Content of Figures
In keeping with the transformational change that is occurring as increased digitalisation impacts all industry sectors, AWS has extended the identity management features of their cloud platform. This allows customers to enhance their business processes, it lets them identify users who are accessing corporate facilities and it reduces cybersecurity risk by enabling better access control.
Whether you are using public cloud facilities, or a hybrid configuration, the AWS platform can now accommodate most access control needs. The AWS identity and access management (IAM) facilities provide greater granularity in assigning entitlements which allows better management of access control to applications and protected resources in the AWS environment. Users can deploy the appropriate level of identity management granularity to allow administration of a cloud environment to be adequately segmented. For instance, it is highly advisable to segment server access, database access, key management and backup services. AWS identity management services facilitates achieving this level of segmentation. Software development can also be better managed with the ability to control access to dev, test and prod environments.
Organizations take different approaches to access control. A common practice is to assign roles based on group membership i.e. if someone is an AD administrator, they will be put in the ‘AD admin’ group. Other organizations prefer to establish a directory OU (organizational unit); applications then verify that a user’s ID is in the associated OU before granting access to a user request. Increasingly user attributes are used to control access to systems i.e. only staff with a department attribute of “Finance” will get access to the financial management application.
To accommodate the widest possible number of use cases AWS provides both role assignments, whereby the permissions of a “role” can be granted to a user by assigning the role to them, or group assignments, whereby a user with a specific group membership is assigned the entitlements of that group.
Federation is also supported for access to AWS facilities. AWS is fully SAML 2.0 compliant and can provide SSO to the AWS management console for a user with an appropriate record in a trusted third-party identity provider (IdP) service. Federation can be used for API security management; this is particularly useful when third-party users must access an application via an AWS API.
Key management has been improved. Clients of AWS can choose to use the key management functionality provided within the platform or they or they can bring their own CustomerMaster Key to the AWS platform. The AWS key management functionality will satisfy the confidentiality requirements for most clients, but in regulatory environments that mandate customer-based key management, that option can be accommodated.
Managing identities is core functionality for a cloud platform. It is necessary for clients to be able to protect their cloud infrastructure and ensure appropriate access control to system features. The AWS platform enables customers to achieve this via a functional user interface.
2 Product Description
In the past, when AWS referenced IAM they typically referred to providing access control to system functions within the AWS environment i.e. managemen ...
With the recent expansion of the IAM facilities in the AWS platform it’s not only possible to exert more control over system accounts, application u ...Login Get full Access
2.1 IAM Users
AWS IAM provides the ability to create user accounts and establish their login credential requirements. In some cases, this will be just a password, i ...
Note: AWS does not provide provisioning workflows; clients can either synchronise their on-premise AD or deploy an identity manager solution with conn ...Login Get full Access
2.2 Password Policy
AWS provides the facility to set a policy to control password length and strength, expiration, history and whether or not users can change their own p ...
AWS has 5 pre-defined password policy settings. Each setting can have a different profile i.e. a different password strength requirement and is assign ...Login Get full Access
2.3 IAM Roles & Permissions
Roles are a simple but powerful way that AWS provides for entitlement management. An IAM role has a set of defined entitlements (permissions) and mult ...
Roles are also useful in managing access by business partners. By assigning a role to a user’s account the permissions associated with the role are ...Login Get full Access
2.4 IAM Groups
AWS provides a group management facility in addition to role management. Access control by groups is often used to manage user access to specific appl ...Login Get full Access
2.5 Delegated System Administration
Another improvement is the ability to manage directory administrators for on-premises facilities. In the past, AD admins would manage elevated privile ...Login Get full Access
2.6 IAM Policy Management
IAM policies provide the capability to determine whether a user has permission to access a requested resource and determine what they are allowed to d ...Login Get full Access
2.7 Multi-factor Authentication
A single factor system typically relies on a password credential for a user login. Two factor systems add ‘something you have’ such as a mobile de ...Login Get full Access
AWS IAM fully supports SAML 2.0 for federation with remote identity providers. It is not necessary to establish all users in the AWS directory service ...Login Get full Access
3 Strengths and Challenges
The AWS identity management functionality is a welcomed extension to the AWS platform. It recognizes the importance of protecting computing facilities ...Login Get full Access