AWS Series #2: AWS Security Layer— Login

LAKSHMI VENKATESH
Jun 17 · 7 min read

AWS Login: IAM, Cognito, Secrets Manager, MFA, Single Sign-On

After extensive analysis, your organization must be at a place where you have decided which cloud deployment model to go for and which cloud models to use be it Multi-Cloud or standalone and deployment options such as IAAS only or SAAS only or a mix of multiple services (most likely that will be the design), your next logical step is to use the Landing Zone of that particular cloud provider and create users and start work on Cloud.

Identity and Access Management (IAM):

Reference: AWS

Identity Access Management (IAM) is your first line of defence and Security point before you enter the Airport to onboard your Flight to touch the clouds! Let’s delve a bit deeper into the first Security touchpoints.

What will be covered:

What is IAM? Why do I need IAM? How will you access it — the tools? What is part of Access Management? IAM and Compliance Management? Benefits of IAM? How does it work? Advancements in IAM? What are the certifications held by IAM? Risk of IAM not being implemented? Challenges of IAM being implemented? If I am the Admin, how do I get the Reports of users and usage and violations? How do it enable and disable users? The Key terms.

The Authentication and the Authorisation:

IAM is a Web Service that helps you securely access AWS resources. Of the multiple hats IAM is wearing, its primary job is to “Authenticate” and “Authorize”.

Authenticate -> Login / Sign in

Authorize -> Check for Permissions to access resources

Authentication:

It is a process of confirming the identity of the “Principal” trying to access “AWS Resources”.

A Principal is an entity that can perform actions on the AWS Resources. Principal can be an AWS User or a Federated User who has been granted a login to AWS or has been attached an IAM Role or is an AWS Application with credentials.

IAM is the first check-point for AWS that authenticates this Principle to get into the Cloud Premises. ie., with a valid Boarding Pass you gain access to the Security Check Point, and once done you are good to go to proceed to your Boarding Gate.

There are multiple forms of Authentication enabled by IAM

1. Username and Password

2. MFA based authentication

3. AWS Secret Key

4. Access Key and Session Token

5. Single-Sign-On

6. Federated authentication (AD | LinkedIn | FB | Google)

7. Application | Process Logins

Authorization:

It is a process of “Permissioning” to let you access the “AWS Resources” that you are supposed to.

Each user will have a predefined set of permissions either provisioned individually or would have attached to a Role. In bigger organizations, where to say you have 5000 resources — first, you have to bucket the users and give them grants.

10 Different AWS Accounts for Organization. Below is the consolidated list of assignments.

you create groups and assign users to these groups — use UI / edit JSON file.

For the above scenario, you cannot assign individual users to assign the “Authorization”, the list will be endless. Like any other, IAM provides you the ability to create “Roles” that will enable you to define the permissions and lets you attach these permissions as Roles to individual users. Hence, before creating Roles, the first and primary activity you need to do is, create “Themes or Roles” — identify the buckets of users in the organizations and see what kind of access they will need. There will be north of 10- 20 Roles required for SME and about 150 or more for Large firms (guesstimate).

To be able to bucket the employees | users, you will create groups and the users will inherit the permissions from that group.

To simplify, this is how it works : Users -> Groups -> Policies -> Roles.

IAM Features

  1. Centralized control to the AWS Platform
  2. Shared access to your AWS Accounts
  3. Granular permissions
  4. Federated authentication (AD | LinkedIn | FB | Google)
  5. Password Rotation policy
  6. Token-based temporary login
  7. Compliant PCI DSS supported

Tools to perform

To perform the required operations IAM provides a standard set of tools for password management, Defining and attaching Roles, Creating and Deleting users, etc.,

Just access the AWS console login using the Root ID, for Administrator and. Create the users.

Compliance and IAM:

How is IAM Implemented

Reference: AWS

Key Terms:

  1. Access management
  2. Active Directory (AD)
  3. Biometric Authentication
  4. Context-aware network access
  5. De-provisioning
  6. Digital identity
  7. Entitlement
  8. Identity Lifecycle management
  9. Identity As A Service (IDAAS)
  10. Lightweight Directory Access Protocol (LDAP)
  11. Multi-Factor Authentication (MFA)
  12. Privileged account management
  13. Risk-Based Authentication (RBA)
  14. Security Principal
  15. Single Sign-On (SSO)
  16. User Behaviour Analytics

IAM Vendors: Okta | Atos | OneLogin and more.

IAM and AWS Services: We will see how to use IAM group/policy/roles as we go along.

Cognito:

Is IAM the only way to Authenticate. Well, Amazon Cognito handles authentication not on the AWS Services but for the AWS Services ie., for the Web App and Mobile Applications that you build. It does two things

1. Handle Authentication

2. Data stored locally for offline sync later

There are two key components

1. User Pools: User Pools are user directories, that provide Sign-Up and Sign-In Options.

2. Identity Pools: Enables you to grant your users access to other AWS Services. It is used to store user identities.

• Provides Authorization, Authentication, and user management for your web and mobile apps.

• Simple user identity and Data synchronization service that helps you securely manage and
synchronize app data for your users across mobile devices

• Can create unique identity using social sign-on (FB or Google) & support unauth guests

AWS Definition

Amazon Cognito Federated Identities is a web service that delivers scoped temporary credentials to mobile devices and other untrusted environments. It uniquely identifies a device and supplies the user with a consistent identity over the lifetime of an application.

Using Amazon Cognito Federated Identities, you can enable authentication with one or more third-party identity providers (Facebook, Google, Login with Amazon, or Sign in with Apple) or an Amazon Cognito user pool, and you can also choose to support unauthenticated access from your app. Cognito delivers a unique identifier for each user and acts as an OpenID token

Add Sign-up and Sign-in

With Cognito User Pools, you can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support hundreds of millions of users.

Grant your users access to AWS Services

With Cognito Identity Pools, your app can get temporary credentials to access AWS services for anonymous guest users or for users who have signed in.

MFA

For increased security, configuring Multi-Factor Authentication (MFA) to help protect your AWS resources. MFA must be set as part of the IAM and this is one of the 5 checklists with important IAM configurations.

What is MFA?

  • Virtual m4a Devices
  • U2F Security key
  • Hardware MFA Devices
  • SMS text message-based MFA

Deactivating MFA Devices — If you have trouble signing in with a multi-factor authentication (MFA) device as an IAM user, contact your administrator for help.

Configuring MFA protected API access — With IAM policies, you can specify which API operation a user is allowed to call. In some cases, you might want the additional security of requiring users to be authenticated with AWS Multi-Factor Authentication

Reference: AWS

AWS Single Sign-on

• Centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place

• AWS organizations centrally across accounts.

• Maintains and configures all necessary configurations to accounts
centrally

• You can create and manage AWS SSO’s identity store

  • Benefits
    • Centrally manage access permissions with SSO
    • Create users in AWS SSO or connect to your existing identity system • Access accounts and applications in one place
    • Easy to use
Reference: AWS

Refer to the article by LAKSHMI VENKATESH on

Previous Article: Security Roadmap.

Parent Article: AWS. Series.

Nerd For Tech

From Confusion to Clarification

Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/.

LAKSHMI VENKATESH

Written by

Application Development Head | Data Strategy | Big Data | Analytics & BI | Data Governance | Cloud

Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/.