AWS Certification – Identity & Security Services – Cheat Sheet

IAM – Identity & Access Management
Securely control your access to AWS resources and services
Allows you to create and manage user identities, and grants permissions to those users to access AWS resources
Allows you to create groups for multiple users who have similar permissions
Not suitable for application authentication
IAM is global; it does not need to be replicated to another region
Helps define policies, in JSON format
All permissions are implicitly denied by default
The most restrictive policy wins
IAM Role
Helps grant and delegate user access without the need to create permanent credentials
AWS services and IAM users can take on temporary security roles to obtain temporary credentials that can be used for AWS API calls
Needs a trust policy to determine who can assume the role and a permission policy to determine what the user/service can access
Use with Security Token Service (STS), a lightweight web service that provides temporary, limited-privilege credentials for IAM users and authenticated federated users
IAM role scenarios
Service access, e.g. EC2 accessing S3 and DynamoDB
Cross-account access for users within the same AWS account
Cross-account access for an AWS account owner and their users
Access from a third-party AWS account, with additional safeguards for enhanced security
Identity Providers & Federation
AssumeRoleWithWebIdentity – Web Identity Federation, where the user is authenticated by an external identity provider such as Amazon, Google or any OpenID Connect IdP
AssumeRoleWithSAML – identity provider using SAML 2.0; the user authenticates using on-premises Active Directory, OpenLDAP or any SAML 2.0 compliant IdP
AssumeRole (recommended) or GetFederationToken – for other identity providers, use an identity broker to obtain temporary credentials
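As an added illustration of the trust policy / permission policy split and of the least-privilege and policy-condition practices (example code, not part of the cheat sheet), a small Python checker run over two constructed policy documents; the account ID, bucket name and external ID are placeholders, and the sts:ExternalId condition is the safeguard AWS recommends for third-party cross-account trust.

```python
# Constructed sample role definition (placeholder account ID and external ID,
# not taken from the page). Trust policy: WHO may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}
# Permission policy: WHAT the role may do once assumed.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Principal, Action and Resource
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, own_account):
    """Third-party principals (any account but own_account) need an sts:ExternalId condition."""
    findings = []
    for stmt in (s for s in policy["Statement"] if s.get("Effect") == "Allow"):
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if principal == "*":
                findings.append("trust policy lets any AWS principal assume the role")
            elif own_account not in principal and not has_external_id:
                findings.append(f"third-party principal {principal} lacks an sts:ExternalId condition")
    return findings


def check_permission_policy(policy):
    """Least-privilege review: flag wildcard actions (e.g. 'dynamodb:*') and Resource '*'."""
    findings = []
    for stmt in (s for s in policy["Statement"] if s.get("Effect") == "Allow"):
        wild = [a for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
        if wild:
            findings.append("wildcard action(s): " + ", ".join(wild))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("statement applies to all resources (*)")
    return findings
```

Running check_permission_policy on the sample flags the second statement twice, which is exactly the kind of over-broad grant the best practices below tell you to tighten.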
IAM Best Practices
Use the root account for nothing other than billing
Individual IAM users
To assign permissions to IAM users, use groups
Give the least privilege
Use IAM roles for applications running on EC2
Instead of sharing credentials, delegate using roles
Rotate credentials frequently
For greater granularity, use Policy conditions
Use CloudTrail to keep track of account activity
For IAM users, enforce a strong IAM password policy
Remove all unused credentials and users

Key Management Service – KMS
This managed encryption service allows you to create and control encryption keys that enable data encryption.
Provides a highly-available key storage, management and auditing solution to encrypt data across AWS services and within applications.
Uses hardware security modules (HSMs) validated under the FIPS 140-2 Cryptographic Module Validation Program to protect the KMS keys.
Integrates seamlessly with many AWS services to make encrypting data in those services simple.
Multi-Region keys are AWS KMS keys that can be used in different AWS Regions. Multi-Region keys are not global; each multi-Region key must be replicated and managed independently.

CloudHSM
Secure cryptographic key storage for customers through the availability of hardware security modules (HSMs), in the AWS cloud
You can manage your encryption keys with FIPS 140-2 Level 3 validated HSMs.
Single-tenant, dedicated device to securely store, manage and generate cryptographic keys for data encryption
Runs within your VPC (not EC2-Classic), isolated from other networks.
VPC peering can be used to reach CloudHSM from multiple VPCs
Integrated with Amazon Redshift, Amazon RDS for Oracle
CloudHSM can be used for EBS volume encryption, S3 object encryption and key management; however, custom scripting is required.
A single HSM is not fault-tolerant; you need to create a cluster to withstand the failure of one HSM.
It allows for rapid scaling by adding or removing HSM capacity as needed, with no upfront costs.
Automatically load balances requests and securely duplicates keys stored in any HSM to all other HSMs in the cluster

Author: Victoria