AWS Cloud Security Fundamentals
Three AWS services are critical for maintaining a strong security and governance posture. They are not only functionally effective but also available at no additional cost to AWS customers.
AWS Identity and Access Management (IAM)
IAM manages access to AWS resources and services through customized roles and policies. By default, every permission starts as an implicit deny: a resource or person has no permission unless it is explicitly granted. An explicit deny also exists, and it denies the permission even when another statement explicitly allows it.
While the concept of IAM is elementary, using it effectively requires thoughtful consideration. Many customers use the "*" wildcard when writing custom policies. While it speeds up policy development, it fails to satisfy the security principle of least privilege, which says that resources should be given just enough permission to complete their task and no more. My recommendation is to spend more time drafting narrowly scoped policies.
Tagging is not only a great way to search for resources but also an important cloud governance tool. Tags play an important role in setting IAM policy conditions and narrowing the scope of access.
Most commonly, tags control access based on 1) authorization, 2) requests, and 3) resources, using the aws:TagKeys condition key. Some, but not all, AWS API requests include tags, and some, but not all, resources can be tagged.
Authorization based on tags is a great way to implement attribute-based access control (ABAC), while request and resource tags are instrumental in implementing role-based access control (RBAC).
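As an added example that is not part of the original post: a small Python model of the evaluation order described above (implicit deny by default, explicit deny overriding an explicit allow), run over two constructed policies, the "*" wildcard policy beside a narrowly scoped tag-based (ABAC) policy. The tag conditions use the aws:ResourceTag/<key> and aws:PrincipalTag/<key> condition keys and the ${aws:PrincipalTag/<key>} policy variable, which are real IAM syntax not mentioned above; the evaluator itself is a deliberate simplification, not AWS's engine, and the account number is a placeholder.

```python
"""Simplified model of the IAM evaluation order described above:
explicit Deny beats explicit Allow, and everything else is an implicit deny.
Added illustration with constructed policies; not AWS's real evaluation engine."""
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(cond, resource_tags, principal_tags):
    # Only StringEquals on aws:ResourceTag/<key> and aws:PrincipalTag/<key> is modelled;
    # a value written as ${aws:PrincipalTag/<key>} is resolved from the caller's tags.
    for key, want in cond.get("StringEquals", {}).items():
        namespace, _, tag = key.partition("/")
        have = {"aws:ResourceTag": resource_tags,
                "aws:PrincipalTag": principal_tags}.get(namespace, {}).get(tag)
        if want.startswith("${aws:PrincipalTag/") and want.endswith("}"):
            want = principal_tags.get(want[len("${aws:PrincipalTag/"):-1])
        if have is None or want is None or have != want:
            return False  # a missing tag makes the condition false, so the statement is skipped
    return True

def evaluate(policies, action, resource, resource_tags=None, principal_tags=None):
    """Return 'Allow' or 'Deny' for one request; the default is the implicit deny."""
    resource_tags, principal_tags = resource_tags or {}, principal_tags or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), resource_tags, principal_tags):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides any allow, wherever it appears
            allowed = True
    return "Allow" if allowed else "Deny"

# Constructed policies: the "*" wildcard beside a narrowly scoped, tag-based (ABAC) one.
# Account 111122223333 is a placeholder, not a real account.
WILDCARD = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ABAC = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "prod"}}},
]}
```

Running evaluate with both policies together shows why the wildcard is dangerous: it allows every action on every resource, and only the explicit Deny in the narrow policy still stops anything.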
AWS Security Token Service (STS)
AWS STS is commonly used for federated access, for example to integrate an identity provider such as Active Directory with the AWS console. Less common, but just as effective, STS can also manage programmatic access. Because STS issues short-lived credentials, long-lived access keys no longer need to be created and manually rotated, which reduces the risk of those keys being used for unintended purposes.
There are many new and exciting security solutions available for AWS GovCloud and Commercial... Check back for the latest and greatest!