IAM Deep Dive: AWS Security SCS-C02 Exam Prep 1

Yashvi Kothari - Sep 29 - - Dev Community

**

1. What is Identity and Access Management?

**
A service/system that protects your valuable AWS resources.

Definition IAM

  • who can access your AWS account
  • what they can do.

IAM itself

Identity Management:

  • who can access your AWS account.
  • IAM uses unique usernames to identify individuals within your account, preventing duplicate user accounts.

Authentication:

  • identified user is who they claim to be.
  • involves providing a username and password. OR also use Multi-Factor Authentication (MFA) for extra security.

Access Management

  • what resources an authenticated user can access.
  • grant granular permissions, such as "Full Access" to EC2 or "Read Only" to RDS.

Access Control

method used to grant access:

  1. username/password
  2. Traditional method
  3. Basic security

  4. While effective for simple setups, it's vulnerable to password breaches.

  5. MFA

  • MFA significantly reduces the risk of unauthorized access, even if credentials are compromised.

Time-based One-Time Password (TOTP): Generates a unique code that expires after a short time.
Push notifications: Sends a notification to a registered device, requiring user confirmation.
Hardware tokens: Physical devices that generate unique codes.

  1. federated access
  • simplifies user management and provides seamless login experience.
  • use security measures of the external identity provider.
  • External identity provider: Allows users outside your AWS account to access resources using credentials from a trusted external identity provider.

Single sign-on (SSO): Enables users to log in to multiple applications with a single set of credentials.
Social login: Allows users to sign in using their existing accounts from social media platforms (e.g., Google, Facebook).
Enterprise identity providers: Integrates with your organization's existing identity management systems (e.g., Active Directory)

Why IAM ?

  • Minimize risks: Restrict access to resources, preventing unauthorized individuals from causing damage.
  • Enhance compliance: Meet industry standards and regulations by adhering to secure access protocols.
  • Improve manageability: Simplify user access and resource management within your AWS account.

2.AWS IAM Features

Access Management:

  • Users:
    individual identities (people or applications) needing access to AWS resources.
    Each user has a unique ARN (Amazon Resource Name).
    User have Multi-Factor Authentication (MFA) for enhanced security.

  • IAM User Groups:

add IAM users.
Attached Policies to grant or deny access to resources.

Image description

  • Roles:

Temporary credentials used by users, other AWS services, or applications to access resources.
Roles don't have passwords but can be assumed by authorized identities.

  • Policies (JSON documents): Define what resources can be accessed (or denied) and by whom. Policies can be attached to users, groups, or roles.

Image description

  • Account Settings: Enforce password policies with minimum security requirements.

  • Security Token Service (STS):

Provides temporary, limited-privilege credentials for IAM and federated users.
Regional endpoints are available for lower latency.

Access Reports:

Access Analyzer:
Identifies policies granting access to resources from outside your trusted zone (e.g., cross-account access).
Helps identify potential security risks.

Credential Report:

Generates a CSV file listing all IAM users with details like last used date, password change history, and MFA status.

Organization Activity (for AWS Organizations users):

Shows service activity for the past year within an account or organizational unit (OU).
Identifies active users and services accessed.

Service Control Policies (SCPs):
Set boundaries for permissions across AWS accounts within Organizations. SCPs can override identity-based policies for stricter control.

Eg:
If a user has full access to S3, RDS, and EC2 through an IAM policy, but the Service Control Policy (SCP) denies access to S3, the user will only be able to access RDS and EC2. The SCP takes precedence and limits the maximum permissions allowed.

Image
Serverless vs. Containerized: Making the Right Choice
Image
Other Options apart from IBM SkillsBuild for Data Science/Analysis
Image
HIRE A RECOVERY SPECIALIST TO RETRIEVE YOUR STOLEN, LOST OR SCAMMED CRYPT0 ASSETS, VISIT>>GRAYWARE TECH SERVICES.

discuss, blockchain, git, cryptocurrency
Image
How Crypto PR Agencies Keep Pace With Regulatory Changes
Image
Efficiently Destroying Observables in Angular

angular, webdev, javascript
Image
The Babble Effect: A Costly Mistake in Identifying Future Leaders

productivity, career, learning, startup
Image
Understanding Retrieval Augmented Generation (RAG)

rag, llm, ai
Image
File issue
Image
Navigating Water Damage Restoration with a Professional Contractor in Cypress
Image
🚀How I integrated an AI copilot into Dub.co (in a few minutes)🤖✨

webdev, javascript, programming, tutorial
Image
MVC in Frontend is Dead

webdev, architecture, frontend
Image
[Part 4] Effective Measures to Control System Architecture Drift

systemdesign, architecture, webdev
Image
[Part 3] The Temptation to Ignore Architecture Drift

systemdesign, architecture, webdev
Image
[Part 2] Architectural Drift in Real Life Systems

architecture, webdev, systemdesign
Image
Can AI Outsmart the Hackers? Adversarial Attacks and Defenses in Time-Series Forecasting

deeplearning, machinelearning, security, tutorial
Image
The Future of Freelancing: Decentralized Networks and Blockchain-Powered Platforms

blockchain, decentralization, futureofwork, freelancing
Image
Client Hook JS

javascript, programming, learning
Image
JSONB wit go and postgreSQL
Image
Exploring the Different Types of PostgreSQL Table Partitioning
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .