Amazon Web Services (AWS) is a massive part of the Internet infrastructure. Estimates reported by TheVerge say that approximately 40% of all Internet traffic runs on AWS. The most popular Internet services used by millions can be found running on AWS including Airbnb, Expedia, Netflix, Pinterest, Slack, Spotify, and many more. Not only do entire popular websites and online services run on AWS; many websites use AWS as support for part of their online presence.
When AWS goes down, as happened on occasion, gigantic parts of what is recognized as the Internet stop functioning. Technical issues and security breaches may cause these failures. This means that Amazon takes security issues very seriously. AWS protects the network and its clients from unauthorized access by using robust identity access management.
What is Identity Access Management?
Identity access management (IAM) is a software program or a web-based service that is used to securely control access to network resources. An IAM system first authenticates a user through a password-protected sign-in process and then allows the user to access network resources according to their authorized permissions to use them.
For cloud-based services, cloud user access management uses a cloud-based authentication system to determine a user’s identity and then allows authorized access. Amazon Web Services (AWS) has a system of identity access management that works with the AWS cloud system.
AWS Identity and Access Management
AWS identity and access management begin with the creation of an AWS account. In the beginning, a user has a unique sign-in identity that creates a root user who has full access to the AWS services for that account. The root user account uses a person’s email address and a password that they create for authentication.
AWS users must guard this root user account information extremely carefully because it is the account that can access everything. Refer to the best practices section below to learn how best to secure this information.
Some AWS IAM features include:
- Shared Access — This allows other users to have access to the AWS account by using their sign-in credentials.
- Granular Authorized Permissions — Users can be given access according to very specifically chosen permissions that range from full access to group access to application access down to specific password-protected file access and everything in-between.
- Two-Factor Authentication — This optional security choice requires an authorized user to both use the correct password/access key and respond to a text message code sent to a device or email address, such as a user’s smartphone or email account.
- Secure APIs — Secure application programming interfaces give software programs the ability to connect to the data and services on the AWS system that are needed to perform their functions.
- Identity Federations — This allows the passwords of authorized users to be stored elsewhere in another system that is used for identification.
- Usage Audit — By using the AWS CloudTrial service, a full log of users’ account access activity is recorded for IT security audits.
Understanding How AIM Works on AWS
Amazon identity access management is based on the principles of a tiered-permission structure that includes resources, identities, entities, and principals.
Resources can be added, edited, or removed from the AWS IAM system. The resources are the users, groups, roles, policies, and objects for identity providers that are stored by the system.
These are AWS IAM resource objects that connect policies to identities in order to define users, roles, and groups.
These are what the AWS IAM system uses as resource objects for authentication purposes. On the AWS system, they are the users and their authorized roles. As an option, they can come from a federated identification system or SAML that provides web-based identity verification.
This can be either an individual user or an authorized software application that is recognized as an AWS IAM user or an IAM role that is authorized to sign in and requested access to data and services.
Best Practices for AWS Administration
Here are some best practices to follow for AWS administration.
1. Root User Account Security
The root user account created when first using AWS has the most power and is the “master key” for an AWS account. It should only be used to set up the account and for only a few necessary account and service management operations. The initial log-on requires an email address and a password.
The best practices to protect this root account are to use a one-time use email address that is very complex with at least 8 characters (with symbols, capital letters, lowercase letters, and numbers) before the “@” sign. Also, use a unique password, different from the email address that is also at least 8 characters long, which includes symbols, numbers, capital letters, and lowercase letters. Longer passwords are better.
After the AWS account is completely set up and established, other administrative accounts are created for regular use.
Once the need for the root user account to get everything started is finished, save the root account access information on a USB drive by locking it with encryption and then keep the encryption key separate. Put the USB drive offline in a locked safe, where it can be safely kept until needed in the future.
2. Limit Permissions
Give users and applications only the exact permissions that they need to do their work. Be cautious about granting access to confidential information and mission-critical services.
3. Security Issues
Security is an ongoing issue. It starts with a solid user-access design structure and then using ongoing audits to detect unauthorized-access attempts as well as managing users’ passwords for enough complexity and regular password changes. It is important to quickly terminate user access when it is no longer needed or desired. Using the AWS CloudTrial for auditing purposes is highly recommended.
When granting access to AWS from devices using the Internet be sure to use point-to-point encryption, such as SSL, to ensure the data is not compromised while in transit.
5. FAQ About AWS Identity Access Management
Frequently asked questions about AWS identity access management covers some questionnaire to deal with issues that helps you for AWS access management.
Technical Details of AWS Access Management
AWS access management has a chart that shows how the IAM protocols interface with the full AWS cloud-based system. IAM protocols include identity-based policies, resource-based policies, and other policies used for authorization.
During the authorization process, the AWS system checks the policies to decide about allowing or denying access.
The overall policy structure is based on a tiered set of key principles that include:
- Only the root account user has full access. By default, all other access requests are denied.
- Only an explicit identity or resource policy can override the system default.
- A limit on permissions for a session or based on an organization’s structural policy (SCP) may override the access granted by an identity-based or resource-based policy.
- A specific deny rule overrides any allowed access under other parameters.
AWS IAM Tutorials
Amazon offers tutorials for those wanting to learn more about setting up identity and access management on AWS.
The issues around setting up AWS IAM and using it properly are complex. To make sure it is easier for new customers to use the system, Amazon produced many helpful tutorials that include:
- Delegate Billing Console Access to the Billing Console
- Use IAM Roles for AWS Account to Delegate Access
- Create a First Customer-Managed Policy
- Enable Users to Configure Credentials and MFA Settings
AWS is the industry leader for many reasons. Amazon needed these cloud services for its operations. It became apparent that offering these services to others was a business opportunity for Amazon with high potential. Now, what started as a side business for Amazon has become a major part of the worldwide Internet infrastructure.
Using the AWS system is almost ubiquitous with using the Internet as a whole. Take the time to set up the IAM policies to protect security with attention to detail. Managing the IAM system is a high priority for network administrators. Combine this with regular IT security audits to uncover any potential problems.