root user
When an AWS account is created, the root user (the identity tied to the e-mail address used to open the account) has full access to every service and resource in the account, and IAM policies cannot restrict it.
root user best practices
Protect it heavily and delegate specific powers for day-to-day operations to other IAM users or roles.
IAM Policies
Policies are JSON documents attached to IAM identities (users, groups, roles) or to resources; each statement allows or denies a set of actions on a set of resources, optionally under conditions.
What format are policies generally written in?
JSON
How to lock down the root account?
Delete any access keys associated with the root user
Assign a long, complex password and store it in a secure password vault
Enable MFA for the root account
Wherever possible, do not use root to perform administrative operations.
Create a separate IAM user for administration and attach the AdministratorAccess managed policy to it
Admin vs. root
Even with AdministratorAccess attached, an IAM user cannot perform the root-only tasks, such as creating or deleting account-wide budgets or enabling MFA Delete on an S3 bucket.
My Security Credentials page (top-right corner in console)
where a user can manage the following:
Updating the password used for console access
Activating or managing MFA
Generating or deleting access keys for managing your AWS resources through the AWS CLI or the programming SDKs
Generating CloudFront key pairs used to sign URLs for your Amazon CloudFront distributions
Generating X.509 certificates for signing legacy SOAP (Simple Object Access Protocol) requests
Retrieving your 12-digit AWS account ID and, for use with legacy S3 ACLs, your canonical user ID
Access keys
An access key ID plus a secret access key; together they authenticate programmatic or CLI-based access. They are long-lived credentials, so treat them like passwords.
Access Keys - Best practices
Rotate them regularly (every 60-90 days)
Delete old keys that are no longer in use
If a user has no programmatic access need, do not create keys for that user at all
IAM Groups
Collections of users that share the same permissions (developers, managers, admins, etc.); attach policies to the group rather than to each user.
IAM Roles
An identity with a permissions policy but no long-term credentials; a trusted user or service assumes the role and receives temporary credentials from STS for a limited session.
4 categories of trusted entities (declared in the role's trust policy)
An AWS service
Another AWS account, identified by account ID
A web identity that authenticates through an OIDC provider such as Login with Amazon, Amazon Cognito, Facebook or Google
SAML 2.0 federation
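The trusted-entity categories above, the JSON policy format, and the AdministratorAccess comparison all come together in the policy documents a role carries. The following is an added example (not the flashcards' content and not AWS's code): it builds a trust policy for each of the four trusted-entity types with the Principal shape and `sts:*` action IAM requires for that type, lints a trust policy for principals that are broader than intended, and recognises the "Allow * on *" shape that AdministratorAccess has. The account IDs, the SAML provider name and the Cognito identity pool ID are placeholders.

```python
"""Build and lint IAM JSON policy documents.

Added example. Account IDs, the SAML provider name and the Cognito identity
pool ID are placeholders; the Principal shapes and sts:* actions are the ones
IAM requires for each kind of trusted entity.
"""
import json

OWN_ACCOUNT = "123456789012"  # placeholder account ID
VERSION = "2012-10-17"        # current policy-language version


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _policy(statement):
    return {"Version": VERSION, "Statement": [statement]}


# --- trust policies: one per trusted-entity category ---

def trust_aws_service(service):
    """Role assumed by an AWS service, e.g. 'ec2.amazonaws.com' or 'lambda.amazonaws.com'."""
    return _policy({"Effect": "Allow", "Principal": {"Service": service},
                    "Action": "sts:AssumeRole"})


def trust_account(account_id, external_id):
    """Cross-account role; the ExternalId condition blocks confused-deputy abuse by a third party."""
    return _policy({"Effect": "Allow",
                    "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                    "Action": "sts:AssumeRole",
                    "Condition": {"StringEquals": {"sts:ExternalId": external_id}}})


def trust_web_identity(provider, audience):
    """Web identity via an OIDC provider. For Cognito, provider is
    'cognito-identity.amazonaws.com' and audience is the identity pool ID."""
    return _policy({"Effect": "Allow", "Principal": {"Federated": provider},
                    "Action": "sts:AssumeRoleWithWebIdentity",
                    "Condition": {"StringEquals": {f"{provider}:aud": audience}}})


def trust_saml(provider_name, account_id=OWN_ACCOUNT):
    """SAML 2.0 federation through an IAM SAML provider resource."""
    return _policy({"Effect": "Allow",
                    "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
                    "Action": "sts:AssumeRoleWithSAML",
                    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}})


# --- checks ---

def lint_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Return findings for trust statements that let more principals in than intended."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        conditioned = bool(stmt.get("Condition"))
        # Principal "*" or {"AWS": "*"} means any AWS principal can assume the role.
        if principal == "*" or any("*" in _as_list(v) for v in principal.values()):
            if not conditioned:
                findings.append(f"statement {i}: any principal may assume this role (no Condition)")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            account = arn.split(":")[4] if arn.count(":") >= 5 else ""
            if account != own_account and not conditioned:
                findings.append(f"statement {i}: external account {account} trusted without ExternalId")
    return findings


def grants_full_admin(policy):
    """True if the document has the shape of AdministratorAccess: Allow Action * on Resource *."""
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_account("999999999999", "example-external-id"), indent=2))
    print(lint_trust_policy(_policy({"Effect": "Allow", "Principal": {"AWS": "*"},
                                     "Action": "sts:AssumeRole"})))
```

The linter deliberately accepts a trust on your own account's `:root` without a condition, because that pattern just delegates the decision to IAM policies inside the same account; a foreign account's `:root` without an `ExternalId` (or another condition) is the case that has been abused in practice.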
Authentication Tools
Amazon Cognito
AWS Managed Microsoft AD (what crosslink uses with Identity Center)
AWS IAM Identity Center (formerly AWS Single Sign-On)
AWS Key Management Service
AWS Secrets Manager
AWS CloudHSM
AWS Resource Access Manager (AWS RAM)
Amazon Cognito
Provides mobile and web app developers with two important functions:
Through Cognito user pools, add user sign-up and sign-in to your applications
Through Cognito identity pools, give those users temporary, controlled AWS credentials to access other services in your account
AWS Managed Microsoft AD
A genuine Microsoft Active Directory run for you by AWS Directory Service (which also offers Amazon Cloud Directory); it can serve as the identity source for Identity Center. We use that with Identity Center.
AWS Single Sign-On, now known as IAM Identity Center
Provides users with one sign-on across multiple AWS accounts and applications, authenticating against an existing Microsoft Active Directory or an external identity provider and authorizing through permission sets. (xlink uses this to use one sign-on for 3 environments)
AWS Key Management Service
Creates and controls the encryption keys that protect your data; most AWS services integrate with it so that encryption at rest is a configuration option, and every use of a key is logged in CloudTrail.
AWS Secrets Manager
Instead of hard-coding credentials (database passwords, API keys, third-party tokens) into application code, store them in Secrets Manager, fetch them at runtime under IAM-controlled access, and let it rotate them on a schedule.
AWS CloudHSM (Hardware Security Module)
Provisions clusters of single-tenant hardware security modules inside your VPC; your applications perform key generation, signing and encryption on the HSM, and AWS has no access to the key material.
CloudHSM use cases
Keys held in dedicated, single-tenant HSMs (third-party hardware) under your exclusive control
FIPS 140-2 Level 3 validated hardware
Integration with applications through standard interfaces: PKCS#11, Java JCE (Java Cryptography Extension) and Microsoft CNG
High-performance in-VPC cryptographic offload (bulk crypto, e.g. TLS termination)
AWS Resource Access manager (AWS RAM)
Safely share AWS resources (for example subnets or transit gateways) with other accounts in your organization or with external accounts, without duplicating them.