AWS IAM

IAM (Identity & Access Management)

AWS security offering

Amazon Web Services (AWS) is the best cloud computing service provider to date. They share their security responsibilities with their clients so that their clients can securely run web and internet based operations. The main security resource offered by AWS is called IAM (Identity and Access Management).  It is time for another Artius IT Breakdown of this resource so that you can feel better about the safety of cloud computing.

AWS has a shared responsibility approach to your cloud environment. Shared responsibility means that Amazon takes care of the physical security of your remote servers that host your software.  It is like security officers partnering to secure a building. AWS holds your programs and data in supercomputers called remote servers all over the world. When your clients want to access your applications, the remote servers serve the information from AWS data centers. These data centers are protected by men with guns, guard dogs, and controlled access rooms. The actual servers are in air-cooled and dust-free rooms. On top of all that, to actually gain access to a data center requires specific authorization from AWS itself. Safe to say that a regular schmo off the streets is not going to be cruising around in a data center. So there you have it, the physical access to a data center is strict.

• 

What about the programmatic access to the servers in the data centers?  How is your data protected from hackers getting into the virtual environment of your remote servers? That is where the responsibility is shared with AWS and you. When you run your programs on AWS remote servers, then you are responsible for defining who has access to your data and software. This is where IAM comes into the picture.

IAM is a secure AWS access management resource. Access and authorization means “who are you, and should you be here?” You can get IAM by signing up for an AWS account. After you sign up for an AWS account, you can create additional users and groups under your account. Account holders can create and manage AWS users and groups, as well as define permissions that allow or deny access to other AWS resources within the account holders software.  It’s like buying a house and deciding who rents the rooms in the house, as well as which rooms in your house they can go to. This is all done at no extra charge to the account holder. You are only charged for the other AWS resources that your users or groups use under your account, but not for the actual IAM resource. You can decide who has access to your servers based on conditions like Multi-factor Authentication (MFA). Mobile access with mobile apps and web identity providers, as well as a corporate directory for on-premises solutions, are configurable in IAM too.  AWS also has documentation to guide you through the best practices for securing your cloud with IAM.

Fine-grained defining of who can or can not access your cloud computing resources is available through IAM. Users can be granted permission to your environment depending on certain conditions. Conditions like the time of day or the IP address accessing the resources.  It’s like saying certain people can go into a room in your house if they belong to a certain group, or if they come from a certain country. You can check to see if encryption is setup before access is granted or if MFA is enabled for the user accessing the account.

Multi-factor Authentication (MFA) is also available through IAM. MFA is using an additional device to verify your authorization. When your user logs into their account they will be sent an additional code on another device, typically mobile device, to enter before they are granted access to your environment. This is available at no extra cost.

If you or your users want to build mobile applications, and then manage the access to the applications through other mobile applications’ identity verification, use temporary security credentials. This is called STS (Security Token Service). Have you ever downloaded an app that asks you for access to your photos, or other information, or to sign up using facebook or instagram etc? That is the basic principle of  STS. instead of writing down your email, and password, you can be verified by exchanging your access token of one application with the application’s tokens you built. The good thing about STS is that it is not permanent. You can choose the length of time the access is allowed as well as if you want to store the tokens through a process called caching the access tokens.

IAM also gives you the ability to use your existing corporate directory to grant users access. This is good because you can save time by not creating a new user IAM account for each member in your corporation. The whole process is called federated access. Users will have access to the AWS management console as well as the AWS service APIs through a method called Single Sign-On (SSO). Microsoft Active Directory can be used as well as any other SAML 2.0 method. SAML stands for Security Assertion Markup Language and acts as a single sign-on point of entry.

IAM creates users with individual access credentials through access keys, passwords, MFA, and STS. You are able to manage roles and permissions to control which operations can be performed by which entities. AWS IAM gives you the ability to delegate permissions to AWS services that create and manage services on your behalf through service-linked roles. If you are looking to get started with AWS the right way, then you can read their best practices for

Users

Groups

Permissions

Auditing

Password

MFA

Roles

Sharing

Rotating Credentials

Conditions

AWS security gives you the ease of mind when migrating your applications and information to the cloud. This has been another Artius IT Breakdown. For more information contact Theophilus Tor at 337- 4 – BARNEY.