Module 3: Securing access Flashcards
AWS shared responsibility model
Security of the cloud => AWS
Security in the Cloud => Customer
Design principles of the security pillar
1) Implement a strong identity foundation
2) Protect data in transit and at rest
3) Apply security at all layers
4) Keep people away from data
5) Maintain traceability
6) Prepare for security events
7) Automate security best practices
How to implement identity foundation
Use policies to grant or deny access to AWS resources.
Use the principle of least privilege.
How can you implement encryption?
By using Transport Layer Security (TLS)
How to protect data in transit and at rest?
Use encryption (TLS)
Authentication (Who)?
Important to identify who is accessing. The "who" can be a person or an application
How do you protect data at rest
Through client-side encryption, which encrypts data before it is sent, or server-side encryption, which encrypts data after it is sent but before it is stored
Authorization
Do we allow or deny the request once we know who is asking
What is IAM
Identity and Access Management
What do you do with Identity and Access Management (IAM)
Configure access, grant credentials to users and groups. Distribute them across services.
Integration with Microsoft Active Directory and other identity providers.
Support MFA
IAM Resource
The user, group, policy or identity provider object stored in IAM
IAM entity
The object used for authentication. Entities include users and roles
IAM identity
An identity identifies a user, group or role. You can attach policies to identities
IAM principal
Person or application using the account to authenticate and make requests. (The "who" behind it: app or user)
IAM user
Entity you create that represents the person or application interacting with AWS services
IAM Group
Collection of users. Use groups to grant the same set of permissions to multiple users
IAM Role
Similar to a user, but with short-term credentials valid for the duration of the session
IAM Policy
Document explicitly listing permissions
Credentials needed for signing into the AWS management console
Username and password
Credentials needed to run commands in the Command Line Interface (CLI)
AWS Access Key
Credentials needed to make programmatic calls to AWS
AWS Access Key
What is an AWS Access Key?
Combination of an access key ID and a secret access key
Best practice for security
1) Least privilege
2) Enable MFA
3) Require human users to access AWS with temporary credentials
4) Rotate access keys for use cases requiring long-term credentials
5) Use strong, complex passwords
6) Secure local credentials
7) Use AWS Organizations
8) Enable CloudTrail
9) Protect the root user
Least privilege
Grant the strictly minimal permissions needed to perform tasks
Enable MFA
Just do it. Many types exist
Human access with temporary credentials
Do this through entities assuming roles assigned to the accounts
Rotate access key
For programmatic access, so that long-term keys change regularly
Strong passwords
Duh. Password manager…
Secure credentials
Password manager again
Use organization
To consolidate billing and access control
Enable CloudTrail
Create logs to record access to the resources
Protect the root user
Limit the use of the root user as much as possible: it has complete access to everything
How to protect the root user
Do not use it. Create an admin user with permissions for most tasks
How to set up an admin user
Log in as root and set up MFA for it
Create the admin user, add MFA and download the key
Log out of the root user
Log in to the admin user
Create your user accounts
Use case for roles
Assign a role to another AWS account needing resources on yours.
Assign roles to users outside of your company
Assign a role to a mobile app because it is not good to have credentials in there
Assign a role to an app running on an EC2 instance because you don't want to store the credentials there either
2 types of policies
Identity-based policies
Resource-based policies
Identity based policies
Attached to an IAM user. Defines what resources the user can access
Resource based
Attached to an AWS resource. Defines what users can access the resource
Format of a policy
JSON
Process to allow access
Is there an explicit deny policy? If not, check whether there is an explicit allow. If yes, allow; otherwise deny everything.
IAM policy document structure
Version
Statement
Effect
Principal
Action
Resource
Condition
Policy version
Version of the policy language you want to use
Policy Statement
Defines what is allowed or denied, based on conditions
Policy effect
Allow or deny
Policy Principal
Account, user or role the policy applies to
Policy Action
Action allowed, e.g. "s3:GetObject"
Policy Resource
Resources that the policy action applies to
Policy Condition
Set of rules that must be met for the statement to apply