AWS Identity and Access Management PDF

Summary

This document discusses AWS Identity and Access Management (IAM). It details how IAM manages access to AWS services and resources, including security best practices. IAM controls user authentication and authorization for resource access.

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

AWS Identity and Access
Management
O 1AM enables users to securely control the access to AWS services and ).
resources

‘\§' o

Copyright © by EC-{

AWS Identity and Access Management
AWS identity and access management (IAM) is a web service that enables customer to securely
control the access to AWS services and resources. It helps in establishing the access rules and
permissions for specific users and applications. It controls who is authenticated (signed in) and
authorized (has permissions) for resource access.

2

[ Group: ) ( Group: ) Group:. Test )
{ Admins | | Developers | § ovmTest )

Y ’ & ™ e Y

[ Harry » Oliver ~~
A~ George 2

' )Y g
'd N s
r NN
[ Mike » Jack pe Jacob y -

s " s
DevAppl |/ TestAppl | ©._ J/J \.

Figure 10.40: lllustration of accounts

Module 10 Page 1348 EC-Council
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

IAM Features

Key features of IAM include
Shared access to AWS account/enhanced Security

Creating usernames and passwords for other users/groups to delegate access to specific
AWS service APIs and resources without sharing your password or access key.

Granular permissions

Granting different permissions to different people for various resources to provide
granularity to control user access to specific AWS services and resources.

Secure access to AWS resources for applications that run on Amazon EC2

Providing credentials for applications that run on EC2 instances to permit applications to
access other AWS resources.
Multi-factor authentication
Adding two-factor authentication to the user accounts for additional security.
Identity federation
Allowing users who already have passwords elsewhere and allowing users to have just
one password for on-premise and cloud environment work.
Identity information for assurance
Receiving log records if the users utilize AWS CloudTrail.

Payment Card Industry Data Security Standard

Supporting the Payment Card Industry Data Security Standard (PCI DSS) for
organizations that handle branded credit cards from major card schemes.
Integrated with AWS Services
Enabling the provision of access controls from a specific location in the AWS
management console, which will be implemented throughout the AWS environment.
Password Policy
Allowing to reset a password or rotate passwords remotely and setting rules for
password usage.

Policies and Groups

Use IAM groups for easier permission management and following the best I1AM
practices. IAM enables the organization of IAM users into IAM groups and applies a
policy to each group; individual users still possess their credentials.

Module 10 Page 1349 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

AWS IAM: Lock Your AWS Account Root User
Access Keys
(©]
Y 0 The access key (an access key ID and secret access key) is used to make programmatic requests to AWS

O The access key of AWS root user account gives full access to all AWS resources

To protect root user access key: _— —

v Do not create AWS root user
account access keys unless required
*

v Change the AWS root user account
access key regularly
Never share the AWS root user U
account password or access keys *
*

Use strong passwords for logging *

into the AWS Management Console -

Enable AWS MFA on AWS root user
account

AWS IAM: Lock Your AWS Account Root User Access Keys
The access key (an access key ID and secret access key) enables programmatic requests to AWS.
However, it is not recommended to use the AWS root user access key because it can provide
complete access to all resources of the AWS services. It should be noted that users cannot
reduce the permissions associated with their AWS root user access key.
Secure Root User Access Key
To protect the root user access key,
An AWS root user access key should not be created unless required. Instead, the email
address and password of the account should be used to sign in to the AWS management
console and create an administrative IAM user.
The AWS root user access key should be regularly changed or deleted.
Steps to delete or change the root user access keys:
o Go to the My Security Credentials page in the AWS management console.
o Sign in with the email address and password of your account.
o Manage access keys in the access keys section.
Never share the AWS root user password or access keys to avoid having to embed
them in an application.
Use strong passwords for logging in the AWS management console.
Steps to use strong passwords:
o Select the desired account name or number; next, select My Account on the upper
right corner of the AWS management console.

Module 10 Page 1350 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

o Select Edit on the right side of the page next to the Account Settings section.
o Select Edit to change the password on the Password line.
o AWS requires the password to satisfy the following conditions:
e The password should have a minimum of 8 and a maximum of 128 characters.

e The password should include at least three of the following character types:
uppercase, lowercase, numbers,and | @ #5 % * & * () [] {} | _+-= symbols.
e The password should not be identical to the AWS account name or email
address.
= Enable AWS MFA on the AWS root user account.
Steps for enabling MFA devices:
o Acquire any of the following MFA device. Note that only one MFA device can be
enabled per AWS root user account or IAM user.
e Virtual MFA device
e U2F device
e Hardware-based MFA device
e Mobile phone
o Enable the MFA device.
e |AM users with virtual or hardware MFA devices can enable their devices the
AWS management console, AWS CLI, or IAM API.

e For IAM users with U2F security keys or a mobile phone that can receive SMS
texts, the MFA device can be enabled from the AWS management console.
e For AWS root user accounts with any type of MFA device (except SMS MFA), the
device can be enabled from the AWS management console.

Dashboard

Details rtials for AWS ioentity and Access Managemert (1AM) users, use the 1AM Console
Groups To leam more about the Curly Credentals In ANS eral Reference

Users + Password

Roles - Muti-Factor Authentcation (MEA)
Policles
You use ANS MFA to increase the secunty of your S envvronments when you sgn in AWS websites When AWS MFA 15 enabled, you must provide not only a user name
gentity Providers and password but 3150 an authentication code from an AWS MFAdevice

Account Settings Activate MFA

Credential Report + Access Keys (Access Key D and Sacrat Access Key)

+ CloudFront Key Pairs
Encryption Keys
+ X509 Certficetes

+ Account Kentifier

Figure 10.41: Enabling AWS MFA on AWS root user account

Module 10 Page 1351 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.