DEV Community: JosephHonpah

🚀🚀Setting Up AWS Firewall Manager Used For Auditing Security Groups in AWS Organization accounts.

JosephHonpah — Fri, 21 Mar 2025 14:22:43 +0000

Managing security at scale in a multi-account AWS environment can be challenging. One common concern is ensuring security groups are configured according to your organization's security policies. AWS Firewall Manager simplifies this by enabling centralized management and auditing of security groups across AWS Organization accounts.

In this post, we’ll walk through the process of setting up AWS Firewall Manager to audit security groups in an AWS Organization.

❓What is AWS Firewall Manager?

AWS Firewall Manager is a security management service that makes it easier to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. You can use Firewall Manager to manage AWS WAF, AWS Shield Advanced, VPC, security groups, AWS Network Firewall, and more.

One powerful feature is Security Group policies, which allow you to audit and enforce security group rules at scale.

✍🏾 Why Audit Security Groups?

Improperly configured security groups can expose resources to unnecessary risk. Auditing ensures:

No overly permissive rules (e.g., allowing 0.0.0.0/0 for SSH or RDP)

Consistent rules across accounts and VPCs. Identification and correction of non-compliant security groups.

This Demo is specifically for auditing security groups in AWS organizations accounts.

⚗️ Pre-Requisites

AWS Organizations Setup

i) In this Demo we are not setting up the AWS Organization and all accounts should be part of an AWS Organization.

ii) AWS Config must be enabled in all member accounts (Firewall Manager relies on AWS Config for resource visibility).

Firewall Manager Administrator Account

i) You need to designate an administrator account for Firewall Manager in AWS Organizations. This account will manage and deploy policies across the org.

Permissions

i) The administrator account needs the necessary IAM permissions to manage Firewall Manager policies and read AWS Config data.

With all the above present in your good to go. I have AWS organizations setup already with management account “Josephndambombi” ending with ××××××××6565 and member account “Firewall1” ending with ××××××××3165, which was used for this Demo.

1️⃣ STEP 1: Setting up Firewall Manager from the management account of AWS Organization and resources such as SG, EC2 and AWS config from member account.

Firstly, you need to log into the management account (Josephndambombi “accountID xxxxxxxx6565"). Navigate to the search bar of the management console and search for AWS Firewall Manager, click on get started.

Put in the account Account ID of your management account (xxxxxxxx6565) and click on the Create administrator account.

Login to your member account (firewall1 “account ID xxxxxxxx3165") and the first prerequisite for Firewall Manager is AWS config on member accounts. Search for AWS config on the search bar and if it’s the first time enabling config click on 1-click setup. If it’s not the first time, you should click on settings and enable. Keep everything as default, click on create a bucket and create.

CREATING SECURITY GROUP

Once the AWS config is created, we will be needing two SGs. One which will act as the insecure SG for firewall manage to detect as non-complaint and one which will be secure to test if the firewall manager will detect complaint SG. Navigate to the EC2 console. Scroll down, click on the security group and create a security group.

Give it a name (Insecure-SG) , a description and scroll down to inbound rules.

For inbound rules, click on add rule and add port 3306 for MySQL DB. For IP address put any public IP (215.165.85.250/32). Since databases are not allowed to be accessible by public addresses this will be insecure SG and want FWM to detect this insecure access. Scroll down and click to create SG.

Need to create another security group which is the secure SG for this demo (Secure-SG). Click on create security SG.

Give it a name (Secure-SG), description and scroll down to inbound rules.

Click on add rule, type “3306" for port and a private IP address"10.0.0.0/32", Which will be the secure SG. Scroll down and click create SG

CREATING EC2 INSTANCE.

We need two ec2 instances to attach to the insecure and secure SG to test if the firewall manager is going to detect them. Navigate to the EC2 console and click on launch instances.

Give it a name (Demo-EC2) scroll down and keep everything as default.

Proceed without a key pair, Check ✅ on the select existing Security group and attach the insecure SG created above (Insecure-SG). Scroll down and click on the launch instance.

Create the second instance which will be the secure ec2. Click on the launch instance.

Give it a name (Secure-Demo-EC2) and scroll down.

Proceed without a key pair, click on select existing Security group and attach the secure security group (secure-SG). Scroll down and click the launch instance.

You should now have two ec2 instances. One which is secure and one insecure instance.

Setting up an Ideal(most secure to follow) security group in the management account(Josephndambombi), the firewall manager will evaluate security groups in member accounts(firewall1) based on the Ideal SG.

Back on management account (Josephndambombi “accountID: xxxxxxxx6565") navigate to EC2, scroll down to security group and click create security group.

