Module 6: Security --- part 1
學習目標
- Shared responsibility model 優點
- Multi-factor authentication (MFA)
- AWS Identity and Access Management (IAM) security levels 優點
- AWS Organizations 優點
- Security policies
- Compliance with AWS 優點
- Additional AWS security services
Shared Responsibility Model
Customer is responsible for the security in the cloud.
AWS is responsible for the security of the cloud.
e.g. Amazon EC2
- Customer responsibilities: Security in the cloud
- Data
- Application
- Operating System
- AWS responsibilities: Security of the cloud
- Hypervisor
- Network
- Physical
User Permissions and Access
AWS Identity and Access Management (AWS IAM)
AWS IAM enables you to manage access to AWS services and resources securely. Create users to enable people and applications to interact with AWS services and resources.
- AWS Account Root User
- IAM Users
- IAM Policies
- IAM Groups
- IAM Roles
- Multi-factor authentication (MFA)
Principle of least privilege: A user is granted access only to what they need.
(1) AWS Account Root User
The root user identity is the identity that is established when you first create an AWS account.
The root user is accessed by signing in with the email address and password that you used to create your AWS account. Root user has complete access to all the AWS services and resources in the account.
Best Practice
- Do not use the root user for everyday tasks.
- Instead, use the root user to create your first IAM user and assign it permissions to create other users.
- Only use the root user when you need to perform a limited number of tasks that are only available to the root user.
- e.g. changing your root user email address, changing your AWS support plan
- Update the AWS account root user password in the AWS Management Console.
- AWS Account Management Reference Guide - “Tasks that require root user credentials”
(2) IAM User
An IAM user is an identity that you create in AWS. It represents the person or application that interacts with AWS services and resources. It consists of a name and credentials.
- By default, when you create a new IAM user in AWS, it has no permissions associated with it.
- You must grant the IAM user the necessary permissions.
Best Practice
- Create individual IAM users for each person who needs to access AWS
- Even if you have multiple employees who require the same level of access, you should create individual IAM users for each of them.
(3) IAM Policy
A document that allows (grants) or denies permissions to AWS services and resources.
- Effect: Allow or Deny
- Action: Any AWS API call
- Resource: Which AWS resource the API call is for
Best Practice
- Follow the security principle of least privilege when granting permissions.
(4) IAM Group
An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.
(5) IAM Role ⭐
You can't assign IAM role to IAM user.
方便對不同的 AWS resources 給予不同的角色權限。(暫時的)
An IAM role is an identity that you can assume to gain temporary access to permissions.
- Roles have associated permissions that allow or deny specific actions.
- Roles can be assumed for temporary amounts of time.
- It is similar to a user, but has no username and password. Instead, it is an identity that you can assume to gain access to temporary permissions.
- You use roles to temporarily grant access to AWS resources, to users, external identities, applications, and even other AWS services.
Best Practice
- IAM roles are ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term.
Multi-factor authentication (MFA)
An authentication process that provides an extra layer of protection for your AWS account.
AWS MFA device could be a hardware security key, a hardware device, or an MFA application on a device such as a smartphone.
Best Practice
- Enable MFA for the root user and all IAM users in your account.
- Configure MFA in AWS IAM.
留言
張貼留言