AWS Effective Strategies to Implement IAM Solutions - cloud computing security - summary CH5

• what is identity management:
1. Traditional directory services: Kerberos (Microsoft), LDAP (non-Microsoft), Linux-based.
2. Modern directory services: SAML, OAuth.
3. Authentication security: Emphasis on Multi-Factor Authentication (MFA).

Technical requirements

• Active Directory (AD): Active Directory is a Microsoft service that manages and organizes information about network resources, facilitating user authentication and resource management in a Windows domain.
• Kerberos Protocol: Kerberos is a network authentication protocol that uses tickets to securely verify the identities of users and systems, enabling controlled access to network resources.

Introduction to IAM

• Identity and Access Management (IAM) → encompasses the complete user life cycle, covering account creation (provisioning), permission allocation, and account removal (deprovisioning) when a person leaves the organization or when the account is no longer needed.
• Access management is made up of the following main concepts:
1. Identity: Represents a user, computer, service, or role seeking access to perform actions in a system or application.
2. Authentication: Verifies an identity who they claim to be, like a user, by confirming provided credentials (username and password).
3. Authorization: Grants permissions to an authenticated identity, allowing specific actions on a resource (e.g., uploading a file to shared storage).
• Cloud providers take a different approach to IAM:
1. AWS IAM: All requests are implicitly denied by default until specific permissions are granted.
2. Azure Active Directory (Azure AD): Users have a minimal set of permissions for accessing resources by default.
3. GCP: Service accounts have permission to call Google Cloud APIs by default.
4. Microsoft AD: Central repository in on-premises data centers for storing user accounts, computer accounts, groups, and more.
5. Kerberos Protocol: Most used protocol for secure user authentication in on-premises traditional Windows applications or services.

Failing to manage identities

• Permission Issue: Lack of automated workflow led to copying admin permissions for a new employee, causing a ransomware attack and downtime in sales.
• Weak Password Policy: Easy-to-guess password due to lax policies allowed a hacker to access a financial report.
• Over-Privileged Employee: Role change oversight resulted in an employee having excessive access to production servers.
• Account Disablement Oversight: Failure to disable an ex-employee's account enabled unauthorized access to customer data through VPN.

Securing cloud-based IAM services

• each Cloud providers have managed IAM services for handling authentication and authorization requests.
• Here is a list of AWS IAM terminology :
1. IAM User: Person or application with AWS access, using credentials like password, access keys, and MFA.
2. IAM Group: Collection of users for easier permissions management.
3. IAM Role: Identity with resource access but no credentials; assigned to users, groups, or service accounts for temporary permissions.
4. Service Account: Special IAM user for allow application access to resources.
5. IAM Policy: JSON-based rules sets the permissions for accessing AWS resources.
1. Identity-based policies: This is attached to a user, group, or role
2. Resource-based policies: This is attached to the AWS resource ( Amazon S3 bucket )
6. Identity Provider: Management of external identities (e.g., through federation with Azure AD), allowing access to AWS resources.

• AWS IAM policy evaluation logic:
1. Identity-based policies combined with resource-based policies → result in total permissions from both policies.
2. Identity-based policies, when combined with permissions boundaries → yield effective permissions considering the restrictions imposed by permissions boundaries.
3. Identity-based policies, when combined with AWS Organizations service → control policies (for accounts that are organization members), result in effective permissions taking into account both policies.

Best practices for securing AWS IAM

• AWS IAM is the → Amazon-managed IAM service

1. Remove root user access keys, set a strong password, and enable MFA.
2. Minimize root user usage; create IAM user for console admin, enable MFA.
3. Avoid access keys for IAM admin users; follow least privilege principle.
4. Organize with IAM groups for easier permission management.
5. Create custom policies for limited access and assign them to user groups.
6. Use IAM roles for EC2 applications' access to AWS resources.

Auditing AWS IAM

• AWS allows you to monitor the AWS IAM using the following built-in services:
1. Amazon Cloud Watch: Service for auditing AWS Cloud Trail logs, enabling alarm creation for specific log thresholds (e.g., multiple failed logins).
2. AWS Cloud Trail: Service for auditing actions performed by the AWS account root user or any IAM user.
3. Amazon Guard Duty: Service utilizing machine learning to identify and alert on identity misuse, leveraging AWS Cloud Trail logs.

Best practices for auditing AWS IAM

1. Enable AWS CloudTrail in all regions.
2. Limit access to Cloud Trail logs to a few trusted employees with AWS management accounts.
3. Use Amazon Guard Duty for auditing AWS account root user.
4. Audit IAM user activities with AWS Cloud Trail.
5. Identify inactive users using IAM credential reports.

Securing directory services

• Cloud providers offer managed Active Directory for centralized identity management.
• The service handles domain joining, password policies, and access control.
• Customers can opt for self-hosted domain controllers for more control, similar to on-premises solutions. → deploy Active Directory domain controllers based on virtual machines
• Customers
1. Focus on consuming IAM service for → authentication and identity management.
2. No need to handle server maintenance tasks such as → availability, patch management, and backups.

Best practices for securing AWS Directory Service

• AWS Directory Service → is the Amazon managed Active Directory service.

1. Set up a comprehensive password policy with age, length, and complexity rules.
2. Define an account lockout policy, specifying attempts, duration, and reset options.
3. To avoid using a privileged account for a password reset → use the AWS Delegated Fine Grained Password Policy Administrators group to allow your support team permission to reset passwords
4. Apply MFA for high-privilege accounts managing AWS Directory Service.
5. Organize permissions by creating Active Directory groups for resource access.
6. Use VPC security groups to restrict EC2 instance access to AWS Directory Service.
7. Ensure a strong password for the built-in admin account of your AWS Directory Service.

Best practices for monitoring AWS Directory Service

• Amazon Cloud Watch: Monitors AWS Directory Service logs.
• AWS Cloud Trail: Audits API actions in AWS Directory Service console, SDK, or CLI.

1. Enable AWS Directory Service log forwarding to Amazon Cloud Watch for detailed log analysis, including tracking failed logins.
2. Use AWS Cloud Trail to audit user activity within AWS Directory Service via API.

Best practices for configuring MFA using AWS IAM

• MFA to → protect authentication attempts against potential account breaches.

1. Enable MFA for AWS account root and high-privilege IAM user - admin role
2. Require MFA for AWS console and API access.
3. In non-sensitive environments, use virtual MFA (e.g., Google Authenticator).
4. In sensitive environments, opt for hardware MFA or U2F security key.
5. Avoid using SMS for MFA due to vulnerabilities.