TABLE OF CONTENTS
1. Introduction
2. Identity and Access Management (IAM)
3. Top Features of IAM
4. IAM Internals
5. AWS CloudTrail
6. AWS Shield
7. AWS WAF
8. Conclusion
9. About CloudThat
In my previous blog post, we discussed the application-level and network-level security aspects of your infrastructure and the steps to implement AWS services that achieve the desired goal. Today, we will look at each of these services in detail and explore their top features and benefits.
When we create an AWS account, we begin with the AWS account root user, which has full access to every AWS service and resource in the account. The root user signs in with the email address and password that were used to create the account. It is recommended not to use the root user for daily tasks, not even for administrative ones. Instead, follow the best practice of using the root user only to create our first IAM user, and then sign in as that user from then on.
IAM provides the following features:
We can grant other people permission to administer and use resources in our AWS account without sharing our password or access keys.
We can grant different permission levels to different people for different resources. For example, we can give some users full access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), Amazon Simple Storage Service (Amazon S3) and other AWS services, while giving other users read-only access to Amazon VPC, permission to administer only some EC2 instances, or access to billing information and nothing else.
We can use IAM roles to provide credentials securely to applications running on EC2 instances. The application receives temporary credentials through the instance's role, so no long-term access key has to be stored on the instance, and those credentials grant the application access to other AWS resources or services such as S3 buckets and DynamoDB tables.
We can add multi-factor authentication (MFA) to our AWS account and to individual users for extra security. With MFA enabled, you or your users must provide both the password or access key and a code from the configured MFA device to access the account.
Identity federation lets users who already have credentials elsewhere, for example in a corporate network or with an internet identity provider, obtain temporary access to our AWS account without a separate IAM user being created for each of them.
AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are features of the AWS account offered at no additional charge. We are charged only for the other AWS services that our IAM users consume.
IAM is responsible for the following two processes:
IAM has a lot of internal items:
An IAM user is an identity within our AWS account. As the owner of the account, we can create users and grant them access to AWS resources such as EC2, S3 or ELB. We attach access policies to each user and generate a console password and programmatic security credentials (access keys) for them. Once we have passed the login details to our team members, they have everything they need to start work.
It is strongly recommended to lock down the root user and use a regular IAM user for day-to-day activities. By lockdown, we mean the following:
The root user has full access to and control of the AWS account. If someone with hostile intentions gets hold of the root user's password, the entire infrastructure is compromised. An IAM user, on the other hand, starts with no permission to perform any action at all. We assign only the permissions it needs to do its job, so its reach is limited and a compromise of that user is not necessarily catastrophic.
IAM groups let us collect users and delegate permissions to them as a set. Groups have no credentials of their own; a user added to a group continues to use their own credentials and gains the access permitted by the group's policies.
Access for individual people is defined by managing users and groups. Permissions can also be granted to things that are not people, such as EC2 instances and applications, through roles.
A role is an IAM identity that carries permissions and restrictions just as a user does, but it is not tied to any one person and has no long-term credentials, so it cannot be used through a regular login. Instead, a principal that is trusted to assume the role (an authenticated user, an application, or an AWS service such as an EC2 instance) receives temporary credentials for it; for the duration of that session the role's policies apply, in place of whatever permissions the caller had before.
An IAM policy defines clearly who may perform which actions on which resources. For example, the policy shown in the figure permits a specific user, Steve, identified by his Amazon Resource Name (ARN) in the Principal element, to put objects into the S3 bucket called design-team. The Action element names the s3:PutObject permission, the ARN in the Resource element identifies the bucket, and the permission is actually granted by the Effect element's value of Allow.
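To make the Allow/Deny logic concrete, the following Python is an added example (not AWS's evaluation engine and not code from the original post). It reconstructs the bucket policy described above for Steve and applies the documented decision order: an explicit Deny always wins, otherwise an Allow is required, otherwise the request is implicitly denied. The account id 123456789012 and the second, identity-based deny policy are assumptions introduced for the illustration; conditions and NotAction/NotResource elements are deliberately not modelled.

```python
"""Simplified IAM policy evaluation (added example, not AWS's engine).

Applies the documented decision order for a set of policies: an explicit
Deny wins over everything, otherwise an Allow is required, otherwise the
request is implicitly denied.  Action/resource matching supports the '*'
and '?' wildcards IAM uses.  Conditions, NotAction/NotResource/NotPrincipal
and cross-account rules are not modelled.  The user name 'Steve' and the
bucket 'design-team' come from the text; the account id is a placeholder.
"""
import re
from typing import Any, Dict, Iterable, List

STEVE = "arn:aws:iam::123456789012:user/Steve"  # placeholder account id

# Bucket (resource-based) policy described in the text: Steve may put objects
# into the design-team bucket and nothing else.
DESIGN_TEAM_BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": STEVE},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::design-team/*",
    }],
}

# Assumed identity-based policy (no Principal element) that blocks all S3
# writes.  Used to show that an explicit Deny overrides the Allow above.
DENY_S3_WRITES_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["s3:Put*", "s3:Delete*"],
        "Resource": "*",
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """Translate an IAM wildcard pattern ('*' any run, '?' one char) to a regex."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_matches(statement: Dict[str, Any], principal_arn: str) -> bool:
    """Resource-based statements name a Principal; identity-based ones apply to
    whoever the policy is attached to, so a missing Principal always matches."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))


def evaluate(policies: Iterable[Dict[str, Any]], principal_arn: str,
             action: str, resource_arn: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _principal_matches(stmt, principal_arn):
                continue
            # Action names are case-insensitive; resource ARNs are not.
            if not any(_wildcard_match(a, action, ignore_case=True)
                       for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource_arn)
                       for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny ends evaluation immediately
            decision = "Allow"     # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::design-team/logo.png"
    print(evaluate([DESIGN_TEAM_BUCKET_POLICY], STEVE, "s3:PutObject", obj))
    print(evaluate([DESIGN_TEAM_BUCKET_POLICY], STEVE, "s3:GetObject", obj))
    print(evaluate([DESIGN_TEAM_BUCKET_POLICY, DENY_S3_WRITES_POLICY],
                   STEVE, "s3:PutObject", obj))
```

The point to take from running it: the bucket policy allows Steve exactly one action on one bucket, a different action or a different bucket falls through to the implicit deny, and once a Deny statement from any attached policy matches, no Allow anywhere can bring the permission back.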
AWS MFA provides an added layer of security on top of AWS credentials. With MFA enabled, a user signing in to the AWS Management Console must provide their username and password plus an authentication code generated by the MFA device they registered. Requiring these multiple factors increases the security of our AWS account and of the AWS resources we have created in it.
MFA can be enabled for the root user of our AWS account as well as for the individual IAM users we have created. There is no charge for MFA.
Below devices are supported as MFA devices in AWS:
AWS CloudTrail is an auditing, governance and compliance monitoring service from Amazon Web Services (AWS). It belongs to the "Management and Governance" category of AWS services.
With CloudTrail enabled, account owners can record and keep a log of every API call made against resources in the AWS account. An API call can be made:
These actions can be taken from:
We can analyse these logs offline: a trail delivers the API events as JSON log files to an S3 bucket, and with log file integrity validation enabled CloudTrail also delivers signed digest files that let us verify a log file has not been modified or deleted after delivery.
CloudTrail event history is available in every AWS account by default.
Amazon CloudTrail has the features one expects of a monitoring and governance tool. They are listed below:
CloudTrail event history is turned on when an AWS account is created, so account administrators do not have to enable it manually. Event history is not a trail, however: it keeps the management events of the last 90 days on a rolling basis. To retain events for longer, deliver them to S3 for analysis, or record data events such as S3 object-level calls, we must create a trail.
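As an added example of what analysing delivered CloudTrail logs looks like in practice (this is illustrative detection logic written for this post, not a CloudTrail feature or code from the original page), the Python below parses a log file in CloudTrail's JSON record format and flags three things a practitioner watches for: any activity by the root user, console logins that succeeded without MFA, and API calls that stop or weaken the trail. The records, account id, user names and IP addresses are constructed placeholders in the shape of real records.

```python
"""Scan CloudTrail log records for three high-signal conditions (added example;
illustrative detection logic, not a CloudTrail feature): any activity by the
root user, console logins that succeeded without MFA, and API calls that stop
or weaken the trail itself.  SAMPLE_LOG is constructed to follow the CloudTrail
record schema; account id, user names and IP addresses are placeholders."""
import json
from typing import Any, Dict, List, Tuple

# Calls on the cloudtrail.amazonaws.com event source that blind the audit trail.
TRAIL_TAMPERING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample in the shape of one delivered CloudTrail log file.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2023-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Steve",
                      "arn": "arn:aws:iam::123456789012:user/Steve"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-05-01T08:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Steve",
                      "arn": "arn:aws:iam::123456789012:user/Steve"},
     "requestParameters": {"bucketName": "design-team"}},
    {"eventTime": "2023-05-01T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "Mallory",
                      "arn": "arn:aws:iam::123456789012:user/Mallory"},
     "requestParameters": {"name": "management-events"}},
]})

Finding = Tuple[str, str, str, str]  # (rule, eventTime, actor ARN, sourceIPAddress)


def analyze(records: List[Dict[str, Any]]) -> List[Finding]:
    """Apply the three rules to a list of CloudTrail records, in log order."""
    findings: List[Finding] = []
    for rec in records:
        identity = rec.get("userIdentity") or {}
        actor = identity.get("arn", "<unknown>")
        when, ip = rec.get("eventTime", ""), rec.get("sourceIPAddress", "")
        # Real records carry null (not a missing key) for these on many events,
        # so `or {}` is needed rather than a dict default in .get().
        response = rec.get("responseElements") or {}
        extra = rec.get("additionalEventData") or {}

        if identity.get("type") == "Root":
            findings.append(("root_activity", when, actor, ip))
        if (rec.get("eventName") == "ConsoleLogin"
                and response.get("ConsoleLogin") == "Success"
                and extra.get("MFAUsed") != "Yes"):
            findings.append(("console_login_without_mfa", when, actor, ip))
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and rec.get("eventName") in TRAIL_TAMPERING_CALLS):
            findings.append(("trail_tampering", when, actor, ip))
    return findings


def analyze_log(log_file_text: str) -> List[Finding]:
    """Parse one delivered log file (a JSON object with a Records array)."""
    return analyze(json.loads(log_file_text)["Records"])


if __name__ == "__main__":
    for rule, when, actor, ip in analyze_log(SAMPLE_LOG):
        print(f"{when} {rule:<26} {actor} from {ip}")
```

Note that the root sign-in is flagged even though it used MFA: any root activity outside a planned break-glass procedure is worth a ticket. The same three rules can be expressed as CloudWatch metric filters or EventBridge rules on a trail; the plain-Python form here is what you would run over archived S3 log files during an investigation.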
AWS Shield is a managed service that protects applications running on AWS from Distributed Denial of Service (DDoS) attacks. It provides always-on detection and automatic inline mitigation that minimise application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
AWS Shield Standard protects your applications from the most common network-layer and transport-layer DDoS attacks that target websites and applications.
AWS Shield Advanced protection can additionally be added for the following resource types:
AWS WAF is a web application firewall that helps protect your web applications and APIs against common web exploits and bots that can affect availability, compromise security or consume excessive resources. It gives you control over how traffic reaches your application: you create security rules that control traffic and block common attack patterns such as SQL injection and cross-site scripting.
After creating an AWS WAF web access control list (web ACL), create or update a CloudFront distribution to associate it with the web ACL. You can associate as many CloudFront distributions as you want with the same web ACL, or use different web ACLs for different distributions; each distribution is associated with at most one web ACL at a time.
Learn more about AWS Web Application Firewall: An Overview here.
These are a few of the AWS services that secure your application and infrastructure. Using them, you can control the security posture of your infrastructure and keep control over your users by granting them only the IAM permissions they need.
Deploying AWS WAF and AWS Shield in your AWS environment is easy and will help you stay on top of your ever-increasing business security requirements.
CloudThat is also an official AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner and a Microsoft Gold Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on the technological intricacies of the cloud space. Our blogs, webinars, case studies and white papers support all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding security, IAM or logging services on AWS, and I will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat's offerings.