AWS Study Log - IAM

2023-09-05 · 133 views · 0 comments


IAM

1. Users & Groups

IAM = Identity and Access Management, Global Service
Root account created by default, shouldn’t be used or shared
Users are people within your organization; they can be grouped
Groups contain only users, not other groups
Users don’t have to belong to a group (a user can have an inline policy attached directly), and a user can belong to multiple groups
Users and groups are assigned JSON documents called policies, which define the permissions of the users
Least Privilege Principle: don’t give more permissions than a user needs

2. Policies & IAM Roles

Policy Structure:

  • Version: policy language version; always include “2012-10-17” (omitting it selects the legacy 2008-10-17 language, which has no policy variables)
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required)
    • Sid: an identifier for the statement (optional)
    • Effect: whether the statement allows or denies access (Allow, Deny)
    • Principal: the account/user/role the statement applies to; used in resource-based policies and role trust policies, omitted from identity-based policies attached to users, groups and roles (the principal is implicit there)
    • Action: list of actions the statement allows or denies (wildcards such as s3:Get* are permitted)
    • Resource: list of resource ARNs the actions apply to
    • Condition: optional conditions under which the statement takes effect (e.g. aws:MultiFactorAuthPresent, aws:SourceIp)

Evaluation: an explicit Deny in any applicable policy wins over any Allow; if no statement allows the request it is implicitly denied.

AWS Policy Generator
AWS Policy Simulator

IAM Roles: grant permissions to AWS services (an EC2 instance, a Lambda function) and to federated or cross-account identities instead of handing out long-lived user credentials; assuming a role yields temporary credentials
IAM Security Tools:

  • IAM Credentials Report (account level): lists all of the account’s users and the status of their various credentials (password, MFA, access keys, certificates, and when each was last used or rotated)
  • IAM Access Advisor (user level): shows the service permissions granted to a user and when those services were last accessed, which is the input for trimming unused permissions
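The credentials report is only useful if something reads it. The following is an added example, not code from the original notes, that audits a report for the usual hygiene problems: console passwords without MFA, root with MFA missing or with access keys, and access keys that are stale or unused. SAMPLE_REPORT is constructed and carries a subset of the real report’s columns; the real report is fetched with `aws iam generate-credential-report` and then `aws iam get-credential-report`, whose `Content` field is base64-encoded CSV with the same column names (plus last-used region/service and certificate columns). The 90-day thresholds, the fixed clock, the user names and the account ID are assumptions for the demo.

```python
"""Added example, not from the original post: audit an IAM credentials
report for weak credential hygiene. SAMPLE_REPORT is constructed and uses
a subset of the real report's columns; the real report comes back from
`aws iam get-credential-report` as base64-encoded CSV with these column
names (plus last-used region/service and certificate columns). The
90-day thresholds and the fixed clock are assumptions for the demo."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2023-08-30T09:12:00+00:00,not_supported,false,true,2020-01-01T00:00:00+00:00,2023-08-30T09:12:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T00:00:00+00:00,true,2023-09-01T08:00:00+00:00,2023-06-01T00:00:00+00:00,true,true,2023-07-15T00:00:00+00:00,2023-09-04T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-10T00:00:00+00:00,true,2023-09-02T08:00:00+00:00,2022-01-01T00:00:00+00:00,false,true,2022-01-01T00:00:00+00:00,2023-09-03T00:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-05-05T00:00:00+00:00,false,no_information,N/A,false,true,2023-08-20T00:00:00+00:00,2023-02-01T00:00:00+00:00,true,2021-01-01T00:00:00+00:00,N/A
"""

NOW = datetime(2023, 9, 5, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_KEY_AGE = timedelta(days=90)   # rotate keys at least this often (assumed policy)
MAX_KEY_IDLE = timedelta(days=90)  # keys unused this long should be removed (assumed policy)


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def findings_for(row, now=NOW):
    """Return the list of problems found for one report row (one IAM user)."""
    problems = []
    is_root = row["user"] == "<root_account>"
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        problems.append("console password without MFA")
    if is_root and row["mfa_active"] != "true":
        problems.append("root has no MFA")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        if is_root:  # root should have no access keys at all
            problems.append(f"root has an active access key {n}")
        rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
        if rotated and now - rotated > MAX_KEY_AGE:
            problems.append(f"access key {n} older than {MAX_KEY_AGE.days} days")
        last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
        if last_used is None or now - last_used > MAX_KEY_IDLE:
            problems.append(f"access key {n} unused for {MAX_KEY_IDLE.days}+ days")
    return problems


def audit(report_csv, now=NOW):
    """Map user -> findings, omitting users with nothing to report."""
    result = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = findings_for(row, now)
        if problems:
            result[row["user"]] = problems
    return result


if __name__ == "__main__":
    for user, problems in audit(SAMPLE_REPORT).items():
        print(user)
        for p in problems:
            print("  -", p)
```

Run against the sample, alice (MFA on, fresh key) produces nothing, bob is flagged for a password without MFA and a key from 2022, the root row for missing MFA and an old access key, and the service user for an unused key and an unrotated second key. The same `audit()` works on the decoded `Content` of a real report because it only touches columns present in both.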

3. AWS EC2 Instance Metadata

  • URL = “http://169.254.169.254/latest/meta-data/” (link-local address, reachable only from inside the instance)
  • the IAM role name can be read from the metadata (iam/security-credentials/), and the role’s temporary credentials from iam/security-credentials/<role-name>; the IAM policy attached to the role cannot be retrieved
  • Metadata = information about the EC2 instance
  • User data = launch script of the EC2 instance (readable at /latest/user-data, so never put secrets in it)
  • because those credentials are served over plain HTTP, an SSRF bug in an application on the instance can leak them; IMDSv2 requires a session token obtained with a PUT request carrying a TTL header, which a GET-only SSRF cannot perform, so set the instance metadata options to HttpTokens=required
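To make the IMDSv2 handshake concrete, here is an added example, not code from the original post or from AWS: a client that does the token dance, next to a local stand-in for the metadata service that behaves as if HttpTokens=required were set. The endpoint paths mirror the real service, but the role name `web-role`, the token and the credentials the stand-in serves are constructed; on a real instance the client would be pointed at http://169.254.169.254. The point it demonstrates is the SSRF mitigation: a bare GET to the credentials path, which is what most SSRF primitives can issue, is refused with 401, while the legitimate client first PUTs for a token and then sends it in a header.

```python
"""Added example, not code from the original post or from AWS: an IMDSv2
client and a local stand-in for the instance metadata service that enforces
HttpTokens=required. The paths mirror the real IMDS; the role name, token and
credentials served by the stand-in are constructed for this demo."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
FAKE_TOKEN = "AQAAAExampleSessionToken"  # constructed
FAKE_ROLE = "web-role"                   # constructed
FAKE_CREDS = {                           # constructed
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2023-09-05T18:00:00Z",
}


class FakeIMDS(BaseHTTPRequestHandler):
    """Behaves like IMDS with HttpTokens=required: a token is only issued by
    PUT /latest/api/token with the TTL header, and any GET without that
    token is answered 401 (this is what stops a GET-only SSRF)."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        if self.path == "/latest/api/token" and self.headers.get(TTL_HEADER):
            self._send(200, FAKE_TOKEN)
        else:
            self._send(400, "bad request")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            self._send(401, "unauthorized")
        elif self.path == CREDS_PATH:
            self._send(200, FAKE_ROLE)
        elif self.path == CREDS_PATH + FAKE_ROLE:
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404, "not found")


def _get(base, path, token):
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_role_credentials(base="http://169.254.169.254", ttl_seconds=21600):
    """IMDSv2 handshake: PUT for a session token, then GET with the token.
    Returns (role_name, credentials_dict)."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    role = _get(base, CREDS_PATH, token)
    return role, json.loads(_get(base, CREDS_PATH + role, token))


def imdsv1_style_get(base, path):
    """A bare GET with no token, i.e. what an SSRF through a web app
    typically issues. Returns the HTTP status code."""
    try:
        with urllib.request.urlopen(base + path, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def start_fake_imds():
    """Run the stand-in on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, base = start_fake_imds()
    print("token-less GET ->", imdsv1_style_get(base, CREDS_PATH))  # 401
    print("IMDSv2 ->", fetch_role_credentials(base))
    server.shutdown()
```

The stand-in is only there so the handshake can be exercised offline; the real service additionally caps the TTL at six hours and rejects token requests that arrive with an X-Forwarded-For header, which is another defence against proxied SSRF.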

4. Security Token Service (STS)

  • grants limited and temporary credentials (access key ID, secret key and session token with an expiry) for AWS resources
  • AssumeRole:
    • within your own account: for enhanced security, e.g. requiring MFA for sensitive actions or working with a scoped-down set of permissions
    • cross-account access: assume a role in the target account to perform actions there; the role’s trust policy decides which principals may assume it (add an ExternalId condition when a third party assumes it)
  • AssumeRoleWithSAML: returns credentials for a user who logged in with SAML
  • AssumeRoleWithWebIdentity: returns credentials for a user who logged in with a web identity provider (Facebook Login, Google Login); AWS recommends using Amazon Cognito instead of calling this directly
  • GetSessionToken: for MFA-backed temporary credentials, from an IAM user or the AWS account root user
  • Federation options: SAML 2.0, AWS SSO (now IAM Identity Center), or a custom identity broker application

5. Directory Services

Microsoft Active Directory:

  • database of objects: user accounts, computers, printers, file shares, security groups
  • centralized security management: create accounts, assign permissions
  • objects live in domains, and domains are organized in trees
  • a group of trees is a forest

AWS Directory Services:

  • AWS Managed Microsoft AD:
    • create your own AD in AWS, manage users locally, supports MFA
    • establish trust relationships with your on-premises AD
  • AD Connector:
    • directory gateway (proxy) that redirects requests to the on-premises AD
    • users are managed in the on-premises AD
  • Simple AD:
    • AD-compatible managed directory on AWS (Samba 4 based)
    • cannot be joined with an on-premises AD (no trust relationships)

6. Organizations

Service Control Policies (SCP): allow-list or deny-list of IAM actions for an organization

  • applied at the root, OU (Organizational Unit) or account level; a child inherits the restrictions of every level above it
  • does not apply to the management account (formerly “master account”)
  • applies to all users and roles in the member account, including its root user
  • service-linked roles let other AWS services integrate with AWS Organizations and can’t be restricted by SCPs
  • an SCP grants nothing by itself: an action must be allowed by the SCPs (an explicit Allow, e.g. the default FullAWSAccess policy) and by the identity’s IAM policy, and an explicit Deny in either wins
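The interplay between the policy structure described in section 2 and SCPs is easiest to see by running the rules. The block below is an added example, not AWS code and not from the original notes: a small model of IAM evaluation that handles Effect, Action and Resource with IAM-style wildcards, applies the explicit-deny-wins rule, and then layers the Organizations hierarchy on top (every level must allow, none may deny, and the identity’s own policy must still allow). Condition, NotAction/NotResource, resource-based policies, permission boundaries and session policies are deliberately not modelled. The developer policy, the bucket `app-data`, the guardrail and sandbox SCPs and the OU layout are all constructed for the demo; `FULL_ACCESS_SCP` has the same shape as the FullAWSAccess policy AWS attaches by default.

```python
"""Added example, not AWS code: a small model of how IAM evaluates
identity-based policies together with Organizations SCPs. Only Effect,
Action and Resource are modelled (no Condition, NotAction, resource-based
policies or permission boundaries). The policies, the bucket app-data and
the OU layout are constructed for the demo."""
import fnmatch


def _matches(patterns, value, fold_case):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """One policy document: 'Deny' if a matching statement denies, 'Allow' if
    one allows, None (implicit deny) if nothing matches."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    decision = None
    for stmt in statements:
        if _matches(stmt["Action"], action, True) and _matches(stmt["Resource"], resource, False):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


def is_allowed(identity_policies, scp_levels, action, resource):
    """scp_levels lists the SCPs attached at each level of the hierarchy the
    account sits under (root, each OU, then the account). Every level must
    allow the action and none may deny it; SCPs grant nothing by themselves,
    so the identity's own policies must then allow it too."""
    for level in scp_levels:
        decisions = [evaluate(p, action, resource) for p in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    decisions = [evaluate(p, action, resource) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions


DEV_POLICY = {  # identity-based policy for a developer (constructed)
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3ReadOnly", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
        {"Sid": "Ec2Admin", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "Logging", "Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
        {"Sid": "NoDeleteProd", "Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::app-data/prod/*"},
    ],
}
FULL_ACCESS_SCP = {  # same shape as the FullAWSAccess SCP attached by default
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}
GUARDRAIL_SCP = {  # deny-list SCP for a production OU (constructed)
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny",
                  "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                  "Resource": "*"},
}
SANDBOX_SCP = {  # allow-list SCP used instead of FullAWSAccess (constructed)
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
}

if __name__ == "__main__":
    default = [[FULL_ACCESS_SCP]]
    prod_ou = [[FULL_ACCESS_SCP], [FULL_ACCESS_SCP, GUARDRAIL_SCP]]
    sandbox_ou = [[FULL_ACCESS_SCP], [SANDBOX_SCP]]
    checks = [
        ([DEV_POLICY], default, "s3:GetObject", "arn:aws:s3:::app-data/prod/r.csv"),
        ([DEV_POLICY], default, "s3:DeleteObject", "arn:aws:s3:::app-data/prod/r.csv"),
        ([DEV_POLICY], default, "cloudtrail:StopLogging", "*"),
        ([DEV_POLICY], prod_ou, "cloudtrail:StopLogging", "*"),
        ([DEV_POLICY], sandbox_ou, "ec2:RunInstances", "*"),
    ]
    for ids, scps, action, res in checks:
        print(action, res, "->", is_allowed(ids, scps, action, res))
```

Two results are worth dwelling on: with the production OU’s deny-list SCP the developer cannot stop CloudTrail even though the identity policy says cloudtrail:*, and under the sandbox OU’s allow-list SCP ec2:RunInstances is refused although ec2:* is granted, because the SCP never explicitly allowed it. Swapping FullAWSAccess for an allow-list is exactly the “SCP must have an explicit Allow” point above.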


Original link: https://808629.com/489.html
