AWS - Security and Identity
- IAM (Identity and Access Management) is used to manage users, groups, permissions, etc.
- Inspector is an agent installed on VMs (EC2 instances) that assesses their security and reports findings.
- Certificate Manager manages SSL/TLS certificates.
- Directory Service provides Active Directory and other directory services.
- Web Application Firewall (WAF) provides application-level protection.
- Artifact provides a list of access-controlled compliance documents.
1 - IAM
- It is used to manage users, permissions and the level of access to the AWS console.
- The IAM console is used to manage user account access.
- Identity federation: linking users from external identity providers such as Facebook, Twitter, Active Directory, etc.
- Multi-factor authentication [MFA].
- Supports temporary access for users and devices.
- Custom password policy.
- Integrates with other AWS services.
- Supports PCI DSS [The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle branded credit cards from the major card schemes].
- IAM is global (not region specific), unlike most AWS services.
- The root account is the email address that was used to sign up for AWS.
- Logging in with this account gives root-level access.
1.1 - MFA
- Makes authentication more secure.
- It is an extra step in addition to the username and password.
- MFA flow: users sign in to AWS, enter their username and password, and in addition enter the code from their registered AWS MFA device (like OTP authentication).
- The above setting can be enabled for the AWS account and for IAM users created under the account.
- It can also be used to control access to AWS service APIs.
- To activate MFA, click Manage MFA and choose between the virtual or hardware MFA device option.
- Virtual MFA devices: smartphone, PC and similar supported devices. Use your existing smartphone or tablet running any application that supports the open TOTP [Time-Based One-Time Password] standard. For example, the Google Authenticator app can be downloaded from the Play Store; then follow the instructions provided during the registration process.
- Hardware MFA devices: purchase a supported device; the steps are provided during the registration process.
1.2 - Individual IAM user
- Click on Manage Users, then choose Add user. Enter the user name.
- Choose the AWS access type (can be one or both):
  - Programmatic access - enables an access key ID and secret access key for the AWS API, CLI, SDK, and other development tools.
  - AWS Management Console access - enables a password that allows users to sign in to the AWS Management Console.
    - Autogenerated password OR
    - Custom password
    - Users must create a new password at next sign-in
- Users automatically get the IAMUserChangePassword policy [JSON script] to allow them to change their own password.
- Add the user to a group [if one exists]
- Copy existing user permissions [simply search and assign]
- Attach an existing policy directly [search and assign]
login to AWS services programmatically.
7. Another option provided is to email the credentials to the user or download them as a CSV file.
8. Message to note: "This is the last time these credentials will be available to download. However, you can create new credentials at any time."
1.3 - Creating group
- To create a new group, start with the group name and then choose a policy.
- A new policy can be created using JSON.
- Assign users to groups.
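A worked example, added here and not taken from these notes or from AWS, of how an IAM JSON policy like the ones mentioned above is evaluated: explicit Deny overrides Allow, wildcards match Action and Resource, and a BoolIfExists condition on aws:MultiFactorAuthPresent gates API access behind MFA (so a long-term access key used without MFA is denied). The policy document, bucket name, account ID and usernames are constructed; real IAM evaluation also considers resource policies, permission boundaries and SCPs, which this simplified model omits.

```python
import fnmatch
import json

# Constructed sample policy (not an AWS-managed policy): read-only access to
# one S3 bucket, password change on the caller's own IAM user, and a blanket
# Deny whenever the request was not authenticated with MFA.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Only the BoolIfExists operator is modelled: a missing key counts as a match."""
    for operator, pairs in condition.items():
        if operator != "BoolIfExists":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key in context and str(context[key]).lower() != expected.lower():
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM logic: explicit Deny wins, else any matching Allow, else implicit Deny."""
    verdict = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = [r.replace("${aws:username}", context.get("aws:username", ""))
                     for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        verdict = True
    return verdict
```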
1.4 - Roles
- IAM roles are a secure way to grant permissions to entities that you trust. Examples of such entities include:
  - An IAM user in another account
  - Application code running on an EC2 instance that needs to perform actions on AWS resources
  - An AWS service that needs to act on resources in your account to provide its features
  - Users from a corporate directory who use identity federation with SAML
- IAM roles issue temporary credentials that are valid only for short durations, making them a more secure way to grant access.
- When creating a role, choose the type of trusted entity:
  - AWS service
  - Another AWS account
  - Web identity
  - SAML 2.0 federation
name, description and create.