Securing Access To Cloud Resources: AWS Academy Cloud Security Foundations

Securing Access to Cloud Resources
AWS Academy Cloud Security Foundations
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introduction
Module objectives
At the end of this module, you should be able to do the following:
• Authorize access to Amazon Web Services (AWS) services by using AWS
Identity and Access Management (IAM) users, groups, and roles.
• Differentiate between different types of security credentials in IAM.
• Authorize access to AWS services by using identity-based and resource-based
policies.
• Identify other AWS services that provide authentication and access management
services.
• Centrally manage and enforce policies for multiple AWS accounts.
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 3
Module overview
Sections Demo
• IAM fundamentals • Amazon S3 Cross-Account
• Authenticating with IAM Resource-Based Policy
• Authorizing with IAM Lab
• Examples of authorizing with IAM • Using Resource-Based Policies to

Secure an S3 Bucket
• Additional authentication and access
management services Knowledge check
• Using AWS Organizations
Bank business scenario (1 of 3)
Shared responsibility model
IAM fundamentals
AWS Identity and Access Management (IAM)
• Securely shares and controls individual and group
access to your AWS resources
• Integrates with many other AWS services
AWS Identity and
• Supports federated identity management Access
Management (IAM)
• Supports granular permissions
• Supports multi-factor authentication (MFA)
• Provides identity information for assurance
What IAM provides
• Authentication
• Who is requesting access to the AWS account and
the resources in it?
• It’s important to establish the identity of the requester
through credentials.
• The requester could be a person or an application;
IAM calls them principals.
• Authorization
• After the requester has been authenticated, what
should they be allowed to do?
• IAM checks for policies that are relevant to the
request to determine whether to allow or deny the
request.
IAM overview
User Group Role IAM policy

A person or application A collection of IAM An identity used to The document that
that can authenticate users who are granted grant a temporary set defines which
with an AWS account identical authorization of permissions to make resources can be
AWS service requests accessed and the level
of access to each
resource
IAM terminology
• IAM entity: Used by AWS for authentication (users and
roles)
• IAM identity: Used to identify and group
• You can attach a policy to an IAM identity (user, group, or role).
• IAM resource: The user, group, role, policy, and identity
provider objects that are stored in IAM
• You can add, edit, and remove resources from IAM.
• Principal: A person or application that uses the AWS
account root user, IAM user, or IAM role to sign in and
make requests to AWS
Requests in IAM
A request is made any time a principal attempts to use the AWS Management
Console, application programming interface (API), or AWS Command Line Interface
(AWS CLI).
The request contains the following information:
• Actions or operations: What the principal wants to perform
• Resources: The object upon which the actions or operations are performed
• Principal: The person or application that sends a request by using a user or role
• Environment data: The IP address, user agent, Secure Sockets Layer (SSL) enabled status, or
time of day
• Resource data: Data related to the resource being requested
Service endpoints
• To connect to an AWS service, you must use
the URL of the entry point for that service,
known as an endpoint.
• The AWS software development kits (SDKs)
and AWS CLI use the default endpoint for
each service in an AWS Region.
• You can specify alternate endpoints for API
requests based on configuration
requirements.
Key takeaways: • IAM is a web service that helps you
securely control access to AWS resources.
IAM fundamentals
• Authentication deals with who is requesting
access. Authorization determines what they
have access to.
• IAM uses users, groups, roles, and policies
to provide authentication and authorization
to AWS resources.
Authenticating with IAM
IAM roles
• IAM role characteristics
• It provides temporary security credentials.
• A role is not uniquely associated with one person.
• A person, application, or AWS service can assume a
role.
• A role is often used to delegate access.
• The AWS Security Token Service (AWS STS) issues
temporary security credentials.
• Common use cases
• Applications that run on Amazon Elastic Compute
Cloud (Amazon EC2)
• Cross-account access for an IAM user
• Mobile applications
IAM credentials for authentication
Multi-factor authentication (MFA)
• Adds an extra layer of protection on top of your user name
and password
• Users prompted for an authentication code
• Can be hardware based or a virtual device
• Activate MFA for:
• AWS Management Console users
• AWS API users (requires temporary security credentials)
• Examples of MFA devices:
• Security keys (YubiKey, Gemalto)
• Applications (Google Authenticator, Authy)
• Hardware devices
Authentication scenario
Key takeaways: • A best practice is to attach IAM policies to
IAM groups, and then assign IAM users to
Authenticating these IAM groups.
with IAM • IAM roles use temporary security
credentials.
• AWS STS provides temporary credentials
for roles.
• MFA adds an extra layer of protection on
top of your user name and password.
Authorizing with IAM
Principle of least privilege
Best practices:
• Start by granting the
minimum AWS account
permissions that are
needed for the job role.
• Grant additional access as
needed.
Policies and permissions
Identity-based and resource-based policies
Identity-based policies Resource-based policies

