AWS IAM

  • Users
    • Have long-term credentials.
  • We can group them.
  • We can assign roles for short-term credentials using STS.
    • This gives them temporary access to resources and lets them perform actions with those credentials.
    • STS issues the temporary credentials for a role to a user through the AssumeRole API.
  • Some examples of roles are as follows
    • EC2 Instance Roles
      • Uses the EC2 Metadata service. One role at a time per instance.
    • Service Roles
      • API Gateway, CodeDeploy, etc.
    • Cross Account Roles
  • Policies
    • A policy is a JSON document with Effect, Action, Resource, Condition and policy variables.
    • An explicit deny takes precedence over an explicit allow.
    • Define least-privilege rules for maximum security.
      • Use Access Advisor to see all permissions granted and when each was last accessed.
      • Use IAM Access Analyser to find resources that are shared with an external entity.
    • Some commonly used policies are
      • Administrator access policy.
        • Allows access to everything.
      • Power user access policy.
    • There are three types of policies.
      • AWS managed policies
      • Customer Managed policies
      • Inline policies
        • Can be assigned to one particular user or one particular role.
        • Can evolve over time but cannot be shared across users or roles.
      • Resource-based policies
        • S3 bucket policies, SQS queue policies, etc.
      • Conditions in IAM policies
        • "Condition": {"{condition-operator}": {"{condition-key}": "{condition-value}"}}
        • Operators
          • String
            • StringEquals
            • StringLike
          • Numeric
            • NumericEquals
            • NumericNotEquals
            • NumericLessThan
          • Date
            • DateEquals
            • DateNotEquals
            • DateLessThan
          • Boolean
            • Bool
          • IP Address
            • IpAddress, NotIpAddress
          • ArnEquals, ArnLike
          • Null
    • IAM policy variables and tags
      • Example: ${aws:username}
      • The different types of IAM policy variables are as follows
        • AWS-specific variables
          • aws:CurrentTime, aws:TokenIssueTime, aws:PrincipalType, aws:SecureTransport, aws:SourceIp, aws:userid, ec2:SourceInstanceARN
        • Service-specific variables
          • s3:prefix, s3:max-keys, sns:Endpoint, s3:x-amz-acl, sns:Protocol
        • Tag-based policy variables
          • iam:ResourceTag/key-name, aws:PrincipalTag/key-name
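As an added example that is not part of the original notes, here is a small Python model of the Condition block shape, the operator families and the ${aws:username} variable listed above, run against a constructed request context; the bucket, user, tag and IP values are hypothetical.

```python
"""Minimal model of the Condition block above (added example, not AWS code): String*,
Numeric*, Date*, Bool, IpAddress/NotIpAddress, Arn* and Null operators plus
${aws:username} substitution. Simplification: a missing context key never matches."""
import fnmatch
import ipaddress
import re
from datetime import datetime

REQUEST_CONTEXT = {  # constructed sample request context (hypothetical values)
    "aws:username": "alice", "aws:SourceIp": "203.0.113.7", "aws:SecureTransport": "true",
    "aws:MultiFactorAuthAge": "900", "aws:PrincipalTag/team": "payments",
}
_CMP = {"Equals": lambda a, e: a == e, "NotEquals": lambda a, e: a != e,
        "LessThan": lambda a, e: a < e, "GreaterThan": lambda a, e: a > e}

def substitute_variables(value, ctx):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def match_operator(op, actual, expected):
    """True if one context value satisfies one condition operator."""
    if op in ("StringEquals", "ArnEquals"):
        return actual == expected
    if op in ("StringLike", "ArnLike"):          # * and ? wildcards
        return fnmatch.fnmatchcase(actual, expected)
    if op == "Bool":
        return actual.lower() == expected.lower()
    if op.startswith("Numeric"):
        return _CMP[op[7:]](float(actual), float(expected))
    if op.startswith("Date"):                    # ISO 8601, "Z" or explicit offset
        a, e = (datetime.fromisoformat(s.replace("Z", "+00:00")) for s in (actual, expected))
        return _CMP[op[4:]](a, e)
    if op in ("IpAddress", "NotIpAddress"):
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        return inside if op == "IpAddress" else not inside
    raise ValueError(f"unsupported operator {op}")

def evaluate_condition(condition, ctx):
    """Operators and keys are AND-ed; the values listed for one key are OR-ed."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            if op == "Null":  # "true" requires the key to be absent, "false" present
                if (values[0].lower() == "true") == (key in ctx):
                    return False
            elif key not in ctx or not any(
                    match_operator(op, ctx[key], substitute_variables(v, ctx)) for v in values):
                return False
    return True

# Constructed statement: each user may touch only their own "home" prefix, from the
# office range, over TLS, and only while a recent MFA login is on the session.
STATEMENT = {
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "Bool": {"aws:SecureTransport": "true"},
        "Null": {"aws:MultiFactorAuthAge": "false"},
        "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},
        "StringLike": {"aws:PrincipalTag/team": ["payments", "platform-*"]},
    },
}

def statement_matches(stmt, action, resource, ctx):
    # Action, Resource (after variable substitution) and Condition must all match.
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and fnmatch.fnmatchcase(resource, substitute_variables(stmt["Resource"], ctx))
            and evaluate_condition(stmt.get("Condition", {}), ctx))
```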
    • IAM Roles vs Resource Based Policies
      • Attach a policy to a resource (for example an S3 bucket policy) versus using a role as a proxy.
        • When a principal (user, application or service) assumes a role, it gives up its original permissions and takes the permissions assigned to the role.
        • With a resource-based policy the principal does not give up any permissions.
        • Resource-based policies are supported by Amazon S3 buckets, SNS topics, SQS queues, Lambda functions, ECR, Backup, EFS, Glacier, Cloud9, AWS Artifact, Secrets Manager, ACM, KMS, CloudWatch Logs, API Gateway, EventBridge, etc.
    • IAM permission boundaries
      • IAM permission boundaries are supported for users and roles (not groups).
      • Advanced feature that uses a managed policy to set the maximum permissions an IAM entity can get.
      • Can be used in combination with AWS Organisations SCPs.
      • Use cases
        • Delegate responsibilities to non-administrators within their permission boundaries, for example creating new IAM users.
        • Allow developers to self-assign policies and manage their own permissions while making sure they cannot escalate their privileges (make themselves admin).
        • Useful to restrict one specific user (instead of the whole account using Organisations and SCPs).
  • IAM Access Analyser
    • Find out which resources are shared externally.
      • S3 Buckets
      • IAM Roles
      • KMS keys
      • Lambda function and layers
      • SQS queues
      • Secrets manager secrets
    • We define a zone of trust, which can be an AWS account or an AWS organisation.
    • Access to the above resources from anything outside the zone of trust is reported as a finding.
    • IAM Access Analyser policy validation
      • Validates your policy against the IAM policy grammar and best practices.
      • Reports general warnings, security warnings, errors and suggestions.
      • Provides actionable recommendations.
    • IAM Access Analyser policy generation
      • Generates an IAM policy based on access activity.
      • CloudTrail logs are reviewed to generate a policy with fine-grained permissions and the appropriate actions and services.
      • Reviews CloudTrail logs for up to 90 days.
  • Identity federation in AWS
    • Give users outside of AWS permissions to access AWS resources in your account.
    • You do not need to create IAM users (user management is outside AWS).
    • Use cases
      • A corporation has its own identity system, for example Active Directory.
      • A web or mobile application that needs access to AWS resources.
    • Identity federation can be of the following types
      • SAML 2.0
        • Security Assertion Markup Language 2.0 (SAML 2.0).
        • Open standard used by many identity providers, for example ADFS.
        • Supports integration of Microsoft Active Directory Federation Services (ADFS) or any SAML 2.0-compatible IdP with AWS.
        • Access to the AWS console, AWS CLI or AWS API using temporary credentials.
        • No need to create IAM users for each of your employees.
        • Need to set up a trust between AWS IAM and the SAML 2.0 identity provider (both ways).
        • Under the hood: uses the STS API AssumeRoleWithSAML.
        • SAML 2.0 federation is the “old way”; AWS Single Sign-On (AWS SSO) federation is the new, managed and simpler way.
      • Custom Identity broker
        • If our identity provider is not compatible with SAML 2.0, then we have to use a custom identity broker.
        • The identity broker authenticates users and requests temporary credentials from AWS.
        • The identity broker must determine the appropriate IAM role.
        • Uses the STS API AssumeRole or GetFederationToken.
      • Web identity federation with Amazon Cognito
        • Preferred method for web identity federation.
        • Create IAM roles for Cognito with the least privilege needed.
        • Build trust between the OIDC IdP and AWS.
        • Cognito benefits
          • Supports anonymous users.
          • Supports MFA
          • Data synchronisation.
        • Cognito replaces a token vending machine (TVM).
        • After authenticating with web identity federation, you can identify the user with an IAM policy variable.
      • Web identity federation without Amazon Cognito
        • Not recommended by AWS.
          • Use Cognito instead.
        • The client gets security credentials using the AssumeRoleWithWebIdentity API once its security token has been validated.
      • Single sign-on (SSO)
  • Microsoft Active Directory and AWS Directory Service
    • Microsoft Active Directory (AD)
      • Found on any Windows Server with AD Domain Services.
      • Database of objects: user accounts, computers, printers, file shares, security groups.
      • Centralised security management: create accounts, assign permissions.
      • Objects are organised in trees.
      • A group of trees is called a forest.
    • Active Directory Federation Services (ADFS)
      • ADFS provides single sign-on across applications.
      • SAML across third parties: AWS console, Dropbox, Office 365, etc.
    • AWS Directory Service
      • AWS Managed Microsoft Active Directory
        • Create your own Active Directory in AWS, manage users locally, supports MFA.
        • Establish “trust” connections with your on-premises Active Directory.
        • Managed service: Microsoft Active Directory in your AWS VPC.
        • EC2 Windows instances:
          • EC2 Windows instances can join the domain and run traditional AD applications like SharePoint, etc.
          • Seamlessly domain-join Amazon EC2 instances from multiple accounts and VPCs.
        • Integrations
          • RDS for SQL Server, AWS WorkSpaces, QuickSight.
          • AWS SSO to provide access to third-party applications.
        • Standalone repository in AWS or joined to on-premises Active Directory.
        • Multi-AZ deployment of Active Directory in 2 availability zones; the number of domain controllers can be increased for scaling.
        • Automated backups.
        • Automated multi-region replication of your directory.
        • Connect to on-premises Active Directory.
          • Ability to connect an on-premises Active Directory to AWS Managed Microsoft AD.
          • Must establish a Direct Connect (DX) or VPN connection.
          • Can set up three kinds of forest trust
            • One way trust
              • AWS => On-Premise
            • One way trust
              • On-Premise => AWS
            • Two way forest trust
              • AWS <=> On-Premise
          • A forest trust is different from synchronisation (replication is not supported).
      • AWS Directory Service / AD Connector
        • Directory gateway (proxy) that redirects to the on-premises Active Directory; supports MFA.
        • Users are managed in the on-premises Active Directory.
        • AD Connector is a directory gateway that redirects directory requests to your on-premises Microsoft Active Directory.
        • No caching capability.
        • Manage users solely on-premises; no possibility of setting up a trust.
        • Requires VPN or Direct Connect.
        • Does not work with SQL Server, does not do seamless domain join, cannot share the directory.
      • Simple AD
        • Active Directory-compatible managed directory on AWS.
        • Cannot be joined with on-premises Active Directory.
        • Simple AD is an inexpensive Active Directory-compatible service with common directory features.
        • Supports joining EC2 instances and managing users and groups.
        • Does not support MFA, RDS SQL Server or AWS SSO.
        • Small: 500 users, large: 5000 users.
        • Powered by Samba 4, compatible with Microsoft AD.
        • Lower cost, low scale, basic AD compatibility and LDAP compatibility.
        • No trust relationship.
  • Active Directory replication (architecture)
    • You may want to create a replica of your Active Directory on EC2 in the cloud to minimise latency in case Direct Connect or VPN goes down.
    • Establish a trust between AWS Managed Microsoft AD and the EC2 replica.
  • AWS Organisations
    • Helps us manage multiple AWS accounts.
    • The root organisational unit (OU) is the topmost in the hierarchy
      • Management account
      • Member accounts (e.g. an OU for Dev)
      • OU for Prod
        • Contains OUs for other accounts like HR, Finance, etc.
    • There is a role “OrganizationAccountAccessRole” which is automatically created for every member account.
      • Whenever the management account wants to perform administrative actions in a member account, it assumes that account’s “OrganizationAccountAccessRole”.
      • This role is also called the IAM role for the account.
      • The role grants full administrator permissions in the member account to the management account.
      • Used to perform admin tasks in the member accounts, for example creating IAM users.
      • Could be assumed by IAM users in the management account.
      • Automatically added to all new member accounts created with AWS organisations.
      • Must be created manually if you invite an existing member account.
    • Includes the consolidated billing feature and SCPs.
    • Invited accounts must approve enabling all features.
    • Ability to apply an SCP to prevent member accounts from leaving the organisation.
    • Cannot switch back to consolidated billing features only.
  • Multi-account strategies
    • Create accounts per department, per cost centre, per dev/test/prod, based on regulatory restrictions (using SCPs), for better resource isolation (e.g. VPC), to have separate per-account service limits, or as an isolated account for logging.
    • Multi-account versus one account with multiple VPCs.
    • Use tagging standards for billing purposes.
    • Enable CloudTrail on all accounts and send logs to a central S3 account.
    • Send CloudWatch Logs to a central logging account.
    • Strategy to create a dedicated account for security.
    • AWS Organisations feature models.
  • Consolidated billing features:
    • Consolidated billing across all accounts: single payment method.
    • Pricing benefits from aggregated usage (volume discounts for EC2, S3, etc.).
  • AWS Organisations – reserved instances
    • For billing purposes, the consolidated billing feature of AWS Organisations treats all the accounts in the organisation as one account.
    • All the accounts in the organisation can receive the hourly cost benefit of reserved instances that are purchased by any other account.
    • The payer account (management account) of an organisation can turn off reserved instance discount and Savings Plans discount sharing for any accounts in that organisation, including the payer account.
    • This means that reserved instance and Savings Plans discounts are not shared with any accounts that have sharing turned off.
    • To share a reserved instance or Savings Plans discount with an account, both accounts must have sharing turned on.
  • Moving accounts
    • Remove the member account from the AWS organisation.
    • Send an invite to the member account from the new AWS organisation.
    • Accept the invite to the new organisation from the member account.
  • AWS Organisations policies
    • Service control policies (SCPs)
      • Define an allowlist or blocklist of IAM actions.
      • Applied at the OU or account level.
      • Does not apply to the management account.
      • An SCP is applied to all the users and roles in the account, including the root user.
      • The SCP does not affect service-linked roles.
        • Service-linked roles enable other AWS services to integrate with AWS Organisations and cannot be restricted by SCPs.
      • An SCP must have an explicit allow (it does not allow anything by default).
      • Use cases:
        • Restrict access to certain services, for example EMR.
        • Enforce PCI compliance by explicitly disabling services.
    • Service control policies are often applied in a hierarchy where the root (management account) has full access.
      • A policy derived from the root with deny rules for a resource will then deny access to that resource.
      • We can further derive a policy from the above policy which denies access to other resources in addition to the resources already denied in the parent policy.
    • SCPs work on a blocklist and allowlist strategy.
    • IAM policy evaluation logic (sequence of checks)
      • We proceed to the next check only if the previous check results in an allow.
      • The sequence of checks is as follows
        • Deny evaluation.
        • Organisation SCPs
        • Resource-based policies
        • Identity-based policies
        • IAM permission boundaries
        • Take the access decision.
      • If all the above policies allow, the action is permitted.
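The evaluation sequence above as an added Python model that is not part of the original notes; it also exercises the permission-boundary (developers cannot escalate) and SCP cases from the earlier sections. Policy contents and bucket names are constructed, and the model assumes a same-account IAM user whom the resource-based policy's Principal already names, so the Principal element is left out.

```python
"""Model of the evaluation sequence listed above (added example, not AWS code):
explicit deny, then SCPs, resource-based policy, identity-based policies and the
permission boundary. Statements carry Effect/Action/Resource only (no Condition)."""
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def has_effect(policies, effect, action, resource):
    """True if any statement in any of the policies matches with the given Effect."""
    return any(s["Effect"] == effect and _matches(s, action, resource)
               for p in policies for s in p["Statement"])

def evaluate(action, resource, *, scps=None, resource_policy=None,
             identity_policies=(), boundary=None):
    """Walk the checks in the notes' order for an IAM user in the resource's account.

    scps=None means the principal is in the management account (SCPs do not apply);
    boundary=None means no boundary is set. Returns (decision, deciding stage).
    """
    attached = [*identity_policies, *(scps or []),
                *([resource_policy] if resource_policy else []), *([boundary] if boundary else [])]
    if has_effect(attached, "Deny", action, resource):           # 1. explicit deny wins
        return "Deny", "explicit deny"
    if scps is not None and not has_effect(scps, "Allow", action, resource):
        return "Deny", "SCP"                                      # 2. SCP has no explicit allow
    if resource_policy and has_effect([resource_policy], "Allow", action, resource):
        return "Allow", "resource-based policy"                  # 3. same-account grant suffices
    if not has_effect(identity_policies, "Allow", action, resource):
        return "Deny", "identity-based policy (implicit deny)"   # 4. nothing allows it
    if boundary and not has_effect([boundary], "Allow", action, resource):
        return "Deny", "permission boundary"                      # 5. boundary caps the allow
    return "Allow", "identity-based policy"

# Constructed sample policies (hypothetical bucket names).
DEV_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}   # too broad on its own
BOUNDARY = {"Statement": [   # caps developers: S3 plus read-only IAM, no user creation
    {"Effect": "Allow", "Action": ["s3:*", "iam:Get*", "iam:List*"], "Resource": "*"}]}
AUDIT_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::audit-logs/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::audit-logs/*"}]}

def developer_request(action, resource, resource_policy=None):
    """A developer in a member account under DEV_SCP with BOUNDARY applied."""
    return evaluate(action, resource, scps=[DEV_SCP], resource_policy=resource_policy,
                    identity_policies=[DEVELOPER_POLICY], boundary=BOUNDARY)
```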
    • Using SCP to restrict creating resources without appropriate tags
      • Prevent IAM users/roles in the affected member accounts from creating resources if they do not have specific tags.
      • Example: deny launching an EC2 instance if it does not have the “project” and “cost centre” tags.
  • Restricting tags with IAM policies
    • You can restrict specific tags on AWS resources.
    • Using the aws:TagKeys condition key.
      • Validates the tag keys attached to a resource against the tag keys in the IAM policy.
    • Example: allow IAM users to create EBS volumes only if they have the “ENV” and “costCenter” tags.
    • Use either ForAllValues (must have all keys) or ForAnyValue (must have at least one of these keys).
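An added Python example, not from the original notes, of how the two set operators evaluate on aws:TagKeys for the EBS example above, with constructed CreateVolume tag sets. It makes one caveat visible: ForAllValues restricts which keys may appear and also matches a request that carries no tags at all, so requiring both keys needs a separate presence check on aws:RequestTag/<key>.

```python
"""How the ForAllValues / ForAnyValue set operators behave on the multivalued
aws:TagKeys key (added example, not AWS code), using the notes' EBS example with
constructed CreateVolume tag sets. Only the StringEquals family and Null are modelled."""

def _as_list(v):
    return v if isinstance(v, list) else [v]

def set_operator_matches(op, request_values, policy_values):
    """One set-operator condition on a multivalued context key.

    ForAllValues: every request value must be in the policy set, and an EMPTY
    request set also matches. ForAnyValue: at least one request value must be
    in the policy set, so an empty request set never matches.
    """
    qualifier, base = op.split(":", 1)
    if base == "StringEqualsIgnoreCase":
        req, pol = {v.lower() for v in request_values}, {v.lower() for v in policy_values}
    elif base == "StringEquals":
        req, pol = set(request_values), set(policy_values)
    else:
        raise ValueError(f"unsupported operator {base}")
    if qualifier == "ForAllValues":
        return req <= pol
    if qualifier == "ForAnyValue":
        return bool(req & pol)
    raise ValueError(f"unsupported qualifier {qualifier}")

def condition_matches(condition, request_tags):
    """request_tags: the tags sent with a create request; derive the context keys."""
    ctx = {"aws:TagKeys": list(request_tags)}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    for op, keys in condition.items():
        for key, expected in keys.items():
            if op.startswith(("ForAllValues:", "ForAnyValue:")):
                if not set_operator_matches(op, ctx.get(key, []), _as_list(expected)):
                    return False
            elif op == "StringEquals":
                if ctx.get(key) not in _as_list(expected):
                    return False
            elif op == "Null":   # "false" requires the key to be present
                if (key in ctx) == (expected.lower() == "true"):
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True

# Only approved keys may appear, but a request with NO tags passes too.
ONLY_APPROVED_KEYS = {"ForAllValues:StringEquals": {"aws:TagKeys": ["ENV", "costCenter"]}}
# Both keys must be present and nothing else: add a presence check per key.
BOTH_KEYS_REQUIRED = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["ENV", "costCenter"]},
    "Null": {"aws:RequestTag/ENV": "false", "aws:RequestTag/costCenter": "false"},
}
# At least one approved key; other keys are tolerated.
ANY_APPROVED_KEY = {"ForAnyValue:StringEquals": {"aws:TagKeys": ["ENV", "costCenter"]}}
# Tighten further: ENV may only take approved values.
BOTH_KEYS_AND_ENV_VALUE = {**BOTH_KEYS_REQUIRED,
                           "StringEquals": {"aws:RequestTag/ENV": ["dev", "prod"]}}
```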
  • AWS Organisations – tag policies
    • Helps you standardise tags across resources in an AWS organisation.
    • Ensures consistent tags, audits tagged resources and maintains proper resource categorisation.
    • You define tag keys and their allowed values.
    • Helps with AWS cost allocation tags and attribute-based access control.
    • Prevents any non-compliant tagging operation on specific services and resources.
    • Generates a report that lists all tagged and non-compliant resources.
  • AWS Organisations – AI services opt-out policies
    • Certain AWS AI services may use your content for continuous improvement of Amazon AI/ML services.
      • Example: Amazon Lex, Amazon Comprehend, Amazon Polly, etc.
    • You can opt out of having your content stored or used by AWS AI services.
    • Create an opt-out policy that enforces this setting across all member accounts and AWS regions.
    • You can opt out of all AI services or selected services.
    • Can be attached to the organisation root, a specific OU or an individual member account.
  • AWS Organisations – backup policies
    • AWS Backup enables you to create backup plans that define how to back up your AWS resources.
    • Backup policies are JSON documents that define backup plans across an AWS organisation.
    • Gives you granular control over backing up your resources (e.g. backup frequency, time window, backup region).
    • Can be attached to the organisation root, a specific OU or an individual member account.
    • Immutable backup plans appear in the member accounts (view only).
  • AWS IAM Identity Centre
    • Successor to AWS Single Sign-On.
    • One login (single sign-on) for the following:
      • AWS accounts in an AWS organisation.
      • Business cloud applications (Salesforce, Box, Microsoft 365, etc.).
      • SAML 2.0-enabled applications.
      • EC2 Windows instances.
    • Identity providers
      • Built-in identity store in IAM Identity Centre.
      • Third-party: Active Directory (AD), OneLogin, Okta, etc.
    • We set up Identity Centre in the management account.
      • We can assign permission sets on OUs to the users in Identity Centre.
      • Permissions can be granted at the following levels
        • Multi-account permissions
          • Manage access across AWS accounts in your AWS organisation.
          • Permission sets are a collection of one or more IAM policies assigned to users and groups to define AWS access.
        • Application assignments
          • SSO to many SAML 2.0 business applications (Salesforce, Box, Microsoft 365).
          • Provide the required URLs, certificates and metadata.
        • Attribute-based access control (ABAC)
          • Fine-grained permissions based on user attributes stored in the IAM Identity Centre identity store.
          • Example: cost centre, title, locale, etc.
  • AWS Control Tower
    • Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices.
    • Benefits
      • Automate the setup of your environment in a few clicks.
      • Automate ongoing policy management using guardrails.
      • Detect policy violations and remediate them.
      • Monitor compliance through an interactive dashboard.
    • AWS Control Tower runs on top of AWS Organisations.
      • It automatically sets up AWS Organisations to organise accounts and implement SCPs (service control policies).
    • AWS Control Tower has Account Factory
      • Automates account provisioning and deployments.
    • Enables you to create pre-approved baselines and configuration options for AWS accounts in your organisation (e.g. VPC default configuration, subnets, region).
      • Uses AWS Service Catalog to provision new AWS accounts.
    • AWS Control Tower – detect and remediate policy violations
      • Guardrails
        • Provide ongoing governance for your Control Tower environment (AWS accounts).
        • Preventive: using SCPs (e.g. disallow creation of access keys for the root user).
        • Detective: using AWS Config (e.g. detect whether MFA for the root user is enabled).
        • AWS Control Tower guardrail levels
          • Mandatory
            • Automatically enabled and enforced by AWS Control Tower.
            • Example: disallow public read access to the log archive account.
          • Strongly recommended
            • Based on AWS best practices (optional).
            • Example: enable encryption for EBS volumes attached to EC2 instances.
          • Elective
            • Commonly used by enterprises.
            • Example: disallow delete actions without MFA on S3 buckets.
  • AWS Resource Access Manager (RAM)
    • Share AWS resources that you own with other AWS accounts.
    • Share with any account or within your organisation.
    • Avoids resource duplication.
    • VPC subnets
      • Allows all the resources to be launched in the same subnets.
      • Must be from the same AWS organisation.
      • Cannot share security groups or the default VPC.
      • Participants can manage their own resources.
      • Participants cannot view, modify or delete resources that belong to other participants or the owner.
    • Resources that can be shared
      • AWS Transit Gateway.
      • Route 53 (Resolver rules, DNS Firewall rule groups)
        • Helps you scale forwarding rules for your DNS in case you have multiple accounts and VPCs.
      • License Manager configurations
      • Aurora DB clusters.
      • ACM Private Certificate Authority.
      • CodeBuild projects
      • EC2 (Dedicated Hosts, Capacity Reservations)
      • AWS Glue (catalog, database, table)
      • AWS resource groups.
      • AWS Network Firewall policies.
      • Systems Manager Incident Manager (contacts, response plans).
      • AWS Outposts (outpost, site)
  • RAM – managed prefix lists
    • A set of one or more CIDR blocks.
    • Makes it easier to configure and maintain security groups and route tables.
  • Customer-managed prefix list
    • Set of CIDRs that you define and manage yourself.
    • Can be shared with other AWS accounts or AWS organisations.
    • Modify it to update many security groups at once.
  • AWS-managed prefix list
    • Set of CIDRs for AWS services.
    • You cannot create, modify, share or delete them.
