IAM Roles / Resource Based Policies
When you assume a role you take on the permissions assigned to the role (and relinquish the permissions assigned to your IAM user account).
When using a resource-based policy the principal does not give up permissions assigned to their IAM user account.
Users can be granted permission to switch roles within an AWS account or to a role created in another AWS account.
Users are explicitly granted the permissions to assume the role.
MFA protection can be added to enforce an extra factor when assuming the role.
Can add an external ID to authenticate principals that attempt to assume a role.
Example APIs for assuming roles:
- AssumeRole – within / cross-account.
- AssumeRoleWithSAML – for users logging in with SAML.
- AssumeRoleWithWebIdentity – for users logging in with an IdP such as Cognitor, Facebook, Google etc. or OIDC IdPs.
- GetSessionToken – used for MFA.
- GetFederationToken – used by federated users to gain temporary credentials.
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.
An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
You can use an AWS managed policy or a customer managed policy to set the boundary for an IAM entity (user or role).
That policy limits the maximum permissions for the user or role.
SAML is an open standard used by many IdPs (e.g. Microsoft ADFS).
A trust is configured between AWS IAM and SAML (two way).
Enables federated single sign-on (SSO).
Enterprise identity provider (SAML compatible) used on-premises.
Users can log into the AWS Management Console or call the AWS API operations without you an IAM user account.
Uses the STS API: AssumeRoleWithSAML.
IAM roles are used and temporary credentials provided.
AWS recommend AWS Single Sign On (AWS SSO) for most new federation use cases.
Custom Identity Broker
Used in cases where the identity provider is not compatible with SAML 2.0
User is authenticated by local identity system then must call the AWS STS
API calls can be ither AssumeRole or GetFederationToken.
The temporary security credentials include permissions from the assumed role.
Web Identity Federation
AWS prefer you to use AWS Cognito for federation instead of using Web Identity Federation.
AWS Cognito acts as an identity broker and does federation work for you. It also allows anonymous access, data synchronization and MFA.
If you must use Web Identity Federation with AssumeRoleWithWebIdentity you must write code that interacts with a web IdP, such as Facebook.
The code must call the AssumeRoleWithWebIdentity API to trade the authentication token for AWS temporary security credentials.
Resource Access Manager
Share resources such as VPCs with other AWS accounts.
Any account or within an Organization.
Can share Transit Gateways, Route 53 Resolve Rules and License Manager Configurations.
Owner account creates a share.
Owner retains full ownership.
Defines the principal with whom to share.
If participant is inside an Organization with sharing enabled it automatically accepted.
Accounts not in an organization must accept an invite.
VPC owners create and manage the VPC and subnets and share with participants.
Participants can provision services into shared subnets.
Participants cannot modify or delete network objects (but can view them).
Participants cannot view or modify resources created by other participants.
AWS Single Sign-On (SSO)
Centrally managed SSO for multiple accounts and 3rd party applications.
Integrated with AWS Organizations.
Supports SAML 2.0 markup.
Provides centralized permission management.
Integrates with on-premises Microsoft Active Directory.
Can also integrate with AD Connector and with AWS Managed Microsoft AD.
With AWS SSO you don’t need to use a 3rd party IDP to provide login and integration with identity store.
AWS Certificate Manager (ACM)
Can generate certificates in ACM or upload your own.
ACM can load certificates on ELBs, CloudFront distributions an API Gateway APIs.
Can be used to offload encryption to an ELB that has an ACM certificate loaded.
Can create a private Certificate Authority (CA).
Certificates created by ACM are automatically renewed.
ACM is a regional service.
CloudHSM can be used for offloading SSL encryption.
Supported by Nginx and Apache web servers.
- The HSMs in your AWS CloudHSM cluster support quorum authentication, which is also known as M of N access control.
- With quorum authentication, no single user on the HSM can do quorum-controlled operations on the HSM.
- Instead, a minimum number of HSM users (at least 2) must cooperate to do these operations.
- With quorum authentication, you can add an extra layer of protection by requiring approvals from more than one HSM user.
AWS Shield (standard or premium).
AWS WAF for filtering using Web ACLs.
CloudFront and Route 53 for availability protection using the global edge network.
AWS Shield can be added to CloudFront for DDoS attack mitigation at the edge.
AWS Auto Scaling for scaling resources if an attack does reach them.
Separate static resources (e.g. S3/CloudFront) from dynamic ones (e.g. EC2/ELB).
AWS Managed Logs
Load balancer access logs to S3
CloudTrail logs to S3 and CloudWatch Logs
VPC Flow Logs to S3 and CloudWatch Logs
Route 53 access logs to CloudWatch Logs
S3 access logs to S3
CloudFront access logs to S3
AWS config to S3
Intelligent threat detection.
Uses machine learning algorithms.
- VPC Flow Logs
- CloudTrail Logs
- DNS Logs
- CloudWatch Event rules can be triggered and invoke Lambda or SNS.
Amazon Inspector tests the network accessibility of your Amazon EC2 instances and the security state of your applications that run on those instances.
Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices.
After performing an assessment, Amazon Inspector produces a detailed list of security findings that is organized by level of severity.
With Amazon Inspector, you can automate security vulnerability assessments throughout your development and deployment pipelines or for static production systems.
This allows you to make security testing a regular part of development and IT operations.
Amazon Inspector also offers predefined software called an agent that you can optionally install in the operating system of the EC2 instances that you want to assess.
The agent monitors the behavior of the EC2 instances, including network, file system, and process activity. It also collects a wide set of behavior and configuration data (telemetry).
Benefits of Inspector include:
- Configuration scanning and activity monitoring engine – Amazon Inspector provides an agent that analyzes system and resource configuration.
- Built-in content library – Amazon Inspector includes a built-in library of rules and reports.
- Automation through an API – Amazon Inspector can be fully automated through an API.
Amazon Inspector Rule and Packages
You can use Amazon Inspector to assess your assessment targets (collections of AWS resources) for potential security issues and vulnerabilities.
Amazon Inspector compares the behavior and the security configuration of the assessment targets to selected security rules packages.
In the context of Amazon Inspector, a rule is a security check that Amazon Inspector performs during the assessment run.
An Amazon Inspector assessment can use any combination of the following rules packages:
- Network Reachability – The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure.
- Common vulnerabilities and exposures – The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs).
- Center for Internet Security (CIS) Benchmarks – The CIS Security Benchmarks program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security.
- Security best practices for Amazon Inspector – Use Amazon Inspector rules to help determine whether your systems are configured securely.
AWS Web Application Firewall (WAF)
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
Can allow or block web requests based on strings that appear in the requests using string match conditions.
For example, AWS WAF can match values in the following request parts:
- Header – A specified request header, for example, the
- HTTP method – The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods:
- Query string – The part of a URL that appears after a
?character, if any.
- URI – The URI path of the request, which identifies the resource, for example,
- Body – The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
- Single query parameter (value only) – Any parameter that you have defined as part of the query string.
- All query parameters (values only) – As above buy inspects all parameters within the query string.
Fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS.
Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data.
Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations.
Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).
Macie’s alerts, or findings, can be searched and filtered in the AWS Management Console and sent to Amazon EventBridge, for easy integration with existing workflow or event management systems, or to be used in combination with AWS services, such as AWS Step Functions to take automated remediation actions.