Day 13: AWS Identity

AWS Cloud Practitioner With Neel Patel

The Zero Trust Model: An Overview

The Zero Trust Model operates on the fundamental principle of "trust no one, verify everything." This approach acknowledges that traditional security measures, such as firewalls and VPNs, are insufficient in a landscape where malicious actors can bypass conventional access controls. Instead, Zero Trust shifts the focus to a new security perimeter: Identity.

What is the Primary Security Perimeter?

The primary security perimeter is the first line of defense: the set of controls that stands between the outside world and a company's cloud resources and assets.

  • Network-Centric (Old Way): Traditional security focused on firewalls and VPNs, because most employees and workstations sat inside the corporate network or connected through known office sites.

  • Identity-Centric (New Way): With the rise of bring-your-own-device and remote workstations, the security landscape has changed. Identity-based controls, such as Multi-Factor Authentication (MFA), become crucial because an employee's location can no longer be assumed to be secure.

While Identity-Centric security does not replace Network-Centric security, it complements and enhances it.

Zero Trust on AWS

AWS implements the Zero Trust Model using various tools and services. Here’s how:

IAM Policies

  • IAM Policies: JSON documents that grant permissions for specific actions by users, groups, or roles.

  • IAM Policy Conditions: Define restrictions based on factors like IP address (aws:SourceIp), region (aws:RequestedRegion), MFA status (aws:MultiFactorAuthPresent), and time of day (aws:CurrentTime).

AWS offers foundational tools for implementing Zero Trust but lacks built-in, intelligent identity controls. For advanced identity security, third-party services are often required.
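To make the condition keys above concrete, here is an added example (not from the original post) that builds a constructed IAM policy using aws:SourceIp, aws:RequestedRegion, aws:MultiFactorAuthPresent and aws:CurrentTime, and evaluates request contexts against it with a simplified local evaluator. The evaluator is a teaching model of four IAM condition operators, not the real IAM engine; the IP range, bucket actions and dates are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed example policy: allow S3 reads only from the corporate
# range, only in us-east-1, only with MFA, and only after a start time.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            "StringEquals": {"aws:RequestedRegion": "us-east-1"},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
        },
    }],
}

def _parse_time(value):
    # IAM uses ISO 8601 with a trailing Z; fromisoformat needs "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def condition_holds(condition, ctx):
    """Simplified model: every operator/key pair must match the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a condition
            if operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != expected:
                    return False
            elif operator == "DateGreaterThan":
                if _parse_time(actual) <= _parse_time(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def is_allowed(policy, action, ctx):
    """True if some Allow statement covers the action and its conditions hold."""
    return any(s["Effect"] == "Allow" and action in s["Action"]
               and condition_holds(s.get("Condition", {}), ctx)
               for s in policy["Statement"])
```

Each failed dimension (off-network IP, wrong region, no MFA, request before the start date) independently denies the call, which is the point of layering conditions rather than relying on any single one.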

AWS Services

  • AWS CloudTrail: Tracks all API calls, providing a log of user activities.

  • Amazon GuardDuty: Detects suspicious or malicious activity based on CloudTrail and other logs.

  • Amazon Detective: Analyzes, investigates, and identifies security issues using findings from GuardDuty.

Third-Party Identity Solutions

For more sophisticated and intelligent identity controls, consider third-party solutions like:

  • Azure Active Directory (Azure AD): Provides real-time risk detection with data points such as device, application, time of day, location, and MFA status.

  • Google BeyondCorp

  • JumpCloud

These services offer more advanced security controls for real-time detection compared to AWS's native offerings.

Directory Services

A directory service maps network resource names to their addresses, organizing and managing resources such as files, printers, users, and devices. Notable directory services include:

  • Domain Name Service (DNS)

  • Microsoft Active Directory

  • Azure Active Directory

  • Apache Directory Server

  • Oracle Internet Directory (OID)

  • OpenLDAP

  • Cloud Identity

  • JumpCloud

Identity Providers (IdPs)

Identity Providers (IdPs) manage user identity information and provide authentication services across federated networks. Examples include:

  • Facebook

  • Google

  • Twitter

  • LinkedIn

Key protocols include:

  • OpenID: A decentralized authentication protocol.

  • OAuth 2.0: An authorization framework that uses tokens instead of passwords.

  • SAML (Security Assertion Markup Language): An open standard for exchanging authentication and authorization data.

Single Sign-On (SSO)

SSO allows users to log in once and gain access to multiple systems without re-entering credentials. It simplifies IT management by centralizing user access across various applications and services.

LDAP vs. SSO

LDAP (Lightweight Directory Access Protocol) provides a central place to store usernames and passwords but requires users to log in multiple times. Most SSO systems use LDAP for backend authentication, though LDAP was not originally designed for web applications.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring additional verification methods beyond a password. Security keys, such as YubiKey, are a common MFA option.

AWS Identity and Access Management (IAM)

AWS IAM allows you to manage users, groups, and permissions to control access to AWS resources. Key components include:

  • IAM Policies: Define permissions in JSON format.

  • IAM Users: Individual identities that sign in to AWS and call its APIs, each with its own credentials.

  • IAM Groups: Collections of users with shared permissions.

  • IAM Roles: Sets of permissions that an AWS service, application, or user assumes temporarily to perform specific actions, rather than permissions tied to a single user.

Principle of Least Privilege (PoLP)

PoLP dictates that users and applications should have only the permissions necessary to perform their tasks. This approach includes:

  • Just-Enough-Access (JEA): Providing the minimum permissions required.

  • Just-In-Time (JIT): Allowing temporary permissions for a limited duration.

ConsoleMe is an open-source project that facilitates short-lived IAM policies to enforce JEA and JIT.
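As an added example (not part of the original post and not ConsoleMe's code), this small audit script checks IAM policy documents against the two PoLP ideas above: JEA (no wildcard actions or resources) and JIT (the grant carries an aws:CurrentTime expiry that has not passed). Modelling JIT as a DateLessThan expiry condition is an assumption for illustration; the two sample policies are constructed.

```python
from datetime import datetime, timezone

# Constructed policies: one over-broad, one scoped down with an expiry.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2024-06-01T18:00:00Z"}}}]}

def _as_list(v):
    # IAM accepts either a single string or a list for Action/Resource.
    return v if isinstance(v, list) else [v]

def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_statement(stmt, now):
    """Return least-privilege findings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements never widen access
    for action in _as_list(stmt.get("Action", [])):
        if action == "*":
            findings.append("JEA: Action '*' grants every API call")
        elif action.endswith(":*"):
            findings.append(f"JEA: service-wide action {action}")
    for res in _as_list(stmt.get("Resource", [])):
        if res == "*":
            findings.append("JEA: Resource '*' applies to every resource")
    expiry = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
    if expiry is None:
        findings.append("JIT: no aws:CurrentTime expiry; grant is permanent")
    elif _parse_time(expiry) <= now:
        findings.append("JIT: expiry has passed; policy should be removed")
    return findings

def audit_policy(policy, now=None):
    """Audit every statement; `now` may be an ISO 8601 string or an aware datetime."""
    if isinstance(now, str):
        now = _parse_time(now)
    now = now or datetime.now(timezone.utc)
    return [f"statement[{i}]: {f}"
            for i, s in enumerate(policy["Statement"])
            for f in audit_statement(s, now)]
```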

AWS Account Root User

The AWS Account Root User has full access to all resources and permissions. This account should only be used for specific tasks, and its use is generally discouraged for daily operations. Always enable MFA for the Root User and avoid using its access keys.

AWS Single Sign-On (AWS SSO)

AWS SSO allows you to manage access centrally across your AWS organization, supporting identity sources such as its own built-in AWS SSO directory, Active Directory, and an external SAML 2.0 IdP.