Give it a name (Audit-SG), a description and scroll down to inbound rules.

Click on the add rule, port 3306 and on the source IP attach the entire CIDR range for private IP ranges (10.0.0.0/8), which will not allow any public IP range. Scroll down and click on create security group.

Navigate to the firewall manager on the management account (Josephndambombi), click on security policies and click on the create policy.

Keep in mind the region your using to create these resources in management account and in member account (firewall1). Select region “US East(N.Virginia)” , under policy details since we are auditing SG you check on the security group. Check ✅ on Auditing and enforcement of security group rules, Click next.

Give a policy name(DB-Access-SG-Policy), give a description. Check on configure custom policy rules and scroll down.

In the custom rule, click Add security groups and select the Ideal SG (Audit-SG) which you created for the firewall manager to use, Click next.

Check ✅ Include all accounts under my organization, select all resource type and resources check ✅ Include all resources that match the selected resource type. Click next

Keep policy tags as default and click next

Review details, scroll down and click create policy.

2️⃣STEP 2: Testing if firewall manager can detect these secure and insecure SG, instances and eni which are attached to the instances upon creation.

First switching to the member account (firewall1), navigate to AWS config you should see 3 complaint and 3 non-complaint resources. Which are the secure and insecure resources created at the beginning of this demo.

click on Rules and you should see Firewall manager has created a configuration to detect non compliant resources.

Click on the created rule and you will see the three resources which were created early in this Demo to detect insecure resources. That is the Insecure-SG, Demo-EC2 and the Eni attached to the EC2 instance as non-compliant. Indicating it works properly.

Login to the management account (Josephndambombi) to check what Firewall Manager has found as complaint and non compliant in the AWS organization. Click on security policies (DB-Access-SG-Policy).

You will find the management account (Josephndambombi “xxxxxxxx6565") to be complaint and the member account (firewall1 “xxxxxxxx3165") to be non-compliant due to 3 insecure resources in the member account. Click on the member account.

You will find the same insecure resources which were created above( Demo-EC2, Insecure-SG and the Eni of the instance). And under validation reason you will see it violates the audit security group policy created earlier.

To solve this just enable auto-remediation in the firewall manager or you login to the member account and edit the inbound rules of the insecure-SG to have a private source IP range.

Do not forget to clean up resources first by terminating the EC2 instances, deleting SGs and delete firewall policy

Hurray 🎉 and we just used config and firewall manager to track complaint and non-complaint resources in AWS organizations.

Best Practices

Start in Audit Mode before enabling remediation to understand the impact.
Tag your resources to simplify policy scoping.
Enable AWS Config Aggregators to get a unified view across regions and accounts.
Use AWS Security Hub to aggregate and prioritize security findings.

Conclusion

AWS Firewall Manager makes it easier to manage and audit security groups across multiple accounts in AWS Organizations. By following this guide, you can ensure your security groups adhere to best practices and reduce the risk of misconfiguration.

If you found this post helpful or have questions about AWS security management, feel free to comment below! 👇🏾 And please like and share for more contents like this 💗

AWS #AWSCommuintyBuilder #Letslearn #Security

By Joseph Ndambombi Honpah on March 20, 2025.

Canonical link

Exported from Medium on March 21, 2025.

HANDS ON GUIDE TO AWS ROLE AND PERMISSIONS (STS ASSUME ROLE)

JosephHonpah — Sat, 08 Mar 2025 14:46:52 +0000

DEMO GUIDE TO AWS ROLE: AWS SECURITY TOKEN SERVICE (STS) Assume Role.

Reference

by Joseph Ndambombi Honpah

7 hours ago

🔑 What is Assume Role?
AWS STS Assume Role allows you to grant temporary, limited-privilege credentials to users or applications. This is especially useful for scenarios like granting EC2 instances access to AWS resources without hard coding long-term credentials.

💡 Why Use Assume Role for EC2 Access?
1️⃣Enhanced Security: Avoid storing long-term credentials on your instances.
2️⃣Granular Permissions: Assign only the permissions needed for specific tasks.
3️⃣Auditability: Track and monitor temporary credentials for better compliance.

✍🏾In this Demo you want your management account to grant ONLY short term credentials for EC2 access to your newly created IAM user, to perform actions on EC2 console.

📝Prerequisite for this Demo.

1️⃣Two AWS IAM user accounts created by navigating to AWS MANAGEMENT CONSOLE

2️⃣Note pad for writing.

📈Cost for this Demo is zero $ unless you choose to spin up EC2 instances which may incur some charges or except you’re in Free Tier.