What does a particular identity have access to? Who has access to a particular resource?
Carlo Resource Read Write List Resource User Read Write List
s Resource X Allow Allow Allow X Ana Allow Allow Allow
Akua Allow Allow Allow
Richar Resource Read Write List
d Mary Allow N/A Allow
Resource Y Allow N/A N/A
Mateo N/A N/A Allow
Resource Z Allow N/A N/A
Resource User Read Write List
Managers Resource Read Write List
Y Paulo Allow Allow Allow
Resource X N/A N/A Allow
Nikki Allow N/A N/A
Resource Y N/A N/A Allow
Mateo N/A Allow Allow
Resource Z N/A N/A Allow
Managed and inline IAM policies
Evaluation logic for IAM policies
Key takeaways: • Permissions to access AWS account
services and resources are defined in IAM
Authorizing with policy documents.
IAM • Attach IAM policies to IAM users, IAM
groups, or IAM roles.
• Follow the principle of least privilege when
you grant account access.
• When IAM determines permissions, an
explicit deny will always override any allow
statement.
Examples of authorizing with IAM
Example: Identity-based policy
Example: Cross-account, resource-based policy
Example IAM policy: Allow statement
Example IAM policy: Deny statement
An explicit deny statement takes precedence over an allow statement.
Example IAM policy: Permissions boundary
Demonstration:
Amazon S3
Cross-Account
Resource-Based
Policy
Additional authentication and
access management services
Identity federation
• Identity federation is a system of trust between two parties to
authenticate users and convey information that is needed to authorize
resource access.
• Identity providers are responsible for user authentication.
• Service providers are responsible for resource access.
• Two AWS services are available to provide federation to AWS
accounts and applications:
• AWS Single Sign-On (AWS SSO)
• AWS Identity and Access Management (IAM)
AWS Single Sign-On (AWS SSO)
• Create or connect identities once and manage access
centrally across your AWS accounts.
• AWS SSO provides a unified administration experience to
define, customize, and assign fine-grained access. AWS Single Sign-On
(AWS SSO)
• Users are provided a user portal to access all their
assigned AWS accounts or cloud applications.
• You can flexibly configure access to run parallel to or
replace AWS account access management by using IAM.
AWS Directory Service
• AWS Directory Service for Microsoft Active Directory, also
called AWS Managed Microsoft AD
• Facilitates directory-aware workloads and AWS resources
to use managed Active Directory in the AWS Cloud AWS Directory
Service
• Provides the ability to extend your existing Active
Directory to AWS by using your existing on-premises user
credentials to access cloud resources
• Supports Active Directory SSO to AWS applications by
using a single set of credentials
Amazon Cognito
• Integrates user sign-up, sign-in, and access control with
web and mobile applications
• Provides a secure identity store that can scale to millions
of users with Amazon Cognito user pools Amazon Cognito
• Offers user sign-in through enterprise identity providers
and social identity providers such as Apple, Google,
Facebook, and Amazon
• Provides the ability to create unique identities for your
users and federate them with identity providers through
Amazon Cognito identity pools
Using AWS Organizations
AWS Organizations
• Account management service that you can use to
consolidate multiple AWS accounts into a centrally
managed organization
• Includes account creation and management as well as AWS Organizations
consolidated billing capabilities
• Provides for hierarchical grouping of accounts
• Supports centralized policy control over AWS services and
API actions using service control policies (SCPs)
• Integrates with IAM and other services
Example: SCP
Prevent member accounts from leaving the organization:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [ "organizations:LeaveOrganization"
],
"Resource": "*"
}
]
}
Lab: Using
Resource-Based
Policies to Secure
an S3 Bucket
Lab: Tasks
1. Accessing the console as an IAM user
2. Attempting read-level access to AWS services
3. Analyzing the identity-based policy applied to the IAM user
4. Attempting write-level access to AWS services
5. Assuming an IAM role and reviewing a resource-based policy
6. Understanding resource-based policies
Begin Lab: Using Resource-Based Policies to Secure an S3 Bucket
Duration: 60 minutes
Lab debrief: Key
takeaways
Module wrap-up
Module summary
In this module, you learned how to do the following:
• Authorize access to AWS services by using IAM users, groups, and roles.
• Differentiate between different types of security credentials in IAM.
• Authorize access to AWS services by using identity-based and resource-based
policies.
• Identify other AWS services that provide authentication and access management
services.
• Centrally manage and enforce policies for multiple AWS accounts.
Complete the knowledge check
Sample exam question
How would a system administrator add an additional layer of login security to protect a user's access to
the AWS Management Console?
Choice Response
A Use Amazon Cloud Directory.
B Audit AWS Identity and Access Management (IAM) roles.
C Activate multi-factor authentication (MFA).
D Enable AWS CloudTrail.
Sample exam question answer
How would a system administrator add an additional layer of login security to protect a user's access to
the AWS Management Console?
The correct answer is C.

