Securely manage identities and access to AWS services and resources
IAM Key features
Authentication
- Principals (IAM user, federated user, application, IAM role) make requests to perform actions
- Credential types: root user, IAM username/password, access key ID and secret access key, MFA (multi-factor authentication)
- IAM users, AWS services and federated users assume a role to obtain temporary access to AWS resources
- An Identity Provider (IdP, e.g. Active Directory) hosts and manages the user database and establishes trust with AWS so that its users can authenticate via the SAML 2.0 or OpenID Connect (OIDC) protocols
Status Reports
Console->IAM->Access reports
- Credential report: lists unused access keys and users; refreshed every 4 hours
- Access Analyzer: findings (tracking period, regional, scoped to an account or an organization, paid feature); two analyzer types (External Access / Unused Access); actions [Archive | Remediate]
- Organization activity: requires AWS Organizations
- Service Control Policies (SCPs): require AWS Organizations
Amazon Resource Name (ARN)
ARN: uniquely identifies a resource within AWS
arn:<partition [aws|aws-cn|aws-us-gov]>:<service>:<region>:<account id>:<resource, format is service-specific>
Example (IAM is a global service, so the region field is left empty): arn:aws:iam::123456789012:role/role1
Authorization
- Users and Groups
- Principle of least privilege
- Groups are identities that carry permissions but are not principals
- Security credentials: Console->Account drop-down list (top-right corner)->Security Credentials (MFA, access keys, X.509 certificates; root user only: CloudFront key pair for signing URLs)

- Policy types:
  - Identity-based policy: attached to identities
  - Resource-based policy: attached to resources
  - Organizations SCP (Service Control Policy): applied at account level or Organizational Unit (OU) level
  - Access Control List (ACL): additional non-JSON access control policy attached to a resource; controls which principals may access that resource
  - Permission boundary: caps the permissions an entity can be granted; applies to entities only (users and roles)
  - Session policy: limits the permissions granted to a user or role for a single CLI/API session
- Policy structure: JSON document consisting of Effect [Allow|Deny], [Not]Principal*, Action, [Not]Resource* and Condition* (use the policy creation tool)
- PassRole permission (iam:PassRole): lets a user pass a role to an AWS service, i.e. controls which roles can be assigned to services
- aws:ViaAWSService: Boolean condition key that allows or denies access when the request is made by an AWS service calling another service on the principal's behalf
- Policy evaluation logic: check for an explicit Deny -> check for an explicit Allow -> otherwise the default is an implicit Deny
- Policy best practices: prefer AWS managed policies, require MFA, rotate credentials, principle of least privilege, test with the policy simulator
AWS STS
- AssumeRole API family:
  - AssumeRole
  - AssumeRoleWithSAML
  - AssumeRoleWithWebIdentity: returns temporary security credentials for a mobile/web user who authenticated with a web identity provider over OAuth 2.0; session duration up to the role's maximum; identify the user through CloudTrail
Control Tower

- Runs on top of AWS Organizations
- Best choice when starting an organization; the landing zone provides 2 OUs [Core, Custom], CloudFormation StackSets, AWS Service Catalog, IAM Identity Center, 2 shared member accounts [Log archive {CloudTrail/Config logs}, Audit {SNS, Config aggregator}] and 1 management account
- Audit account: access from other accounts is restricted; review of the member accounts is programmatic only, through a role that is granted to Lambda functions only
- Governance rules (Control Library):
  - Proactive: CloudFormation hooks (PASS, FAIL, SKIP), scans
  - Preventive: policies (enforced or not enabled), disallowed actions
  - Detective: AWS Config rules (Clear, In violation, Not enabled), non-compliant resources
- Account Factory: automated creation of accounts
- Troubleshooting:
  - user data:
    curl http://169.254.169.254/latest/user-data
  - cloud-init log:
    cat /var/log/cloud-init-output.log
AWS Organizations
- Central account management
- Group-based account management
- Policy-based access to AWS Services
- Automated Account creation: via API
- Consolidated billing
- Service Control Policy SCP: applies to OU or member accounts
- Central auditing
Resource Access Manager RAM
Confused Deputy Prevention
- Cross-service confused deputy problem: require an external ID (the sts:ExternalId condition in the role trust policy) when the role is assumed
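The policy structure and evaluation order described under Authorization above, and the external ID control just mentioned, as an added worked example (this is not AWS or IAM code): a minimal evaluator that applies explicit Deny -> explicit Allow -> implicit Deny over JSON policy statements, and a constructed cross-account role trust policy whose AssumeRole is only allowed when the request carries the agreed sts:ExternalId. Real IAM also folds in SCPs, permission boundaries, resource policies and the Principal element; those layers are left out here. The bucket name, account IDs and external ID are constructed; the role ARN reuses the one from the config file later on this page.

```python
"""Added example: a minimal IAM-style policy evaluator (not AWS code).

Evaluation order, as in the notes: a matching explicit Deny ends evaluation,
a matching explicit Allow grants unless a Deny also matches, and with neither
the request is implicitly denied. Only the StringEquals condition operator is
implemented, which is enough to show the sts:ExternalId check.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Most IAM elements accept a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """A context key that is absent from the request fails the condition."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
            if not _matches(actions, action.lower()):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins immediately
            decision = "Allow"  # explicit allow, unless a later statement denies
    return decision


# Constructed identity-based policy: full access to one bucket, but never delete.
IDENTITY_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}]

# Constructed trust policy for a cross-account role: AssumeRole is only
# allowed when the caller supplies the agreed external ID, so a third party
# cannot be tricked into assuming the role for someone else (confused deputy).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # constructed partner account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

ROLE_ARN = "arn:aws:iam::123456789012:role/role1"


def assume_role_decision(external_id=None):
    """Evaluate a cross-account AssumeRole request against the trust policy."""
    context = {"sts:ExternalId": external_id} if external_id else {}
    return evaluate([TRUST_POLICY], "sts:AssumeRole", ROLE_ARN, context)


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(IDENTITY_POLICIES, "s3:GetObject", obj))                       # Allow
    print(evaluate(IDENTITY_POLICIES, "s3:DeleteObject", obj))                    # Deny
    print(evaluate(IDENTITY_POLICIES, "s3:GetObject", "arn:aws:s3:::other/x"))    # ImplicitDeny
    print(assume_role_decision("example-external-id"))                            # Allow
    print(assume_role_decision())                                                 # ImplicitDeny
```

The DeleteObject case is the one to notice: the Allow on `s3:*` matches first, yet the later explicit Deny still wins, which is why a Deny statement is the reliable way to carve an exception out of a broad grant. The trust policy shows the external ID failing closed: a missing or wrong `sts:ExternalId` never reaches the Allow, so the call falls through to the implicit deny.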
Third Party Access
Integration with Identity Providers
- OpenID Connect (OIDC): establish trust with the IdP; no custom sign-in code needed
- SAML 2.0: federated authentication
- Active Directory
- Cognito
Lambda Authorizer for API Gateway

- A Lambda function intercepts the request received by API Gateway
- Authorizer types:
  - Token-based: JWT bearer token
  - Request-parameter-based: request parameters such as headers
- The Lambda function validates the token with the OAuth or SAML provider and returns an IAM access policy (or role) for the caller
- API Gateway returns 403 ACCESS_DENIED or evaluates the returned policy to call the backend service, and caches the result
Amazon Cognito: implement secure, frictionless customer identity and access management that scales
Key Features
- Web and Mobile Apps
- User pools
- Identity pools
Amazon Cognito Components
- User pool: Authentication, user directory, standard tokens
- Identity pool: Authorization, AWS credentials, Federated identities, Guests
- Identities from other IdPs (Identity Providers such as Google, Facebook, X, Amazon, etc.)
User Pools
- Defines the user authentication flow (registration, sign-in, password resets, email/phone verification, sign-out)
- Security requirements (password complexity, MFA multi-factor authentication, password enforcement policies; scales to millions of users)
- Standard and custom attributes, e.g. [name, email] and [nickname, picture]
- Groups
- Scopes: define access levels (read/write)
Authenticate with User Pools
- Social or Trusted IdP (Google, Amazon, Apple, Facebook etc.)
- OpenId Connect (OIDC)
- SAML 2.0 (Security Assertion Markup Language)
Authenticate with Identity Pools

- Identity pool: stores identities and associates each one with a unique identifier
- Authentication is done by external identity providers (the client exchanges the provider's JWT)
- Amazon Cognito returns STS credentials to the client for access to AWS resources

JSON Web Token (JWT)
- Industry-standard token in JSON format; Cognito issues three kinds (ID, access and refresh)
- Sections: header (verification info), payload (encoded user info), signature (calculated over header and payload)
- Token types:
  - ID token: contains details about the user and confirms identity (header; claims: sub, aud, token_use, auth_time, origin_jti, jti (JWT identifier); signature)
  - Access token: authorizes API operations for the user in the user pool, carries no user profile info (header; claims: sub, cognito:groups, token_use, scope, auth_time, iss, origin_jti, jti; signature)
  - Refresh token: default TTL 30 days (configurable from 60 minutes to 10 years)
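The JWT sections and claims listed above, together with the token-based Lambda authorizer flow described earlier (validate the token, return an IAM policy to API Gateway), as one added worked example; this is not Cognito's, API Gateway's or AWS sample code. Cognito signs its tokens with RS256 and publishes the public keys at the user pool's JWKS URL; to run offline this example mints and verifies tokens with HS256 and a constructed shared secret, so the signature step is a stand-in, while the claim checks (exp, iss, token_use, client_id, cognito:groups) are the ones the notes list. The ISSUER, CLIENT_ID, SECRET, user IDs and method ARN are all constructed.

```python
"""Added example: validation performed by a token-based Lambda authorizer
before it hands an Allow/Deny policy back to API Gateway. Not AWS code."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # stand-in for the user pool's signing key (RS256/JWKS in Cognito)
ISSUER = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE"  # constructed user pool issuer
CLIENT_ID = "example-app-client-id"  # constructed app client


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build header.payload.signature, the way a test fixture would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now=None) -> dict:
    """Return the claims of a valid, unexpired access token for this user pool
    and app client; raise ValueError for anything else."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("token_use") != "access":  # an ID token must not authorize API calls
        raise ValueError("not an access token")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("client_id") != CLIENT_ID:
        raise ValueError("wrong app client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def authorizer_handler(event: dict, context=None) -> dict:
    """Lambda entry point for an API Gateway TOKEN authorizer."""
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    try:
        claims = verify_access_token(token)
        effect, principal = "Allow", claims["sub"]
        ctx = {"groups": ",".join(claims.get("cognito:groups", []))}  # passed to the backend
    except ValueError:
        effect, principal, ctx = "Deny", "anonymous", {}
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": event["methodArn"]}],
        },
        "context": ctx,
    }
```

Two behaviours are worth noting. Returning a Deny policy makes API Gateway answer 403 ACCESS_DENIED (and cache that decision for the token), whereas raising an exception with the message "Unauthorized" from the handler produces a 401 instead. And the `token_use` check matters: an ID token carries the same signature and issuer, so without it a client could present the wrong token kind and still be authorized.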
Amazon Cognito Authorizer for API Gateway
- Developer:
  - Create a user pool in Amazon Cognito
  - Create an API Gateway authorizer backed by the user pool
  - Integrate the REST API with the user pool
- End user:
  - The application requests authentication and obtains a JWT from Amazon Cognito
  - The application passes the request, with the JWT, to API Gateway to access the resource
- API Gateway:
  - Verifies the user's JWT against the Amazon Cognito user pool that issued it
  - Checks the identity token for access to the resource
  - Upon successful verification, the request is granted permission to access the target resource
- Second factors [SMS text | Time-based One-Time Password (TOTP)]
AWS STS

Linux:
export AWS_PROFILE=user1
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
Windows:
set AWS_PROFILE=user1        (current shell only; use setx AWS_PROFILE user1 to persist)
aws configure set region us-east-1 --profile user2
aws configure get region --profile user2
Configuration files
~/.aws/config
aws@LEOPARD:~/.aws$ cat config
[default]
region = us-west-2
output = json
[profile assume-role1]
role_arn = arn:aws:iam::123456789012:role/role1
source_profile = timy
role_session_name = role1_timy
[profile timy]
region = us-west-2
output = json
~/.aws/credentials
aws@LEOPARD:~/.aws$ cat credentials
[default]
aws_access_key_id = AAAaaaBBBbbb
aws_secret_access_key = XXX...xxx...XXX
[timy]
aws_access_key_id = CCCcccDDDddd
aws_secret_access_key = XXX...xxx...XXXX
aws_session_token = AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4Olgk