AWS Identity and Access Management (Part 1)

If you would like to read the next part in this article series please go to AWS Identity and Access Management (Part 2).

Identity and Access Management (IAM) goes hand in hand with attaining a secure environment, and for AWS this is no different. IAM plays a critical role in securing your AWS cloud.

In this two-part article we will look at IAM for AWS and the best practices for obtaining the highest level of security when utilising AWS.

Introduction

IAM is a necessary security control that governs which individuals can access resources, so that the appropriate individuals access resources for the appropriate reasons, at the appropriate time and in the appropriate manner. With IAM, AWS users can be created and managed (by allowing or denying access accordingly).

In the mixed-technology, multi-user environments we operate in today, and with the increasing need to meet everyday compliance, operational and industry requirements, this type of control is critical.

A primary concern for many organisations when starting out with AWS was the idea that only a single Access Key was required to gain access to the account and its resources, but IAM alleviates this concern. Organisations using a single key might be tempted to share it. Sharing and security in the same sentence is a bad idea, so it is best practice to use separate, auditable accounts for access instead of one shared account.

Security will always be a foremost enterprise concern, as it should be, but AWS IAM puts enterprises in good stead to manage potential security risk more effectively.

What is IAM?

IAM stands for Identity and Access Management, and is typically a framework and process for the management of digital identities.

The process is typically a business process within a framework built around identity management technology. That technology is used to create, capture, manage and record user information and the related access details and permissions in an automated system.

These solutions may include directory services, access control, permissions, workflows, SSO and other similar technologies that help facilitate the management and control of digital user identities.

Why we need this technology

Organisations have a requirement to manage the creation and definition of identities, as well as the permission sets associated with digital identities.

As systems migrate to the cloud, platforms are no longer bound to our premises. It is key to have systems that allow organisations to manage their identities in the cloud, so that permission to data and resources in the cloud can be managed as an attribute of digital identities.

User access is a key focus of a digital identity so that applications, digital resources and access control to such resources can be managed. Organisations need to ensure that the rule of least privilege is being applied at all times. Once the digital identity has been created, in most cloud platforms, identities can be grouped into roles and the roles then assigned to the resource for concise and simple management.

The challenge is to be able to manage both internal and external users, as well as resources and access to these separate resources, in a simple manner. Administrators need to be able to authenticate, authorise and validate users so that access to private resources is securely managed. The old rule of RBAC (Role Based Access Control) still applies: in larger organisations users are aligned to a role and thus a group, and the group is then assigned to the resource.

Services also form part of the resource pool and the ability to assign users, groups and roles to a service is key when managing identity and access management.

The AWS IAM solution

The AWS IAM service is available to users at no extra cost when utilising AWS (all that is required is an AWS account). With this very important feature, users and enterprises can benefit from the advantages of an effective IAM discipline and achieve a secure AWS infrastructure.

Although AWS has made an IAM solution available, users still need to understand how it functions, how to use it correctly and what the best practices are in order to benefit fully from the feature, giving enterprises the agility they require within their business.

IAM can be accessed through APIs and through the AWS Management Console. IAM integrates with a wide range of Amazon cloud services, and many third-party tools are available to support it if deemed necessary.

AWS IAM Features

AWS integrates the required business and technical skills to offer an IAM solution that covers a range of capabilities for successful security control and for managing enterprise risk when using Amazon cloud-based services, producing a solution that is both functional and well suited.

AWS IAM operates to:

  • Manage IAM users and their access
  • Manage IAM roles and their permissions
  • Manage federated users and their permissions

The features included in the IAM solution provided by AWS include the following.

  1. Central control of users and security credentials through a unified console.
    Use IAM to control users' security credentials. User credentials can be created, rotated or retracted. (The security credentials can include access keys, passwords and multi-factor authentication.)
  2. Credential lifecycle management
    Password policies can be created to enable self-service password rotation. Policies can also determine how passwords are created and the interval of password rotation, as decided by the organisation according to its particular requirements. This may also include starters and leavers, and the expiry of accounts that are related to third parties.
  3. Multi-factor authentication
    Use the multi-factor authentication features to better secure your AWS environment.
  4. Credential reports
    Reports of IAM user credentials for AWS can be generated, enabling improved visibility into credential usage and user status. These reports prove useful for both compliance and auditing purposes.
  5. Central control of user access
    Use IAM to control, from a central point, the data that a user can or can't access and under which conditions.
  6. Shared AWS resources
    Use IAM to allow data to be shared between allocated users, both local and remote.
  7. Permissions centred around organisation groups
    Use IAM to allocate, restrict or deny access by updating permissions based on groups or job requirements within the organisation. From a resource perspective this is a live and effective way to provide access control for AWS hosted resources to both local and remote users.
  8. Central control of AWS resources
    Use IAM to control AWS data centrally.
  9. Control over resource creation
    Use IAM to manage where AWS data can be created. This prevents data sprawl and also allows for more control.
  10. Networking controls
    Through the use of SSL, users within the organisation's network can access AWS resources, which also affords the capability of secure remote working.
  11. Single AWS billing
    One AWS account covers all user activity within the organisation, which simplifies billing.
  12. Switching roles by using the AWS Management Console
    This is a new feature for AWS IAM. Users, using a single set of credentials, can now switch roles directly in the AWS Management Console, enabling access to resources across multiple AWS accounts.

Conclusion

IAM is an important security control for CIOs, management and IT professionals, and for the business in its entirety. A successful IAM capability is essential to maintain compliance, secure intellectual property and support technical professionals in making sure that business value is achieved. Through this the business can operate securely but still efficiently.

Amazon stays abreast of user and enterprise requirements and so continues to update and develop the features and capabilities made available to users and enterprises, as deemed necessary to improve satisfaction and achieve the best from the solution.

Look out for part two of this article series to become familiar with the best practices your organisation should aim to follow when utilising AWS IAM, to ensure the AWS IAM solution runs smoothly.
