AWS Identity and Access Management PDF
Summary
This document discusses AWS Identity and Access Management (IAM). It details how IAM manages access to AWS services and resources, including security best practices. IAM controls user authentication and authorization for resource access.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Virtualization and Cloud Computing

AWS Identity and Access Management

IAM enables users to securely control access to AWS services and resources.

AWS Identity and Access Management (IAM) is a web service that enables customers to securely control access to AWS services and resources. It helps establish access rules and permissions for specific users and applications. It controls who is authenticated (signed in) and authorized (has permissions) to access resources.

[Figure 10.40: Illustration of accounts. The figure shows IAM groups (Admins, Developers and Test) that contain individual users and application identities.]

Module 10 Page 1348 EC-Council Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

IAM Features

Key features of IAM include:

- Shared access to AWS account/enhanced security: Creating usernames and passwords for other users/groups to delegate access to specific AWS service APIs and resources without sharing your password or access key.
- Granular permissions: Granting different permissions to different people for various resources, giving granular control over user access to specific AWS services and resources.
- Secure access to AWS resources for applications that run on Amazon EC2: Providing credentials for applications that run on EC2 instances so that they can access other AWS resources.
- Multi-factor authentication: Adding two-factor authentication to user accounts for additional security.
- Identity federation: Allowing users who already have passwords elsewhere to use just one password for on-premises and cloud environment work.
- Identity information for assurance: Receiving log records of IAM activity if the users utilize AWS CloudTrail.
- Payment Card Industry Data Security Standard: Supporting the Payment Card Industry Data Security Standard (PCI DSS) for organizations that handle branded credit cards from major card schemes.
- Integrated with AWS services: Enabling access controls to be provisioned from a single location in the AWS Management Console and applied throughout the AWS environment.
- Password policy: Allowing passwords to be reset or rotated remotely and setting rules for password usage.
- Policies and groups: Using IAM groups for easier permission management, following IAM best practices. IAM enables the organization of IAM users into IAM groups and applies a policy to each group; individual users still possess their own credentials.

AWS IAM: Lock Your AWS Account Root User Access Keys

- The access key (an access key ID and secret access key) is used to make programmatic requests to AWS.
- The access key of the AWS root user account gives full access to all AWS resources.

To protect the root user access key:
- Do not create AWS root user account access keys unless required.
- Change the AWS root user account access key regularly.
- Never share the AWS root user account password or access keys.
- Use strong passwords for logging into the AWS Management Console.
- Enable AWS MFA on the AWS root user account.

The access key (an access key ID and secret access key) enables programmatic requests to AWS. However, using the AWS root user access key is not recommended because it provides complete access to all resources of the AWS services.
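The group-and-policy model described under Policies and groups above can be made concrete with a small evaluator. This is an added example, not code from the course material: it applies the IAM rule that an explicit Deny overrides any Allow to a constructed policy for the Developers group, and adds a deny-unless-MFA statement built on the real IAM condition key aws:MultiFactorAuthPresent. The policy contents and user context are constructed, and the evaluator models only the `*`/`?` wildcards and the BoolIfExists operator.

```python
import fnmatch

# Constructed sample policies (not the course's own), modelled on the page's
# Developers group: a group policy plus a deny-unless-MFA statement that uses
# the real IAM condition key aws:MultiFactorAuthPresent.
DEVELOPERS_GROUP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::prod-secrets/*"},
]}
REQUIRE_MFA_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only BoolIfExists is modelled: a missing context key counts as a match,
    # which is what makes the statement above deny requests made without MFA.
    for key, expected in condition.get("BoolIfExists", {}).items():
        if key in context and str(context[key]).lower() != expected.lower():
            return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Simplified IAM evaluation: any matching explicit Deny wins; otherwise the
    request is allowed only if some statement explicitly allows it."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # IAM action names are case-insensitive; resources are not
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                       for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides every allow
            allowed = True
    return allowed


if __name__ == "__main__":
    policies = [DEVELOPERS_GROUP_POLICY, REQUIRE_MFA_POLICY]
    for mfa in ("true", "false"):  # same user, with and without an MFA session
        ctx = {"aws:MultiFactorAuthPresent": mfa}
        print(mfa, is_allowed(policies, "ec2:DescribeInstances", "*", ctx))
```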
It should be noted that users cannot reduce the permissions associated with their AWS root user access key.

Secure Root User Access Key

To protect the root user access key:
- An AWS root user access key should not be created unless required. Instead, the email address and password of the account should be used to sign in to the AWS Management Console and create an administrative IAM user.
- The AWS root user access key should be regularly changed or deleted. Steps to delete or change the root user access keys:
  - Go to the My Security Credentials page in the AWS Management Console.
  - Sign in with the email address and password of your account.
  - Manage the access keys in the Access keys section.
- Never share the AWS root user password or access keys, and avoid embedding them in an application.
- Use strong passwords for logging in to the AWS Management Console. Steps to set a strong password:
  - Select the desired account name or number, then select My Account in the upper right corner of the AWS Management Console.
  - Select Edit on the right side of the page, next to the Account Settings section.
  - Select Edit on the Password line to change the password.
  - AWS requires the password to satisfy the following conditions:
    - The password must have a minimum of 8 and a maximum of 128 characters.
    - The password must include at least three of the following character types: uppercase letters, lowercase letters, numbers, and the symbols ! @ # $ % ^ & * ( ) [ ] { } | _ + - =.
    - The password must not be identical to the AWS account name or email address.
- Enable AWS MFA on the AWS root user account. Steps for enabling MFA devices:
  - Acquire one of the following MFA devices. Note that only one MFA device can be enabled per AWS root user account or IAM user.
    - Virtual MFA device
    - U2F device
    - Hardware-based MFA device
    - Mobile phone
  - Enable the MFA device.
    - IAM users with virtual or hardware MFA devices can enable their devices from the AWS Management Console, the AWS CLI, or the IAM API.
    - For IAM users with U2F security keys or a mobile phone that can receive SMS texts, the MFA device can be enabled from the AWS Management Console.
    - For AWS root user accounts with any type of MFA device (except SMS MFA), the device can be enabled from the AWS Management Console.

[Figure 10.41: Enabling AWS MFA on AWS root user account. The figure shows the Security Credentials page of the AWS Management Console with the Multi-Factor Authentication (MFA) section expanded and its Activate MFA button; the console text reads: "You use AWS MFA to increase the security of your AWS environments when you sign in to AWS websites. When AWS MFA is enabled, you must provide not only a user name and password but also an authentication code from an AWS MFA device."]
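The root access key and MFA rules from the Lock Your AWS Account Root User Access Keys section above can be checked continuously against the IAM credential report (the Credential Report item visible in Figure 10.41, obtained in practice with `aws iam get-credential-report`). This is an added example, not code from the course material: the report text is a constructed subset of the real report's columns, the user names follow the figure, and the 90-day key-rotation threshold is an assumption rather than an AWS requirement.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample (not a real account) using a subset of the columns of the
# IAM credential report; the root user is always reported as <root_account>.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2019-01-01T00:00:00+00:00,false,N/A
harry,arn:aws:iam::123456789012:user/harry,true,true,true,2024-04-01T00:00:00+00:00,false,N/A
mike,arn:aws:iam::123456789012:user/mike,true,false,true,2022-06-01T00:00:00+00:00,false,N/A
devapp1,arn:aws:iam::123456789012:user/devapp1,false,false,true,2024-04-20T00:00:00+00:00,false,N/A
"""
SAMPLE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" for the sample
ROOT = "<root_account>"


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, code, detail) findings for the page's root-key and MFA rules.
    max_key_age_days is an assumed rotation threshold, not an AWS-mandated one."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days
            if user == ROOT:
                # Rule 1: the root user should have no access key at all
                findings.append((user, "ROOT_ACCESS_KEY_ACTIVE", f"key {slot} age {age} days"))
            elif age > max_key_age_days:
                # Rule 2: keys that exist should be rotated regularly
                findings.append((user, "KEY_NOT_ROTATED", f"key {slot} age {age} days"))
        if row["mfa_active"] != "true":
            if user == ROOT:
                findings.append((user, "ROOT_NO_MFA", "enable MFA on the root user"))
            elif row["password_enabled"] == "true":
                # Console sign-in without a second factor; app identities with no password are skipped
                findings.append((user, "PASSWORD_WITHOUT_MFA", "console sign-in lacks MFA"))
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(*finding)
```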