The keywords in the question are additional layer of login security.
Thank you
Corrections, feedback, or other questions?

Contact us at https://support.aws.amazon.com/#/contacts/aws-academy.
All trademarks are the property of their owners.
Image source files for
development use only
55
IAM roles
• IAM role characteristics
• It provides temporary security credentials.
AWS Cloud
• A role is not uniquely associated with one person. Application has
EC2 instance permissions to
• A person, application, or AWS service can assume a
access the S3
role. bucket
Application
• A role is often used to delegate access. 3
S3 bucket
• The AWS Security Token Service (AWS STS) issues
The EC2 instance photos
temporary security credentials. 2
assumes the role
• Common use cases
• Applications that run on Amazon Elastic Compute 1
Cloud (Amazon EC2) IAM role IAM policy grants
(Get-pics) Policy access to the
• Cross-account access for an IAM user attached photos bucket
• Mobile applications
IAM credentials for authentication
User name and password Access key ID and secret access key
(console access) (programmatic access)
AWS
CLI
ACCESS KEY ID
AWS Management AKIAIOSFODNN7EXAMPLE
Option
Console SECRET KEY
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
API Option
access
Principle of least privilege
Best practices:
Full
access
• Start by granting the
minimum AWS account
permissions that are
needed for the job role.
Read
IAM group only • Grant additional access as
members needed.
IAM policies with
permissions
Policies and permissions
Full S3 bucket 1
access
Read
S3 bucket 2
IAM only
group
members
IAM policies
with permissions
Example: Identity-based policy
{
"Version": "2018-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:*LoginProfile", These are
the actions
"iam:*AccessKey*",
allowed by
"iam:*SSHPublicKey*" the policy
],
These are the AWS
"Resource": resources that the allowed
"arn:aws:iam::account-id-without-hyphens:user/${aws:username}" actions can be performed on
}
}
Example: Cross-account, resource-based policy
{
"Version": "2018-10-17",
"Statement": {
"Sid": "AccountBAccess1",
Who can make the
"Principal": {"AWS": "111122223333"}, request (Account B)
"Effect": "Allow",
Actions allowed
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET", Resources shared by
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" Account A
]
}
}
Managed and inline IAM policies
IAM policies
Managed Inline policies
policies
• Are standalone, identity-based • Are embedded in a principal
policies entity (for example, user,
• Can be attached to multiple group, or role)
users, groups, and roles Managed Inline
Features: • Are useful for a strict 1:1

