IAM

Identity & Access Management

A free FMS *(fully managed service) used to manage any type of authorisation to access resources on your AWS account. Control access with IAM users in AWS, or via Federation for 3rd Party authentication with OAuth

When you create IAM policies, follow the standard security advice of granting least privilege—that is, granting only the permissions required to perform a task. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege

IAM Best Practices

Only use AWS Root to change your credit card details, use MFA for access
Always grant Least privilege with Access Levels
Remove access from unnecessary credentials
More privileged users need MFA (either HW/SW)
Define strong PWD policy, set to change credentials often
Create individual IAM users. Never share accounts
Define or use Defined AWS Policies to delegate permissions to groups, or roles
Use Groups to assign permissions to IAM Users
Use Roles for applications on EC2 instances
Schedule reviews as part of governance
- of CloudTrail logs
- of AWS IAM Credentials report

*AWS Defined Access levels - List, Read, Write, or Permission Management

AWS Shared Responsibility Model

Amazon is responsible for the cloud
- Compute, Storage, Database, Networking
- Regions, Availability Zones, EdgeLocations
Companies are responsible for thier implementation on the cloud - the security and compliance on the AWS Cloud
- OS patch, Cloud Architecture NW, FW config
- App patching, IAM management
- Customer Data, Encryption client & server side, Network traffic encryption TLS & SSL

Company Cloud

The company IT has full responsibility for

Manage IAM
Design of Architecture to protect Data(at rest & in transit, and while being computed on the client and server side) with FW and NW config
Manage Applications
Attain Compliance with regulatory requirements, certification for industry standards, and Governance of IT

IaaS - EC2, EBS

You have to patch the OS, and ensure it's secure, and responsible for anything running on it.

PaaS - Container Services (RDS, eBeanstalk)

You responsible for NW & FW, Data, db Admin, Data Encryption at rest and during transport.

Abstract Services (S3, Glacier, DynamoDB, Lambda, SQS, SES)

You are responsible customer Data at client and server

Users, Groups & Roles

Use least privileged access by default. I.e. User has no access

IAM Users

Users are setup with credentials (can add an Alias for easy user access). Users can be identified in 3 different ways in AWS:

Name, Credential(PWD) & Alias - to access WorkSpaces(with credential), or CLI (with Access key)
- Users must be given {Programmatic "API, CLI" / Management Console} access
- Users can be assigned policies, group
- Can change own PWD
ARN - to use within AWS services
Unique Identifier - to access API, SDK's, PowerShell, or CLI (used programatically)

Note: never use the Root account unnecessarily. Change default PWD, and add MFA access for the root account.

If you want the URL for your users sign-in page to contain your company name (or other friendly identifier) instead of your AWS account ID, you can create an alias for your AWS account ID. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html

http://your_aws_account_id.signin.aws.amazon.com/console/
http://account_alias.signin.aws.amazon.com/console/ (Account level set at the IAM dashboard)

IAM Groups

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Groups can have permissions, or have AWS Policies. Each group contains users that gain the groups permissions

Admins
Devs
Testers

User can participate in multiple groups, but you can't have nested groups.

You can define Resource based security Groups. An EC2 security group acts as a firewall that controls the traffic allowed to reach one or more instances - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

IAM Roles

You can and should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

Can use temporary credentials to do a 'temporary' function (set amount of time) - 3rd Line support to restore service
Roles can be assumed by users or resources (EC2 Instance to access S3)
Can give Another AWS Account permissions with roles to your resources
Can use Identity Federation using Cognito > OAuth (FB, Google), or Enterprise SSO (LDAP / Active Directory)

*You can have code running with a specific Role

AWS Organisations

Used for large Enterprises to be managed centrally, billed centrally under Service Control Policies (SCP's control access to AWS services within OU. The SCP overrides all other policies)

An Organisation Unit (OU) can have many AWS Accounts

User account management can be automated with API's.

Consolidated OU billing for multiple AWS accounts.

AWS Organizations provides consolidated billing so that you can track the combined costs of all the OU member accounts in your organization. See: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/useconsolidatedbilling-procedure.html

Setup multiple "company groups" with an AWS Account, and check that don't exceed monthly spend. They will all report under the same OU AWS Account via a consolidated bill

IAM Policies

By default new users have no access in AWS account. Everything has to be explicitly granted via XAML policies (define the version "date", effect "Allow", actions "S3:*", resources "via ARN", and optional conditions)

Notation(no AWS region info)

arn:aws:iam::account:resource{"user/Bob","goup/Dev","role/DymoDBAccess","instance-profile/Webserver","federated-user/Bob"}

Policies to control AWS Accounts PWD strength of Characters, length, valid for period, expiration, previous blocked PWDs

Force to contact Admin when locked out or PWD expired.

Policies for Users vs. Resources. The Resource has policy attached to the resource.

*ARN - Amazon Resource Name

Identity Federation

3rd Party OAuth(unlimited temporary credentials) is needed as there is limit to IAM users (max 5000)

Setup a AWS Role for Federated Users

Uses SAML 2.0 (Security Assertion Markup Language)

AWS CloudTrail*

Used to capture events on AWS Cloud to the resources, and can trigger SNS Topic alerts for security issues. All resource access is performed via AWS API so everything is logged. The logs are stored in a designated Bucket (that can be analysed by Amazon Athena, EMR etc).

Page updated

Report abuse