US West (Oregon) = us-west-2
- EU (London) = eu-west-2
- Asia Pacific (Tokyo) = ap-northeast-1
IAM Services that aren’t limited to a specific region
Region = global
- API endpoint for the IAM service = same
- ex: iam.amazonaws.com
Choosing Regions
Factors:
- Availability of services required by organization / applications. (Not all services are in all regions.)
- Latency
- Cost - price varies per region, but don't want to sacrifice service, availability, or latency
- Data Residency - allows us to stay compliant within a region
- Choose a region that has at least most of the services
- Want to choose regions that are closer to users; this will decrease latency when making API calls
- Business continuity - choosing regions for disaster recovery
- Choose a target region for recovery based on proximity
What are the 2 IAM roles automatically created when you set up the account?
1. AWSServiceRoleForSupport
2. AWSServiceRoleForTrustedAdvisor
After creating new AWS account…
- Create 1st IAM user
- require password reset
- Create a group for Admins
- Assign this user to the Admin group
- Sign out and sign back in as the IAM user rather than the root user
Security Status: 5 steps when you first create an account.
- Delete your root access keys (this should be done automatically?)
- Activate MFA on your root account.
- Create individual IAM users
- Use groups to assign permissions
- Apply an IAM password policy.