AWS, cloud, cloudsecurity, cloudnative

AWS Cloud Security Fundamentals

Tony Lutz
Jan 12, 2021 10:58:20 AM
SHARE

 

Three AWS services are critical for maintaining a strong security and governance posture.  These services are not only functionally effective, but are available at no additional cost to AWS CSP customers.  

AWS Identity and Access Management (IAM) 

IAM manages access to AWS resources and services via customized roles and policiesBy default, permission begins with implicit denial.  This means resources or people will not have permission unless it is explicitly granted. Explicit denial also exists, which will deny permission – even if permission was explicitly allowed. 

While the concept of IAM is elementary, effective use requires thoughtful consideration. Many customers use the “*” wildcard when writing custom policies. While it speeds up policy development, it fails to satisfy the Security Principle of Least Privilege; this means that resources should only be given just enough permission to complete the task. My recommendation is to spend more time drafting narrowly scoped policies. 

AWS Tagging 

Tagging is not only a great way to search for resources, but also an important cloud governance tool.  Tagging plays an important role in setting IAM policy conditions and narrowing the scope of access.  

Most commonly, tags can be used to control access based on 1) Authorization, 2) Requests, and 3) Resources using the aws:TagKeys control. Some but not all AWS API requests include tags and some but not all resources can be tagged. 

Authorization based on Tags is a great way to implement Attribute-based access control (ABAC), while Requests and Resources are instrumental in implementing role-based access control (RBAC). 

AWS Security Token Service (STS) 

AWS STS is commonly used for federated access, for example integrating an Identity Provider like Active Directory with the AWS console.  Less common - but just as effective – STS can be used for programmatic access. Configuring STS to manage programmatic access means access keys no longer need to be manually rotated. This helps reduce the risk of access keys being used for unintended purposes. 

Conclusion 

There are many new and exciting security solutions available for AWS GovCloud and Commercial...Check back for the latest and greatest! 
Tony Lutz

Tony Lutz

Related posts

cloud network stock image
cloud,cloudsecurity,Cloud Enterprise Architecture,cloud migration,Case Study,Cloud Networking,data engineering,Big Data,Business Intelligence,Resource Management,Data Management,Techquity

The Need for Better Cloud Network Security

Transitioning traditional data center environments to the cloud offers federal agencies huge...

Read more
Cloud-migration-Blog-Banner--1
cloud,cloudsecurity,Cloud Governance & Compliance,cloud migration,Data Migration,Cloud Services

Simple Technology Solutions to Support U.S. Treasury with Azure Migration Services

Federal agencies have a pressing need to expand their multi-cloud capabilities to meet emerging...

Read more
© 2024 All rights reserved.