Module 9
IAM Groups

Example: Making groups reflect job roles

Challenges with scaling RBAC

SCPs can only be attached to OUs, NOT roles
IAM policies can only be attached to roles
Attribute Based Access Control
This authorization strategy defines permissions based on attributes.
It’s more flexible than policies that require you to list each individual resource.
Attributes are a key or a key-value pair
Granular permissions are possible without a permissions update for every new user or resource.
In AWS, these attributes are called tags
It’s a highly scalable approach to access control.
Tags can apply to IAM resources (users or roles) and AWS resources.
Fully auditable
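Worked example of the ABAC idea above (added here for illustration; it is not a policy from the course, and the tag key "project" and the EC2 actions are my own choice): one identity-based policy that never names a resource, but lets a principal act only on instances whose "project" tag equals the principal's own "project" tag, and blocks the principal from rewriting that tag to escape the rule.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListingIsNotTagScoped",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
      "Resource": "*"
    },
    {
      "Sid": "ActOnlyOnMatchingProjectTag",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    },
    {
      "Sid": "DenyChangingTheProjectTag",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["project"]
        }
      }
    }
  ]
}
```

The same document is attached to every user or role; access changes by editing the "project" tag on the principal (or passing it as a session tag) and on the resource, not by editing the policy. If a principal carries no "project" tag, the variable does not resolve, the Allow statement does not match, and the request is denied, so missing tags fail closed. The Describe actions use "Resource": "*" because EC2 Describe calls do not support resource-level permissions.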
Federating Users

AWS IAM Identity Center
Can create or connect identities once and manage access centrally across your AWS accounts
Provides a unified administration experience to define, customize, and assign fine-grained access
Provides a user portal to access all assigned AWS accounts or cloud applications
Used optionally in conjunction with IAM
STS
AWS STS is a web service (API) that enables you to request temporary, limited-privilege credentials
The credentials can be used by IAM users, federated users, or applications
Is session-based, not identity-based
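To tie the federation and STS points together, here is an added example of a role trust policy (not from the course; the account ID 111122223333 and the provider name ExampleIdP are placeholders). It lets users authenticated by a SAML identity provider call STS to assume the role, which returns temporary, expiring credentials rather than a permanent identity.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSamlFederatedSignIn",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"
      },
      "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The "SAML:aud" condition restricts the assertion to one intended for the AWS sign-in endpoint, so an assertion issued for another application cannot be replayed here. "sts:TagSession" is only needed if the IdP passes session tags, which is how the ABAC tags above can come from the corporate directory instead of IAM. The credentials STS hands back expire at the role's session duration (one hour by default, up to the role's configured maximum), which is what "session-based" means in practice.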
Cognito
Uses other accounts, such as Gmail or Yahoo accounts, to sign in
Example: Identity federation for AWS Management Console access

Example: Identity federation for AWS Management Console using SAML

Federation example

Cognito Example

Two ways for separating resource access
Multiple VPCs in a single account
Multiple accounts with a single VPC each
SCPs


Multiple policy types can impact each other for access and creation of resources.
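Added example of an SCP (illustrative, not from the course) showing how a policy attached at the OU level interacts with IAM policies inside the accounts: every statement is a Deny, so no IAM policy in a member account can grant these actions, whatever it says.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingTheOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyTamperingWithCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
```

An SCP never grants anything by itself; a principal's effective permissions are the intersection of what the SCPs allow and what its IAM policies allow. Two caveats worth remembering: SCPs do not apply to the management account, and the default FullAWSAccess SCP (or an equivalent Allow) must stay attached or the OU loses all access, not just the denied actions.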
AWS Control Tower
Shows every account, its permissions, and root-account settings on one dashboard
AWS Control Tower facilitates the setup and governance of a secure, multi-account AWS environment.
AWS Control Tower benefits include the following:
Automated set up of a new well-architected multi-account environment based on best practices blueprints
Governance of AWS workloads with rules for security, operations, and internal compliance
Prescriptive guidance to govern your AWS environment at scale
Data at rest encryption
Client-side encryption:
The application encrypts data before sending it to AWS
Create and manage your own encryption keys
The keys and algorithms are known only to you
Server-side encryption:
AWS encrypts data on your behalf after receiving it.
Services transparently encrypt your data before writing it to disk and transparently decrypt the data when you access it
The keys can be managed by AWS
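Added example for the server-side case (not from the course; the bucket name example-data-bucket is a placeholder): an S3 bucket policy that refuses any upload not requesting SSE-KMS, so the "AWS encrypts on your behalf" behaviour is enforced at the API rather than left to each client. Client-side encryption has no policy equivalent, since it happens in the application before the upload.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsThatAreNotKmsEncrypted",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-data-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithNoEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-data-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

The first statement rejects uploads that name a different method (for example "AES256"); the second rejects uploads that omit the header entirely. A bucket's default encryption setting covers the second case on its own, but the explicit Deny also makes the requirement visible in an audit of the bucket policy, which matches the "fully auditable" point made earlier.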
Client-side example

Server-side example

AWS Security tools

WAF
Is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources
Shield
Protects against distributed denial of service (DDoS) attacks for AWS resources, at the network and transport layers (layer 3 and 4), and the application layer (layer 7).
Macie
Security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS
Recognizes PII
Inspector
Is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities.
Detective (Incident response)
Helps analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.
Detective automatically collects log data from your AWS resources.
Security Hub
Findings from all the services above are sent to the Security Hub dashboard
Using AWS Security Hub with AWS Trusted Advisor
It provides recommendations based on five categories of AWS best practices: cost optimization, security, fault tolerance, service limits, and performance improvement.
It evaluates your account to suggest improvements and optimizations for your resources