09. Authorisation, Certificate & Security

Identity and Access Management (IAM)

  • Users (one physical user = one AWS user) and Groups (groups contain only users, no subgroups)
  • The permissions boundary for an IAM entity (user or role) sets the max permissions that the entity can have
  • IAM Role
    • Roles hand out automatic credentials and permissions
      • Giving permissions to non-humans, such as services / applications
      • Giving permissions to federated / outside users & groups
    • Authorisations from identity providers (like AWS Cognito) are mapped to your IAM role(s), NOT users or groups
    • To pass a role to a service, the calling user needs the iam:PassRole permission; to view the role, iam:GetRole
    • A role can only be passed to (assumed by) the principals its “Trust Relationships” (trust policy) allow
  • IAM Policies
    • assign permissions, using JSON documents
    • follow the “least privilege principle”
    • consist of
      • version
      • id (optional)
      • statement
        • Sid (optional)
        • Effect: Allow or Deny
        • Principal: account/user/group/role
        • Action: list of actions, like s3:GetObject, s3:PutObject, iam:PassRole, iam:GetRole
        • Resource: AWS resource
        • Condition (optional)
    • Permission Evaluation Flow
      • If there’s explicit DENY, end flow with DENY
      • Else, if there is an ALLOW, end flow with ALLOW
      • Else, DENY
    • Dynamic Policy, with variables such as ${aws:username}
    • Policy Management
      • AWS Managed Policy
      • Customer Managed Policy, has version control + rollback
      • Inline Policy, strict 1-to-1 relationship with the principal; deleted together with the principal
  • IAM Password Policy, set minimum length, require specific character types (number, upper/lower-case letters, non-alphabetic), expiration, and re-use forbidden
    • Multi Factor Authentication (MFA)
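Added example (not from the notes): a toy evaluator for the policy grammar and evaluation flow above. It exercises the ${aws:username} variable and a Condition on aws:MultiFactorAuthPresent (the same MFA condition the STS section below relies on); the bucket name, Sids and request-context values are constructed, and only the Bool / BoolIfExists operators are modelled.

```python
import fnmatch
import re
# Constructed policy (not from the page). ${aws:username} confines each user to their
# own prefix; an explicit Deny blocks deletes on sessions without MFA. BoolIfExists
# makes the Deny apply even when the MFA key is absent (a plain Bool would not match).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnPrefixOnly", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"},
        {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

as_list = lambda v: v if isinstance(v, list) else [v]  # Action/Resource may be str or list

def substitute(pattern, ctx):
    """Expand ${key} policy variables (e.g. aws:username) from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), pattern)

def condition_met(cond, ctx):
    """Only Bool / BoolIfExists are modelled; every operator and key must hold (AND)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if op.endswith("IfExists"):
                    continue  # a missing key satisfies *IfExists ...
                return False  # ... but fails a plain operator
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def statement_matches(stmt, action, resource, ctx):
    """Action, Resource (after variable substitution) and Condition must all match."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, substitute(r, ctx)) for r in as_list(stmt["Resource"])):
        return False
    return condition_met(stmt.get("Condition", {}), ctx)

def evaluate(policy, action, resource, ctx):
    """Evaluation flow from the notes: explicit Deny wins, then any Allow, else implicit Deny."""
    decision = "DENY"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "DENY"  # an explicit Deny ends the flow immediately
            decision = "ALLOW"
    return decision
```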

IAM Security/Audit Tools

  • IAM Credentials Report (account-level)
  • IAM Access Advisor (user-level), shows the permissions granted to a user together with their last use, to check and revise them

AWS Certificate Manager (ACM)

  • manage SSL/TLS certificates, for in-flight encryption of websites (HTTPS)
    • SSL refers to Secure Sockets Layer, used to encrypt connections
    • TLS refers to Transport Layer Security, which is a newer version
  • automatic renewal
  • Integrations: Elastic Load Balancers (Application Load Balancer & Network Load Balancer), CloudFront distributions, API Gateway
  • Public and private certificates

AWS Private Certificate Authority (CA)

  • includes root and subordinate CA certificates (X.509), trusted only within your own private organisation

Amazon Cognito

  • authentication (identity) for users of mobile and web applications
  • Benefits over IAM: “hundreds of users”, “mobile users” and “authenticate with SAML”
  • Cognito User Pools (CUP)
    • Authentication, Identity Verification
    • Provide sign-in functionality for user
      • A serverless database of “User”
      • Simple Login (User name/email + Password)
      • Password Recovery
      • Email/Phone verification
      • Multi-Factor authentication (MFA)
      • Federated identities with 3rd parties, Google/FB/SAML/OpenID, etc.
      • JWT (JSON Web Token) returned to the client on login
    • Integrated with API Gateway & Application Load Balancer
    • Lambda Triggers
      • Authentication Events (Sign-In)
      • Sign-Up
      • Messages
      • Token Creation
    • Hosted Authentication UI & Custom Domain
      • ACM certificate in “us-east-1”
      • must be defined in the “App Integration” section
    • Adaptive
      • computes a risk score for each attempt; suspicious logins are blocked or required to complete a (second) MFA
      • Integrated with CloudWatch Logs
    • JSON Web Token
      • Base64url encoded, three dot-separated parts
      • Header, Payload (contains “sub” UUID, email, phone, user name, etc.) and Signature
    • Authenticate Users on Application Load Balancer
      • Offload the authentication from applications to load balancer
      • Identity Provider (IdP): OpenID Connect compliant
      • AWS Cognito User Pools
      • Set up HTTPS listeners with “authenticate-oidc” or “authenticate-cognito” rules
      • OnUnauthenticatedRequest: authenticate (default), deny, allow
  • Cognito Identity Pools (CIP)
    • Authorisation, Access Control
    • Federated Identities
    • Temporary AWS credentials to AWS resources directly (or via API Gateway)
      • IAM policies applied via Security Token Service (STS); at least one “trust” policy is required
      • can be customised based on the user_id
    • Identity pool/sources
      • Public 3rd Parties (Google, Facebook, Apple, etc.)
      • OpenID Connect & SAML
      • AWS Cognito User Pools
      • Developer Authenticated Identities (custom Login server)
      • unauthenticated (guest) access
    • can partition users with IAM policy “variables”
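Added example, not from the notes: how the JWT described in the Cognito User Pools section is decoded and verified. It signs a constructed token with HS256 and a constructed secret so that it runs offline with the standard library; real Cognito tokens are signed with RS256 and are verified against the public keys the user pool publishes, but the structure (header.payload.signature), the Base64url handling and the checks are the same.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo key, not a Cognito key. Cognito signs tokens with RS256 and publishes the
# public keys at the user pool's JWKS URL; HS256 is used here so the example runs offline.
SECRET = b"demo-signing-secret"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore stripped padding

def mint_token(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature the way the IdP does (HS256 for this demo)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def peek_claims(token: str) -> dict:
    """Base64url is encoding, not encryption: the payload is readable without any key."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Return the claims only if the signature is valid and the token has not expired."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def is_valid(token: str, secret: bytes, now: int) -> bool:
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:
        return False

# Constructed claims in the shape of a Cognito ID-token payload.
CLAIMS = {"sub": "8d5e4d1a-0000-4000-8000-000000000000", "email": "alice@example.com",
          "cognito:username": "alice", "iat": 1_700_000_000, "exp": 1_700_003_600}
TOKEN = mint_token(CLAIMS, SECRET)
_h, _p, _s = TOKEN.split(".")  # same header and signature, payload edited after signing:
TAMPERED = f"{_h}.{b64url_encode(json.dumps({**CLAIMS, 'email': 'eve@example.com'}).encode())}.{_s}"
```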

AWS STS (Security Token Service)

  • request temporary, limited-privilege (15 mins to 1 hour) credentials for IAM users, or for users that you authenticate yourself, such as federated users from an on-prem directory
  • APIs
    • AssumeRole
    • AssumeRoleWithSAML
    • AssumeRoleWithWebIdentity -> prefer Cognito Identity Pools instead
    • GetSessionToken, for MFA (returns “Access Key ID”, “Secret Key”, “Session Token” and “Expiration Date”)
    • GetFederationToken
    • GetCallerIdentity
    • DecodeAuthorizationMessage
  • STS for MFA needs
    • the GetSessionToken API
    • in the IAM policy, a Condition (in the statement) on “aws:MultiFactorAuthPresent”: “true”
  • Federation: STS can be used for federation (typically with Azure AD). It uses SAML 2.0 for authentication and grants temporary access based on the AD credentials
  • Single Sign-On: STS can be used to develop a custom identity broker for SSO to a service such as the AWS Management Console:
    1. Verify that the user is authenticated on the local IdP (AD)
    2. Call the STS AssumeRole or GetFederationToken API to get temporary credentials
    3. Pass the temporary credentials to the AWS federation endpoint to request a sign-in token
    4. Construct a URL to the service that includes the token, and provide it to the user
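Added example (not from the notes) for steps 3 and 4 of the identity-broker flow: building the federation-endpoint request that trades the temporary credentials for a sign-in token, and the console URL handed to the user. The credential values, destination and issuer are constructed placeholders; no network call is made.

```python
import json
import urllib.parse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Constructed stand-ins for the temporary credentials returned by AssumeRole /
# GetFederationToken in step 2 (not real keys).
TEMP_CREDS = {"AccessKeyId": "ASIAEXAMPLEEXAMPLE1", "SecretAccessKey": "exampleSecretKey",
              "SessionToken": "exampleSessionToken"}

def signin_token_request_url(creds: dict) -> str:
    """Step 3: the getSigninToken request that exchanges the temporary credentials for a
    sign-in token. Only the broker calls this URL; the credentials never reach the browser."""
    session = json.dumps({"sessionId": creds["AccessKeyId"],
                          "sessionKey": creds["SecretAccessKey"],
                          "sessionToken": creds["SessionToken"]})
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "getSigninToken", "Session": session})

def console_login_url(signin_token: str, destination: str, issuer: str) -> str:
    """Step 4: the URL handed to the user. It carries the short-lived sign-in token from
    step 3, not the access key or secret; Issuer is where the console sends the user back
    once the session expires."""
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "login", "Issuer": issuer, "Destination": destination,
         "SigninToken": signin_token})

def leaks_credentials(url: str, creds: dict) -> bool:
    """Broker-side sanity check: a user-facing URL must not contain the secret or token."""
    return creds["SecretAccessKey"] in url or creds["SessionToken"] in url
```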

AWS Directory Services

  • for MS Active Directory (AD), with AD Domain Services
    • AWS Managed Microsoft AD
      • an AD instance on AWS, connected via a “trust” with the on-premises AD; users are managed locally on AWS; supports MFA
    • AD Connector
      • a proxy only (Directory Gateway); users are managed in the on-premises AD; supports MFA
    • Simple AD
      • a separate AD on AWS, no connection with the on-premises AD


Encryption

  • Best practice is to lock away or delete the root user access keys. Never store in an S3 bucket, even if encrypted.
  • Data at rest
    • Client-side encryption can be done by 1) using a customer master key (CMK) stored in KMS, or 2) using a master key that you store in your application. You can’t use S3 managed keys client-side
    • Server-side encryption can be done in several ways
      • SSE-C: use customer-provided keys and manage them yourself (on-prem)
      • SSE-S3: Amazon manages the keys
      • SSE-KMS: keys are managed in Amazon Key Management Service
      • CloudHSM: generate and use your own encryption keys, held in the cloud in Amazon’s HSM
  • Data in motion
    • SSL/TLS is for encrypting data in transit, not data at rest.
    • SSL/TLS is synonymous with HTTPS traffic. It goes over port 443.

Amazon GuardDuty

  • findings can be routed through CloudWatch (Events) + SNS to trigger notifications to other services

AWS CloudTrail

  • Audit trail of API calls
  • Logs Data Events (resource operations) aka Data Plane Operations
  • Logs Management Events (management operations on resources) aka Control Plane Operations
  • CloudTrail does not capture network traffic; use other tools such as VPC Flow Logs for that

AWS Accounts

  • To apply security restrictions across multiple AWS accounts, use Service Control Policy (SCP). For just a single account, use IAM policies.
  • You can migrate an account to another AWS Organization, e.g. if you divest a business unit