== AUTHORISATION ==
Identity and Access Management (IAM)
- Users (one physical user = one AWS user) and Groups (groups contain only users, no subgroups)
- The permissions boundary for an IAM entity (user or role) sets the max permissions that the entity can have
- IAM Role
- Roles hand out temporary credentials (via STS) and permissions to whoever assumes them
- Giving permissions to non-humans, such as services / applications
- Giving permissions to federated / outside users & groups
- Identities from identity providers (like Amazon Cognito or a SAML IdP) are mapped to your IAM role(s), NOT to IAM users or groups
- To pass a role to a service, the caller needs iam:PassRole on that role (scope it with the iam:PassedToService condition); to read a role, iam:GetRole
- A role can only be assumed by (or passed to) the principals its trust policy ("Trust Relationships") allows

- IAM Policies
- assign permissions, using JSON documents
- using “least privilege principle”
- consist of
- version
- id (optional)
- statement
- Sid (optional)
- Effect: Allow or Deny
- Principal: account/user/role/service (only in resource-based and trust policies; IAM groups cannot be principals)
- Action: list of actions, like s3:GetObject, s3:PutObject, iam:PassRole, iam:GetRole
- Resource: AWS resource
- Condition (optional)
- Permission Evaluation Flow
- If any applicable policy has an explicit DENY, end flow with DENY
- Else, if any applicable policy has an ALLOW, end flow with ALLOW
- Else, implicit DENY (the default)
- Dynamic policies use policy variables such as ${aws:username}, e.g. to scope each user to their own S3 prefix
- Policy Management
- AWS Managed Policy
- Customer Managed Policy, has version control + rollback
- Inline Policy: strict one-to-one relationship with its principal; deleted along with the principal
- IAM Password Policy: minimum length, required character types (numbers, upper/lower-case letters, non-alphanumeric), expiration, and reuse prevention
- Multi Factor Authentication (MFA)

== CERTIFICATE & KEYS ==
AWS Certificate Manager (ACM)
- provisions and manages SSL/TLS certificates for in-flight encryption of websites (HTTPS)
- SSL refers to Secure Sockets Layer, the original protocol for encrypting connections
- TLS refers to Transport Layer Security, its successor; "SSL" is still used loosely to mean TLS
- automatic renewal of ACM-issued public certificates
- Integrated with Elastic Load Balancers (Application Load Balancer & Network Load Balancer), CloudFront distributions and API Gateway
- Public and private certificates
AWS Private Certificate Authority (CA)
- issues root and subordinate CA certificates (X.509) that are trusted only within your own organisation, not by public browsers
Encryption
- Best practice is to lock away or delete the root user access keys. Never store them in an S3 bucket, even if encrypted
- Never store your secrets in plaintext, especially not in your code!
- Encryption in flight
- SSL/TLS encrypts data in transit, not data at rest
- HTTPS is HTTP over TLS; it uses port 443 by default
- Server-side encryption at rest
- Data is encrypted by the server after it is received, and decrypted before it is sent back
- So the data stored is in an encrypted form
- Types
- SSE-C: use customer-provided keys and manage them yourself
- SSE-S3, SSE-SQS, SSE-DDB: Amazon manages the keys
- SSE-KMS: keys are managed in AWS Key Management Service (key usage auditable in CloudTrail)
- CloudHSM: generate and use your own encryption keys, held in dedicated HSMs that AWS hosts but you control
- Client-side encryption
- Data stored is also in an encrypted form
- but the data is encrypted before being sent to the server, and decrypted on the client side after being retrieved
AWS Key Management Service (KMS)
- AWS manages encryption keys for us
- Fully integrated with IAM for authorization
- Able to audit KMS Key usage using CloudTrail
- "KMS key" is the new name for the KMS Customer Master Key (KMS CMK)
- Symmetric (AES-256 keys)
- the default for AWS service integrations
- key material never leaves KMS; you must call the KMS API to use the key
- Encrypt accepts up to 4 KB of data per call
- to encrypt more than 4 KB, use envelope encryption: call GenerateDataKey, encrypt/decrypt the data locally with the returned data encryption key (DEK), and let KMS wrap/unwrap only the DEK
- GenerateDataKey: generates a unique symmetric data key (DEK)
- returns a plaintext copy of the data key
- AND a copy that is encrypted under the CMK
- GenerateDataKeyWithoutPlaintext
- Generate a DEK that is encrypted under the CMK
- Decrypt: decrypts up to 4 KB of ciphertext (typically an encrypted data key) under the KMS key it was encrypted with
- GenerateRandom: Returns a random byte string
- Encrypt data locally in your application (ie, Envelope Encryption) with KMS
- Use the GenerateDataKey operation to get a data encryption key.
- Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.
- Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data.
- To Decrypt data locally:
- Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.
- Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.
- Envelope encryption is the practice of “encrypting plaintext data with a data key and then encrypting the data key under another key”. But, eventually, one key must remain in plaintext so you can decrypt the keys and your data. This top-level plaintext encryption key is known as the root key.
- Asymmetric (RSA & ECC key pairs)
- Public key (encrypt / verify) and private key (decrypt / sign); the public key can be downloaded and used outside KMS, the private key never leaves KMS

- Types of KMS Keys
- AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (DynamoDB)
- AWS Managed Keys (free): aws/service-name, automatically rotated every year
- Customer managed keys created in KMS: $1 / month, automatic rotation (yearly by default) or on-demand rotation
- Customer managed keys with imported key material: $1 / month, manual rotation only
- AWS Encryption SDK already implements envelope encryption
- its data key caching feature (LocalCryptoMaterialsCache) reuses data keys across operations, trading fewer KMS calls for a longer-lived DEK
- Request quotas: on ThrottlingException, back off exponentially and retry; the cryptographic operations (Encrypt, Decrypt, GenerateDataKey, ...) share one quota
- To hugely reduce the cost of SSE-KMS on S3, use "S3 Bucket Keys" (far fewer KMS requests per object)
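Added example (not AWS code and not from the original notes): the GenerateDataKey / encrypt-locally / Decrypt flow described above, run against a local stand-in for KMS so it works offline. The FakeKMS class, its constructed key ARN, and the HMAC-SHA256 counter-mode cipher with an HMAC tag (a stand-in for AES-256-GCM) are assumptions of this example; real code makes the same three calls through boto3 (kms.generate_data_key, kms.encrypt, kms.decrypt). It also exercises the two failure modes that matter in practice: Encrypt refusing more than 4 KB, and a tampered ciphertext being rejected before any plaintext is returned.

```python
# Added example (not AWS code): envelope encryption against a local stand-in for KMS.
import hashlib
import hmac
import secrets
import struct


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES-256-GCM's cipher, not AES itself."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate enc/mac subkeys."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: ciphertext or encrypted data key was tampered with")
    return _keystream_xor(enc_key, nonce, ct)


class FakeKMS:
    """Stand-in for the three KMS calls envelope encryption needs. The root key never leaves
    this object, mirroring how KMS key material never leaves AWS's HSMs."""
    LIMIT = 4096  # KMS Encrypt/Decrypt accept at most 4 KB of data per call

    def __init__(self):
        self._root_keys = {}  # key ARN -> 32-byte root key

    def create_key(self) -> str:
        key_id = "arn:aws:kms:eu-west-1:123456789012:key/" + secrets.token_hex(8)  # constructed ARN
        self._root_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        if len(plaintext) > self.LIMIT:
            raise ValueError("ValidationException: Encrypt accepts at most 4096 bytes; use envelope encryption")
        # the key ARN is bound into the blob so Decrypt knows which root key to use (KMS does this internally)
        return key_id.encode() + b"|" + seal(self._root_keys[key_id], plaintext, aad=key_id.encode())

    def decrypt(self, ciphertext_blob: bytes) -> bytes:
        key_id, _, blob = ciphertext_blob.partition(b"|")
        return unseal(self._root_keys[key_id.decode()], blob, aad=key_id)

    def generate_data_key(self, key_id: str) -> dict:
        dek = secrets.token_bytes(32)  # fresh 256-bit data encryption key per call
        return {"KeyId": key_id, "Plaintext": dek, "CiphertextBlob": self.encrypt(key_id, dek)}


def envelope_encrypt(kms: FakeKMS, key_id: str, plaintext: bytes) -> dict:
    """One KMS call regardless of object size; the bulk encryption happens locally."""
    dk = kms.generate_data_key(key_id)
    body = seal(dk["Plaintext"], plaintext)
    dk["Plaintext"] = None  # drop the plaintext DEK as soon as it is used (Python cannot truly zeroise it)
    return {"edk": dk["CiphertextBlob"], "body": body}  # the encrypted DEK is stored beside the data


def envelope_decrypt(kms: FakeKMS, record: dict) -> bytes:
    dek = kms.decrypt(record["edk"])  # only KMS (and its key policy) can unwrap the DEK
    return unseal(dek, record["body"])


def direct_encrypt_is_rejected(kms: FakeKMS, key_id: str, size: int) -> bool:
    """True if kms.encrypt refuses `size` bytes, i.e. the 4 KB limit is enforced."""
    try:
        kms.encrypt(key_id, b"x" * size)
        return False
    except ValueError:
        return True


def tamper_is_detected(kms: FakeKMS, record: dict) -> bool:
    """Flip one ciphertext byte; the MAC check must reject it before any plaintext comes back."""
    body = bytearray(record["body"])
    body[20] ^= 0x01
    try:
        envelope_decrypt(kms, {"edk": record["edk"], "body": bytes(body)})
        return False
    except ValueError:
        return True
```

With real KMS the `edk` blob is what you persist next to the object (S3 does exactly this in the object metadata for SSE-KMS); rotating the KMS key does not require re-encrypting the data, because KMS keeps old key versions to unwrap old DEKs.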
CloudHSM
- Compared with KMS: AWS provisions dedicated hardware (HSM = Hardware Security Module) but you manage the keys and users on it; AWS has no access to the key material
- Encryption keys are managed on the client side
- Good option to use with SSE-C encryption
- CloudHSM clusters are spread across Multi AZ (HA)
AWS System Manager (SSM) Parameter Store
- Secure storage for configuration and secrets
- Version tracking of configurations / secrets
- Allows assigning a TTL (expiration date) to a parameter to force updating or deleting sensitive data such as passwords
- Parameter policies are only available for parameters in the Advanced tier
- Expiration – deletes the parameter at a specific date
- ExpirationNotification – sends an event to Amazon EventBridge (Amazon CloudWatch Events) when the specified expiration time is reached.
- NoChangeNotification – sends an event to Amazon EventBridge (Amazon CloudWatch Events) when a parameter has not been modified for a specified period of time.
AWS Secrets Manager
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (uses Lambda)
- Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Mostly meant for RDS integration
== AUTHENTICATION ==
Amazon Cognito
- user identity and authentication for mobile and web applications
- Benefit over IAM: “hundreds of users”, “mobile users” and “authenticate with SAML”
- Cognito User Pools (CUP)
- Authentication, Identity Verification
- Provide sign-in functionality for user
- A serverless database of “User”
- Simple Login (User name/email + Password)
- Password Recovery
- Email/Phone verification
- Multi-Factor authentication (MFA)
- Federated identities with 3rd parties, Google/FB/SAML/OpenID, etc.
- returns JWTs (JSON Web Tokens) after a successful login
- Integrated with API Gateway & Application Load Balancer
- Lambda Triggers
- Authentication Events (Sign-In)
- Sign-Up
- Messages
- Token Creation
- Hosted Authentication UI & Custom Domain
- ACM certificate must be in "us-east-1" for a custom domain
- the custom domain is defined in the "App Integration" section
- Adaptive authentication
- computes a risk score for each sign-in attempt; blocks the attempt or requires a (second) MFA factor for suspicious logins
- Integrated with CloudWatch Logs
- JSON Web Token
- Base64url encoded, not encrypted: anyone holding the token can read the claims, so always verify the signature and the claims
- Header, Payload (contains "sub" - the user's UUID, email, phone, user name, token_use, etc.), and Signature
- Authenticate users on Application Load Balancer
- Offload the authentication from applications to load balancer
- Identity Provider (IdP): OpenID Connect compliant
- AWS Cognito User Pools
- Set up HTTPS listeners with “authenticate-oidc” or “authenticate-cognito” rules
- OnUnauthenticatedRequest – authenticate(default), deny, allow
- Cognito Identity Pools (CIP)
- Authorisation, Access Control
- Federated Identities
- Temporary AWS credentials to AWS resources directly (or via API Gateway)
- IAM policies applied through Security Token Service (STS); the role needs a trust policy naming cognito-identity.amazonaws.com
- can be customised based on the user_id
- Identity pool/sources
- Public 3rd Parties (Google, Facebook, Apple, etc.)
- OpenID Connect & SAML
- AWS Cognito User Pools
- Developer Authenticated Identities (custom Login server)
- unauthenticated (guest) access
- can partition users with IAM policy “variables”

- Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data.
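Added example (not Cognito code and not from the original notes), illustrating the JWT bullets in the User Pools section above: decoding the Base64url header and payload, then doing the checks the token actually needs before it is trusted (signature, iss, token_use, aud/client_id, exp). Cognito signs tokens with RS256 and publishes the verification keys at the user pool's /.well-known/jwks.json; to stay offline this example mints and verifies an HS256 token with a local secret, which stands in for the RS256 check only. The issuer URL, app client id, secret and the sample claims are constructed.

```python
# Added example (not Cognito code): reading and validating a Cognito-style JWT offline.
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for a real user pool and app client.
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
CLIENT_ID = "1example23456789abcdefghij"
DEMO_SECRET = b"local-signing-secret-for-the-example-only"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT strips '=' padding


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = DEMO_SECRET, alg: str = "HS256") -> str:
    """Build header.payload.signature. HS256 with a local secret stands in for Cognito's RS256."""
    header = {"alg": alg, "typ": "JWT", "kid": "demo-key-1"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str):
    """Base64url is encoding, not encryption: anyone holding the token can read these."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_token(token: str, secret: bytes, token_use: str = "id", now=None) -> dict:
    """Check the signature first, then the claims: iss, token_use, aud/client_id, exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token's own "alg" (e.g. "none") choose the check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != token_use:
        raise ValueError("wrong token_use")
    # ID tokens carry the app client id in "aud"; access tokens carry it in "client_id".
    audience = claims.get("aud") if token_use == "id" else claims.get("client_id")
    if audience != CLIENT_ID:
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def try_verify(token: str, secret: bytes = DEMO_SECRET, token_use: str = "id", now=None) -> str:
    """'ok' or the rejection reason, for callers that want a value instead of an exception."""
    try:
        verify_token(token, secret, token_use, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tampered_copy(token: str, changes: dict) -> str:
    """Rewrite payload claims but keep the original signature (what an attacker would try)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = dict(json.loads(b64url_decode(payload_b64)), **changes)
    return f"{header_b64}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


def sample_id_token(now: float) -> str:
    return mint_token({
        "sub": "0f9e1c1a-2b3c-4d5e-8f90-1a2b3c4d5e6f",  # constructed UUID, the stable user identifier
        "cognito:username": "alice", "email": "alice@example.com",
        "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id",
        "iat": int(now), "exp": int(now) + 3600,
    })
```

The order matters: signature before claims, so a forged payload is never parsed for its `exp` or `aud`. When API Gateway or an ALB authenticates against the user pool for you, the `sub` claim is what your backend should use as the user key; `email` and `cognito:username` can change.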

AWS Directory Services
- for MS Active Directory (AD), with AD Domain Services
- AWS Managed Microsoft AD
- an AD instance on AWS that can establish a "trust" with the on-premises AD; users are managed locally on AWS; supports MFA
- AD Connector
- a directory gateway (proxy) only; users are managed in the on-premises AD; supports MFA
- Simple AD
- a standalone AD-compatible directory on AWS, no connection with the on-premises AD
== SECURITY ==
IAM Security/Audit Tools
- IAM Credentials Report (account level): lists all users and the status of their passwords, access keys and MFA
- IAM Access Advisor (user level): shows which service permissions were granted and when they were last used, to trim unused permissions
- IAM Policy Simulator evaluates the policies that you choose and determines the effective permissions for each of the actions that you specify
AWS STS (Security Token Service)
- request temporary, limited-privilege credentials (15 minutes up to the role's maximum session duration; 1 hour by default) for IAM users, or for users that you authenticate yourself such as federated users from an on-premises directory
- APIs
- AssumeRole
- AssumeRoleWithSAML
- AssumeRoleWithWebIdentity -> prefer Cognito Identity Pools instead
- GetSessionToken, for MFA (returns "Access Key ID", "Secret Access Key", "Session Token" and "Expiration")
- GetFederationToken
- GetCallerIdentity
- DecodeAuthorizationMessage
- STS for MFA, needs
- use the GetSessionToken API with the MFA device serial and code
- in the IAM policy, add a Condition to the statement: "Bool": {"aws:MultiFactorAuthPresent": "true"}
- Federation: STS can be used Federation (typically with Azure AD). It uses SAML 2.0 for authentication to grant temporary access based on the AD creds
- Single Sign-On: STS can be used to develop a custom identity broker for SSO to a service such as the AWS management console:
- Verify that the user is authenticated on the local IDP (AD)
- Call STS AssumeRole or GetFederationToken API to get temp credentials
- Pass the temp creds to AWS federation endpoint to request a sign-in token
- Construct a URL to the service that includes the token which can be provided to the user

For on-premises applications
- Applications running outside of an AWS environment will need access keys for programmatic access to AWS resources. For example, monitoring tools running on-premises and third-party automation tools will need access keys.
- However, if the resources that need programmatic access are running inside AWS, the best practice is to use IAM roles instead. An IAM role is a defined set of permissions—it’s not associated with a specific user or group. Instead, any trusted entity can assume the role to perform a specific business task.
- Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
- In order to use the AWS SDK for your application, you have to create your credentials file first at ~/.aws/credentials for Linux servers or at C:\Users\USER_NAME\.aws\credentials for Windows users and then save your access keys.
AWS Web Application Firewall (WAF)
- Allow all requests except the ones that you specify
- Block all requests except the ones that you specify
- Count the requests that match the properties that you specify
- Help prevent SQL injection and cross-site scripting (XSS) attacks with managed and custom rules
Amazon GuardDuty
- use with EventBridge (CloudWatch Events) + SNS to notify or trigger automated responses
- GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS environment.
- Threat Detection – Utilizes machine learning and anomaly detection to identify potentially malicious activity such as unauthorized access, data exfiltration, or compromised instances.
- Security Findings: Provides detailed security findings with severity levels and recommendations for remediation.
- Automated Response: Can be configured to automatically trigger responses or notifications based on detected threats.
AWS Firewall Manager
- simplifies your AWS WAF and AWS Shield Advanced administration and maintenance tasks across multiple accounts and resources.
Amazon Macie
- discover and protect sensitive data (Personally Identifiable Information, PII) in S3 buckets using machine learning and pattern matching
- Data Discovery – Automatically scans and classifies data stored in Amazon S3 buckets to identify sensitive data such as personally identifiable information (PII) or intellectual property.
- Data Classification – Assigns sensitivity labels to data based on its content and context, helping you understand the level of risk associated with different types of data.
- Security Monitoring – Continuously monitors data access and usage patterns to detect suspicious or unauthorized behavior, such as unusual access patterns or data leaks.
- Compliance Reporting – Provides reports and dashboards to help you demonstrate compliance with data protection regulations such as GDPR, HIPAA, or PCI DSS.
AWS CloudTrail
- Audit API calls made by users / services / AWS console, under AWS account(s)
- history of events / API calls
- Console
- SDK
- CLI
- AWS services
- useful to find AWS resources changes (when and how)
- export logs to CloudWatch Logs or S3
- A trail can be applied to All Regions (default) or a single Region.
- Event Type
- Management Events (default enabled): management operations on resources, can separate as Read and Write
- Data Events (default disabled): resource activities
- Insights Events: to detect unusual activities (by analyze “Write” events)
- Event history is retained for 90 days; deliver the trail to S3 and use Athena for longer retention and further analysis

== COMPLIANCE ==
AWS Config
- auditing and recording compliance of your AWS resources
- tracks resource inventory, config history and config change notifications for the purpose of security and compliance. Assess, audit and evaluate the configurations of AWS resources.
- Questions that can be solved by AWS Config:
- Is there unrestricted SSH access to my security groups?
- Do my buckets have any public access?
- How has my ALB configuration changed over time?
- You can receive alerts (SNS notifications) for any changes
- AWS Config is a per-region service
- Can be aggregated across regions and accounts
- Possibility of storing the configuration data into S3 (analyzed by Athena)
- Config Rules
- AWS managed config rules
- custom config rules (backed by an AWS Lambda function)
- Rules can be evaluated / triggered
- Upon config change
- and/or: at regular time intervals
- AWS Config Rules does not prevent actions from happening (no deny)
- Configuration Recorder
- Stores the configurations of your AWS resources as Configuration Items
- Configuration Item – a point-in-time view of the various attributes of an AWS resource. Created whenever AWS Config detects a change to the resource (e.g., attributes, relationships, configuration, events…)
- Custom Configuration Recorder to record only the resource types that you specify
- Must be created before AWS Config can track your resources (created automatically when you enable AWS Config using AWS CLI or AWS Console)
- Remediations
- Automate remediation of non-compliant resources using SSM Automation Documents
- Use AWS-Managed Automation Documents or create custom Automation Documents
- Tip: you can create custom Automation Documents that invokes Lambda function
- You can set Remediation Retries if the resource is still non-compliant after auto-remediation
- Notifications
- Use EventBridge to trigger notifications when AWS resources are non-compliant
- Ability to send configuration changes and compliance state notifications to SNS (all events – use SNS Filtering or filter at client-side)
- Aggregators
- The aggregator is created in one central aggregator account
- Aggregates rules, resources, etc… across multiple accounts & regions
- If using AWS Organizations, no need for individual Authorization
- Rules are created in each individual source AWS account
- Can deploy rules to multiple target accounts using CloudFormation StackSets
- Conformance Pack
- Collection of AWS Config Rules and Remediation actions
- Packs are created in YAML-formatted files (similar to CloudFormation)
- Deploy to an AWS account and regions or across an AWS Organization
- Pre-built sample Packs or create your own Custom Conformance Packs
- Can include custom Config Rules which are backed by Lambda functions to evaluate whether your resources are compliant with the Config Rules
- Can pass inputs via Parameters section to make it more flexible
- Can designate a Delegated Administrator to deploy Conformance Packs to your AWS Organization (can be Member account)
- Organizational Rules
- manage across all accounts within an AWS Organization

| | Organizational Rules | Conformance Packs |
|---|---|---|
| Scope | AWS Organization | AWS Accounts and AWS Organization |
| Evaluation Type | Evaluate resources against predefined rules defined and enforced at the Organization level | Evaluate resources against predefined rules defined and enforced at the Account level |
| Rules Count | One rule | Many rules at a time |
| Compliance Level | Managed at the Organization level | Managed at the Account level |
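Added example (not AWS code and not from the original notes): a Lambda-backed custom Config rule answering the first question in the AWS Config list above, "is there unrestricted SSH access to my security groups?". AWS ships a managed rule for this (restricted-ssh); a custom rule is how you add your own logic, and this one is written so the evaluation is a pure function over the configuration item that Config passes in event['invokingEvent']. The sample configuration items are constructed in the shape Config records security groups; the boto3 put_evaluations call is real but only runs inside Lambda.

```python
# Added example (not AWS code): Lambda-backed custom Config rule for "unrestricted SSH".
import json

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _permission_covers_ssh(perm: dict) -> bool:
    """Config records EC2 rules as ipPermissions with ipProtocol and fromPort/toPort."""
    proto = perm.get("ipProtocol")
    if proto == "-1":  # "all traffic" rules have no port range
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= SSH_PORT <= hi


def _permission_is_world_open(perm: dict) -> bool:
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def evaluate_security_group(item: dict):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource has been deleted"
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        if _permission_covers_ssh(perm) and _permission_is_world_open(perm):
            return "NON_COMPLIANT", f"inbound rule exposes tcp/{SSH_PORT} to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", "no inbound rule exposes tcp/22 to the world"


def build_evaluation(item: dict) -> dict:
    """The shape PutEvaluations expects for one resource."""
    compliance, note = evaluate_security_group(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point for a change-triggered custom rule; invokingEvent arrives as a JSON string."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]  # oversized items arrive as a notification instead; not handled here
    evaluation = build_evaluation(item)
    import boto3  # imported here so the pure evaluation logic above runs without the SDK installed
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_item(group_id: str, permissions: list) -> dict:
    """Constructed configuration item in the shape Config delivers to the rule."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": group_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"groupId": group_id, "ipPermissions": permissions},
    }


OPEN_SSH = sample_item("sg-0open", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
OFFICE_SSH = sample_item("sg-0office", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []}])
IPV6_RANGE = sample_item("sg-0v6", [{"ipProtocol": "tcp", "fromPort": 20, "toPort": 25,
                                     "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])
ALL_TRAFFIC = sample_item("sg-0all", [{"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}])
HTTPS_ONLY = sample_item("sg-0https", [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                        "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}])
```

The three cases people miss in quick checks are all covered: a port range that merely contains 22, an IPv6 `::/0` rule, and an all-protocols (`-1`) rule. Pairing this rule with an SSM Automation remediation that revokes the offending ingress closes the loop described under Remediations.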
Policy evaluation logic
- Authentication – AWS first authenticates the principal that makes the request, if necessary. This step is not necessary for a few services, such as Amazon S3, that allow some requests from anonymous users.
- Processing the request context – AWS processes the information gathered in the request to determine which policies apply to the request.
- How AWS enforcement code logic evaluates requests to allow or deny access – AWS evaluates all of the policy types and the order of the policies affects how they are evaluated. AWS then processes the policies against the request context to determine whether the request is allowed or denied.
- Evaluating identity-based policies with resource-based policies
- Any deny -> overrides the allows
- Allows are union combination
- Evaluating identity-based policies with permissions boundaries
- Any deny -> overrides the allows
- Allows are intersection only
- Evaluating identity-based policies with AWS Organizations SCPs or RCPs
- an account that is a member of an organization and accesses a resource that doesn’t have a resource-based policy configured
- the resulting permissions are the intersection of the user’s policies, service control policies (SCPs), and resource control policy (RCP)
- Any deny -> overrides the allows
- Allows are intersection only
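Added example (not AWS code and not from the original notes) that runs the evaluation rules just described, together with the flow from the IAM Policies section (explicit deny, then allow, then implicit deny), the ${aws:username} policy variable, the iam:PassRole condition, and the aws:MultiFactorAuthPresent condition from the STS section. It is a same-account model: identity and resource policies are unioned, then the permissions boundary and the SCP are each intersected on top. The policies, the user name alice, the account id and the ARNs are constructed; only StringEquals and Bool conditions are implemented, and the carve-out where a resource-based policy that names the principal directly is not limited by the boundary is deliberately not modelled.

```python
# Added example (not AWS code): the evaluation order above, run over constructed policies.
import fnmatch
import re

_VAR = re.compile(r"\$\{([\w:-]+)\}")

# Constructed sample policies for user "alice" in account 123456789012 (assumed values).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {   # dynamic policy: each user only reaches their own prefix via ${aws:username}
        "Sid": "OwnPrefixOnly", "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::team-bucket/${aws:username}/*"},
    {   # explicit Deny beats the Allow above when MFA is known to be absent
        "Sid": "DenyDeleteWithoutMFA", "Effect": "Deny",
        "Action": "s3:DeleteObject", "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    {   # iam:PassRole scoped to one role and to the service allowed to receive it
        "Sid": "PassAppRoleToEC2", "Effect": "Allow",
        "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/ec2-app",
        "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
]}
# Permissions boundary: caps alice at S3 plus read-only IAM, so PassRole is cut off.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:GetRole"], "Resource": "*"}]}
# SCP: explicit Allow of everything on the path, then a guardrail Deny on EMR.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(resource_pattern: str, ctx: dict) -> str:
    """Substitute policy variables such as ${aws:username} from the request context."""
    return _VAR.sub(lambda m: str(ctx.get(m.group(1), m.group(0))), resource_pattern)


def _conditions_hold(conditions: dict, ctx: dict) -> bool:
    """StringEquals and Bool only. A missing context key makes the condition false, which is
    why AWS recommends BoolIfExists for aws:MultiFactorAuthPresent with long-term keys."""
    for operator, pairs in conditions.items():
        if operator not in ("StringEquals", "Bool"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None or str(actual).lower() not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def _statement_applies(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    actions = _as_list(stmt.get("Action", []))
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):  # actions are case-insensitive
        return False
    resources = [_expand(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):  # ARNs are case-sensitive
        return False
    return _conditions_hold(stmt.get("Condition", {}), ctx)


def evaluate_policy(policy: dict, action: str, resource: str, ctx: dict):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (no match)."""
    outcome = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome


def decide(action, resource, ctx, identity_policies, resource_policy=None, boundary=None, scp=None):
    """Same-account decision: (allowed, reason). Identity and resource policies are a union;
    the permissions boundary and the SCP are each an intersection on top of that."""
    grants = [evaluate_policy(p, action, resource, ctx) for p in identity_policies]
    if resource_policy is not None:
        grants.append(evaluate_policy(resource_policy, action, resource, ctx))
    if "Deny" in grants:
        return False, "explicit deny"
    for name, doc in (("permissions boundary", boundary), ("SCP", scp)):
        if doc is None:
            continue
        result = evaluate_policy(doc, action, resource, ctx)
        if result == "Deny":
            return False, f"explicit deny in {name}"
        if result != "Allow":
            return False, f"not allowed by {name} (intersection)"
    if "Allow" in grants:
        return True, "allowed (union of identity and resource policies)"
    return False, "implicit deny"
```

The PassRole case is the one worth tracing by hand: the identity policy allows it, the SCP allows it, and yet the request fails, because the boundary only lists s3:* and iam:GetRole. The IAM Policy Simulator mentioned under IAM security tools reproduces exactly this kind of result for real policies.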


AWS Accounts
- To apply security restrictions across multiple AWS accounts, use Service Control Policy (SCP). For just a single account, use IAM policies.
- You can migrate an account to another AWS organization, e.g. if you divest a business unit
AWS Organizations
- OrganizationAccountAccessRole
- IAM role which grants full administrator permissions in the Member account to the Management account
- Used to perform admin tasks in the Member accounts (e.g., creating IAM users)
- Could be assumed by IAM users in the Management account
- Automatically added to all new Member accounts created with AWS Organizations
- Must be created manually if you invite an existing Member account
- Multi Account Strategies
- Create accounts per department, per cost center, per dev / test / prod, based on regulatory restrictions (using SCP), for better resource isolation (ex: VPC), to have separate per-account service limits, isolated account for logging,
- Multi Account vs. One Account Multi VPC
- Use tagging standards for billing purposes
- Enable CloudTrail on all accounts, send logs to central S3 account
- Send CloudWatch Logs to central logging account
- Strategy to create an account for security
- Service Control Policies (SCPs)
- Define allowlist or blocklist IAM actions
- Applied at the OU or Account level
- Does not apply to the Management Account
- SCP is applied to all the Users and Roles in the account, including the root user
- The SCP does not affect service-linked roles: they enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs
- SCP must have an explicit Allow from the root through each OU in the direct path to the target account (does not allow anything by default)
- Use cases:
- Restrict access to certain services (for example: can’t use EMR)
- Enforce PCI compliance by explicitly disabling services
- Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features.
- SCPs do not grant permissions to the IAM users and IAM roles in your organization. No permissions are granted by an SCP. An SCP defines a permission guardrail, or sets limits, on the actions that the IAM users and IAM roles in your organization can perform. To grant permissions, the administrator must attach policies to control access, such as identity-based policies that are attached to IAM users and IAM roles, and resource-based policies that are attached to the resources in your accounts.
- The effective permissions are the logical intersection between what is allowed by the SCP and resource control policies (RCPs) and what is allowed by the identity-based and resource-based policies.
- Feature Modes
- Consolidated billing features:
- Consolidated Billing across all accounts – single payment method
- Pricing benefits from aggregated usage (volume discount for EC2, S3…)
- All Features (Default):
- Includes consolidated billing features, SCP
- Invited accounts must approve enabling all features
- Ability to apply an SCP to prevent member accounts from leaving the org
- Can’t switch back to Consolidated Billing Features only
- Reserved Instances
- For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account.
- This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.
- The payer account (Management account) of an organization can turn off Reserved Instance (RI) discount and Savings Plans discount sharing for any accounts in that organization, including the payer account
- This means that RIs and Savings Plans discounts aren’t shared between any accounts that have sharing turned off.
- To share an RI or Savings Plans discount with an account, both accounts must have sharing turned on
- Moving Accounts
- STEP ONE: Remove the member account from the AWS Organization
- STEP TWO: Send an invite to the member account from the AWS Organization
- STEP THREE: Accept the invite to the new Organization from the member account

AWS Control Tower
- Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
- Benefits:
- Automate the set up of your environment in a few clicks
- Automate ongoing policy management using guardrails
- Detect policy violations and remediate them
- Monitor compliance through an interactive dashboard
- AWS Control Tower runs on top of AWS Organizations:
- It automatically sets up AWS Organizations to organize accounts and implement SCPs (Service Control Policies)
- Account Factory
- Automates account provisioning and deployments
- Enables you to create pre-approved baselines and configuration options for AWS accounts in your organization (e.g., VPC default configuration, subnets, region, …)
- Uses AWS Service Catalog to provision new AWS accounts

- Guardrail
- Detect and Remediate Policy Violations
- Provides ongoing governance for your Control Tower environment (AWS Accounts)
- Preventive – using SCPs (e.g., Disallow Creation of Access Keys for the Root User)
- Detective – using AWS Config (e.g., Detect Whether MFA for the Root User is Enabled)
- Example: identify non-compliant resources (e.g., untagged resources)
- Guardrails Levels
- Mandatory
- Automatically enabled and enforced by AWS Control Tower
- Example: Disallow public Read access to the Log Archive account
- Strongly Recommended
- Based on AWS best practices (optional)
- Example: Enable encryption for EBS volumes attached to EC2 instances
- Elective
- Commonly used by enterprises (optional)
- Example: Disallow delete actions without MFA in S3 buckets

- Landing Zone
- Automatically provisioned, secure, and compliant multi-account environment based on AWS best practices
- Landing Zone consists of:
- AWS Organization – create and manage multi-account structure
- Account Factory – easily configure new accounts to adhere to config. and policies
- Organizational Units (OUs) – group and categorize accounts based on purpose
- Service Control Policies (SCPs) – enforce fine-grained permissions and restrictions
- IAM Identity Center – centrally manage user access to accounts and services
- Guardrails – rules and policies to enforce security, compliance and best practices
- AWS Config – to monitor and assess your resources’ compliance with Guardrails

- Account Factory
- You can react to new accounts created using EventBridge
- Account Factory Customization (AFC)
- Automatically customize resources in new and existing accounts created through Account Factory
- Custom Blueprint
- CloudFormation template that defines the resources and configurations you want to customize in the account
- Defined in the form of a Service Catalog product
- Stored in a Hub Account, which stores all the Custom Blueprints (recommended: don’t use the Management account)
- Also available pre-defined blueprints created by AWS Partners
- Only one blueprint can be deployed to the account
- Account Factory for Terraform (AFT)
- Helps you provision and customize AWS accounts in Control Tower through Terraform using a deployment pipeline
- You create an account request Terraform file which triggers the AFT workflow for account provisioning
- Offers built-in feature options (disabled by default)
- AWS CloudTrail Data Events – creates a Trail & enables CloudTrail Data Events
- AWS Enterprise Support Plan – turns on the Enterprise Support Plan
- Delete The AWS Default VPC – deletes the default VPCs in all AWS Regions
- Terraform module maintained by AWS
- Works with Terraform Open-source, Terraform Enterprise, and Terraform Cloud

- Customizations for AWS Control Tower (CfCT)
- GitOps-style customization framework created by AWS
- Helps you add customizations to your Landing Zone using your custom CloudFormation templates and SCPs
- Automatically deploy resources to new AWS accounts created using Account Factory
- Note: CfCT is different from AFC (Account Factory Customization ; blueprint)

- AWS Config Integration
- Control Tower uses AWS Config to implement Detective Guardrails
- Control Tower automatically enables AWS Config in enabled Regions
- AWS Config Configuration History and snapshots delivered to S3 bucket in a centralized Log Archive account
- Control Tower uses CloudFormation StackSets to create resources like Config Aggregator, CloudTrail, and centralized logging
- Config Conformance Packs – enables you to create packages of Config Compliance Rules & Remediations for easy deployment at scale
- Deploy to individual AWS accounts or an entire AWS Organization

AWS IAM Identity Center
- successor to AWS Single Sign-On
- centralizes access management across AWS accounts and applications
- One login (single sign-on) for all your
- AWS accounts in AWS Organizations
- Business cloud applications (e.g., Salesforce, Box, Microsoft 365…)
- SAML2.0-enabled applications
- EC2 Windows Instances
- Identity providers
- Built-in identity store in IAM Identity Center
- 3rd party: Active Directory (AD), OneLogin, Okta…
- issues temporary security credentials for users to access AWS resources

- Fine-grained Permissions and Assignments
- Multi-Account Permissions
- Manage access across AWS accounts in your AWS Organization
- Permission Sets – a collection of one or more IAM Policies assigned to users and groups to define AWS access
- Application Assignments
- SSO access to many SAML 2.0 business applications (Salesforce, Box, Microsoft 365…)
- Provide required URLs, certificates, and metadata
- Attribute-Based Access Control (ABAC)
- Fine-grained permissions based on users’ attributes stored in IAM Identity Center Identity Store
- Example: cost center, title, locale…
- Use case: define permissions once, then modify AWS access by changing the attributes in IAM Identity Center
- User attributes are mapped from the IdP as key-value pairs
- External IdPs
- SAML 2.0: authenticate identities from external IdP
- Users sign into the AWS access portal using their corporate identities
- Supports Okta, Azure AD, OneLogin…
- SAML 2.0 does NOT provide a way to query the IdP to learn about users and groups
- You must create users and groups in the IAM Identity Center that are identical to the users and groups in the External IdP
- SCIM: automatic provisioning (synchronization) of user identities from an external IdP into IAM Identity Center
- SCIM = System for Cross-domain Identity Management
- Must be supported by the external IdP
- Perfect complement to using SAML 2.0
- Multi-Factor Authentication (MFA)
- Every Time They Sign-in (Always-on)
- Only When Their Sign-in Context Changes (Context-aware) – analyzes user behavior (e.g., device, browser, location…)

Amazon Inspector
- an automated vulnerability management service: scans EC2 instances, container images in Amazon ECR and Lambda functions for software vulnerabilities and unintended network exposure, and prioritises findings with a risk score