• Reusability relationship between a policy
• Central change management and the entity
• Versioning and rollback AWS managed Customer managed
• Permissions management that
can be delegated to others
• Provides the use of
permissions boundaries
Evaluation logic for IAM policies
Deny (explicit deny)
Ye
s
Evaluate all Explicit Explicit

Allow
applicable policies deny? No allow? Ye
s
No
Deny
Example IAM policy: Allow statement
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["dynamodb:*","s3:*"],
"Resource":["arn:aws:dynamodb:region:account-number-without-hyphens:table/coursenotes",
"arn:aws:s3:::course-notes-web",
"arn:aws:s3:::course-notes-mp3/*"]
},
{ Allows the entity to perform
"Effect":"Deny", any DynamoDB or S3 action
"Action":["dynamodb:*","s3:*"], on this DynamoDB table and
"NotResource":["arn:aws:dynamodb:region:account-number-without-hyphens:table/coursenotes",
these S3 buckets
}
]
}
Example IAM policy: Deny statement
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["dynamodb:*","s3:*"],
"Resource":["arn:aws:dynamodb:region:account-number-without-hyphens:table/coursenotes",
},
{
"Effect":"Deny", Ensures that the entity
"Action":["dynamodb:*","s3:*"], can’t perform any action
"NotResource":["arn:aws:dynamodb:region:account-number-without-hyphens:table/coursenotes",
on any DynamoDB table
"arn:aws:s3:::course-notes-web", or S3 bucket except the
"arn:aws:s3:::course-notes-mp3/*"] tables and buckets that
} the policy specifies
]
}
An explicit deny statement takes precedence over an allow statement.
Example IAM policy: Permissions boundary
{ {
"Version": "2012-10-17", 1 "Version": "2012-10-17", 2
"Statement": [ "Statement": {
{ "Effect": "Allow",
"Effect": "Allow", "Action": "iam:CreateUser",
"Action": [ "Resource": "*"
"s3:*", }
"cloudwatch:*", }
"ec2:*"
],
"Resource": "*"
}
]
} If policy 1 is attached to a user… …followed by policy 2, then any attempt to
create a user in IAM will fail because of the
boundary restrictions placed by policy 1.

Securing Access To Cloud Resources: AWS Academy Cloud Security Foundations

Uploaded by

Copyright:

Available Formats

You might also like

Securing Access To Cloud Resources: AWS Academy Cloud Security Foundations

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Securing Access To Cloud Resources: AWS Academy Cloud Security Foundations

Uploaded by

Copyright:

Available Formats

Securing Access to Cloud Resources

AWS Academy Cloud Security Foundations

• Authorizing with IAM Lab

• Examples of authorizing with IAM • Using Resource-Based Policies to

• Using AWS Organizations

User Group Role IAM policy

Identity-based policies Resource-based policies

An explicit deny statement takes precedence over an allow statement.

A Use Amazon Cloud Directory.

B Audit AWS Identity and Access Management (IAM) roles.

C Activate multi-factor authentication (MFA).

D Enable AWS CloudTrail.

The correct answer is C.

Corrections, feedback, or other questions?

Features: • Are useful for a strict 1:1

Deny (explicit deny)

Evaluate all Explicit Explicit

An explicit deny statement takes precedence over an allow statement.

You might also like