Thursday, October 2, 2025

Advanced Identity in AWS | Overview.🔐

twtech Overview of Advanced Identity in AWS.

AWS identity is a large and still-evolving area. This overview covers:

  • IAM (users, roles, groups, policies),
  • IAM Identity Center (the successor to AWS SSO),
  • Cognito,
  • STS,
  • cross-account access,
  • fine-grained permissions,
  • OIDC/SAML federation,
  • delegated administration,
  • SCPs, and more.

1. Identity Foundations

AWS identity answers two questions:

  • Who or what someone is (identities, established by authentication).
  • What that identity may do (permissions, decided by authorization).

  • Principals: Can be users, roles, services, applications, or federated entities.
  • Authentication: Verifying the identity (IAM, AWS SSO/Identity Center, federation).
  • Authorization: What actions the principal is allowed to perform (IAM policies, SCPs, permission boundaries).

2. Core AWS Identity Services

💻 IAM (Identity and Access Management)

  • IAM Users: Long-term credentials (console password, access keys). No longer recommended for people; route humans through Identity Center and keep any remaining IAM users behind MFA.
  • IAM Roles: Temporary, assumable identities for workloads, services, and federation.
  • IAM Groups: Collections of users with shared policies.
  • IAM Policies: JSON documents defining permissions; key types:
    • Identity-based policies (attached to a user, role, or group); together with resource-based policies, the only layer that actually grants access.
    • Resource-based policies (e.g., S3 bucket policy, KMS key policy); they name the principal and can grant cross-account access (the caller's own account must also allow the action).
    • Session policies (passed at assume time via STS AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity or GetFederationToken); they can only narrow what the role already has.
    • Permissions boundaries (cap the maximum permissions an identity-based policy can grant; they grant nothing themselves).
    • Service control policies (SCPs) (Organizations guardrails over member accounts; they grant nothing themselves either).
  • Evaluation: an explicit Deny in any of these wins. Otherwise the request needs an Allow from an identity-based policy (or an applicable resource-based policy) and from every guardrail layer in play (each SCP, the permissions boundary, the session policy).

🌍 AWS Organizations + SCPs (Service control policies)

  • Manage multi-account identity governance.
  • An SCP caps what any principal in a member account can do: an action the SCP does not allow is denied even if an IAM policy grants it. SCPs grant nothing themselves, do not affect the management account, and do not restrict service-linked roles.
  • Examples: deny all actions outside approved regions (aws:RequestedRegion), require tags on resource creation (aws:RequestTag), deny actions performed as the root user of a member account.

👤 AWS IAM Identity Center (successor to AWS Single Sign-On)

  • Central hub for workforce identity.
  • Integrates with external IdPs (Okta, Microsoft Entra ID / Azure AD, Ping, etc.) via SAML 2.0.
  • Provides role-based access into multiple AWS accounts: each permission set becomes an IAM role in every account it is assigned to.
  • Assigns fine-grained permissions without creating IAM users.
  • Supports MFA, SCIM provisioning, attribute-based access control (ABAC).

🌐 Amazon Cognito

  • Customer identity (CIAM).
  • Sign-up, sign-in, federation for apps.
  • Works with OIDC, SAML, social IdPs (Google, Facebook, Apple).
  • Provides JWTs (ID and access tokens) for API authorization (API Gateway, AppSync, etc.); the API must still validate signature, issuer, audience/client ID and expiry.

AWS STS (Security Token Service)

  • Issues temporary credentials for roles, federation, and cross-account access.
  • Key APIs:
    • AssumeRole (role switching and cross-account access by IAM principals; accepts a session policy, session tags and an ExternalId).
    • AssumeRoleWithSAML (SAML federation).
    • AssumeRoleWithWebIdentity (OIDC: Cognito, EKS IRSA, GitHub Actions and other OIDC issuers).
    • GetSessionToken (MFA-backed temporary credentials for an IAM user) and GetFederationToken (temporary federated access minted from long-term IAM user credentials; roles are preferred today).

3. Advanced Identity Patterns

🏛️ Federation & Workforce Identity

  • Use external IdPs with SAML/OIDC to authenticate.
  • AWS recommends Identity Center + external IdP over managing IAM users.
  • Attribute-based access control (ABAC) maps IdP attributes (department, project, cost center) into session tags, so one policy keyed on aws:PrincipalTag serves many teams instead of one role per team.

🔄 Cross-Account Access

  • Use IAM roles whose trust policy names the specific calling principal (a role ARN, not the account's :root) and, for third-party callers, requires an ExternalId.
  • Example: CI/CD pipeline in one account assumes a deployer role in another.
  • Best practice: No shared IAM users across accounts.

🔖 Attribute-Based Access Control (ABAC)

  • Use tags and session attributes instead of one static role per team or project.
  • Example condition: "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}
  • aws:PrincipalTag comes from the role's own tags or from session tags set at assume time (the trust policy must allow sts:TagSession); aws:ResourceTag comes from the target resource. A mismatch or a missing tag fails the StringEquals test, so untagged resources are denied by default.
  • Allows dynamic, scalable permissions as long as tagging is enforced.
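The policy-type list in section 2, the SCP guardrail and the ABAC condition above all describe one evaluation. The following is an added example, not code from the original post: a small Python model of that evaluation with constructed sample policies (the account ID 111122223333, the instance ARN, the Project tags and the region list are placeholders), so the interaction of the layers can be exercised rather than read about. It deliberately covers only Allow/Deny, Action/Resource wildcards and the StringEquals, StringNotEquals and StringLike operators with ${aws:PrincipalTag/...} variables; it is not the IAM engine.

```python
"""
Added example, not code from the original post: a small model of how the
policy layers listed above combine. It is not the IAM engine, only enough
of it to see the rules at work: Allow/Deny, wildcards in Action and
Resource, and StringEquals/StringNotEquals/StringLike with policy variables
such as ${aws:PrincipalTag/Project}. Account ID, ARNs, tags and regions are
constructed placeholders.
"""
import re
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, ctx):
    # Resolve policy variables such as ${aws:PrincipalTag/Project} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_ok(condition, ctx):
    # All operator/key pairs must hold (AND); the values under one key are ORed.
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            wanted = [_substitute(w, ctx) for w in _as_list(wanted)]
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":  # a missing key satisfies the negated test
                ok = actual is None or actual not in wanted
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatchcase(actual, w) for w in wanted)
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_ok(stmt.get("Condition"), ctx))


def evaluate_policy(policy, action, resource, ctx):
    """Verdict of ONE policy document: 'Deny', 'Allow' or None (nothing matched)."""
    verdict = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, ctx, identity, scps=(), boundary=None, session=None):
    """Same-account request, no resource-based policy, simplified:
    1. an explicit Deny in ANY layer wins;
    2. every guardrail present (each SCP, the permissions boundary, the session
       policy) must contain a matching Allow, but grants nothing by itself;
    3. the identity-based policy must contain a matching Allow."""
    layers = [identity, *scps] + [p for p in (boundary, session) if p is not None]
    verdicts = [evaluate_policy(p, action, resource, ctx) for p in layers]
    return "Deny" not in verdicts and all(v == "Allow" for v in verdicts)


# ---- constructed sample policies ------------------------------------------
ACCOUNT = "111122223333"
INSTANCE = f"arn:aws:ec2:eu-west-1:{ACCOUNT}:instance/i-0123456789abcdef0"

# SCP: allow everything, then deny any request outside the approved regions
# (a production SCP also exempts global services such as IAM and STS with NotAction).
REGION_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}}}]}

# ABAC identity policy: start/stop only instances whose Project tag equals the caller's.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": f"arn:aws:ec2:*:{ACCOUNT}:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}}]}

# Permissions boundary for a delegated admin (read-only EC2) and a start-only session policy.
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
START_ONLY_SESSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"}]}


def request_context(region="eu-west-1", principal_project="payments", resource_project="payments"):
    # Condition keys populated the way IAM fills them in for this request.
    return {"aws:RequestedRegion": region, "aws:PrincipalTag/Project": principal_project,
            "aws:ResourceTag/Project": resource_project}
```

Calling `is_allowed("ec2:StartInstances", INSTANCE, request_context(), ABAC_POLICY, [REGION_SCP])` returns True; the same call with `request_context(resource_project="billing")` (tag mismatch) or `request_context(region="ap-southeast-2")` (explicit SCP deny) returns False, and adding `boundary=READ_ONLY_BOUNDARY` or `session=START_ONLY_SESSION` shows that those layers can only take permissions away. Real evaluation adds resource-based policies, NotAction/NotResource, many more operators and cross-account rules, so use the IAM Policy Simulator or Access Analyzer for anything that matters.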

🛡️ Guardrails & Governance

  • SCPs (limit account permissions).
  • Permissions boundaries (cap what delegated admins can grant to the users and roles they create).
  • Resource policies (restrict usage to a VPC endpoint, IP range, or account via aws:SourceVpce, aws:SourceIp, aws:PrincipalAccount).
  • IAM Access Analyzer (detects unintended public/3rd-party access).
  • Policy validation tools (IAM Policy Simulator, Access Analyzer custom checks).

📦 Workload Identity (for Apps & Services)

  • IRSA (IAM Roles for Service Accounts) in EKS: pods call AssumeRoleWithWebIdentity with a projected service-account token; the role's trust policy pins the cluster's OIDC provider, the audience, and the namespace/service account in the sub claim.
  • IAM roles for Lambda: one execution role per function, least privilege.
  • IAM roles for EC2: attached via instance profiles; credentials are fetched from the instance metadata service, so require IMDSv2.
  • Service-linked roles: Predefined by AWS services.
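The cross-account section above and the workload-identity list both come down to the role's trust policy: who may call AssumeRole or AssumeRoleWithWebIdentity, and under which conditions. The following is an added example, not code from the original post: Python helpers that produce those trust policies for a CI pipeline role in another account, an EKS pod (IRSA) and a GitHub Actions job, plus a small linter for the over-broad trust policies Access Analyzer would also surface. Account IDs 111122223333 and 444455556666, the role name ci-runner, the cluster OIDC ID, the repository twtech/infra and the lint rules are this example's own placeholders, not AWS identifiers or an AWS API.

```python
"""
Added example, not code from the original post: the role trust policies
behind two patterns above, cross-account access (a pipeline role in a CI
account assuming a deployer role) and OIDC workload identity (an EKS pod via
IRSA, or a GitHub Actions job, calling AssumeRoleWithWebIdentity), plus a
small linter for the trust-policy mistakes Access Analyzer would also flag.
Account IDs, role names, cluster ID and repository are placeholders.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cross_account_trust_policy(trusted_account_id, trusted_role_name, external_id=None):
    """Trust ONE named role in the other account, not its :root (the whole account).
    sts:ExternalId adds confused-deputy protection when the caller is a third party."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:role/{trusted_role_name}"},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def oidc_trust_policy(account_id, provider, audience, subject, subject_operator="StringEquals"):
    """Trust policy for AssumeRoleWithWebIdentity: aud pins the token audience and
    sub pins the workload. Without the sub condition every identity the provider
    can issue a token for (any repo, any pod) could assume the role."""
    condition = {"StringEquals": {f"{provider}:aud": audience}}
    condition.setdefault(subject_operator, {})[f"{provider}:sub"] = subject
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


def eks_irsa_trust_policy(account_id, region, cluster_oidc_id, namespace, service_account):
    # IRSA: the cluster's OIDC issuer is the provider; sub names namespace and service account.
    provider = f"oidc.eks.{region}.amazonaws.com/id/{cluster_oidc_id}"
    return oidc_trust_policy(account_id, provider, "sts.amazonaws.com",
                             f"system:serviceaccount:{namespace}:{service_account}")


def github_actions_trust_policy(account_id, repo, ref="refs/heads/main"):
    # GitHub's sub claim is repo:<org>/<name>:ref:<ref>; StringLike allows a ref pattern.
    return oidc_trust_policy(account_id, "token.actions.githubusercontent.com", "sts.amazonaws.com",
                             f"repo:{repo}:ref:{ref}", subject_operator="StringLike")


def lint_trust_policy(policy):
    """Return findings for an over-broad trust policy (empty list = clean).
    The rules are this example's own, not an AWS API."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        condition_keys = {k for pairs in stmt.get("Condition", {}).values() for k in pairs}
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append(f"statement {i}: wildcard principal, any AWS account can assume the role")
            elif (arn.endswith(":root") or arn.isdigit()) and not condition_keys:
                findings.append(f"statement {i}: trusts every principal in account "
                                f"{arn.split(':')[4] if ':' in arn else arn} with no condition; "
                                "name a specific role ARN instead")
        for arn in _as_list(principal.get("Federated", [])):
            if "oidc-provider/" not in arn:
                continue
            provider = arn.split("oidc-provider/", 1)[1]
            for claim in ("aud", "sub"):
                if f"{provider}:{claim}" not in condition_keys:
                    findings.append(f"statement {i}: OIDC trust has no {provider}:{claim} condition")
    return findings


if __name__ == "__main__":
    import json
    deployer = cross_account_trust_policy("444455556666", "ci-runner", external_id="twtech-ci-7f3a")
    print(json.dumps(deployer, indent=2), lint_trust_policy(deployer))
    loose = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]}
    print(lint_trust_policy(loose))
```

The deployer policy lints clean; the `loose` policy, which trusts the whole CI account, produces one finding. Dropping the `:sub` condition from the GitHub policy produces a finding too, which is the check worth automating: the aud condition alone is satisfied by a token from any repository. On the calling side, the pipeline still needs `sts:AssumeRole` on the deployer role ARN in its own account, and should pass a session policy to narrow the deploy further.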

🔐 Fine-Grained & Advanced Controls

  • KMS key policies + IAM for encryption governance: the key policy is authoritative, and IAM policies only take effect for a key once its key policy delegates to the account.
  • STS session policies for temporary restrictions.
  • Conditional access: aws:SourceIp, aws:RequestTag, aws:PrincipalTag, aws:CalledVia.

4. Modern Best Practices

  • No IAM users for workforce → Use Identity Center + external IdP.
  • No long-lived credentials → Use roles + STS (temporary).
  • ABAC over RBAC for scalable access.
  • Multi-account strategy with AWS Organizations.
  • Centralized governance → SCPs, Config, Control Tower.
  • IAM Access Analyzer + CloudTrail for continuous monitoring.
  • MFA enforced everywhere.
  • Key rotation & least privilege at all times.

5. Emerging & Advanced Trends

  • Identity-Centric Zero Trust in AWS: context-aware, attribute-based authorization.
  • IAM Roles Anywhere: on-prem workloads present an X.509 certificate from a registered CA (trust anchor) to obtain temporary role credentials, replacing long-lived access keys.
  • Service-to-service OIDC federation: Workloads in Kubernetes, GitHub Actions, and third parties assuming AWS roles directly.
  • Delegated Administration: Using Organizations to allow controlled admin of IAM Identity Center or GuardDuty across accounts.
  • AWS Verified Access: remote workforce access to private apps gated on identity plus device posture, without a VPN.

twtechKeyTakeAway:

  • AWS identity is shifting from IAM users and static policies to federation, temporary credentials, ABAC, and centralized governance.
  • The key themes are least privilege, automation, a multi-account strategy, federation, and continuous monitoring.
