AWS Cloud Fundamentals

Security and Account Management


A Day in the Life of a Cloud Consultant

As a cloud consultant for a Fortune 500 company, you are assisting the clients in
addressing their security concerns before they move to the cloud.

The client requires:


• Fine-grained access control across all AWS services and resources
• Ability to specify user access and conditions, secure management, and interaction with AWS resources
• Programmatically create AWS accounts, allocate resources, and group accounts for workflow organization
• Apply governance policies and streamline billing through a single payment method
A Day in the Life of a Cloud Consultant

The client also requires:


• Governance enforcement and management for security, operations, and compliance at scale across all organizations and accounts in the AWS Cloud
• A machine learning-based service that recommends the most suitable AWS resources for workloads, reducing costs and enhancing performance through analysis of historical utilization metrics
• A continuous threat detection service for monitoring AWS accounts and workloads, providing detailed security findings for visibility and remediation

Now, your task is to find the relevant solutions. This lesson will provide you with
the necessary concepts to meet these requirements.
Learning Objectives

By the end of this lesson, you will be able to:

Assess identity and access management

Analyze AWS CloudShell

Imbibe the core concepts of AWS account management

Identify all the other security services of AWS


Identity and Access Management (IAM)
Identity and Access Management (IAM)

It is a web service that provides access control across all of AWS.

The primary purpose of IAM is to manage accessibility to various AWS services and resources.
Identity and Access Management (IAM)

Following are the features of IAM:

• Grants different and distinct permissions to different users without sharing access keys or passwords
• Enables two-factor authentication for the account and for individual users for additional security
IAM Users

An IAM user is an AWS entity that represents the person or application that interacts with AWS.

It is generally used for signing in to the AWS Management Console and making requests to AWS services.
IAM Users

• IAM users are the identities through which administrative permissions are granted to the people who manage AWS resources.
• IAM offers the option of enabling multi-factor authentication (MFA) for IAM users.
IAM Groups

An IAM group is a collection of IAM users with similar roles or access requirements.

[Figure: an AWS account containing two IAM groups, a Developer group and a Test group, with users A, B, C, and D assigned to them]

They streamline the administration of access control, as changes to permissions only need to be
made at the group level, and they automatically apply to all users within the group.
IAM Groups

Following are the features of IAM groups:

• They offer a versatile approach to managing permissions for IAM users, allowing a single user to belong to multiple groups simultaneously.
• They simplify the management process, reducing the risk of errors and enhancing the overall efficiency of access control administration.
Assisted Practice

IAM Group and User Management Duration: 25 Min.

Problem Statement:

You have been assigned a task to establish an IAM group on AWS and add a user to this group for
streamlined permissions management.
Assisted Practice: Guidelines

Steps to be followed:

1. Create a user group
2. Add a user to the group
IAM Policies

An IAM policy is an AWS object that defines the permissions granted to an identity (IAM user or role) or a resource when it is associated with it. Most policies are stored as JSON documents.

When a request is made by an IAM principal (user or role), AWS evaluates the applicable policies, and the request is either allowed or denied based on the permissions those policies grant.
IAM Policies

AWS supports six different policy types:

1. Identity-based policies
2. Resource-based policies
3. Permissions boundaries
4. Organizations SCPs
5. Access control lists
6. Session policies
IAM Policies: Identity-Based Policies

These policies are JSON documents that define permissions for IAM identities, such as IAM users or IAM groups

They specify the actions that a particular identity can perform on AWS resources and the
conditions under which these actions are allowed.
IAM Policies: Identity-Based Policies

Identity-based policies are divided into two categories:

1. Managed policies
2. Inline policies
IAM Policies: Identity-Based Policies

Managed policies

They are standalone identity-based policies that can be attached to multiple users, groups,
or roles.
IAM Policies: Managed Policies

Managed policies are divided into two categories:

1. AWS managed policies
2. Customer managed policies


IAM Policies: Managed Policies

AWS managed policies

These are predefined policies that are created and managed by AWS.
IAM Policies: Managed Policies

Customer managed policies

These are IAM policies that are created and managed by the AWS account customer, rather
than being predefined by AWS.
IAM Policies: Identity-Based Policies

Inline policies

● These are IAM policies that are created and attached directly to a single identity (user,
group, or role) within AWS.
● Unlike managed policies that can be shared and reused across multiple identities, inline
policies maintain a one-to-one relationship with the identity they are attached to.
IAM Policies: Resource-Based Policies

These policies are used to grant permissions for specific principals (users, groups, or roles) to perform
actions on AWS resources.

They allow resource owners to control access to their resources without relying solely on IAM policies
attached to IAM users or roles.
IAM Policies: Permissions Boundaries

A permissions boundary specifies the maximum permissions that identity-based policies can grant to an entity.

When a permissions boundary is set on an entity, the entity can only perform actions that are allowed by both its identity-based policies and the permissions boundary.
IAM Policies: Organizations SCPs

AWS Organizations is a service that allows users to group and manage all of their company's AWS accounts in one place.

Service control policies (SCPs) are JSON policies that specify the maximum permissions for an organization or organizational unit.
IAM Policies: Access Control Lists (ACLs)

ACLs are service policies that help in managing which principals in other accounts have access to a resource.

ACLs are the only type of policy that does not use the JSON policy document structure.
IAM Policies: Access Control Lists

ACLs are enabled and supported on Amazon S3, AWS WAF, and Amazon VPC instances, allowing for
access control and permissions management.
IAM Policies: Session Policies

They are advanced policies that are passed as a parameter in a temporary session for a role or federated user.

The AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity API operations can be used to create a role session and pass session policies.
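To make the interaction between these policy types concrete, here is an added example (not from the original slides and not AWS's own evaluator) of the core evaluation rule: an explicit Deny in any applicable policy wins, at least one identity-based policy must then Allow, and a permissions boundary, SCP or session policy can only narrow that result. It deliberately skips Condition elements, NotAction/NotResource and resource-based policies; the bucket name and policy contents are constructed for illustration.

```python
"""Simplified IAM request evaluation across policy types.

Added example (not AWS's evaluator, which also handles conditions, NotAction,
resource-based policies and more). Policies below are constructed to show how
identity-based policies, a permissions boundary, an SCP and a session policy
combine: any explicit Deny wins, then every layer that is present must Allow.
"""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def policy_decision(policy, action, resource):
    """Return 'Deny' if any matching Deny statement exists, 'Allow' if any
    matching Allow exists, else None (the policy is silent on this request)."""
    decision = None
    for stmt in policy.get("Statement", []):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def evaluate(action, resource, identity_policies, boundary=None, scp=None, session=None):
    """Return (decision, reason) for a request made by an IAM principal."""
    limiting = [("permissions boundary", boundary), ("SCP", scp), ("session policy", session)]
    layers = [("identity-based policy", p) for p in identity_policies]
    layers += [(name, p) for name, p in limiting if p is not None]

    # 1. An explicit Deny in any applicable policy always wins.
    for name, policy in layers:
        if policy_decision(policy, action, resource) == "Deny":
            return "Deny", f"explicit deny in {name}"

    # 2. Without an Allow in some identity-based policy the request is implicitly denied.
    if not any(policy_decision(p, action, resource) == "Allow" for p in identity_policies):
        return "Deny", "implicit deny: no identity-based policy allows the action"

    # 3. Boundary, SCP and session policy only limit: each one present must also Allow.
    for name, policy in limiting:
        if policy is not None and policy_decision(policy, action, resource) != "Allow":
            return "Deny", f"implicit deny: {name} does not allow the action"

    return "Allow", "allowed by an identity-based policy and every limiting policy"


# Constructed sample policies (bucket name and actions chosen for illustration).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-bucket/*"},
]}
SESSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::app-bucket/report.csv"
    for req in [("s3:GetObject", obj), ("s3:DeleteObject", obj), ("s3:PutObject", obj),
                ("ec2:DescribeInstances", "*"), ("iam:CreateUser", "*")]:
        print(req[0], evaluate(*req, [IDENTITY], BOUNDARY, SCP))
    print("with session policy:",
          evaluate("ec2:DescribeInstances", "*", [IDENTITY], BOUNDARY, SCP, SESSION))
```

Running it shows the permissions boundary turning `s3:*` in the identity policy into just GetObject and PutObject, the SCP's Deny on PutObject winning even though every other layer allows it, and the session policy stripping the EC2 permission from a session that would otherwise have it.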
IAM Multi-Factor Authentication

AWS Multi-Factor Authentication (MFA) is a straightforward and effective security measure that
provides an additional layer of protection beyond traditional username and password authentication.
IAM Multi-Factor Authentication

Users are prompted to provide their username, password, and the authentication code from their AWS MFA device when logging in to the AWS Management Console.

These factors improve the security of AWS account settings and resources.
AWS Access keys

Access keys are long-term credentials issued to an IAM user or the AWS account root user.

They are used to sign programmatic requests made through the AWS CLI or the AWS API.


AWS Access keys

An access key has two parts:

1. Access key ID
2. Secret access key
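Because access keys are long-term credentials, the practical risk is that they end up in config files, scripts or repositories. Below is an added example (not part of the original slides and not an AWS tool) that scans text for the two parts: access key IDs have a fixed shape (AKIA for long-term keys, ASIA for temporary STS keys), so they match reliably; secret access keys are 40 base64-like characters and are only flagged when assigned to the usual `aws_secret_access_key` name to avoid false positives. The sample file is constructed and uses the well-known documentation example key values.

```python
"""Detect AWS access keys left in config files or source.

Added example, not an AWS tool. Access key IDs are the reliable signal; the
secret is only flagged next to its usual configuration key name.
"""
import re

# Key ID: 4-letter prefix + 16 upper-case alphanumerics, bounded by non-word characters.
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret: 40 base64-like characters assigned to aws_secret_access_key (any case, = or :).
SECRET_KEY = re.compile(
    r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)

KIND = {"AKIA": "long-term access key id", "ASIA": "temporary (STS) access key id"}


def redact(value):
    """Keep enough to recognise the credential in a report without reprinting it."""
    return value[:4] + "..." + value[-4:]


def find_credentials(text):
    """Return one finding per credential-looking token, with line number and kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": KIND[m.group(1)], "value": redact(m.group(0))})
        for m in SECRET_KEY.finditer(line):
            findings.append({"line": lineno, "kind": "secret access key", "value": redact(m.group(1))})
    return findings


# Constructed sample: a credentials file and a shell line; values are the AWS
# documentation example key plus an obviously fake temporary key.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# temporary credentials pasted into a script by mistake
export AWS_ACCESS_KEY_ID=ASIAEXAMPLE123456789
role_arn = arn:aws:iam::111111111111:role/deploy
"""

if __name__ == "__main__":
    for f in find_credentials(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

A hit on a long-term key ID in a repository is the cue for the best practice the slides list later: rotate the key, prefer an IAM role, and check CloudTrail for use of that key ID.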


AWS Command Line Interface

It is a centralized tool for managing Amazon Web Services (AWS) accounts.

Users can avoid the need to access the AWS Management Console for repetitive tasks, streamlining
their workflows and saving time by utilizing the AWS CLI.
AWS Software Development Kit (SDK)

The AWS SDK is a set of software tools for developing apps and libraries that utilize AWS resources.

AWS SDK for browser-based development enables developers to utilize AWS services directly from
JavaScript code executed within the browser.
IAM Roles for AWS Services

IAM roles allow users to assign access with defined permissions to trustworthy entities without
disclosing long-term access credentials.

Users can use IAM roles to grant access to:

1. IAM users inside their account
2. IAM users under a separate AWS account
3. An AWS service like EC2


IAM Roles for AWS Services

Using the AWS Security Token Service (STS) AssumeRole APIs, users can assume an IAM role, which in turn generates a set of temporary security credentials.

These credentials enable applications to sign requests to AWS service APIs securely.
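What decides who can obtain those temporary credentials is the role's trust policy. Here is an added example (not from the original slides and not an AWS feature) that reviews a trust policy before deployment for the two mistakes that most often hand a role to the wrong party: a wildcard principal with no Condition, and a cross-account principal with no `sts:ExternalId` condition. The EC2 trust policy matches what the assisted practice creates; the account IDs and external ID are placeholders.

```python
"""Review an IAM role trust policy before it is deployed.

Added example, not an AWS feature. A trust policy decides who may call
sts:AssumeRole on the role; the checks below flag a wildcard principal and a
cross-account principal that lacks an sts:ExternalId condition.
"""


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """'arn:aws:iam::111111111111:root' -> '111111111111'; bare account IDs pass through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def _has_external_id(condition):
    return any(isinstance(v, dict) and "sts:ExternalId" in v for v in condition.values())


def trust_policy_findings(policy, own_account):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        condition = stmt.get("Condition", {})
        # Principal "*" or {"AWS": "*"} lets any AWS principal attempt AssumeRole.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            if not condition:
                findings.append(f"statement {idx}: wildcard principal with no Condition")
            continue
        if not isinstance(principal, dict):
            continue
        # Service principals (e.g. ec2.amazonaws.com) are expected; inspect AWS principals only.
        for p in _as_list(principal.get("AWS")):
            account = _account_of(p)
            if account != own_account and not _has_external_id(condition):
                findings.append(f"statement {idx}: cross-account trust of {account} without sts:ExternalId")
    return findings


OWN_ACCOUNT = "111111111111"  # placeholder account ID

# Trust policy of the kind the EC2 assisted practice produces.
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

# Constructed weak policies and the corrected cross-account form.
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

PARTNER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"}]}

PARTNER_TRUST_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}}}]}

if __name__ == "__main__":
    for name, pol in [("ec2", EC2_TRUST), ("open", OPEN_TRUST),
                      ("partner", PARTNER_TRUST), ("partner-fixed", PARTNER_TRUST_FIXED)]:
        print(name, trust_policy_findings(pol, OWN_ACCOUNT) or "ok")
```

The same-account case is left unflagged on purpose: the identity-based policies of the assuming principal still have to allow `sts:AssumeRole`, so within one account the trust policy is only half of the control.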
Assisted Practice

IAM Roles Duration: 20 Min.

Problem Statement:

You have been assigned a task to create and assign an IAM role to the Amazon EC2 service.
Assisted Practice: Guidelines

Steps to be followed:

1. Create and assign an IAM role to Amazon EC2 Service


IAM Security Tools

AWS offers a range of security tools designed to monitor and respond to potential events
affecting users' AWS resources.

• AWS CloudTrail
• Amazon CloudWatch
• Amazon CloudWatch Logs
• IAM Access Analyzer
IAM Security Tools

AWS CloudTrail

It captures all API calls for IAM and AWS STS as events, including calls
from the console and API calls.

IAM Access Analyzer

It helps to identify unintended access to the user's resources, such as Amazon S3 buckets or IAM roles.
IAM Security Tools

Amazon CloudWatch
It monitors the AWS resources and applications that users run on AWS
in real-time. Users can track metrics, create customized dashboards,
and set alarms using CloudWatch.

Amazon CloudWatch Logs

It helps users to monitor, store, and access their log files from
Amazon EC2 instances, CloudTrail, and other sources.
IAM Best Practices

IAM provides a range of security options for developing and implementing security rules.

The following best practices are recommendations and should not be considered a comprehensive security solution:

1. Lock the root user access keys
2. Use roles to delegate permissions
3. Implement least-privilege permissions
4. Enable multi-factor authentication
5. Monitor activities of the AWS account
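Practices 1, 4 and 5 can be checked against the CloudTrail events described in the security tools section. The following is an added example (not from the original slides and not an AWS-provided rule set) of three small detections run over CloudTrail records: root user activity, successful console sign-ins without MFA, and creation of an access key for the root user. The records are constructed but use CloudTrail's real field names (`userIdentity.type`, `eventName`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`); account IDs and user names are placeholders.

```python
"""Detections for three IAM best practices, run over CloudTrail records.

Added example, not an AWS rule set. Field names follow the CloudTrail record
format; the events and account ID below are constructed for illustration.
"""
import json

ACCOUNT = "111111111111"  # placeholder

SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}},
    {"eventTime": "2024-01-01T09:00:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T09:30:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy/ci"}},
]


def root_activity(event):
    """Practices 1 and 5: the root user should not be used for day-to-day work."""
    return event.get("userIdentity", {}).get("type") == "Root"


def console_login_without_mfa(event):
    """Practice 4: a successful console sign-in must have used MFA."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")


def root_access_key_created(event):
    """Practice 1: long-term access keys for the root user should never be created."""
    return event.get("eventName") == "CreateAccessKey" and root_activity(event)


RULES = [("root_activity", root_activity),
         ("console_login_without_mfa", console_login_without_mfa),
         ("root_access_key_created", root_access_key_created)]


def detect(events):
    """Return (rule, eventName, principal ARN) for every rule each event trips."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("eventName"), ev.get("userIdentity", {}).get("arn")))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

In practice these rules would run as CloudWatch Logs metric filters or alarms over the CloudTrail log group; the point of the functions is that each best practice maps to a concrete field test on the event record.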


AWS CloudShell
AWS CloudShell

It is a web-based shell that enables users to securely interact with AWS resources, offering ease
of operation and exploration.

• It supports the latest versions of Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari.
• Local installation or configuration is not necessary with AWS CloudShell.
• Users can quickly run scripts with the AWS CLI and experiment with AWS service APIs using the AWS SDKs.
• It comes pre-authenticated with the user's console credentials, ensuring a seamless and secure experience.
AWS CloudShell

The benefits of using AWS CloudShell are as follows:

• Simplified management
• Secure environment
• Pre-configured environment
• Cost optimization
AWS Shared Responsibility Model
AWS Shared Responsibility Model

AWS and the customers share the responsibility for security and compliance.

This shared approach might help relieve the customer's operating load depending on the
services delivered.
AWS Responsibility: Security of the Cloud

• AWS is responsible for safeguarding the infrastructure that supports AWS cloud services.
• The hardware, software, networking, and facilities that run AWS Cloud services constitute this infrastructure.
AWS Security Challenges
Security Challenges: Overview

• Cloud computing necessitates remote access, and it is crucial to carefully manage the access level.
• The system's access should strike a balance between not being overly restrictive and not being too loose.
AWS Account Management
AWS Organizations

AWS Organizations enables users to centrally maintain and administer their environment as they develop and expand their AWS resources.

It allows users to create new AWS accounts and distribute resources programmatically, letting them structure their workflows, apply policies, and simplify invoicing by using a single payment method.
Features of AWS Organizations

• Allows users to scale their environment by generating new AWS accounts dynamically
• Enables the implementation of policies, allowing different teams to build with the resources they need
• Aids auditing at scale by creating an immutable record of all account activity using AWS CloudTrail
Pricing Model of Cloud

Amazon EC2 instances have four pricing models:

• On-demand instances
• Spot instances
• Reserved instances
• Savings Plans


Savings Plan: Overview

These are cost-effective pricing plans that provide discounted rates compared to on-demand pricing.

These plans require a commitment for a specific consumption amount (measured in $ per hour)
over one or three years.
Key Benefits of Savings Plan

• Flexible
• Significant savings
• Easy to use
AWS Pricing Principles

AWS pricing is based on three key principles, which are as follows:

• Power of flexibility
• Optimization of AWS cost
• Opportunity to choose the right pricing model
AWS Free Tier in Pricing Model

It is an essential component of Amazon's pricing, which allows enterprises to try Amazon services for free.

The Free Tier is divided into three levels:

• 12 months free
• Always free
• Trials
AWS Cost Management Tools

Amazon provides several free tools to help users optimize cloud costs. These are:

Billing and Cost Management Console

AWS Budgets

AWS Cost Explorer

AWS Trusted Advisor

Amazon CloudWatch
Compute Optimizer

AWS Compute Optimizer uses machine learning to analyze historical usage and recommend
optimal AWS resources for workloads, minimizing costs and improving performance.
Key Benefits of Compute Optimizer

• Lowers costs by up to 25%
• Optimizes performance with actionable recommendations
• Starts quickly
Billing and Costing Tool: Overview

AWS provides several tools that are incredibly beneficial to infrastructure and operations managers, since they aid in discovering cost and usage information:

• AWS Cost and Usage Reports
• EC2 Instance Usage Report


AWS Trusted Advisor

Trusted Advisor is based on knowledge gained from servicing hundreds of thousands of Amazon Web Services customers.

It examines the user's AWS environment and then provides recommendations when there are opportunities to save money, improve system availability and performance, or help close security gaps.
AWS Trusted Advisor

The features of AWS Trusted Advisor are:

● Saves money by suggesting that users eliminate unused resources or employ reserved capacity
● Boosts the performance of users' services by ensuring that they use provisioned bandwidth
● Helps users improve the security of their applications by advising them to use AWS security features
Other Security Services
Encryption with KMS and CloudHSM

Organizations today are confused by the various alternatives for storing cryptographic keys securely in the cloud.

AWS Key Management Service (KMS) and AWS CloudHSM are the two cryptographic key management services available in the AWS Cloud.
Encryption with AWS CloudHSM

• It is a customer-owned and controlled cloud-based hardware security module.
• It operates as a single tenant on the hardware, which prevents it from being shared with other customers or applications.
• Organizations that wish to use HSMs for managing encryption keys but don't want to bother with managing HSM hardware in a data center can use AWS CloudHSM.
Encryption with AWS Key Management Service (KMS)

• Enables users to produce and manage cryptographic keys for the company
• Provides comprehensive security across AWS platforms by managing encryption keys
• Involves key generation, storage, administration, and auditing when encrypting, decrypting, or digitally signing data for applications or across AWS services
AWS Certificate Manager

A service that makes it simple to create, manage, and deploy public and private Secure Sockets
Layer (SSL) or Transport Layer Security (TLS) certificates for usage with AWS services and internal
linked resources
AWS Certificate Manager

The features of AWS Certificate Manager are:

Manages certificates on the AWS Cloud with ease

Integrates seamlessly with other AWS cloud services

Establishes a private certificate authority for enhanced security

Imports third-party certificates for user applications effortlessly

Ensures secure key management practices for your data


AWS Secrets Manager

It helps in protecting secrets that are required to access your apps, services, and IT assets.

The service helps to easily rotate, manage, and obtain database credentials, API keys, and other
secrets throughout their lifespan.
Features of AWS Secrets Manager

The features of AWS Secrets Manager are:

• Enables users to rotate secrets safely without the need for code migration, which helps fulfill security and compliance needs
• Uses fine-grained AWS Identity and Access Management (IAM) controls and resource policies to manage access to secrets
• Helps in protecting secrets by encrypting them with encryption keys managed using AWS Key Management Service
AWS Artifact

AWS Artifact is a one-stop shop for all things compliance.

It gives instant access to AWS security and compliance information, as well as a few online
agreements.
AWS GuardDuty

It is a continuous monitoring service for AWS accounts that detects potential threats and alerts on them.

It protects all AWS accounts and workloads with actionable threat protection.
AWS GuardDuty

Findings include information about the potential threat, such as:

• IP address
• Geolocation
• Tags
• Security groups


AWS Inspector

A vulnerability management service that checks AWS workloads for software flaws and unintended network exposure on a regular basis

By combining information from Common Vulnerabilities and Exposures (CVE) with criteria such as network access and exploitability, Amazon Inspector generates a highly contextualized risk assessment for each finding.
AWS Inspector

It helps small security teams and developers to assure infrastructure workload security and compliance across their AWS workloads.
Key Takeaways

Identity and Access Management (IAM) is a web service that provides access control across all of AWS.

AWS CloudShell is a browser-based shell that makes it easy to securely operate, explore, and engage with AWS resources.

AWS Organizations enables users to centrally maintain and administer their environment as they develop and expand their AWS resources.

AWS CloudHSM is a customer-owned and controlled cloud-based hardware security module.
Thank you
