AWS Security

AWS Account

Each AWS account comes with a root user
This account i used when operating on management console
Through console others users can be created with required permissions
AWS Account is the basket for all resources you own: EC2 instances, CloudFormation stacks, IAM users, and so on

AWS Account Access

as root access -> password + accesskey
as normal user -> password + accesskey
as AWS resource -> API/CLI request from that EC2 instance

Identity and Access Management Service

Provides everything for authentication and authorization with AWS API
Every request you make to AWS API goes through IAM to check whether the request is allowed
IAM controls who can do what in your AWS account

IAM Service

Authentication in IAM is done with users or roles

Authorization is done by policies

	Root user	IAM User	IAM role
Can have password	Always	Yes	No
Can have access key	Yes *	Yes	No
Can belong to group	No	Yes	No
Can be associated with an EC2 instance	No	No	Yes

* not recommended

Differences between root user, IAM user and IAM role

Policies for authorization

Policy is defined as JSON
Contains one or more statements
A statement can allow or deny specific action on specific resources
Overview of all actions for EC2 resource

{
    Version: '2012-10-17',
    Statement: [{
        Sid: '1',
        Effect: 'Allow',
        Action: ['ec2:*'],
        Resource: ['*']
    }]
}

every EC2 action

allows

every EC2 action

Policies for authorization

If you have multiple statements that apply to same action, deny overrides allow

{
    Version: '2012-10-17',
    Statement: [
        {
            Sid: '1',
            Effect: 'Allow',
            Action: ['ec2:*'],
            Resource: ['*']
        },
        {
            Sid: '2',
            Effect: 'Deny',
            Action: ['ec2:TerminateInstances'],
            Resources: ['*']
        }
    ]
}

above policy allows all EC2 actions except terminating instances

{
    Version: '2012-10-17',
    Statement: [
        {
            Sid: '1',
            Effect: 'Deny',
            Action: ['ec2:*'],
            Resource: ['*']
        },
        {
            Sid: '2',
            Effect: 'Allow',
            Action: ['ec2:TerminateInstances'],
            Resources: ['*']
        }
    ]
}

above policy denies all actions including ec2:TerminateInstances

AWS Resource

have Amazon Resource Name (ARN)

arn:aws:ec2:us-east-1:878533158213:instance/i-3dd4f812

Service

Region

AccountID

Resource Type

Resource

Managed policy

If you want to create policies that can be reused in your account. There are 2 types:

AWS managed policy - A policy that is maintained by AWS. eg., policies that grant admin rights
Customer managed - Could be policy that represents roles in your organization.

Inline policy

A policy that belongs to a certain IAM role, user, or group. The inline policy can't exist without the IAM role, the user, or the group.

Two types of policies:

Policy is created once and reused for multiple principles (users, roles or groups)

Standalone object

Managed Policy

Policy is created for specific user, group or role

Inline object

Inline Policy

Roles for Authentication for AWS resource

AWS Resource Authentication

Each AWS API request from AWS resource (eg. EC2)
Will be authenticated with the roles attached
By default EC2 has no roles attached; hence no API calls are allowed

Policy Language

Provides authorization
Two facets:
- Specification: Defining access policies
- Enforcement: Evaluating policies

Policy Specification basics

JSON-formatted documents
Contain a statement (permissions) that specifies:
- which action an principle can perform
- which resources can be accessed

{
    "Statement": [
        "Effect": "allow|deny",
        "Principle": "principle",
        "Action": "action",
        "Resource": "arn",
        "Condition": {
            "condition": {
                "key": "value"
            }
        }
    ]
}

you can have multiple statements and each statement is comprised of PARC

Principle
Action
Resource
Condition

PARC + E

Principle

An entity that is allowed or denied access to a resource
Indicated by an Amazon Resource Name (ARN)
With IAM policies, the principle element is implicit (i.e, user, group or role attached)

<!-- everyone (anonymous users) -->
"Principal":"AWS":"*.*"

<!-- specific account or accounts -->
"Principal": {"AWS":"arn:aws:iam::1234567:root"}

<!-- individual IAM user -->
"Principal": {"AWS":"arn:aws:iam::1234567:user/username"}

<!-- federated user (using web identity federation) -->
"Principal": {"Federated": "www.amazon.com"}
"Principal": {"Federated": "graph.facebook.com"}

<!-- specific role -->
"Principal": {"AWS":"arn:aws:iam::1234567:role/rolename}

<!-- specific service -->
"Principal": {"Service":"ec2.amazonaws.com"}

Action

Describes the type of access that should be allowed or denied
Can be find in docs
Statement must include Action or NotAction element

<!-- EC2 action -->
"Action": "ec2:StartInstances"

<!-- IAM action -->
"Action": "iam:ChangePassword"

<!-- s3 action -->
"Action": "s3:GetObject"

<!-- specify multiple values -->
"Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]

<!-- use wildcards (* or ?) as part of the action name -->
"Action": "iam:*AccessKey"
<!-- this would cover, for e.g, CreateAccessKey, DeleteAccessKey etc -->

Resource

The object or objects that are being requested
Statements must include either a Resource or a NotResource element

<-- S3 Bucket -->
"Resource": "arn:aws:s3:::my_corporate_bucket/*"

<-- SQS queue -->
"Resource": "arn:aws:sqs:us-west-2:12345678:queue1"

<-- Dynamo table -->
"Resource": "arn:aws:dynamodb:us-west-1:12345678:table/books_table"

<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:12345678:instance/*"

Conditions

Optional criteria that must evaluate to true for the policy to evaluate as true
Can contain multiple policies

Cognito

Service that enables you to create unique identities for your user
and authenticate them
using either your own user pools
or by using federated identity