Module 9
All users in the group inherit the permissions assigned to the group
SCPs can only be attached to OUs, NOT roles
IAM policies can only be attached to roles
What if two people have the same job/role but they live in different countries?
This authorization strategy defines permissions based on attributes.
It’s more flexible than policies that require you to list each individual resource.
Attributes are a key or a key-value pair
Granular permissions are possible without a permissions update for every new user or resource.
In AWS, these attributes are called tags
It’s a highly scalable approach to access control.
Tags can apply to IAM resources (users or roles) and AWS resources.
Fully auditable
AWS IAM Identity Center
Can create or connect identities once and manage access centrally across your AWS accounts
Provides a unified administration experience to define, customize, and assign fine-grained access
Provides a user portal to access all assigned AWS accounts or cloud applications
Used optionally in conjunction with IAM
STS
AWS STS is a web service (API) that enables you to request temporary, limited-privilege credentials
The credentials can be used by IAM users, federated users, or applications
Is session-based, not identity-based
Cognito
Lets users sign in with external identities such as Gmail or Yahoo accounts
Cognito is used for web and mobile apps
Multiple VPCs in a single account
Multiple accounts with a single VPC each
SCP = Service control policy. Sets limits on the resources an account/site can use
Deny is always evaluated first
Multiple policy types can impact each other for access and creation of resources.
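To tie the ABAC notes (tags as attributes) to the evaluation rules just listed (explicit Deny first, then the SCP and the identity policy must both allow), here is a simplified evaluator. It is an added example, not AWS code or course material; it models only Allow/Deny effects, action wildcards and the single StringEquals tag-matching condition used for ABAC, with constructed sample policies and tags.

```python
from fnmatch import fnmatchcase

PRINCIPAL_TAG_REF = "${aws:PrincipalTag/"  # e.g. ${aws:PrincipalTag/project}

def _condition_ok(statement, principal_tags, resource_tags):
    """Model of one ABAC condition: StringEquals aws:ResourceTag/<key> against
    either a literal or the caller's own tag (${aws:PrincipalTag/<key>})."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    for key, expected in cond.items():
        tag_key = key.removeprefix("aws:ResourceTag/")
        if expected.startswith(PRINCIPAL_TAG_REF):
            expected = principal_tags.get(expected[len(PRINCIPAL_TAG_REF):-1])
        if expected is None or resource_tags.get(tag_key) != expected:
            return False  # tags do not match: the statement does not apply
    return True

def _decision(policy, action, principal_tags, resource_tags):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    result = None
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not _condition_ok(s, principal_tags, resource_tags):
            continue
        if s["Effect"] == "Deny":
            return "Deny"  # an explicit Deny anywhere ends the evaluation
        result = "Allow"
    return result

def is_allowed(scp, identity_policy, action, principal_tags, resource_tags):
    """Deny is evaluated first; then the SCP and identity policy must BOTH allow."""
    decisions = [_decision(p, action, principal_tags, resource_tags)
                 for p in (scp, identity_policy)]
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)

# Constructed sample policies (not real AWS policy documents)
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances"},  # OU-wide guardrail
]}
ABAC_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
    "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}},
}]}
```

One identity policy serves every user and every instance as long as both carry a matching project tag, while the SCP's Deny overrides even an ABAC match.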
Have everyone's accounts, permissions, and root-account settings on one dashboard
AWS Control Tower facilitates the setup and governance of a secure, multi-account AWS environment.
AWS Control Tower benefits include the following:
Automated setup of a new well-architected multi-account environment based on best-practice blueprints
Governance of AWS workloads with rules for security, operations, and internal compliance
Prescriptive guidance to govern your AWS environment at scale
The application encrypts data before sending it to AWS
AWS encrypts data on your behalf after receiving it.
Create and manage your own encryption keys
Services transparently encrypt your data before writing it to disk and transparently decrypt the data when you access it
The keys and algorithms are known only to you
The keys can be managed by AWS
WAF
Is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources
Shield
Protects against distributed denial of service (DDoS) attacks for AWS resources, at the network and transport layers (layer 3 and 4), and the application layer (layer 7).
Macie
Security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS
Recognizes PII
Inspector
Is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities.
Detective (Incident response)
Helps analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.
Detective automatically collects log data from your AWS resources.
Security Hub
Everything above will be sent to the Security Hub dashboard
Trusted Advisor
It provides recommendations based on five categories of AWS best practices: cost optimization, security, fault tolerance, service limits, and performance improvement.
It evaluates your account to suggest improvements and optimizations for your resources