SEC 2: How do you manage identities for people and machines?
There are two types of identities you need to manage when approaching operating secure AWS workloads. Understanding the type of identity you need to manage and grant access helps you ensure the right identities have access to the right resources under the right conditions. Human Identities: Your administrators, developers, operators, and end users require an identity to access your AWS environments and applications. These are members of your organization, or external users with whom you collaborate, and who interact with your AWS resources via a web browser, client application, or interactive command-line tools. Machine Identities: Your service applications, operational tools, and workloads require an identity to make requests to AWS services - for example, to read data. These identities include machines running in your AWS environment such as Amazon EC2 instances or AWS Lambda functions. You may also manage machine identities for external parties who need access. Additionally, you may also have machines outside of AWS that need access to your AWS environment.
Mastering identity at every layer of the cake
Managing user permissions at scale with AWS SSO
Best Practices for Managing, Retrieving, and Rotating Secrets at Scale
IAM Best Practices
The AWS Account Root User
Getting Started with AWS Secrets Manager
Temporary Security Credentials
Identity Providers and Federation
Security Partner Solutions: Access and Access Control
Use strong sign-in mechanisms: Enforce minimum password length, and educate users to avoid common or re-used passwords. Enforce multi-factor authentication (MFA) with software or hardware mechanisms to provide an additional layer.
Use temporary credentials: Require identities to dynamically acquire temporary credentials. For workforce identities, use AWS Single Sign-On, or federation with IAM roles to access AWS accounts. For machine identities, require the use of IAM roles instead of long term access keys.
Store and use secrets securely: For workforce and machine identities that require secrets such as passwords to third party applications, store them with automatic rotation using the latest industry standards in a specialized service.
Rely on a centralized identity provider: For workforce identities, rely on an identity provider that enables you to manage identities in a centralized place. This enables you to create, manage, and revoke access from a single location making it easier to manage access. This reduces the requirement for multiple credentials and provides an opportunity to integrate with HR processes.
Audit and rotate credentials periodically: When you cannot rely on temporary credentials and require long term credentials, audit credentials to ensure that the defined controls (for example, MFA) are enforced, rotated regularly, and have appropriate access level.
Leverage user groups and attributes: Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to ensure that user attributes that may be used for access control (e.g., department or location) are correct and updated. Use these groups and attributes, rather than individual users, to control access. This allows you to manage access centrally by changing a user’s group membership or attributes once, rather than updating many individual policies when a user’s access needs change.
Use strong sign-in mechanisms
Rotate credentials regularly
Use temporary credentials
Grant least privilege
Reducing policy scope by viewing user activity
View role access
Lab: IAM permissions boundaries delegating role creation
Lab: IAM tag based access control for EC2
Attribute-based access control (ABAC)
Store and use secrets securely
AWS Secrets Manager
Rely on a centralized identity provider
Identity Providers and Federation
Finding unused credentials
Deleting an IAM group
Audit and rotate credentials periodically
IAM Access Analyzer
Getting credential report
Lab: Automated IAM user cleanup
Use access levels to review IAM permissions
Lab: Automated deployment of IAM groups and roles
Leverage user groups and attributes
AWS Single Sign-On - Manage Identities
What Is ABAC for AWS?
Lab: IAM Tag Based Access Control for EC2