IAM Roles for Services

 IAM Roles

  • Some AWS services will need to perform actions on your behalf.
  • To do so, we will assign permissions to AWS services with IAM Roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation

IAM Security Tools:

  • IAM Credentials Report (account-level)
    • a report that lists all your account's users and the status of their various credentials.
  • IAM Access Advisor (user-level)
    • Access advisor shows the service permissions granted to a user and when those services were last accessed.
    • You can use this information to revise your policies.

Credential Reports:

It will provide complete detail of users and permissions associated to them.

Access Advisor is renamed as Last access and it is present for every user created in IAM.

IAM Guidelines and Best Practices

  • Don't use the root account except for AWS account setup.
  • Assign users to groups and assign permissions to groups
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI/SDK)
  • Audit permissions for your account using IAM Credentials Report & IAM Access Advisor
  • Never share IAM users and Access Keys

Shared Responsibility Model for IAM

  • AWS
    • Infrastructure (global network security)
    • Configuration and vulnerability analysis
    • Compliance validation
  • You
    • Users, Groups, Roles, Policies management and monitoring
    • Enable MFA on all accounts
    • Rotate all your keys often
    • Use IAM tools to apply appropriate permissions
    • Analyze access patterns and review permissions

IAM Section - Summary

  • Users : Mapped to a physical user, has a password for AWS console
  • Groups : contains only users
  • Policies : JSON document that outlines permissions for users or groups
  • Roles : AWS services
  • Security : MFA + Password Policy
  • AWS CLI : manage your AWS services using the command line
  • AWS SDK : manage your AWS services using a programming language
  • Access Keys : access AWS using the CLI or SDK
  • Audit : IAM Credential Reports and IAM Access Advisor (Last Accessed) 

Comments

Post a Comment

Popular posts from this blog

Machine Learning

Image
 Machine Learning Amazon Rekognition Find objects, people, text, scenes in images and videos using ML Facial analysis and facial search to do user verification, people counting Create a database of "familiar faces" or compare against celebrities Use cases: Labeling Content Moderation Text Detection Face Detection and Analysis (gender, age ranges, emotions...) Face Search and Verification Celebrity Recognition Pathing (ex: for sports game analysis) Amazon Transcribe Automatically convert speech to text Uses a deep learning process called automatic speech recognition (ASR) to convert speech to text quickly and accurately Automatically remove Personally Identifiable Information (PII) using Redaction Supports Automatic Language Identification for multi-lingual audio Use cases: transcribe customer service calls automate closed captioning and subtitling generate metadata for medis assets to create a fully searchable archive Amazon Polly Turn text into lifelike speech using deep lea...
Read more

Cloud Computing and IT

Image
Cloud Computing and IT How Website work?   Server composed of: Compute, memory, storage(file or database), network - Routers, switch, DNS server. IT terminology: Network: cables, routers and servers connected with each other. Router: A networking device that forwards data packets between computer networks. They know where to send your packets on the internet. Switch: takes a packet and send it to the correct server/client on your network. Problems: Pay rent for datacenter Pay for power, cooling and maintenance Adding and replacing hardware takes time Scaling is limited Hire 24/7 team to monitor the infrastructure Plan for taking care of disasters. eg: Earth-Quake, Power-Supply issue etc... Demand: How to externalize all above task? Solution: Cloud Cloud Computing: (on-demand/pay-as-you-go/) Cloud computing is the on-demand delivery of compute power, database storage, applications and other IT resources. Cloud services are pay-as-you-go pricing. Provision exactly the right type and ...
Read more

Cloud Monitoring

Image
 Cloud Monitoring Amazon CloudWatch Metrics CloudWatch provides metrics for every services in AWS Metric is a variable to monitor ( CPUUtilization, Networking...) Metrics have timestamps Can create CloudWatch dashboards of metrics Important Metrics EC2 instances: CPU Utilization, Status Checks, Network (not RAM) Default metrics every 5 minutes Option for Detailed Monitoring ($$$): metrics every 1 minute EBS volumes: Disk Read/Writes S3 buckets: BucketSizeBytes, NumberOfObjects, AllRequests Billing: Total Estimated Charge (only in us-east-1) Service Limits: how many you've been using a service API Custom mertics: push your own metrics Amazon CloudWatch Alarms Alarms are used to trigger notifications for any metric Alarms actions Auto Scaling: increase or decrease EC2 instances "desired" count EC2 Actions: stop, terminate, reboot or recover an EC2 instance SNS notifications: send a notification into an SNS topic Various options (sampling, %, max, min, etc...) Can choose the...
Read more