When we create an AWS account, we begin with the AWS account root user, which has full access to every AWS service and resource in the account. The root user signs in with the email address and password that were used to create the account. It is recommended not to use the root user for daily tasks, not even administrative ones. Instead, the best practice is to use the root user only to create our first IAM user (and for the few account-level tasks that require root) and then to lock it down.
3. Top Features of IAM
IAM provides the following features:
Shared access to your AWS account
We can grant access permission to other people to administer and use resources in our AWS account without any need to share our password or access key.
Granular permissions
We can grant different levels of permission to different people for different resources. For example, we can give some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), Amazon Simple Storage Service (Amazon S3), and other AWS services, while other users get read-only access to Amazon VPC, permission to administer just a few EC2 instances, or access to billing information and nothing else.
Secure access to applications that run on Amazon EC2
We can use an IAM role attached to the EC2 instance (through an instance profile) to supply credentials to the applications running on it. The instance obtains short-lived credentials from the instance metadata service, so no long-term access key has to be stored on the machine, and the role's policies decide which other AWS resources, such as S3 buckets and DynamoDB tables, the application may access.
Multi-factor authentication (MFA)
We can add two-factor authentication to our AWS account and individual users for extra security. With MFA enabled, you or your users must provide a password or access key to log in to your AWS account and a code from the configured MFA device.
Identity federation
We can allow users who already have passwords elsewhere, for example in our corporate network or with an internet identity provider, to obtain temporary credentials for our AWS account instead of creating a separate IAM user and password for each of them.
Free to use
AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are features of the AWS account offered at no additional charge. We are charged only for the other AWS services our IAM users consume.
4. IAM Internals
IAM is responsible for the following two processes:
Authentication — are you the correct user you claim to be?
Authorization — are you allowed to perform such actions?
IAM has a lot of internal items:
Users are identities with a console password, an access key ID and secret access key, or other security credentials.
Groups — IAM groups let us manage the permissions of many users as a single unit.
Roles — where an IAM group delegates permissions to users, an IAM role delegates permissions to whatever assumes it: an AWS service such as Lambda, an application on an EC2 instance, or a user from another account.
Policies are documents that list the permissions attached to a user, group, or role.
An IAM user is an identity inside our AWS account. As the owner of the account, we can create users, attach policies that grant each of them access to particular resources such as EC2, S3, or ELB, and generate a password or access keys for them. Once the credentials have been delivered to our team members over a secure channel, they have everything they need to start work.
Protecting our Root User Account
It is strongly recommended to lock down the root user and use an ordinary IAM identity for day-to-day activities. By lockdown, we mean the following:
Set a strong, unique password and store it in a safe place
Enable MFA on the root user
Create an IAM user (or role) with only the permissions needed for daily work, and use that instead
Delete the root user's access keys, so that nobody can use the root identity programmatically
Avoid signing in to the console as the root user
The root user has full access to and control of the AWS account. If someone with hostile intentions gets hold of the root user's password, the entire infrastructure is compromised. An IAM user, on the other hand, starts with no permissions at all. We assign only the permissions it needs to get its job done, so its reach is limited and an attack against it is not necessarily catastrophic.
IAM groups let us collect users and delegate permissions to them as a set. Groups have no credentials of their own: a user added to a group still authenticates with their own credentials and then receives the access permitted by the group's policies.
Access for individual people is defined by managing users and groups. Permissions can also be given to things that are not people, such as EC2 instances and applications, through roles.
A role is an identity with permissions and restrictions like a user, but it is not owned by any user and has no long-term credentials, so nobody can sign in to it directly. Instead, a principal that has already been authenticated (a user, an application on an EC2 instance, or an AWS service) assumes the role and receives temporary credentials. While those credentials are in use, the role's policies apply instead of the assuming identity's own permissions.
An IAM policy states who may perform which actions on which resources. For example, the policy shown in the figure permits one specific user, Steve, identified by his Amazon Resource Name (ARN) as the Principal, to put objects into the S3 bucket called design team. The Action line names the put-object permission (s3:PutObject), the ARN on the Resource line identifies the bucket, and the permission takes effect because Effect is set to Allow. IAM evaluates every policy that applies to a request: an explicit Deny in any of them wins, otherwise a matching Allow grants the request, and anything not mentioned is denied by default.
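The following is an added example, not code from the article or from AWS. It implements the evaluation order described above (explicit Deny over Allow over implicit deny) for a constructed policy modelled on the Steve/design-team example; the account ID 111122223333, the bucket name design-team and the second Deny statement are assumptions made for the illustration, and conditions, permission boundaries and organisation SCPs are deliberately left out.

```python
"""Simplified IAM policy evaluation.

Added example, not code from the original article or from AWS. It models the
documented core of IAM authorization: an explicit Deny in any applicable
statement wins, otherwise a matching Allow grants the request, otherwise the
request is implicitly denied. Condition blocks, permission boundaries, SCPs and
cross-account rules are deliberately left out.
"""
import fnmatch
import json

# Constructed policy in the spirit of the article's example: Steve may put
# objects into the design-team bucket. The account id (111122223333), the user
# name and the bucket name are assumptions made for this example.
DESIGN_TEAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StevePutsDesignFiles",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/Steve"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::design-team/*"
    },
    {
      "Sid": "NobodyDeletesAnything",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
      "Resource": ["arn:aws:s3:::design-team", "arn:aws:s3:::design-team/*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM lets most fields be either a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal_arn):
    if spec == "*":
        return True
    arns = _as_list(spec.get("AWS", []))
    return "*" in arns or principal_arn in arns


def _any_match(patterns, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource. fnmatchcase
    # does the same (it also understands [...], which IAM policies do not use).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, principal_arn, action, resource_arn):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", "*"), principal_arn):
            continue
        # IAM matches action names case-insensitively.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _any_match(actions, action.lower()):
            continue
        if not _any_match(stmt["Resource"], resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"           # an explicit deny overrides every allow
        decision = "Allow"          # keep looking: a later Deny could still win
    return decision


if __name__ == "__main__":
    steve = "arn:aws:iam::111122223333:user/Steve"
    alice = "arn:aws:iam::111122223333:user/Alice"
    for who, action, res in [
        (steve, "s3:PutObject", "arn:aws:s3:::design-team/logo.png"),
        (alice, "s3:PutObject", "arn:aws:s3:::design-team/logo.png"),
        (steve, "s3:GetObject", "arn:aws:s3:::design-team/logo.png"),
        (steve, "s3:DeleteObject", "arn:aws:s3:::design-team/logo.png"),
    ]:
        name = who.rsplit("/", 1)[1]
        print(f"{name:6} {action:16} -> {evaluate(DESIGN_TEAM_POLICY, who, action, res)}")
```

The point to notice is the last two cases: Steve is never granted s3:GetObject, so it is implicitly denied, and although nothing forbids him from uploading, the explicit Deny on s3:DeleteObject applies to everyone, Steve included, regardless of what other Allow statements say.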
Multi-factor Authentication (MFA)
AWS MFA adds a layer of security on top of AWS credentials. With MFA enabled, a user signing in to the AWS Management Console must provide their username and password and also an authentication code generated by the MFA device they have registered. Requiring these multiple factors raises the security of the account and of the AWS resources we have created in it.
MFA can be enabled for the account's root user and for each IAM user we have created in the account. There is no charge for MFA.
Need for AWS Multi-Factor Authentication
MFA helps to prevent unauthorized access to the AWS account
Both the root user and IAM users can be protected with MFA
If a password is compromised, the account is still protected, because the attacker also needs the code from the MFA device. Note that MFA covers console sign-in; API calls made with long-term access keys are not protected unless the policies in use require MFA (for example through the aws:MultiFactorAuthPresent condition key)
Enabling MFA for the root user only affects the root user's credentials. Each IAM user is a separate identity with its own credentials, and each one has to have its own MFA device configured
AWS Device Options for MFA
The following devices are supported as MFA devices in AWS:
Virtual MFA device: a software application that generates time-based one-time codes and can hold tokens for several accounts on a single device, e.g. Google Authenticator (phones only) or Authy (multi-device)
Universal 2nd Factor (U2F) security key: a single key can be registered for several root users and IAM users, e.g. YubiKey from Yubico (third party)
Hardware MFA device: a dedicated hardware token that displays one-time codes, e.g. the tokens provided by Gemalto (third party)
5. AWS CloudTrail
AWS CloudTrail is an auditing, governance, and compliance monitoring service offered by Amazon Web Services (AWS). It sits in the "Management and Governance" category of AWS services.
With CloudTrail enabled, AWS account owners can record and keep a log of the API calls made against the account (management events by default; data events such as S3 object-level operations can be enabled separately). An API call can be made:
When a resource is being accessed from the AWS management console
when trying to access resources by using AWS CLI
whenever there is a REST API call made to an AWS resource
These actions can be taken from:
Human users (like when a user is trying to spin up an EC2 instance from the AWS console)
Applications (like when a bash script calls an AWS CLI command)
another AWS service (like when a Lambda function is writing to an S3 bucket)
CloudTrail delivers the events as JSON log files that we can analyse, and a trail can be configured to produce digest files that let us validate that a log file has not been modified or deleted after delivery.
CloudTrail event history is enabled for every AWS account by default.
AWS CloudTrail Features
AWS CloudTrail has the features one would expect of a monitoring and governance tool:
AWS CloudTrail is "always on": the event history gives access to the most recent 90 days of management events
It provides event history to check the changes made to the AWS account
It provides a multi-region configuration
It provides Log file integrity validation and encryption
Data events, management events, and CloudTrail Insights
CloudTrail Event History
Event history is enabled by default when an AWS account is created, so administrators don't have to enable it manually. It is not a trail but a rolling 90-day view of management events. To keep events for longer than 90 days, to capture data events, or to deliver the log files to an S3 bucket for analysis and integrity validation, a trail has to be created.
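Two things a practitioner does with trail output are checking that a delivered log file still matches its digest entry and scanning the records for root-user activity, which the root lockdown and MFA sections above argue should never appear in normal operation. The following is an added example that does both; it is not code from the article or from AWS. The three records, the account ID and the digest entry are constructed for the illustration. Real log files are gzip-compressed, and real digest files are additionally signed by CloudTrail (the RSA signature is stored in the S3 object's metadata and checked against the key returned by GetPublicKey); that signature check is left out here.

```python
"""Two checks over CloudTrail output: verifying a log file against its digest
entry, and flagging root-user activity in the records. Added example; not code
from the article or from AWS. The records, the digest entry and the account id
are constructed for illustration. Real log files are gzip-compressed JSON and
real digest files are RSA-signed by CloudTrail; that signature step is omitted.
"""
import hashlib
import hmac
import json

_RECORDS = [
    {   # root signs in to the console without MFA (constructed)
        "eventVersion": "1.08", "eventTime": "2023-05-01T09:12:44Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # root then creates a new IAM user (constructed)
        "eventVersion": "1.08", "eventTime": "2023-05-01T09:13:10Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "requestParameters": {"userName": "backup-admin"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # ordinary IAM user activity, which should not be flagged (constructed)
        "eventVersion": "1.08", "eventTime": "2023-05-01T09:20:02Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.9",
    },
]
LOG_FILE = json.dumps({"Records": _RECORDS}).encode()

# The logFiles[] entry a digest file would carry for LOG_FILE (constructed).
DIGEST_ENTRY = {
    "s3Bucket": "example-trail-bucket",
    "s3Object": "AWSLogs/111122223333/CloudTrail/us-east-1/2023/05/01/example.json",
    "hashAlgorithm": "SHA-256",
    "hashValue": hashlib.sha256(LOG_FILE).hexdigest(),
}
# An attacker who reached the bucket and rewrote the MFA field after delivery.
TAMPERED_LOG_FILE = LOG_FILE.replace(b'"MFAUsed": "No"', b'"MFAUsed": "Yes"')


def verify_log_file(log_bytes: bytes, digest_entry: dict) -> bool:
    """True if the log file's SHA-256 matches the hash recorded in the digest."""
    if digest_entry["hashAlgorithm"] != "SHA-256":
        raise ValueError("unexpected hash algorithm " + digest_entry["hashAlgorithm"])
    actual = hashlib.sha256(log_bytes).hexdigest()
    return hmac.compare_digest(actual, digest_entry["hashValue"])


def detect_root_activity(records: list) -> list:
    """Return one finding per record made by the root user. Console sign-in
    without MFA gets its own rule name so it can be alerted on with priority."""
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        if rec["eventName"] == "ConsoleLogin":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            rule = "root-console-login" if mfa == "Yes" else "root-console-login-without-mfa"
        else:
            rule = "root-api-call"
        findings.append({
            "rule": rule,
            "eventName": rec["eventName"],
            "eventTime": rec["eventTime"],
            "sourceIPAddress": rec.get("sourceIPAddress"),
        })
    return findings


if __name__ == "__main__":
    print("delivered file intact:", verify_log_file(LOG_FILE, DIGEST_ENTRY))
    print("tampered file intact: ", verify_log_file(TAMPERED_LOG_FILE, DIGEST_ENTRY))
    for f in detect_root_activity(json.loads(LOG_FILE)["Records"]):
        print(f"{f['eventTime']} {f['rule']:32} {f['eventName']} from {f['sourceIPAddress']}")
```

Validating the hash is only as strong as the digest it is compared with, which is why CloudTrail signs the digest and chains each digest to the previous one; a check that stops at the hash, as this one does, detects a modified log file but not a digest that was replaced along with it.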
6. AWS Shield
AWS Shield is a managed service that protects applications running on AWS from Distributed Denial of Service (DDoS) attacks. It provides always-on detection and automatic inline mitigation that minimise application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
AWS Shield Standard protects your website or application from the most common DDoS attacks at the network and transport layers (layers 3 and 4).
Benefits of AWS Shield
It provides seamless integration and deployment for our application
It provides customizable protection from attacks
It provides managed protection and attack visibility
Using AWS Shield is cost-efficient
Shield Advanced protection can also be added for the following resource types:
Amazon Route 53 hosted zones
AWS Global Accelerator accelerators
Elastic Load Balancing (ELB) load balancers
Amazon EC2 instances with Elastic IP addresses
7. AWS WAF
AWS WAF is a web application firewall that helps protect web applications and APIs against common web exploits and bots that can affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your application by letting you create security rules that control traffic and block common attack patterns such as SQL injection and cross-site scripting.
After creating an AWS WAF web access control list (web ACL), create or update a CloudFront web distribution to associate it with the web ACL. Any number of CloudFront distributions can be associated with the same web ACL, or each with a different one.
Benefits of WAF
Agile protection against web attacks
Save time with managed rules
Improved web traffic visibility
Ease of deployment & maintenance
Easily monitor, block, or rate-limit bots
Security integrated with how you develop an application
These are a few of the AWS services that secure your application and infrastructure. Using them, you can control the security posture of your infrastructure and control what your users can do by granting them appropriate IAM permissions.
Deploying AWS WAF and AWS Shield in your AWS environment is straightforward and will help you keep up with ever-growing security requirements.
9. About CloudThat
CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner and a Microsoft Gold Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge of the technological intricacies of the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.