Pablo Rodriguez

Authenticating Securing Access

IAM

Authentication

Who is requesting access to the AWS account and the resources in it?

  • Establish the identity of the requester through credentials
  • The requester could be a person or an application

Authorization

After the requester has been authenticated, what should they be allowed to do?

  • Determine whether to allow or deny the request

Think of a bank that allows customers to access accounts online:

  • Authentication: Bank must ensure the person accessing the account is actually you (username, password, MFA)
  • Authorization: You can access your own account and pay bills with your money, but cannot access another customer’s account

“With authentication, you can use the identity of requesters to control who can use your AWS resources. With authorization, you can also use access management to control what resources requesters can use and in what ways.”

IAM controls individual and group access to AWS resources with the following capabilities:

  • Fine-grained access control: Configure detailed permissions to AWS resources
  • Integration: Integrated into most AWS services for consistent access controls
  • Federation: Supports federation from corporate systems like Microsoft Active Directory and standards-based identity providers
  • Multi-factor authentication (MFA): Adds extra security layer requiring authentication codes
  • Granular permissions: Create accounts with only necessary permissions following least privilege
Term | Definition
IAM resource | User, group, role, policy and identity-provider objects stored in IAM
IAM entity | IAM resource objects that AWS uses for authentication (users and roles)
IAM identity | IAM resource objects that can be authorized in policies to perform actions and access resources (user, group, or role)
Principal | A person or application that can sign in and make requests to AWS

IAM User

A person or application that can authenticate with an AWS account. A user is given a permanent (long-term) set of credentials that remain valid until they are rotated or deactivated.

IAM Group

A collection of IAM users. Use groups to grant the same set of permissions to multiple users.

IAM Role

Similar to a user but doesn’t have long-term credentials. When assumed, provides temporary security credentials for the role session.

IAM Policy

A document that explicitly lists permissions. Can be attached to an IAM user, group, role, or any combination of these resources.
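The allow/deny decision described under Authorization, worked through in code. This is an added example, not code from the original notes or from AWS: a small simulator of how identity-based policies are evaluated (an explicit Deny always wins, and a request with no matching Allow is implicitly denied), with two constructed policies attached to groups so that users inherit them. The bucket names, group names, and user names are placeholders; Conditions and NotAction/NotResource are not modeled.

```python
"""Minimal simulator of IAM identity-based policy evaluation (added example)."""
from fnmatch import fnmatchcase

# Constructed sample policies; the bucket "reports" is a placeholder.
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
    ],
}

DENY_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        # Explicit deny on every delete action, regardless of other allows.
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request.

    Action names are matched case-insensitively, resources case-sensitively,
    with '*' and '?' wildcards as in IAM.
    """
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_ok = any(fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit deny"      # deny wins immediately
            allowed = True                  # keep looking for a deny
    return "allow" if allowed else "implicit deny"


# Group membership: a user's effective policies are those of all its groups.
GROUP_POLICIES = {"analysts": [READ_ONLY_S3], "everyone": [DENY_DELETE]}
USER_GROUPS = {"alice": ["analysts", "everyone"], "bob": ["everyone"]}


def effective_policies(user):
    """All policies a user inherits through group membership."""
    return [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES[g]]


def decide(user, action, resource):
    """Authorization decision for a request made by an authenticated user."""
    return evaluate(effective_policies(user), action, resource)


if __name__ == "__main__":
    for req in [("alice", "s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
                ("alice", "s3:DeleteObject", "arn:aws:s3:::reports/q1.csv"),
                ("alice", "s3:GetObject", "arn:aws:s3:::secrets/key"),
                ("bob", "s3:GetObject", "arn:aws:s3:::reports/q1.csv")]:
        print(req, "->", decide(*req))
```

The three possible outcomes map directly to the notes: alice reading from the reports bucket is allowed by her group policy, her delete is stopped by the explicit deny even though she is otherwise trusted on that bucket, and bob, who only belongs to "everyone", is implicitly denied because nothing allows him anything.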

Action | Credentials needed
Sign in to the AWS Management Console | Username and password
Run commands from the AWS CLI | AWS access key*
Make programmatic calls to AWS | AWS access key*

*An AWS access key is a combination of an access key ID and a secret key.

  • Principle of least privilege: “Assign users, groups, and roles with the minimum necessary permissions to perform their tasks”
  • MFA: “Adds an extra layer of security for your root user by requiring a code that is generated by a hardware or software token during sign-in”
  • Temporary credentials: Use identity federation to provide access to AWS accounts by assuming IAM roles
  • Access key rotation: Use the access key last used information to rotate and remove access keys regularly
  • AWS Organizations: Consolidate multiple AWS accounts to manage billing, access control, and resources centrally
  • AWS CloudTrail: “Have a record of all the actions that are taken in an account, which makes it easier to identify possible security risks”

  • For daily tasks, create an administrative user in AWS IAM Identity Center
  • Only use the root user for tasks that other users cannot perform

  1. Log in as the root user, and set up MFA on the root user
  2. Create a new admin user, add MFA, and download the programmatic keys
  3. Log out as the root user
  4. Log in as the admin user
  5. Create user accounts with separate policies and permissions

  • Attach IAM policies to IAM groups
  • Assign IAM users to IAM groups

“An IAM user who is a member of an IAM group inherits the permissions that are attached to that group.”
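The MFA, root-user and access-key-rotation practices above can be checked mechanically. This is an added example, not code from the original notes or from AWS: it audits a constructed credential report (the real one is produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report`) for users with a console password but no MFA, root-user access keys, keys older than a rotation limit, and keys that have gone unused. The report text below uses a subset of the real report's column names with invented rows; the 90-day and 45-day thresholds and the account id are assumptions, not AWS defaults.

```python
"""Credential-report audit for IAM hygiene findings (added example)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the credential report's CSV layout (subset of columns).
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2023-01-10T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2023-01-10T09:05:00+00:00,2024-04-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-06-01T09:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-04-01T08:00:00+00:00,N/A,true,true,2024-03-15T09:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2022-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-02-01T09:05:00+00:00,2023-12-01T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A
"""

# Fixed "now" so the findings are reproducible; use datetime.now(timezone.utc) live.
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90     # assumed rotation limit
MAX_KEY_IDLE_DAYS = 45    # assumed "unused, remove it" limit


def _parse(ts):
    """Report timestamps are ISO 8601; several placeholder strings mean 'none'."""
    if ts in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)


def audit(report_csv=REPORT_CSV, now=NOW):
    """Return (user, finding) pairs for every hygiene problem in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        # Console sign-in without MFA (applies to the root user as well).
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root should not hold programmatic keys at all.
                findings.append((user, f"root user has active access key {slot}"))
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE_DAYS} days"))
            last_used = _parse(row[f"access_key_{slot}_last_used_date"])
            if last_used and (now - last_used).days > MAX_KEY_IDLE_DAYS:
                findings.append((user, f"access key {slot} unused for {MAX_KEY_IDLE_DAYS}+ days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```

Run against the sample, the audit reports nothing for alice (MFA on, key rotated recently and in use), three findings for the root user, and two for the ci-bot service account whose key is both stale and idle.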

  • Provides temporary security credentials
  • Isn’t uniquely associated with one person
  • Can be assumed by a person, application, or service
  • Is often used to delegate access

  • EC2 applications: Application running on Amazon EC2 needs access to AWS resources
  • Cross-account access: IAM user in one AWS account needs temporary access to resources in another account
  • Mobile applications: Need access to AWS resources without storing credentials with the application
  • Federated users: External identities need to perform AWS tasks without creating IAM users
  1. Cross-account access: IAM user in AWS account 1 needs temporary access to an EC2 instance - create IAM role with necessary permissions that the user can assume

  2. EC2 application access: Application on EC2 instance needs S3 bucket access - create IAM role, add to instance profile, attach profile to instance

  3. Cross-account S3 access: IAM user in AWS account 2 needs S3 bucket access in AWS account 1 - create cross-account IAM role in account 1 defining account 2 as trusted entity

“When you use IAM roles, you don’t need to grant long-term security credentials to each entity that requires access to a resource.”
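The cross-account and EC2 use cases above come down to two documents per role: a trust policy (who may assume the role) and a permissions policy (what the role may do). This is an added example, not code from the original notes or from AWS: it builds both documents for a role in account 1 that account 2 may assume to read one bucket, the EC2 service trust policy used with an instance profile, and a small check that tells whether a given caller ARN is covered by a trust policy. The account ids, bucket name and caller ARNs are constructed placeholders; the check models only the `AWS` principal of an `sts:AssumeRole` statement, not conditions.

```python
"""Trust and permissions policies for a cross-account IAM role (added example)."""
import json
import re

# Constructed placeholders (not from the notes).
ACCOUNT_1 = "111111111111"   # owns the S3 bucket and the role
ACCOUNT_2 = "222222222222"   # home account of the IAM user who needs access
BUCKET = "example-shared-reports"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cross_account_trust_policy(trusted_account):
    """Role trust policy: principals in `trusted_account` may assume the role.

    Trusting the account root delegates the choice of which users or roles in
    account 2 may assume it to account 2's own IAM policies, which must also
    grant sts:AssumeRole on this role's ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def ec2_trust_policy():
    """Trust policy for a role placed in an instance profile: EC2 assumes it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_read_policy(bucket):
    """Permissions policy scoped to a single bucket (least privilege)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def can_assume(trust_policy, caller_arn):
    """True if the caller's account appears as a trusted AWS principal."""
    match = _ACCOUNT_IN_ARN.match(caller_arn)
    if not match:
        return False
    account = match.group(1)
    for statement in trust_policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement["Action"]):
            continue
        principals = _as_list(statement.get("Principal", {}).get("AWS", []))
        if account in principals or f"arn:aws:iam::{account}:root" in principals:
            return True
    return False


def role_documents(trusted_account, bucket):
    """JSON for `aws iam create-role --assume-role-policy-document` and
    `aws iam put-role-policy --policy-document`, respectively."""
    return (json.dumps(cross_account_trust_policy(trusted_account), indent=2),
            json.dumps(bucket_read_policy(bucket), indent=2))


if __name__ == "__main__":
    trust_json, perms_json = role_documents(ACCOUNT_2, BUCKET)
    print(trust_json)
    print(perms_json)
    print(can_assume(cross_account_trust_policy(ACCOUNT_2),
                     f"arn:aws:iam::{ACCOUNT_2}:user/bob"))
```

The two JSON documents are what you would pass to the CLI when creating the role in account 1; the EC2 variant swaps the `AWS` principal for the `Service` principal, which is why an instance in account 1 can assume its instance-profile role while a user in account 2 cannot.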

This section covered the fundamental concepts of authentication and authorization in AWS, focusing on IAM as the central service for managing access control through users, groups, roles, and policies while emphasizing security best practices and proper root user protection.