  1. Identity and Access Management (IAM): IAM is a web service that allows users to manage access to AWS resources. With IAM, users can create and manage users and groups, assign permissions and policies, and set up multi-factor authentication (MFA) to add an extra layer of security to their AWS accounts.
  2. AWS Single Sign-On (SSO): AWS SSO is a cloud-based service that makes it easy to manage access to multiple AWS accounts and business applications. With AWS SSO, users can centrally manage access to AWS accounts, as well as other third-party applications and services.
  3. AWS Organizations: AWS Organizations is a service that allows users to centrally manage and govern multiple AWS accounts. With AWS Organizations, users can create and manage accounts, apply policies and controls across accounts, and simplify billing and cost management.
  4. Resource-level permissions: AWS allows users to set granular permissions for specific AWS resources, such as EC2 instances or S3 buckets. This helps ensure that only authorized users can access and modify these resources.
  5. AWS Security Token Service (STS): STS is a web service that enables users to generate temporary security credentials that can be used to access AWS resources. These temporary credentials can be used by applications or users who need access to AWS resources for a short period of time, without requiring the use of long-term credentials.

Overall, AWS provides a range of access management capabilities to help users secure their AWS resources and data, and ensure that only authorized users have access to sensitive information.

Before going into detail, let’s test your knowledge.

1. What is the purpose of AWS Identity and Access Management (IAM)?
a. To manage access to AWS resources
b. To provide storage and compute resources
c. To monitor and analyze AWS resources
d. To provide network connectivity between AWS resources

2. How can you use IAM to control access to AWS resources?
a. By creating IAM policies
b. By creating Amazon EC2 instances
c. By creating Amazon S3 buckets
d. By creating Amazon RDS databases

3. What is the benefit of using AWS Single Sign-On (SSO)?
a. It allows users to access AWS resources from any device
b. It allows users to access multiple AWS accounts and business applications with a single set of credentials
c. It automatically scales AWS resources based on demand
d. It provides real-time monitoring and analysis of AWS resources

4. How can you use AWS Organizations to manage multiple AWS accounts?
a. By creating and managing AWS accounts
b. By applying policies and controls across accounts
c. By simplifying billing and cost management
d. All of the above

5. What is multi-factor authentication (MFA)?
a. A security mechanism that requires users to provide two or more forms of authentication
b. A type of database provided by AWS
c. A service that provides network connectivity between AWS resources
d. A tool for monitoring and analyzing AWS resources

Answers:

  1. a
  2. a
  3. b
  4. d
  5. a

IAM Terms

  • Resources – The user, group, role, policy, and identity provider objects that are stored in IAM. As with other AWS services, you can add, edit, and remove resources from IAM.
  • Identities – The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.
  • Entities – The IAM resource objects that AWS uses for authentication. These include users and roles. Roles can be assumed by IAM users and roles in your or another account. They can also be assumed by users federated through a web identity or SAML.
  • Principals – A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

Access and Federation

  • Grant other people permission to administer and use resources in your AWS account without sharing your password or access key.
  • Allow users who already have credentials elsewhere, such as in Active Directory or with an Internet identity provider, to get access to your AWS account.
  • Use any identity management solution that supports SAML 2.0.

Federation

  • Use single sign-on (SSO) to access your AWS accounts using credentials from your corporate directory.
  • Federation uses the open standard SAML 2.0.
  • SAML exchanges identity and security information between an identity provider (IdP) and an application.

Sample Implementation


In the diagram:

  1. An AD user (let’s call him Bob) browses to the AD FS sample site (https://Fully.Qualified.Domain.Name.Here/adfs/ls/IdpInitiatedSignOn.aspx) inside this domain.
  2. The sign-in page authenticates Bob against AD. If Bob is not already authenticated, for example because he is not on a domain-joined workstation, he might be prompted for his AD user name and password.
  3. Bob’s browser receives a SAML assertion in the form of an authentication response from AD FS. Bob’s access is authorized based on his AD group membership or on AD user attributes configured on his account.
  4. Bob’s browser automatically posts the SAML assertion to the AWS sign-in endpoint for SAML (https://signin.aws.amazon.com/saml). The endpoint uses the AssumeRoleWithSAML API to request temporary security credentials and then constructs a sign-in URL for the AWS Management Console using those credentials.
  5. Bob’s browser receives the sign-in URL and redirects to the AWS Management Console.
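To make step 4 concrete, the following added example (not code from the original page or from AWS) parses a constructed, unsigned SAML assertion and extracts the two attributes the AWS SAML sign-in endpoint needs before it can call AssumeRoleWithSAML: the Role attribute (pairs of role ARN and SAML provider ARN, one per role Bob may choose) and the RoleSessionName. The attribute names are AWS's documented SAML attribute names; the account, role and provider names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned sample assertion. A real AD FS response is signed and the
# signature must be verified before any attribute in it is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>bob@example.corp</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>bob</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _values(root, name):
    """All AttributeValue strings of the SAML attribute called `name`."""
    path = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text]

def parse_aws_roles(assertion_xml):
    """Return (session_name, [(role_arn, provider_arn), ...]).

    Each Role value is 'role-arn,provider-arn'. Both ARNs must belong to the
    same account: the SAML provider and the role paired with it live together.
    """
    root = ET.fromstring(assertion_xml)
    session = _values(root, SESSION_ATTR)
    if len(session) != 1:
        raise ValueError("exactly one RoleSessionName is required")
    pairs = []
    for value in _values(root, ROLE_ATTR):
        role_arn, provider_arn = value.split(",", 1)
        if role_arn.split(":")[4] != provider_arn.split(":")[4]:
            raise ValueError(f"account mismatch in {value}")
        pairs.append((role_arn, provider_arn))
    if not pairs:
        raise ValueError("no Role attribute in assertion")
    return session[0], pairs
```

When more than one role pair is present, as here, the AWS sign-in page asks Bob which role to assume; the session name becomes part of the assumed-role ARN that appears in CloudTrail.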

AWS Access Management capabilities – Granular Permissions

  • Grant different permissions to different people for different resources.
  • Some users may be given complete access, others only read-only access, to selected resources.
  • IAM can also attach specific conditions that control how a user can use AWS, such as:
      • the time of day
      • their originating IP address
      • whether the request uses SSL or not
      • whether a multi-factor authentication device was used or not
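The four conditions above map to the IAM condition keys aws:CurrentTime, aws:SourceIp, aws:SecureTransport and aws:MultiFactorAuthPresent. The added example below (not from the original page) is a deliberately simplified model of how such a condition block gates a request: the policy and the request contexts are constructed, only these four operators are implemented, and real IAM evaluation adds explicit denies, resources, SCPs and permission boundaries on top.

```python
import ipaddress
from datetime import datetime, timezone
# Constructed policy: S3 reads only from the office range, over TLS, with MFA,
# inside a fixed time window (aws:CurrentTime values are RFC 3339 timestamps).
POLICY = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "Bool": {"aws:SecureTransport": "true", "aws:MultiFactorAuthPresent": "true"},
        "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T08:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2024-01-01T18:00:00Z"},
    },
}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def _condition_holds(operator, key, expected, ctx):
    # A key missing from the context never matches: aws:MultiFactorAuthPresent
    # is absent (not "false") when long-term access keys are used.
    actual = ctx.get(key)
    if actual is None:
        return False
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr) for cidr in expected)
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "DateGreaterThan":
        return _ts(actual) > _ts(expected[0])
    if operator == "DateLessThan":
        return _ts(actual) < _ts(expected[0])
    raise ValueError(f"unsupported operator {operator}")

def is_allowed(policy, action, ctx):
    # Allow only if the action matches and every condition in the block holds.
    if action not in policy["Action"]:
        return False
    for operator, keys in policy.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _condition_holds(operator, key, expected, ctx):
                return False
    return policy["Effect"] == "Allow"

# Constructed request contexts: the same user from the office with and without MFA.
OFFICE_MFA = {"aws:SourceIp": "203.0.113.42", "aws:SecureTransport": "true",
              "aws:MultiFactorAuthPresent": "true", "aws:CurrentTime": "2024-01-01T10:30:00Z"}
OFFICE_NO_MFA = {**OFFICE_MFA, "aws:MultiFactorAuthPresent": "false"}
```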

AWS Security Token Service (STS)

  • It creates fine-grained session permissions.
  • You can specify IAM managed policies as session policies when a user assumes a role in AWS to create a session.
  • A session policy is a permissions policy that is passed during an AssumeRole operation.
  • It enables you to place further restrictions on a role’s permissions for that session.
  • Session permissions can also be stored and managed centrally.
  • The same session permissions can easily be applied to multiple sessions.
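The effective permissions of a role session are the intersection of the role's own identity-based policy and the session policy passed to AssumeRole: a session policy can narrow a role but never grant more than it has, and an explicit Deny in either document wins. The added example below (not from the original page) models that intersection for action names only; the policies are constructed and Resource and Condition elements are left out for brevity.

```python
from fnmatch import fnmatchcase

ROLE_POLICY = [  # identity-based policy attached to the role (constructed)
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:GetItem", "dynamodb:PutItem"]},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket"]},
]
SESSION_POLICY = [  # passed in the AssumeRole call to narrow this session (constructed)
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "dynamodb:GetItem"]},
]

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def evaluate(statements, action):
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if any(_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision

def session_allows(role_policy, session_policy, action):
    """The session may call `action` only if both documents allow it."""
    return (evaluate(role_policy, action) == "Allow"
            and evaluate(session_policy, action) == "Allow")

def effective_actions(role_policy, session_policy, candidates):
    """Filter candidate actions down to those this session can actually use."""
    return sorted(a for a in candidates if session_allows(role_policy, session_policy, a))
```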

AWS Step Functions has four categories of permissions. Depending on what access you want to provide to a user, you can control access by using permissions in these categories.

  • Service-Level Permissions – Apply to components of the API that don’t act on a specific resource.
  • State Machine-Level Permissions – Apply to all API components that act on a specific state machine.
  • Execution-Level Permissions – Apply to all API components that act on a specific execution.
  • Activity-Level Permissions – Apply to all API components that act on a specific activity or on a particular instance of an activity.

Securing Application Access

You can use IAM features to securely give applications that run on EC2 instances the credentials that they need in order to access other AWS resources, like S3 buckets and RDS or DynamoDB databases.

Multi-Factor Authentication

  • Add two-factor authentication to your account
  • Add MFA to individual users for extra security.
  • With MFA users must provide not only a password or access key, but also a code from a specially configured device.

Link for free practice test – https://www.testpreptraining.com/aws-certified-cloud-practitioner-free-practice-test
