DEV Community

Yashvi Kothari for AWS Community Builders

IAM Deep Dive: AWS Security SCS-C02 Exam Prep 1

**1. What is Identity and Access Management?**

A service/system that protects your valuable AWS resources.

IAM defines:

  • who can access your AWS account
  • what they can do.

IAM itself consists of:

Identity Management:

  • who can access your AWS account.
  • IAM uses unique usernames to identify individuals within your account, preventing duplicate user accounts.

Authentication:

  • verifies that the identified user is who they claim to be.
  • usually involves providing a username and password; Multi-Factor Authentication (MFA) can be added for extra security.

Access Management:

  • determines what resources an authenticated user can access.
  • grants granular permissions, such as "Full Access" to EC2 or "Read Only" to RDS.

Access Control

Methods used to grant access:

  1. Username/password
     • Traditional method, basic security.
     • While effective for simple setups, it's vulnerable to password breaches.

  2. MFA
     • MFA significantly reduces the risk of unauthorized access, even if credentials are compromised.
     • Time-based One-Time Password (TOTP): Generates a unique code that expires after a short time.
     • Push notifications: Sends a notification to a registered device, requiring user confirmation.
     • Hardware tokens: Physical devices that generate unique codes.

  3. Federated access
     • Simplifies user management and provides a seamless login experience.
     • Relies on the security measures of the external identity provider.
     • External identity provider: Allows users outside your AWS account to access resources using credentials from a trusted external identity provider.
     • Single sign-on (SSO): Enables users to log in to multiple applications with a single set of credentials.
     • Social login: Allows users to sign in using their existing accounts from social media platforms (e.g., Google, Facebook).
     • Enterprise identity providers: Integrates with your organization's existing identity management systems (e.g., Active Directory).

Why IAM ?

  • Minimize risks: Restrict access to resources, preventing unauthorized individuals from causing damage.
  • Enhance compliance: Meet industry standards and regulations by adhering to secure access protocols.
  • Improve manageability: Simplify user access and resource management within your AWS account.

**2. AWS IAM Features**

Access Management:

  • Users:
    Individual identities (people or applications) needing access to AWS resources.
    Each user has a unique ARN (Amazon Resource Name).
    Users can have Multi-Factor Authentication (MFA) enabled for enhanced security.

  • IAM User Groups:
    Collections of IAM users.
    Policies attached to a group grant or deny access to resources for all of its members.

  • Roles:

Temporary credentials used by users, other AWS services, or applications to access resources.
Roles don't have passwords but can be assumed by authorized identities.

  • Policies (JSON documents): Define what resources can be accessed (or denied) and by whom. Policies can be attached to users, groups, or roles.


  • Account Settings: Enforce password policies with minimum security requirements.

  • Security Token Service (STS):

Provides temporary, limited-privilege credentials for IAM and federated users.
Regional endpoints are available for lower latency.

Access Reports:

Access Analyzer:
Identifies policies granting access to resources from outside your trusted zone (e.g., cross-account access).
Helps identify potential security risks.

Credential Report:

Generates a CSV file listing all IAM users with details like last used date, password change history, and MFA status.
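The credential report is only useful if something reads it. The following is an added example (not from the post) that parses a constructed report with the column names AWS uses and flags the findings an exam candidate should recognise: root without MFA, console users without MFA, stale passwords and idle access keys. The account ID, user names and timestamps are made up; a real run would feed in the CSV returned by `aws iam get-credential-report`.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample report using the column names AWS uses (other columns omitted).
# The account ID, user names and timestamps are made up for illustration.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,false,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T00:00:00+00:00,true,2024-06-01T08:00:00+00:00,2024-05-01T00:00:00+00:00,true,true,2024-06-01T09:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-03-10T00:00:00+00:00,true,2024-06-02T08:00:00+00:00,2022-03-10T00:00:00+00:00,false,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-07-01T00:00:00+00:00,false,no_information,N/A,false,true,2023-09-01T00:00:00+00:00
"""
# Fixed "now" so results are reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

def _parse_ts(value):
    """Return an aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(csv_text, now=NOW, max_password_age_days=90, max_key_idle_days=90):
    """Return (user, finding) pairs for rows that violate the checks below."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":  # the report lists root under this literal name
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if row["access_key_1_active"] == "true":
                findings.append((user, "root account has an active access key"))
            continue
        if row["password_enabled"] == "true":  # console user
            if row["mfa_active"] != "true":
                findings.append((user, "console password enabled without MFA"))
            changed = _parse_ts(row["password_last_changed"])
            if changed and (now - changed).days > max_password_age_days:
                findings.append((user, f"password older than {max_password_age_days} days"))
        if row["access_key_1_active"] == "true":  # programmatic credentials
            last_used = _parse_ts(row["access_key_1_last_used_date"])
            if last_used is None or (now - last_used).days > max_key_idle_days:
                findings.append((user, f"access key 1 idle for more than {max_key_idle_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```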

Organization Activity (for AWS Organizations users):

Shows service activity for the past year within an account or organizational unit (OU).
Identifies active users and services accessed.

Service Control Policies (SCPs):
Set boundaries for permissions across AWS accounts within Organizations. SCPs can override identity-based policies for stricter control.

Example:
If a user has full access to S3, RDS, and EC2 through an IAM policy, but the Service Control Policy (SCP) denies access to S3, the user will only be able to access RDS and EC2. The SCP takes precedence and limits the maximum permissions allowed.
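The scenario above, worked through as an added Python simulation (not code from the post): an identity policy allowing S3, RDS and EC2 is evaluated together with an SCP that allows everything but explicitly denies S3. The evaluation rule is simplified to "an explicit Deny anywhere wins; otherwise both the SCP and the identity policy must Allow". Resource, Condition and NotAction matching, permission boundaries and resource-based policies are deliberately left out, so this models only the Action/Effect part of real IAM evaluation.

```python
import fnmatch
import json

# Identity-based policy from the example: full access to S3, RDS and EC2.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "rds:*", "ec2:*"], "Resource": "*"}
  ]
}""")

# SCP from the example: allow everything, but explicitly deny S3.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    """Case-insensitive wildcard match of an action against a statement's Action field."""
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins inside a policy
            result = "Allow"
    return result

def is_allowed(action, identity_policy, scp):
    """Simplified effective permission: the SCP caps what the identity policy can grant."""
    return _decision(scp, action) == "Allow" and _decision(identity_policy, action) == "Allow"

if __name__ == "__main__":
    for act in ["s3:GetObject", "rds:DescribeDBInstances", "ec2:RunInstances", "iam:CreateUser"]:
        print(f"{act}: {'allowed' if is_allowed(act, IDENTITY_POLICY, SCP) else 'denied'}")
```

The last action shows the other half of the rule: the SCP allows `iam:CreateUser`, but an SCP never grants anything by itself, so without an identity policy allowing it the call is still denied.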


Top comments (1)

William Laim:

Thrilled to share that I passed the SCS-C02 exam today. P2PCERTS was the key to my success with their authentic and comprehensive material!
p2pcerts.com/amazon/scs-c02-dumps....
