search

Module 9

hashtag
IAM Groups

circle-info

All users in the group inherit the permissions assigned to the group

hashtag
Example: Making groups reflect job roles

hashtag
Challenges with scaling RBAC

triangle-exclamation

SCP's can only be attached to OU's NOT roles

IAM policies can only be attached to roles

hashtag
Attribute Based Access Control

circle-info

What if two people have the same job/role but they live in different countries

ABAC
Benefits

This authorization strategy defines permissions based on attributes.

It’s more flexible than policies that require you to list each individual resource.

Attributes are a key or a key-value pair

Granular permissions are possible without a permissions update for every new user or resource.

In AWS, these attributes are called tags

It’s a highly scalable approach to access control.

Tags can apply to IAM resources (users or roles) and AWS resources.

Fully auditble

hashtag
Federating Users

  • AWS IAM Identity Center

    • Can create or connect identities once and manage access centrally across your AWS accounts

    • Provides a unified administration experience to define, customize, and assign fine-grained access

    • Provides a user portal to access all assigned AWS accounts or cloud applications

    • Used optionally in conjunction with IAM

  • STS

    • AWS STS is a web service (API) that enables you to request temporary, limited-privilege credentials

    • The credentials can be used by IAM users, federated users, or applications

    • Is sessions based and not Identity based

  • Cognito

    • uses other accounts like Gmail or Yahoo accounts to sign in

circle-info

Cognitio is used for web and mobile apps

hashtag
Example: Identity federation for AWS Management Console access

hashtag
Example: Identity federation for AWS Management Console using SAML

hashtag
Federation example

hashtag
Cognito Example

hashtag
Two ways for separating resource access

  1. Multiple VPC's in a single account

  2. Multiple Accounts with a single VPC each

hashtag
SCP's

circle-info

SCP = Service control policy. Set limits for the amount of resources an account/site can use

circle-info

Deny is always evaluated first

Multiple policy types can impact each other for access and creation of resources.

hashtag
AWS Control Tower

  • Have everyone's accounts, permissions, and root account things on one dashboard

  • AWS Control Tower facilitates the setup and governance of a secure, multi-account AWS environment.

  • AWS Control Tower benefits include the following:

    • Automated set up of a new well-architected multi-account environment based on best practices blueprints

    • Governance of AWS workloads with rules for security, operations, and internal compliance

    • Prescriptive guidance to govern your AWS environment at scale

hashtag
Data at rest encryption

Client-side encryption (CSE)
Server-side encryption (SSE)

The application encrypts data before sending it to AWS

AWS encrypts data on your behalf after receiving it.

Create and manage your own encryption keys

Services transparently encrypt your data before writing it to disk and transparently decrypt the data when you access it

The keys and algorithms are known only to you

The keys can be managed by AWS

hashtag
Client-side example

hashtag
Server-side example

hashtag
AWS Security tools

  • WAF

    • Is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources

  • Sheild

    • Protects against distributed denial of service (DDoS) attacks for AWS resources, at the network and transport layers (layer 3 and 4), and the application layer (layer 7).

  • Macie

    • Security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS

    • Recognizes PII

  • Inspector

    • Is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities.

  • Detective (Incident response)

    • Helps analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.

    • Detective automatically collects log data from your AWS resources.

  • Security Hub

    • Everything above will be sent to the security hub dashboard

hashtag
Using AWS Security Hub with AWS Trusted Advisor

  • It provides recommendations based on five categories of AWS best practices: cost optimization, security, fault tolerance, service limits, and performance improvement.

  • It evaluates your account to suggest improvements and optimizations for your resources

PreviousModule 8NextModule 10

Last updated