AWS Login: IAM, Cognito, Secrets Manager, MFA, Single Sign-On
After extensive analysis, your organization will have decided which cloud deployment model to go for (multi-cloud or standalone) and which service models to use (IaaS only, SaaS only, or, most likely, a mix of several services). The next logical step is to use that cloud provider's Landing Zone, create users and start working on the cloud.
Identity and Access Management (IAM):
Identity and Access Management (IAM) is your first line of defence: the security checkpoint you pass before entering the airport to board your flight to the clouds. Let's delve a bit deeper into these first security touchpoints.
What will be covered:
What is IAM? Why do I need IAM? How will you access it — the tools? What is part of Access Management? IAM and Compliance Management? Benefits of IAM? How does it work? Advancements in IAM? What are the certifications held by IAM? Risk of IAM not being implemented? Challenges of IAM being implemented? If I am the Admin, how do I get the reports of users, usage and violations? How do I enable and disable users? The key terms.
The Authentication and the Authorisation:
IAM is a Web Service that helps you securely access AWS resources. Of the multiple hats IAM is wearing, its primary job is to “Authenticate” and “Authorize”.
Authenticate -> Login / Sign in
Authorize -> Check for Permissions to access resources
Authentication is the process of confirming the identity of the “Principal” trying to access “AWS Resources”.
A Principal is an entity that can perform actions on AWS Resources. A Principal can be an AWS User, a Federated User who has been granted a login to AWS, an entity that has been attached an IAM Role, or an AWS Application with credentials.
IAM is the first checkpoint for AWS: it authenticates this Principal before it enters the cloud premises, i.e., with a valid boarding pass you gain access to the security checkpoint, and once through you proceed to your boarding gate.
There are multiple forms of authentication enabled by IAM:
1. Username and Password
2. MFA-based authentication
3. AWS Secret Key
4. Access Key and Session Token
5. Federated authentication (AD | LinkedIn | FB | Google)
6. Application | Process Logins
Authorization is the process of “permissioning”: granting you access to exactly the “AWS Resources” you are supposed to reach.
Each user has a predefined set of permissions, either provisioned individually or inherited from an attached Role. In bigger organizations, where you might have, say, 5000 resources, you first have to bucket the users and then give each bucket its grants.
Take, for example, an organization with 10 different AWS accounts and a consolidated list of assignments across them.
For the above scenario you cannot assign the “Authorization” user by user; the list would be endless. Like any other access-management system, IAM lets you create “Roles” in which you define the permissions and then attach those permissions, as Roles, to individual users. Hence, before creating Roles, the first and primary activity is to define the “Themes or Roles”: identify the buckets of users in the organization and work out what kind of access each will need. There will be north of 10-20 Roles required for an SME and about 150 or more for a large firm (guesstimate).
To bucket the employees or users, you create groups, and the users inherit the permissions from their group.
To simplify, this is how it works: Users -> Groups -> Policies -> Roles.
Key benefits of IAM:
- Centralized control of the AWS Platform
- Shared access to your AWS Accounts
- Granular permissions
- Federated authentication (AD | LinkedIn | FB | Google)
- Password rotation policy
- Token-based temporary login
- PCI DSS compliant
Tools to perform
To perform the required operations, IAM provides a standard set of tools for password management, defining and attaching Roles, creating and deleting users, etc.
Sign in to the AWS console with the Root ID (or an Administrator account) and create the users.
Compliance and IAM:
How is IAM Implemented
- Access management
- Active Directory (AD)
- Biometric Authentication
- Context-aware network access
- Digital identity
- Identity Lifecycle management
- Identity As A Service (IDAAS)
- Lightweight Directory Access Protocol (LDAP)
- Multi-Factor Authentication (MFA)
- Privileged account management
- Risk-Based Authentication (RBA)
- Security Principal
- Single Sign-On (SSO)
- User Behaviour Analytics
IAM Vendors: Okta | Atos | OneLogin and more.
IAM and AWS Services: We will see how to use IAM group/policy/roles as we go along.
Is IAM the only way to authenticate? Well, Amazon Cognito handles authentication not for the AWS services themselves but for applications built on AWS, i.e., the web and mobile applications that you build. It does two things:
1. Handles authentication
2. Stores data locally for offline sync later
There are two key components:
1. User Pools: user directories that provide sign-up and sign-in options.
2. Identity Pools: enable you to grant your users access to other AWS services. They are used to store user identities.
• Provides authorization, authentication and user management for your web and mobile apps.
• Simple user identity and data synchronization service that helps you securely manage and synchronize app data for your users across mobile devices.
• Can create a unique identity using social sign-on (Facebook or Google) and supports unauthenticated guests.
Amazon Cognito Federated Identities is a web service that delivers scoped temporary credentials to mobile devices and other untrusted environments. It uniquely identifies a device and supplies the user with a consistent identity over the lifetime of an application.
Using Amazon Cognito Federated Identities, you can enable authentication with one or more third-party identity providers (Facebook, Google, Login with Amazon, or Sign in with Apple) or an Amazon Cognito user pool, and you can also choose to support unauthenticated access from your app. Cognito delivers a unique identifier for each user and acts as an OpenID token
Add Sign-up and Sign-in
With Cognito User Pools, you can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support hundreds of millions of users.
Grant your users access to AWS Services
With Cognito Identity Pools, your app can get temporary credentials to access AWS services for anonymous guest users or for users who have signed in.
For increased security, configure Multi-Factor Authentication (MFA) to help protect your AWS resources. MFA must be set up as part of IAM, and it is one of the 5 checklist items for important IAM configurations.
What is MFA?
- Virtual MFA devices
- U2F Security key
- Hardware MFA Devices
- SMS text message-based MFA
Deactivating MFA Devices — If you have trouble signing in with a multi-factor authentication (MFA) device as an IAM user, contact your administrator for help.
Configuring MFA-protected API access — With IAM policies, you can specify which API operations a user is allowed to call. In some cases, you might want the additional security of requiring users to have authenticated with AWS Multi-Factor Authentication before those operations are permitted.
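As an added example (not AWS code and not the article's own), the following Python models the Users -> Groups -> Policies chain from the authorization section together with the MFA-protected API access described above: a small evaluator that applies IAM's rule that an explicit Deny overrides any Allow and that anything not allowed is implicitly denied. All users, groups, policy documents and resource ARNs are constructed for illustration.

```python
"""Toy model of IAM policy evaluation (added example, not AWS code).
Users inherit policies from groups; an explicit Deny beats any Allow;
anything not explicitly allowed is implicitly denied."""
from fnmatch import fnmatchcase

# Constructed policy documents in simplified IAM form.
POLICIES = {
    "DevS3ReadOnly": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": "arn:aws:s3:::dev-*"}],
    "AdminAll": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    # MFA-protected access: deny everything unless the request context says
    # aws:MultiFactorAuthPresent=true. BoolIfExists also matches when the key
    # is absent, so requests signed with plain long-term keys are denied too.
    "DenyWithoutMFA": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}],
}
# Constructed Users -> Groups -> Policies assignments.
GROUPS = {"Developers": ["DevS3ReadOnly", "DenyWithoutMFA"],
          "Admins": ["AdminAll", "DenyWithoutMFA"]}
USERS = {"alice": ["Developers"], "bob": ["Admins"]}

def _match(pattern, value):
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_ok(cond, ctx):
    """Bool needs the key present and equal; BoolIfExists treats a missing key as a match."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue
                return False
            if str(ctx[key]).lower() != want.lower():
                return False
    return True

def evaluate(user, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request, following IAM evaluation order."""
    allowed = False
    for group in USERS[user]:
        for policy in GROUPS[group]:
            for stmt in POLICIES[policy]:
                if not (_match(stmt["Action"], action) and _match(stmt["Resource"], resource)):
                    continue
                if not _condition_ok(stmt.get("Condition", {}), ctx):
                    continue
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit deny always wins
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed it
```

The request context dictionary stands in for the condition keys AWS attaches to each API call; a developer's read request succeeds only when the MFA key is present and true.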
AWS Single Sign-on
• Centrally manage access to multiple AWS accounts and business applications, and provide users with single sign-on access to all their assigned accounts and applications from one place
• Works with AWS Organizations to manage access centrally across accounts
• Maintains and applies all necessary configurations to accounts
• You can create and manage AWS SSO's identity store
• Centrally manage access permissions with SSO
• Create users in AWS SSO or connect to your existing identity system
• Access accounts and applications in one place
• Easy to use
Refer to the related articles by Lakshmi Venkatesh:
Previous Article: Security Roadmap.
Parent Article: AWS Series.