AWS IAM & Cognito Guide for Security
AWS Identities and User Management

David Tucker
TECHNICAL ARCHITECT & CTO CONSULTANT
@_davidtucker_ davidtucker.net
Least Privilege Access
When granting a user permission to access AWS resources, grant the minimum permissions needed to complete their tasks and no more.
Overview
Introducing AWS Identity and Access Management (IAM)
Reviewing the IAM identity types
Enabling Multi-factor Authentication (MFA)
Introducing Amazon Cognito
Introduction to AWS IAM
AWS Identity & Access Management (IAM)
Service that controls access to AWS resources
Using the service is free (you pay only for the resources your identities use)
Manages both authentication (who is making the call) and authorization (what they are allowed to do)
Supports identity federation through SAML 2.0 identity providers, including Active Directory via AD FS
AWS IAM Identities
Users: an account for a single individual to access AWS resources
Groups: allow you to manage permissions for a group of IAM users
Roles: enable a user or an AWS service to assume permissions for a task
Policies in AWS IAM
A JSON document that defines permissions for an AWS IAM identity (principal)
Defines both the AWS services the identity can access and which actions can be taken on each service
Can be either customer managed or managed by AWS

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "NotResource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

The first statement is an Allow: "s3:*" enables all S3 actions, and the Resource list restricts that grant to this one bucket and its contents.
The second statement is a Deny: it denies all S3 actions on any bucket that is not the one listed here. Because an explicit Deny always overrides an Allow, the identity cannot reach other buckets even if another attached policy allows it.
Note that the Deny uses "Action", not "NotAction". A Deny with "NotAction": "s3:*" would not touch S3 at all: it would deny every non-S3 action on every resource other than the bucket, and access to other buckets would be left to whatever other policies allow. Always read NotAction and NotResource as "everything except", and double-check Deny statements that use them.
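To make the Allow/Deny interaction above concrete, here is an added example (not code from the slides or from AWS) that evaluates a request against one identity-based policy using IAM's core rule: a matching explicit Deny wins, otherwise a matching Allow grants, otherwise the request is implicitly denied. BUCKET_POLICY is the policy shown above; NOTACTION_POLICY, the request ARNs and the account ID are constructed for contrast. Condition keys and cross-policy evaluation (SCPs, permissions boundaries, resource policies) are not modelled.

```python
"""Toy evaluator for one IAM identity-based policy (added example, not AWS code).

Decision rule: an explicit Deny in any matching statement wins, otherwise a
matching Allow grants, otherwise the request is implicitly denied. Wildcards
follow IAM: '*' matches any run of characters (including '/'), '?' matches
one; action names are case-insensitive, resource ARNs are case-sensitive.
"""
import fnmatch

# The policy from the slide: all S3 actions on one bucket, explicitly denied elsewhere.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "NotResource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        },
    ],
}

# Constructed contrast case: the same Deny written with NotAction. It no longer
# touches S3; it denies every non-S3 action on every non-bucket resource.
NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        BUCKET_POLICY["Statement"][0],
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        },
    ],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_matches(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    action_l = action.lower()
    if "Action" in stmt:
        action_hit = _any_match([a.lower() for a in _as_list(stmt["Action"])], action_l)
    else:  # NotAction: the statement applies to every action EXCEPT those listed
        action_hit = not _any_match([a.lower() for a in _as_list(stmt.get("NotAction"))], action_l)
    if "Resource" in stmt:
        resource_hit = _any_match(_as_list(stmt["Resource"]), resource)
    else:  # NotResource: the statement applies to every resource EXCEPT those listed
        resource_hit = not _any_match(_as_list(stmt.get("NotResource")), resource)
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for a single request."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # any matching Deny ends evaluation
        decision = "allow"
    return decision


if __name__ == "__main__":
    # Constructed sample requests (account ID and instance ID are made up).
    ec2_arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    for name, policy in (("Action", BUCKET_POLICY), ("NotAction", NOTACTION_POLICY)):
        for act, res in (
            ("s3:GetObject", "arn:aws:s3:::bucket-name/report.csv"),
            ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
            ("ec2:DescribeInstances", ec2_arn),
        ):
            print(f"{name:9} {act:22} -> {evaluate(policy, act, res)}")
```

Run it and compare the two tables: with "Action" the other bucket is explicitly denied and EC2 is merely not granted; with "NotAction" the other bucket falls back to implicit deny (so a second policy could open it) while EC2 becomes an explicit deny.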
AWS IAM Best Practices
Multi-Factor Authentication: provides additional security with either a physical or virtual device that generates a token for login
Least Privilege Access: users should only be granted access to AWS resources that are required for their current tasks
Creating and Managing IAM Users
Demo
Creating an IAM user
Configuring permissions for IAM users
Creating an IAM group
Attaching permissions to an IAM group
Enabling Multi-factor Authentication
Demo
Enabling MFA for the root user
Enabling MFA for an IAM user
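The virtual MFA device used in the demos above is an RFC 6238 TOTP generator: the authenticator app and AWS share a base32 seed at enrolment, and each 30-second code is derived from an HMAC-SHA1 over the current time step. This added example (not from the slides or from AWS) reproduces that generator in Python and adds the verifier-side checks a service must perform: constant-time comparison, a small clock-skew window, and rejection of a code that has already been accepted. The seed is the RFC 6238 reference seed, so the outputs can be checked against the RFC's published test vectors; MfaVerifier, enrollment_codes and the one-step skew window are assumptions made for illustration.

```python
"""TOTP (RFC 6238) as generated by a virtual MFA device (added example, not AWS code)."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference seed ("12345678901234567890" in base32), used so the codes can be
# checked against the RFC's test vectors. A real seed is issued by AWS at enrolment.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def totp(seed_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """HMAC-SHA1 TOTP for the time step that contains unix_time."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def enrollment_codes(seed_b32, unix_time):
    """The two consecutive codes AWS asks for when registering a virtual MFA device."""
    return totp(seed_b32, unix_time), totp(seed_b32, unix_time + STEP_SECONDS)


class MfaVerifier:
    """Server-side check of a submitted code (illustrative, not the AWS implementation)."""

    def __init__(self, seed_b32, skew_steps=1):
        self.seed_b32 = seed_b32
        self.skew_steps = skew_steps      # accept +/- this many 30 s steps of clock drift
        self.last_accepted_step = -1      # highest time step already consumed

    def verify(self, submitted, unix_time):
        current = unix_time // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # replay: this step (or an earlier one) was already used
            expected = totp(self.seed_b32, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step  # each step is accepted at most once
                return True
        return False


if __name__ == "__main__":
    print("code at T=59:", totp(RFC_SEED_B32, 59))
    v = MfaVerifier(RFC_SEED_B32)
    print("first use:", v.verify("287082", 59), "replay:", v.verify("287082", 59))
```

The replay check matters because a TOTP code is valid for the whole 30-second window plus the skew allowance; without it, an attacker who shoulder-surfs or intercepts a code can log in right behind the user.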
Amazon Cognito
A managed service that enables you to handle authentication and aspects of authorization for your custom web and mobile applications through AWS.
User directory service for custom applications (user pools)
Provides UI components for many platforms
Provides security capabilities to control account access, such as MFA and password policies
Enables controlled access to AWS resources (identity pools exchange a signed-in user's token for temporary AWS credentials)
Can work with social and enterprise identity providers
Amazon Cognito Identity Providers
Google
Amazon
Facebook
Microsoft Active Directory
SAML 2.0 providers
Summary
Introduced AWS Identity and Access Management (IAM)
Reviewed the IAM identity types
Enabled Multi-factor Authentication (MFA)
Introduced Amazon Cognito
Scenario Based Review
Scenario 1
Sylvia manages a team of DevOps engineers for her company
Each member of her team needs the same access to cloud systems
It is taking her a long time to attach permissions to each user
What approach would help Sylvia manage the team's permissions?
Solution: Use an IAM Group for the team. Attach the policies once to the group and add each engineer to it; new team members inherit the permissions when they are added.
Scenario 2
Edward works for a startup that is building a mapping visualization tool
Their EC2 servers need to access data stored within S3 buckets
Edward created an IAM user for these servers and uploaded its access keys to the servers
Is Edward following best practices for this approach? If not, what should he do?
Solution: Use an IAM Role with EC2. Attach the role to the instances through an instance profile; the instances then obtain temporary, automatically rotated credentials from the instance metadata service, so no long-lived access keys sit on the servers. Once the role is in place, the IAM user's access keys should be deactivated and removed.
Scenario 3
William is leading the effort to transition his organization to the cloud
His CIO is concerned about securing access to AWS resources with only a password
He asks William to research approaches for additional security
What approach would you recommend to William for this additional security?
Solution: Use Multi-factor Authentication (MFA) for the root user and for every IAM user, so that a password alone is not enough to sign in.
