
AWS identity and Authentication Services (4)

2025-01-28 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

IAM Overview

- Centralized management of access to AWS resources and of user authentication.
- Supports federated access management, including third-party identity providers (Identity Provider) such as LDAP.
- IAM is a non-regional service: users, groups, roles and policies are valid globally.
- Creates users, groups and roles, and applies policies to them.
- Security credential types include: email and password, IAM username and password, access keys, multi-factor authentication (MFA), key and password policy management, and KMS encryption and decryption management.
- It is recommended that you always use IAM to create and manage the accounts used to operate AWS.
- IAM follows the principle of least privilege: all permissions are implicitly denied, and an explicit deny has the highest priority.
- A policy is a formal statement of permissions that is attached to an entity: a user, a group or a role. The relationship between policies and entities can be one-to-many or many-to-one.

A principal is an IAM entity that allows interaction with AWS resources, either a person or an application, temporary or permanent.

There are three kinds of principal identity: the root user, IAM users (and groups), and roles.

Root user

- The root user is the login principal created when the AWS account is first created; it has full access to all AWS resources and services in the account.
- It is strongly recommended that the root user not be used for any routine task, and that the administrator lock the root user down securely.
- The root user is also the Billing Account owner (equivalent to Owner), and is the entity and email address that created the AWS account.

IAM users

- Persistent identities created through the IAM service; an IAM user can represent an individual or an application.
- IAM users can be managed at any time by a principal with IAM permissions.
- When creating a user, the method of interacting with AWS must be chosen: the AWS console (username and password) or the CLI/SDK (access keys).
- IAM users can be given a customized URL for console access.
- IAM users should be managed under the principle of least privilege.
- Best practice: use the root account only to create a separate IAM account with administrative privileges.

IAM groups

- The aggregate policy of a group applies to every user in the group.
- One user can belong to multiple groups; there is no default group; groups cannot be nested.

Roles

- A role grants specific permissions to whoever assumes it for a specific period of time. Roles are authenticated through AWS or through third-party systems.
- The permissions of a user or group are usually associated with a role to simplify management and prevent configuration errors.
- When a role starts to take on a task, AWS provides a temporary security token through the AWS Security Token Service (STS), and the holder can use the AWS services the role is authorized for (STS tokens are valid for 15 minutes to 36 hours).
- IAM groups cannot use roles. Up to 1000 IAM roles can be created per account.

EC2 application roles

- Traditionally, granting permissions to an application is troublesome: certain credentials must be used securely, and their secure storage and access must also be considered. For example, when an application needs to access S3, it needs the key of an IAM user, and that key must be stored in a secure location accessible to the application. This leads to many problems, such as credential rotation, and is not conducive to agile development.
- The IAM role feature avoids this: the role is assigned through the instance profile (Config Profile) when the application's EC2 instance starts. When the program accesses S3 through the API, the role obtains a temporary token, and the AWS toolkit passes that token along with the API call to allow access. This method needs no key management or rotation at all.
- Roles can be replaced or detached at any time while the instance is running, but only one role can be assigned per EC2 instance.

Cross-account access (Cross Account)

- Access to AWS resources is granted to IAM users in other AWS accounts. This is usually used by third-party suppliers or customers associated with the company who need limited access to company resources.

Temporary access management (Federation)

- Provides temporary access to federated users, mainly for third-party services to which the organization does not want to give long-term credentials (for example, an API management service), and also within the organization.

User name and password

- Used to log on to the console. A password policy can be set to enforce complexity requirements and expiration; passwords are up to 128 characters.
- It is recommended that a password policy be set to ensure that strong passwords are used and that IAM account passwords are changed frequently.
- Console login must also provide the account ID or alias (included in the login URL).

Access keys

- An access key ID (AKI, 20 characters) and a secret access key (SAK, 40 characters) are used as a key pair to call the REST API.
- The SAK must sign all API requests. The request signature helps protect message integrity, prevents tampering during transmission, and prevents replay attacks. Signature v4 is supported; the signing key is derived from the SAK.
- Access keys must be kept in a secure place rather than embedded in code.
- Each IAM user has up to two activated keys, which are only valid in the region.
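The request signing described above, as an added example that is not code from the original page or from the AWS SDKs: a Signature Version 4 signer built from the standard library, plus the server-side check that recomputes the signature over the received request and rejects stale timestamps. The access key ID, secret key, host and request are constructed sample values, not real credentials; the 15-minute window is AWS's documented clock-skew limit.

```python
"""Signature Version 4 request signing and server-side verification.

Added example, not code from the original page or from the AWS SDKs. It
implements the SigV4 derivation chain with the standard library to show what
the notes mean by "the SAK signs every API request". The access key ID, secret
key and request below are constructed sample values, not real credentials.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed sample key pair: a 20-character AKID and a 40-character SAK.
SAMPLE_AKID = "AKIAEXAMPLEKEYID0001"
SAMPLE_SAK = "EXAMPLESECRETKEYEXAMPLESECRETKEY12345678"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def _parse_amz_date(value: str) -> datetime:
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the date/region/service-scoped signing key from the SAK.

    The SAK itself never signs a request; only this derived key does, so a
    leaked signature cannot be reused for another day, region or service."""
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, uri, query, headers, payload):
    """Normalise the request so client and server hash exactly the same bytes.

    Header names are lower-cased and sorted, values trimmed, and the SHA-256
    of the body is included so the payload is covered by the signature too."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in sorted(lowered))
    canonical = "\n".join([method, uri, query, canonical_headers,
                           signed_headers, _sha256_hex(payload)])
    return canonical, signed_headers


def sign_request(akid, sak, region, service, method, uri, query, headers, payload):
    """Return the Authorization header value (headers must carry X-Amz-Date)."""
    amz_date = {k.lower(): v.strip() for k, v in headers.items()}["x-amz-date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    canonical, signed_headers = canonical_request(method, uri, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical)])
    signature = hmac.new(signing_key(sak, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={akid}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify_request(authorization, secret_lookup, method, uri, query, headers, payload,
                   now_amz_date, max_skew_seconds=900):
    """Server side: check the timestamp window, then recompute the signature.

    A tampered method, path, query, signed header or body changes the
    recomputed signature; a captured request replayed more than max_skew
    seconds later is rejected on the x-amz-date check before any signing."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    amz_date = lowered.get("x-amz-date")
    if amz_date is None:
        return False, "missing x-amz-date"
    try:
        sent_at = _parse_amz_date(amz_date)
    except ValueError:
        return False, "malformed x-amz-date"
    if abs(_parse_amz_date(now_amz_date) - sent_at) > timedelta(seconds=max_skew_seconds):
        return False, "request timestamp outside the allowed window"
    try:
        credential = authorization.split("Credential=")[1].split(",")[0]
        akid, _date, region, service, _ = credential.split("/")
        signed = authorization.split("SignedHeaders=")[1].split(",")[0].split(";")
    except (IndexError, ValueError):
        return False, "malformed Authorization header"
    if any(name not in lowered for name in signed):
        return False, "signed header missing from request"
    subset = {name: lowered[name] for name in signed}  # only the headers the client signed
    sak = secret_lookup(akid)
    if sak is None:
        return False, "unknown access key id"
    expected = sign_request(akid, sak, region, service, method, uri, query, subset, payload)
    if not hmac.compare_digest(expected, authorization):
        return False, "signature mismatch"
    return True, "ok"
```

`secret_lookup` stands in for the server's credential store: it maps an access key ID to its SAK, which is why the SAK itself is never transmitted. Note that the verifier checks the timestamp before doing any HMAC work, so replayed or far-future requests are cheap to discard.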

Key pair

- An EC2 instance is accessed for the first time with an RSA 2048 SSH key pair: the public key is placed in the instance, and the explicit private key grants access. This is the preferred way to log in to EC2.
- A key pair can also be used by CloudFront to sign private content URLs for private distribution.
- If the key pair is lost, it cannot be regenerated; it can only be replaced.

Temporary security credentials

- When a service is used through an assumed role, the access key is replaced by an access key plus a session token from STS. The temporary credentials consist of a temporary access key pair (access key ID and secret access key) and a session token, and they time out.
- No special IAM account needs to be created for temporary access, and no key rotation needs to be configured.
- The timeout is 15 minutes to 36 hours; the default is 12 hours.

X.509 certificates

- X.509 certificates can be used to sign SOAP-based requests. An AWS account can create X.509 certificates; IAM users must use third-party software to create them.
- X.509 certificates can be used as SSL/TLS server certificates: submit a certificate signing request (CSR) to a CA for signing.
- X.509 certificates are used when creating a custom Linux AMI for EC2.

Multi-factor authentication (MFA)

- MFA is an additional security layer on top of the password or key; it usually requires a one-time password (OTP) from an external device.
- Hardware and software MFA are supported, and MFA authentication is also supported for API calls.
- MFA can be assigned to any IAM user; it is particularly recommended to enable MFA for the root user. Each user can bind only one MFA device.

Federated authentication (Identity Federation)

- An IAM identity provider (IdP) combines IAM with external identities: authentication happens externally, and permissions are assigned to the authenticated users outside IAM. IAM returns a temporary token associated with a role for the authenticated identity to work with.
- Public IdPs call the AWS API through OIDC (OpenID Connect) integration, mainly to authorize users authenticated by major web IdPs such as Google, Facebook and Amazon; this is known as Web Federation.
- Intra-enterprise authentication, such as an enterprise-owned AD or LDAP authentication service, is supported through SAML 2.0.
- Note: a newly created IAM user has no password and no key pair; the administrator needs to specify them manually.

Authorization and policies

- Authorization specifies the operations the principal can and cannot perform, as defined by a policy.
- A policy is a JSON document that fully defines a set of permissions to access and manipulate AWS resources. Its elements are:
  - Version: optional, in date format.
  - Effect: Allow or Deny.
  - Resource: the AWS infrastructure resources and data to which the specific permission applies, uniquely specified by ARN. An Amazon Resource Name (ARN) is the unique identity of an AWS resource and points to a unique resource when invoked in the global environment, for example: arn:aws:rds:eu-west-1:1234567:db:mysql-db
  - Service: the applicable service name.
  - Action: a subset of the operations of the service.
  - Condition: optional; one or more additional conditions that restrict when the permission allows the operation.

Policy types

- A user (inline) policy is declared explicitly on the principal it is attached to and exists only together with that user.
- A managed policy exists independently of the user and can be associated with many users or user groups. It is recommended that you use predefined managed policies so that users keep the correct access when new features are added.
- Best practice: group policies greatly simplify policy management for multiple users by associating a managed policy with a user group. Managed policies can be applied to user groups as well as users.

User permissions

- No permissions: the default when a new user is created.
- Power user: granted as needed; can access all AWS services, but cannot manage users and groups.
- Administrator: equivalent to root user rights.

Credential rotation

- The security risk of any credential increases with the duration of its use, so keys must be changed regularly:
  1. Create a new access key.
  2. Reconfigure all applications to use the new key.
  3. Disable the old key and verify that all application operations work with the new key.
  4. Delete the old key.

Evaluation of multiple permissions

When a principal performs an operation, several configured permissions may apply. The request is evaluated as follows:
- The request is denied by default.
- If any applicable policy contains an explicit deny, the request is denied.
- If any applicable policy contains an explicit allow and none contains an explicit deny, the request is allowed.
- If there is neither an explicit deny nor an explicit allow, the default deny applies.
- No policy can override an explicit deny; permissions that are not granted are denied by default.

AWS Directory Service

- AD concept: an AD contains organizational information: users, groups, computers and other resources.
- MS AD Service: runs Microsoft AD as a managed service on Windows 2012 R2. Highly available: domain controllers are deployed across two availability zones, with data replication and automatic daily snapshots. No software needs to be installed; AWS handles all patches and updates. An existing AD cannot be migrated; you can only create a new one. Suitable for scenarios with more than 5000 users.
- AD Connector: connects to an existing on-premises AD through the VPC, a VPN or Direct Connect to the enterprise data center, so that existing credentials can be used to access AWS applications. Integrates with an existing RADIUS-based MFA solution. Suitable for hybrid cloud scenarios.
- Simple AD: uses Samba 4 servers to provide AD services and supports common AD functions such as user accounts and group identities, Linux and Windows EC2 domain join, Kerberos-based single sign-on (SSO) and group policy. Also provides daily snapshots, point-in-time recovery, logging and auditing. Does not support trust relationships with MS AD, MFA, DNS dynamic updates, LDAP or other advanced features. Suitable for simple scenarios with no more than 5000 users.

AWS Security Token Service (STS)

- A lightweight web service that issues temporary, limited-access credentials.
- Identity broker authentication: an identity broker service creates temporary credentials, and the user receives a temporary URL to access the AWS management console (single sign-on). A third party can request credentials through the identity broker for IAM users in the current account, for IAM user groups, or across AWS accounts.
- Flow: the application queries STS; STS determines that the user of the web request has authenticated to AWS with AWS credentials and issues temporary credentials through the AWS STS API; STS returns the temporary security credentials to the application: AccessKeyId, SecretAccessKey, SessionToken and a time limit (1 to 36 hours).

Common scenarios

SAML-based SSO federated authentication

- STS supports the open standard SAML 2.0, which makes federation faster and easier: existing identity management software manages AWS access without any coding.
- The identity provider (IdP) uses HTTP-POST binding to start web SSO through SAML 2.0, simplifying SSO through a new URL. In IAM, the SAML IdP must be created as the principal of the IAM role's trust policy.
- Steps:
  1. The user enters the account password in the application.
  2. The application sends it to the identity provider (identity broker).
  3. The identity provider (IdP) sends the user name and password to the enterprise's LDAP directory for verification.
  4. After verification, the IdP sends a SAML authentication response to the application.
  5. The application sends the SAML request to STS using the AssumeRoleWithSAML API.
  6. The application accesses the S3 bucket using the temporary credentials.

Web-based federated authentication uses the STS API AssumeRoleWithWebIdentity and supports identity authentication through Amazon, Google and Facebook.

Cross-account access (Cross Account Access). You can easily switch accounts (roles) on the AWS management console, which allows users to switch quickly between development, test and production accounts (roles). Example: give the development account access to the S3 resources in the production account. The administrator of the production account creates a new role, UpdateApp, in IAM and defines a policy in the role; the policy allows a specific AWS account ID to access the S3 bucket named productionapp. In the development account, the administrator authorizes the members of the developer group to switch roles by granting the group permission to call the AWS Security Token Service (AWS STS) AssumeRole API on the UpdateApp role. When a developer requests to switch roles, they use the Switch Role button in the AWS console to switch to the production account, or use the AWS API/CLI to obtain the credentials of the UpdateApp role. AWS STS returns temporary credentials that allow access to AWS resources; with the switched role, the developer can access the contents of the productionapp bucket.
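The evaluation rules from the "Evaluation of multiple permissions" passage and the UpdateApp cross-account scenario above, worked through in one added example that is not code from the original page or from AWS: a small policy-evaluation simulator (explicit deny wins, then explicit allow, otherwise the default deny) that is then used to check the developer group's AssumeRole permission, the UpdateApp role's trust policy, and what the assumed role may do with productionapp. The account IDs 111111111111 and 222222222222, the policy documents and the Deny statement on s3:DeleteBucket are constructed samples; the real IAM evaluator also applies rules this simulator leaves out (permission boundaries, SCPs, resource policies, condition keys).

```python
"""Policy evaluation simulator for IAM-style policies and the UpdateApp scenario.

Added example, not code from the original page or from AWS. It implements the
precedence order the notes give (explicit deny wins, then explicit allow,
otherwise the default deny) and walks the cross-account UpdateApp example.
The account IDs and policy documents are constructed samples.
"""
from fnmatch import fnmatchcase

DEV_ACCOUNT = "111111111111"     # constructed: the development account
PROD_ACCOUNT = "222222222222"    # constructed: the production account
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/UpdateApp"


def _as_list(value):
    """IAM accepts a single string or a list in Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value) -> bool:
    """IAM-style wildcard match: '*' spans any characters, '?' exactly one."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource) -> str:
    """Apply the precedence rules across every statement of every attached policy."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny ends evaluation immediately
            allowed = True         # explicit allow: keep scanning in case a deny follows
    return "Allow" if allowed else "Deny"   # nothing matched: implicit (default) deny


def trusted_to_assume(trust_policy, principal_arn) -> bool:
    """Check the role's trust policy: may this principal call sts:AssumeRole?

    A Principal of arn:aws:iam::<account>:root trusts the whole account; the
    trusting account's administrator then narrows that with identity policies
    such as the developer-group policy below."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        for trusted in _as_list(stmt["Principal"]["AWS"]):
            if trusted == principal_arn:
                return True
            if trusted.endswith(":root") and principal_arn.startswith(trusted[:-len("root")]):
                return True
    return False


# Developer group policy (dev account): may call AssumeRole on UpdateApp, nothing else.
DEVELOPER_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# UpdateApp trust policy (prod account): trusts principals of the dev account.
UPDATE_APP_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}

# UpdateApp permission policy: work with the productionapp bucket only. The Deny
# statement is a constructed addition to show explicit-deny precedence.
UPDATE_APP_PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::productionapp"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::productionapp/*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def switch_role_and_access(principal_arn, principal_policies, action, resource) -> str:
    """Simulate Switch Role: the caller assumes UpdateApp, then acts with its policy.

    Both the caller's own identity policy and the role's trust policy must allow
    the AssumeRole; after the switch only the role's permission policy applies,
    so the developer's own permissions in the dev account no longer matter."""
    if evaluate(principal_policies, "sts:AssumeRole", ROLE_ARN) != "Allow":
        return "Deny: caller's policy does not allow sts:AssumeRole on UpdateApp"
    if not trusted_to_assume(UPDATE_APP_TRUST_POLICY, principal_arn):
        return "Deny: UpdateApp trust policy does not trust the caller"
    return evaluate([UPDATE_APP_PERMISSION_POLICY], action, resource)


if __name__ == "__main__":
    alice = f"arn:aws:iam::{DEV_ACCOUNT}:user/alice"
    for act, res in [("s3:GetObject", "arn:aws:s3:::productionapp/config.json"),
                     ("s3:GetObject", "arn:aws:s3:::otherbucket/secret"),
                     ("s3:DeleteBucket", "arn:aws:s3:::productionapp")]:
        print(f"{act} on {res}: {switch_role_and_access(alice, [DEVELOPER_GROUP_POLICY], act, res)}")
```

Two checks have to pass before any S3 action is even considered: the developer's own policy must grant sts:AssumeRole on the role ARN, and the role's trust policy must name the developer's account. Either side can revoke cross-account access on its own, which is what makes the pattern safer than sharing long-lived keys.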

AWS KMS (Key Management Service) Overview

- A hosted encryption service with a two-layer key structure: a master key encrypts the individual data keys.
- Each data key that encrypts application data is unique, and the master key cannot leave the KMS system.
- KMS only supports symmetric encryption.

CMK

- KMS uses the customer master key (CMK) to encrypt and decrypt data. A CMK can be a customer-managed key or an AWS-managed key.
- A CMK cannot leave AWS KMS in unencrypted form, but a data key can.
- By default, when KMS integration is enabled, each account generates a default key hosted by AWS; if no CMK is specified, this default key is used as the CMK to encrypt resources.
- The CMK is 256 bits long and generates data keys of 128 or 256 bits.
- Creating a CMK requires appropriate permissions. The CMK defines which IAM users and roles can manage and use the key, and can allow other AWS accounts to use the key.
- A CMK can encrypt and decrypt at most 4 KB of data directly.
- AWS can optionally perform automatic annual CMK rotation.
- CMK deletion can be given a waiting period of 7 to 30 days to ensure that nothing is affected.
- Each account can create up to 1000 CMKs per region.

Envelope encryption

- The CMK encrypts the data key and returns both a plaintext version and an encrypted version. The plaintext version is used to encrypt the data and should be deleted from memory immediately afterwards; the encrypted version can be stored together with the encrypted data.

Encryption context

- All encryption operations support optional additional context information as key/value pairs. The decryption operation must present the same context as the encryption operation, otherwise the data cannot be decrypted. The context can be used for fine-grained authorization and additional auditing.

Security practices

- Create unique aliases for keys, and describe which IAM users and roles can manage them.
- Optionally allow KMS to temporarily disable and re-enable keys.
- Check and audit key usage in the CloudTrail log every year.
- A KMS key can only be used in the region where it was generated and cannot be transferred to another region.

KMS + HSA

- AWS KMS provides a simple web interface (RESTful API) for user access. It is a flexible, multi-tenant service backed by hardened security appliances (HSA): a CMK builds an HSA-based encryption context that can only be accessed on the HSA.
- KMS is a hierarchical service in which the encryption operations reside on the HSA. It is composed of KMS hosts that serve the web API and a fleet of HSAs. All requests to KMS are sent over SSL and terminated on the KMS hosts, which complete the encryption and decryption operations through the HSA.
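The envelope-encryption flow and the encryption-context rule just described, as an added example that is not code from the original page or from AWS. KmsStandIn is a toy in-process key service: the CMK never leaves the object, only data keys do, in plaintext and wrapped form, and the wrapped key can only be unwrapped under the same context it was generated with. AES-GCM, which real KMS uses, is replaced by a stand-in authenticated cipher built from the standard library (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag) so the block runs without third-party packages; the envelope structure, not the primitive, is what it demonstrates. Aliases, contexts and payloads are constructed samples.

```python
"""Envelope encryption with an encryption context, following the KMS flow.

Added example, not code from the original page or from AWS. The cipher is a
standard-library stand-in for AES-GCM; the CMK never leaves KmsStandIn.
"""
import hashlib
import hmac
import json
import os

KEY_LEN = 32      # 256-bit keys, the CMK and data key length from the notes
NONCE_LEN = 16
TAG_LEN = 32


def _canonical_context(context) -> bytes:
    """Serialise the key/value context deterministically so both sides agree."""
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Stand-in AEAD: returns nonce || ciphertext || tag, with aad bound into the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting anything
        raise ValueError("wrong key, wrong encryption context, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsStandIn:
    """Toy key service: holds CMKs and hands out data keys in two forms."""

    def __init__(self):
        self._cmks = {}

    def create_key(self, alias: str) -> str:
        self._cmks[alias] = os.urandom(KEY_LEN)   # CMK material never leaves this object
        return alias

    def generate_data_key(self, alias: str, context=None):
        """Return (plaintext data key, the same key wrapped under the CMK)."""
        plaintext_key = os.urandom(KEY_LEN)
        wrapped = aead_encrypt(self._cmks[alias], plaintext_key, _canonical_context(context))
        return plaintext_key, wrapped

    def decrypt_data_key(self, alias: str, wrapped: bytes, context=None) -> bytes:
        """Unwrap; fails unless the caller presents the context used at wrap time."""
        return aead_decrypt(self._cmks[alias], wrapped, _canonical_context(context))


def envelope_encrypt(kms, alias, data: bytes, context) -> dict:
    """Encrypt data under a fresh data key; store only the wrapped key beside the ciphertext."""
    plaintext_key, wrapped = kms.generate_data_key(alias, context)
    ciphertext = aead_encrypt(plaintext_key, data, b"")
    del plaintext_key   # drop the reference at once; the envelope carries only the wrapped key
    return {"ciphertext": ciphertext, "encrypted_key": wrapped}


def envelope_decrypt(kms, alias, envelope: dict, context) -> bytes:
    """Unwrap the data key with the supplied context, then decrypt the payload."""
    plaintext_key = kms.decrypt_data_key(alias, envelope["encrypted_key"], context)
    try:
        return aead_decrypt(plaintext_key, envelope["ciphertext"], b"")
    finally:
        del plaintext_key


def decrypts_with_context(kms, alias, envelope: dict, context) -> bool:
    """True if the envelope opens under this context, False on any integrity failure."""
    try:
        envelope_decrypt(kms, alias, envelope, context)
        return True
    except ValueError:
        return False
```

The context is not secret and is not stored in the envelope; the caller has to know it and present it again, which is what makes it usable for authorization (a policy can require a given context) and for auditing (CloudTrail records it with each call). Note that `del` only drops the Python reference; it does not zero the bytes the way a native client library would.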

KMS-encrypted EBS volumes

AWS CloudHSM deploys dedicated hardware security modules in the AWS cloud and uses SafeNet Inc's Luna SA7000 HSM devices to provide tamper-proof encryption and storage of security keys within the hardware module without exposing them to the encryption boundaries of the device.

CloudHSM mainly provides HSM services for single tenants in dedicated VPC, supporting symmetric and asymmetric encryption.

When using the AWS CloudHSM service, you create a CloudHSM cluster. A cluster can contain multiple HSM instances distributed across multiple availability zones in a region; the HSM instances in the cluster are automatically synchronized and load balanced, and you get dedicated single-tenant access to each of them. Each HSM instance appears as a network resource in your Amazon Virtual Private Cloud (VPC). Adding or removing an HSM from the cluster is done simply by calling the AWS CloudHSM API (or using the AWS CLI on the command line). After creating and initializing a CloudHSM cluster, you configure a client on the EC2 instance so that your application can use the cluster over an authenticated, secure network connection. Amazon administrators can monitor the health of the HSMs, but have no permission to configure, manage or use them. Your application uses standard cryptographic APIs together with the HSM client software installed on the application instance to send encryption requests to the HSM. The client software maintains a secure channel to all HSMs in the cluster and sends requests over it; the HSM performs the operation and returns the result through the same secure channel, and the client returns the result to the application through the cryptographic API. It is recommended to configure the HSM service for high availability.

Amazon Cognito

- Cognito provides identity and synchronization services for mobile and web-based applications in cooperation with public IdPs such as Google, Facebook and Amazon. The application uses the SDK to access the IdP and authenticate with it. After successful authentication, an OAuth or OpenID Connect token is sent back to Cognito, and Cognito, acting as a proxy, returns a new Cognito ID and a set of temporary AWS credentials to the user.
- You need to create an identity pool in your AWS account to store the information for specific users, that is, their roles and permissions. Cognito creates new roles with limited access to AWS resources; end users can only access the Cognito Sync service and the Mobile Analytics service.
- Cognito uses the client SDK to manage local SQLite storage as a read/write cache and synchronizes it asynchronously to the cloud. Users can continue to exchange data even while offline, although the data may be outdated; when multiple accounts synchronize, the data must be verified by Cognito. A Cognito identity only synchronizes and stores its own data as authorized by its role, and data transmission is encrypted using HTTPS.
