by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)
The fundamental Cloud Security concepts were covered in documents 1-8 and can be found here.
This document addresses another important aspect of cloud security – Identity Management. Because the concepts and terms differ between cloud providers, this document concentrates on AWS and gives an overview of the key identity-related security services and resources it offers to cloud architects.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
Identities in AWS are managed by this service, AWS IAM (Identity and Access Management).
IAM is a global service, not a regional one: each user, group, policy and role is configured once and applies in every AWS region.
Root User
The Root user is the initial administrator identity inside an AWS account. It has full privileges over the entire AWS account, including the ability to close or disable the account itself.
It is strongly recommended to create an additional IAM user with full admin privileges for day-to-day administration, and to protect the Root user credentials with a strong password and MFA (Multi-Factor Authentication).
Role
An IAM role is an identity with specific permissions and policies attached. A role can be assigned to a user, a group, or even an EC2 instance.
Policy
An IAM policy is a permission document in JSON format that defines which actions an identity is allowed or denied to perform, and on which resources.
MFA (Multi-Factor Authentication)
AWS IAM supports strong authentication using either a virtual (software) MFA device, such as Google Authenticator, or a hardware OTP (one-time password) token.
As a best practice, it is strongly recommended to enable MFA for every privileged identity inside an AWS account.
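The two ideas above, a JSON policy that allows or denies actions and MFA as a gate on privileged access, meet in the IAM evaluation logic: everything is implicitly denied, an explicit Deny in any statement wins, and an Allow can carry a Condition on the request context. The following is an added example (my own code, not AWS's and not from the original document) that models that evaluation for a single account. The policy, the account ID 123456789012 and the bucket name corp-logs are constructed samples; the condition key aws:MultiFactorAuthPresent is the real IAM key used in the "require MFA" pattern.

```python
"""Minimal model of IAM identity-based policy evaluation (added example).

Rules implemented, in AWS's documented order for a single account:
  1. start from an implicit deny,
  2. any matching statement with Effect "Deny" wins immediately,
  3. otherwise a matching "Allow" grants access.
Action/Resource support the "*" wildcard; Condition supports the Bool and
StringEquals operators, which is enough to express "only when the caller
signed in with MFA" via the aws:MultiFactorAuthPresent context key.
"""
import fnmatch
import json

# Constructed sample policy: read/write on one bucket, never delete the bucket,
# and IAM administration only for sessions that were authenticated with MFA.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::corp-logs*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})


def _as_list(value):
    """IAM lets Action/Resource/condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match as used for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key missing from the request
    context makes the condition false (as IAM does without ...IfExists)."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "StringEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            allowed = [str(e).lower() for e in _as_list(expected)]
            if str(actual).lower() not in allowed:
                return False
    return True


def evaluate(policy_json, action, resource, context=None):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request."""
    context = context or {}
    policy = json.loads(policy_json)
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # explicit deny always wins
        decision = "Allow"             # keep scanning: a later Deny may override
    return decision


def overly_broad_statements(policy_json):
    """Defender's lint: unconditional Allow on Action "*" and Resource "*"."""
    policy = json.loads(policy_json)
    return [
        s for s in _as_list(policy["Statement"])
        if s["Effect"] == "Allow"
        and "*" in _as_list(s.get("Action", []))
        and "*" in _as_list(s.get("Resource", []))
        and "Condition" not in s
    ]


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::corp-logs/a.log"))
    print(evaluate(SAMPLE_POLICY, "s3:DeleteBucket", "arn:aws:s3:::corp-logs"))
    print(evaluate(SAMPLE_POLICY, "iam:CreateUser", "arn:aws:iam::123456789012:user/bob"))
    print(evaluate(SAMPLE_POLICY, "iam:CreateUser", "arn:aws:iam::123456789012:user/bob", mfa))
```

The third call shows the practical effect of the MFA condition: the same caller with the same policy is implicitly denied IAM administration from a session without MFA and allowed once the context carries aws:MultiFactorAuthPresent. The lint helper is the check to run over your own policies before attaching them to a role.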
Access Keys
AWS allows connecting to resources programmatically, either through an SDK or through the command line tools.
For this purpose, AWS authenticates programmatic access with a credential pair: an "access key ID" and a "secret access key".
As a best practice, it is strongly recommended to remove unused access keys and to rotate active access keys on a scheduled interval (according to the organization's policy).
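The rotation and clean-up advice above is only useful if it is checked regularly. Below is an added example (my own code, not AWS's and not part of the original document) of that check: it flags active keys older than a rotation threshold and keys that are stale or have never been used. In a real run the records would come from the IAM API (boto3's iam.list_access_keys() and iam.get_access_key_last_used()); here a constructed sample of users, key IDs and dates is embedded so the check runs offline, and the thresholds of 90 and 30 days are assumed values to be replaced by the organization's policy.

```python
"""Access-key hygiene audit (added example, not AWS code).

Produces findings for active keys that should be rotated (older than
MAX_AGE_DAYS) or removed (never used, or not used for UNUSED_AFTER_DAYS).
Inactive keys are skipped: they cannot authenticate and are usually the
old half of an in-progress rotation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MAX_AGE_DAYS = 90        # assumed rotation interval
UNUSED_AFTER_DAYS = 30   # assumed "unused" threshold

ROTATE = "ROTATE"        # key is active and older than MAX_AGE_DAYS
NEVER_USED = "NEVER_USED"  # created long enough ago that it should have been used by now
STALE = "STALE"          # last use is older than UNUSED_AFTER_DAYS


@dataclass
class AccessKey:
    user: str
    key_id: str                  # constructed IDs in the AWS AKIA... shape, not real keys
    status: str                  # "Active" or "Inactive", as returned by list_access_keys
    created: datetime
    last_used: Optional[datetime]  # None when get_access_key_last_used reports no use


def audit(keys: List[AccessKey], now: datetime,
          max_age_days: int = MAX_AGE_DAYS,
          unused_after_days: int = UNUSED_AFTER_DAYS) -> List[Tuple[str, str, str]]:
    """Return (user, key_id, reason) findings for keys violating the policy."""
    findings = []
    for key in keys:
        if key.status != "Active":
            continue
        age_days = (now - key.created).days
        if age_days > max_age_days:
            findings.append((key.user, key.key_id, ROTATE))
        if key.last_used is None:
            if age_days > unused_after_days:
                findings.append((key.user, key.key_id, NEVER_USED))
        elif (now - key.last_used).days > unused_after_days:
            findings.append((key.user, key.key_id, STALE))
    return findings


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: what a real run would assemble from the IAM API.
NOW = _utc(2024, 6, 1)
SAMPLE_KEYS = [
    AccessKey("alice", "AKIAEXAMPLEALICE0001", "Active", _utc(2024, 5, 1), _utc(2024, 5, 30)),
    AccessKey("bob", "AKIAEXAMPLEBOB000001", "Active", _utc(2024, 1, 1), _utc(2024, 5, 31)),
    AccessKey("carol", "AKIAEXAMPLECAROL0001", "Active", _utc(2024, 3, 1), None),
    AccessKey("dave", "AKIAEXAMPLEDAVE00001", "Inactive", _utc(2023, 1, 1), None),
    AccessKey("erin", "AKIAEXAMPLEERIN00001", "Active", _utc(2024, 2, 1), _utc(2024, 4, 1)),
]


if __name__ == "__main__":
    for user, key_id, reason in audit(SAMPLE_KEYS, NOW):
        print(f"{user:6} {key_id} {reason}")
```

Keys flagged ROTATE should get a second key created, the application switched over, and the old key deactivated before deletion; NEVER_USED and STALE keys can usually be deactivated first and deleted after a grace period, which also catches the case where the key is still in use somewhere you had not recorded.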