Advanced Identity in AWS - Overview.🔐
Scope:
- Intro
- Core Advanced Strategies
- Governance and Automation
- Policy Refinement
- Links to documentation
- Identity Foundations
- Core AWS Identity Services
- Advanced Identity Patterns
- Modern Best Practices
- Emerging & Advanced Trends
- KeyTakeAway
Intro:
- Advanced identity management in AWS focuses on granular control, automation, and centralized governance to secure large-scale environments.
- Attribute-Based Access Control (ABAC): A strategy that defines permissions based on attributes, such as tags on users and resources.
- Attribute-Based Access Control allows for dynamic scaling since twtech doesn't need to update individual policies when adding new resources.
- IAM Identity Center: Recommended for centralized management of human user access across multiple AWS accounts.
- IAM Identity Center integrates with external providers like Okta, Microsoft Entra ID, and Google Workspace.
- Permissions Boundaries: A feature used to set the maximum permissions that an identity-based policy can grant.
- Permissions Boundaries are essential for delegating policy creation to developers without allowing them to escalate their own privileges.
- Service Control Policies (SCPs): Used within AWS Organizations to establish central security guardrails.
- SCPs define the maximum available permissions for all accounts in an organization or organizational unit (OU).
- IAM Access Analyzer: Automates the process of identifying resources shared with external entities and helps generate least-privilege policies based on actual access activity.
- IAM Roles Anywhere: Enables workloads outside of AWS, such as on-premises servers or containers, to securely obtain temporary AWS credentials using digital certificates instead of long-term access keys.
- Condition Keys: Advanced policies use global or service-specific condition keys to restrict access based on variables like source IP, request time, or whether MFA was used.
- Cross-Account Roles: Instead of creating duplicate users, twtech can use roles to delegate access across different AWS accounts, providing a unified audit trail and reducing credential sprawl.
https://aws.amazon.com/blogs/security/techniques-for-writing-least-privilege-iam-policies/
https://docs.aws.amazon.com/managedservices/latest/userguide/sec-iam.html
1. Identity Foundations
AWS identity is built around two questions:
- Who or what someone is (identities).
- What someone can do (permissions).
- Principals: Can be users, roles, services, applications, or federated entities.
- Authentication: Verifying the identity (IAM, AWS SSO/Identity Center, federation).
- Authorization: What actions the principal is allowed to perform (IAM policies, SCPs, permission boundaries).
2. Core AWS Identity Services
💻 IAM (Identity and Access Management)
- IAM Users: Long-term credentials (not recommended for humans anymore).
- IAM Roles: Temporary, assumable identities for workloads, services, and federation.
- IAM Groups: Collections of users with shared policies.
- IAM Policies: JSON docs defining permissions; key types:
  - Identity-based policies (attached to a user, role, or group).
  - Resource-based policies (e.g., S3 bucket policy, KMS key policy).
  - Session policies (applied via STS AssumeRole).
  - Permissions boundaries (limit the maximum permissions).
  - Service control policies (SCPs) (organization-wide guardrails).
🌍 AWS Organizations + SCPs (Service control policies)
- Manage multi-account identity governance.
- SCPs restrict maximum allowed permissions, even if an IAM policy allows it.
- Examples: Deny * outside specific regions, enforce tagging policies, deny root access.
👤 AWS Identity Center (Successor to AWS SSO… single sign-on)
- Central hub for workforce identity.
- Integrates with IdPs (Okta, Azure AD, Ping, etc.) via SAML or OIDC.
- SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) are both open standard protocols used for implementing single sign-on (SSO) and federated authentication, allowing users to access multiple applications with one set of credentials.
- Provides role-based access into multiple AWS accounts.
- Assigns fine-grained permissions without IAM users.
- Supports MFA, SCIM provisioning, and attribute-based access control (ABAC).
🌐 Amazon Cognito
- Customer identity (CIAM).
- Sign-up, sign-in, and federation for apps.
- Works with OIDC, SAML, social IdPs (Google, Facebook, Apple).
- Provides JWTs for API authorization (with API Gateway, AppSync, etc.).
AWS STS (Security Token Service)
- Issues temporary credentials for roles, federation, and cross-account access.
- Key APIs:
  - AssumeRole (cross-account/service access).
  - AssumeRoleWithSAML (federation).
  - AssumeRoleWithWebIdentity (OIDC, Cognito, Kubernetes IRSA).
  - GetFederationToken (temporary federated access).
3. Advanced Identity Patterns
🏛️ Federation & Workforce Identity
- Use external IdPs with SAML/OIDC to authenticate.
- AWS recommends Identity Center + external IdP over managing IAM users.
- Attribute-based access control (ABAC) can map IdP attributes (like department or role) into IAM session tags for fine-grained permissions.
🔄 Cross-Account Access
- Use IAM roles with trust policies.
- Example: CI/CD pipeline in one account assumes a deployer role in another.
- Best practice: No shared IAM users across accounts.
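The cross-account pattern above stands or falls on the role's trust policy: a named principal in the pipeline account is fine, a wildcard principal or an unknown external account is the kind of unintended access that IAM Access Analyzer (mentioned later on this page) reports. The following added example, not code from the original post, is a small trust-policy linter for that check. The account ids, role names and ExternalId value are constructed placeholders, and the set of "in-organization" accounts is an assumption you would replace with your own Organization's account list.

```python
import json

# Constructed sample trust policies (not from the original post). The account ids
# 111111111111 / 222222222222 / 333333333333 are placeholders.
IN_ORG_ACCOUNTS = {"111111111111", "222222222222"}  # assumed: accounts in our own Organization

# Deployer role in account 222222222222 that only a named CI/CD role in
# account 111111111111 may assume.
DEPLOYER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci-pipeline"},
        "Action": "sts:AssumeRole",
    }],
}

# Third-party (vendor) account trusted without an sts:ExternalId condition.
VENDOR_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Anyone may assume the role: the classic "public" trust policy.
PUBLIC_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Account id behind an AWS principal ('*' for the wildcard principal)."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    # arn:partition:service:region:account:resource -> the account is field 4
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    return principal  # a bare 12-digit account id


def lint_trust_policy(policy, in_org_accounts):
    """Return (statement index, finding code) pairs for risky AssumeRole grants."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append((idx, "WILDCARD_PRINCIPAL"))
            continue
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())
        for p in _as_list(principal.get("AWS", [])):
            account = principal_account(p)
            if account == "*":
                findings.append((idx, "WILDCARD_PRINCIPAL"))
            elif account not in in_org_accounts:
                findings.append((idx, "EXTERNAL_ACCOUNT"))
                if not has_external_id:
                    findings.append((idx, "MISSING_EXTERNAL_ID"))
    return findings


if __name__ == "__main__":
    for name, policy in [("deployer", DEPLOYER_TRUST_POLICY),
                         ("vendor", VENDOR_TRUST_POLICY),
                         ("public", PUBLIC_TRUST_POLICY)]:
        print(name, json.dumps(lint_trust_policy(policy, IN_ORG_ACCOUNTS)))
```

Only `Principal.AWS` is inspected; service principals (`Principal.Service`) and federated principals follow different rules and are left alone. The `MISSING_EXTERNAL_ID` finding is raised only for accounts outside your organization, which is where the confused-deputy protection that `sts:ExternalId` provides actually matters.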
🔖 Attribute-Based Access Control (ABAC)
- Use tags + session attributes instead of static role-permissions.
- Example condition: "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}
- Allows dynamic, scalable permissions.
🛡️ Guardrails & Governance
- SCPs (limit account permissions).
- Permissions boundaries (limit delegated admins).
- Resource policies (restrict usage to VPC, IP range, account).
- IAM Access Analyzer (detects unintended public/3rd-party access).
- Policy validation tools (IAM Policy Simulator, Access Analyzer custom checks).
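SCPs and permissions boundaries, introduced in the Intro and listed again here, both cap what an identity policy can grant: a request succeeds only when the SCP, the boundary and the identity policy each allow it, and an explicit Deny in any of them wins. The following added example, not code from the original post or from AWS, is a deliberately simplified evaluator that shows that layering on three constructed sample policies (a guardrail SCP, a boundary for a delegated developer role, and an over-broad identity policy). It handles Action and Resource with IAM's `*`/`?` wildcards only; NotAction, Condition blocks and resource-based policies are out of scope.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not from the original post). They model a developer
# role in a member account: an SCP from the Organization, a permissions boundary set
# by the platform team, and the identity policy the developer attached themselves.
SCP = {  # organization guardrail: everything allowed except a few dangerous actions
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:CreateAccessKey", "organizations:LeaveOrganization"],
         "Resource": "*"},
    ],
}

BOUNDARY = {  # maximum permissions the delegated role may ever hold
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "logs:*"], "Resource": "*"}],
}

IDENTITY_POLICY = {  # what the developer granted themselves (over-broad on purpose)
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:*", "ec2:RunInstances"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' and '?' are supported; action names are case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or None (no matching statement).
    Supports Action/Resource only (no NotAction/NotResource or Condition)."""
    decision = None
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policy, scp=None, boundary=None):
    """Simplified IAM evaluation for a principal inside an Organization: an explicit
    Deny in any layer wins; otherwise the SCP, the boundary (if set) and the identity
    policy must each Allow. Returns (allowed, reason)."""
    layers = [("identity policy", identity_policy), ("SCP", scp), ("permissions boundary", boundary)]
    decisions = {name: evaluate(doc, action, resource) for name, doc in layers if doc is not None}
    for name, decision in decisions.items():
        if decision == "Deny":
            return False, f"explicit deny in {name}"
    for name, decision in decisions.items():
        if decision != "Allow":
            return False, f"not allowed by {name}"
    return True, "allowed by all layers"


if __name__ == "__main__":
    for action in ["s3:GetObject", "ec2:RunInstances", "iam:CreateUser", "iam:GetUser", "dynamodb:PutItem"]:
        print(action, is_allowed(action, "*", IDENTITY_POLICY, SCP, BOUNDARY))
```

The interesting rows are `ec2:RunInstances` and `iam:GetUser`: the developer's identity policy grants both, yet both are refused because the boundary never listed them, which is exactly why a boundary lets you delegate policy authoring without delegating privilege escalation. `dynamodb:PutItem` fails the other way round: the boundary permits it, but nothing in the identity policy grants it, so a boundary is a ceiling, never a grant.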
📦 Workload Identity (for Apps & Services)
- IRSA (IAM Roles for Service Accounts) in EKS: Pods assume IAM roles via OIDC federation.
- OIDC (OpenID Connect) federation is a mechanism that allows a service provider (Relying Party) to trust identities managed by an external identity provider (IdP).
- Instead of creating new usernames and passwords, users use their existing accounts from providers like Google, Microsoft Entra ID, or Okta to access different applications or cloud services.
- IAM roles for Lambda: Least-privilege per function.
- IAM roles for EC2: Instance profiles.
- Service-linked roles: Predefined by AWS services.
🔐 Fine-Grained & Advanced Controls
- KMS Key policies + IAM for encryption governance.
- STS session policies for temporary restrictions.
- Conditional access with condition keys such as:
  - aws:SourceIp
  - aws:RequestTag
  - aws:PrincipalTag
  - aws:CalledVia
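The ABAC condition shown earlier on this page (`"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"`) and the conditional-access keys listed above are both evaluated by the same mechanism: the Condition block is checked against the request context after policy variables are expanded. The following added example, not code from the original post or from AWS, is a small evaluator for that mechanism. It goes beyond the page's single StringEquals case to cover IpAddress, Bool and negated operators, and it uses the real condition keys `aws:SourceIp`, `aws:MultiFactorAuthPresent` and `aws:RequestedRegion`; the request contexts, tag values and CIDR ranges are constructed sample data.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed sample Condition blocks (not from the original post).
ABAC_CONDITION = {
    "StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}
}
CONDITIONAL_ACCESS = {
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
    "IpAddress": {"aws:SourceIp": ["10.0.0.0/8", "192.0.2.0/24"]},  # constructed corporate ranges
}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def substitute_variables(value, context):
    """Expand policy variables such as ${aws:PrincipalTag/Project} from the request
    context. Returns None if a referenced key is absent (the condition then fails)."""
    try:
        return _VARIABLE.sub(lambda m: context[m.group(1)], value)
    except KeyError:
        return None


def _compare(operator, expected, actual):
    """One operator applied to one expected value and the actual context value."""
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "StringLike":
        return fnmatchcase(actual, expected)
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if operator == "NotIpAddress":
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(expected, strict=False)
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"unsupported condition operator: {operator}")


def condition_matches(condition, context):
    """Evaluate a Condition block: operators and keys are ANDed; for a positive operator
    the listed values are ORed, for a negated one (StringNotEquals, NotIpAddress) the
    actual value must differ from all of them. A key missing from the request fails a
    positive operator and satisfies a negated one, as in IAM."""
    for operator, keys in condition.items():
        negated = "Not" in operator
        combine = all if negated else any
        for key, expected_values in keys.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            expanded = [substitute_variables(v, context) for v in _as_list(expected_values)]
            if not combine(e is not None and _compare(operator, e, actual) for e in expanded):
                return False
    return True


if __name__ == "__main__":
    # Same policy, three resources: only the tag values decide, so a newly created
    # resource tagged Project=blue is reachable without touching the policy.
    for resource_tag in ["blue", "red", None]:
        ctx = {"aws:PrincipalTag/Project": "blue"}
        if resource_tag is not None:
            ctx["aws:ResourceTag/Project"] = resource_tag
        print("ABAC resource tag", resource_tag, "->", condition_matches(ABAC_CONDITION, ctx))
    print("MFA from corporate IP ->",
          condition_matches(CONDITIONAL_ACCESS, {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "10.1.2.3"}))
```

The untagged-resource row is the one to remember when rolling out ABAC: a resource with no `Project` tag matches nothing, so tagging discipline (the tagging policies mentioned under AWS Organizations above) is what keeps access from silently disappearing.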
4. Modern Best Practices
- No IAM users for workforce → Use Identity Center + external IdP.
- No long-lived credentials → Use roles + STS (temporary).
- ABAC over RBAC for scalable access.
- Multi-account strategy with AWS Organizations.
- Centralized governance → SCPs, Config, Control Tower.
- IAM Access Analyzer + CloudTrail for continuous monitoring.
- MFA enforced everywhere.
- Key rotation & least privilege at all times.
5. Emerging & Advanced Trends
- Identity-Centric Zero Trust in AWS: context-aware, attribute-based authorization.
- IAM Roles Anywhere: Extend IAM roles to on-prem workloads using X.509 certs.
- Service-to-service OIDC federation: Workloads in Kubernetes, GitHub Actions, and third parties assuming AWS roles directly.
- Delegated Administration: Using Organizations to allow controlled admin of IAM Identity Center or GuardDuty across accounts.
- Verified Access (VA): Secure remote workforce access to private apps with identity + device posture.
twtech-KeyTakeAway:
- AWS identity is shifting from IAM users & static policies → to federation, temporary credentials, ABAC, and centralized governance.
- The key themes are: least privilege, automation, multi-account strategy, federation, and continuous monitoring.