1️⃣ Creating a new IAM user just for demo, if you have one already set up you can skip this section.

Navigate to the management console for the management account and search IAM and click on it.
Go to users and click on the create user.

Give the IAM user name (Demo-STS), check on the Provide User access and check Create an IAM user box ☑️.

Auto-generate password and leave everything as default, scroll down click next

Leave everything as default and click next

Review your details and scroll down click on create.

Retrieve the details and save on the note pad for reference.

On a new browser, copy and paste the console sign-in details and sign in to the newly created IAM user with the details collected above.

Once you’re signed into the new user (Demo-STS user), navigate to the EC2 console and you would have no permissions granted for the account.

2️⃣ Creating STS Assume Role and adding EC2 permissions to that Role for the newly created account to use EC2 service.

Back on the management account, in the IAM console click on Roles and create role.

Click on check box ☑️ Trusted entity AWS account and This account, Scroll down and click next.

Add permissions by searching for AmazonEC2FullAccess. Once selected, scroll down and click next.

Give Role name (EC2-Full-Access-STS), Review and scroll down to create.

Still in the management account, click Roles and click on the role just created above to retrieve Role ARN and Link to switch roles to console which will be used in the next part of this Demo.

Click on the new IAM user (Demo-STS) created. Click on add permissions drop down and create inline policy.

Click on JSON and edit the action to “STSAssumeRole”, and Resource should be the ARN of the role created above “(EC2-Full-AccessSTS)” Scroll down and click next.

Give the policy name (EC2-Full-Access-STS) review, scroll down and click create policy.

To confirm that after the inline policy is created, it does not give EC2 access to the new IAM user (Demo-STS) yet.

You have to do that by navigating to roles in the management account, click on the role created(EC2-Full-AccessSTS) Copy and paste the “Link switch roles in console” to a new browser and press enter.

3️⃣ Checking if Assume Role is established and can be used by the new IAM user (Demo-STS).

Sign in using the Link switch roles in console in a new browser and with the new IAM user (Demo-STS) and click on Switch Role.

You can see the new IAM user (Demo-STS) now has full access ONLY to EC2 services.

Try checking for an S3 bucket with the same user and you will see it has no access to S3 services. Says Access Denied, because we did not attach the S3accesspolicy to the IAM role of the management account.

Select the drop down and click on sign out current account

Now you are back to original permissions for Demo-STS which has no access to EC2.

4️⃣ Cleaning up your environment.

First click on Roles and delete the role (EC2-FULL-ACCESSSTS). Next click on Users and delete the newly created IAM user (Demo-STS).

🥳👏🏾Well done, we just did an STS ASSUME ROLE and if you like my content please like, share and comment what you think about STS and what you like to see next content, your understanding is my priority 💟

awscommunitybuilder #AWS #STSAssumeRole #ContinuesLearning

🔗 LinkedIn: https://www.linkedin.com/in/joseph-ndambombi-honpah-2044b5277

Joseph Ndambombi Honpah 😊

AWS SECURITY MEASURES TO PUT IN PLACE.

JosephHonpah — Sat, 08 Mar 2025 14:44:36 +0000

Reference

by Joseph Ndambombi Honpah

💡In today's rapidly evolving digital landscape, securing your AWS environment is more critical than ever. Recent incidents, underscore the pressing need for robust security measures.

✍🏾To fortify your AWS infrastructure, consider implementing the following best practices:

1) 🔐Strengthen Identity and Access Management (IAM).

★Enforce the principle of least privilege by granting users only the permissions they need.
★Regularly rotate credentials and utilize multi-factor authentication (MFA) to enhance security.
★Ensure Proper Configuration Management:

2) ⚙️Regularly audit and monitor your AWS configurations to identify and rectify vulnerabilities.

★Leverage AWS Config and other tools to maintain compliance with security standards.

3) 📡 Implement Network Security Measures.

★Use Virtual Private Clouds (VPCs) to isolate sensitive resources.
★Configure security groups and network access control lists (ACLs) to regulate traffic flow effectively.

4) 🕵🏼‍♂️Adopt Continuous Monitoring and Incident Response:

★Deploy monitoring solutions to detect unusual activities promptly.
★Establish a comprehensive incident response plan to address potential security breaches swiftly.

🎯By proactively addressing these aspects, organizations can significantly reduce the risk of security incidents and safeguard their AWS environments against emerging threats.

🚨Stay vigilant and prioritize security to protect your digital assets in the cloud.

👉 What’s your biggest challenge in AWS security? Have you tried automating compliance or incident response? Share your thoughts in the comments! 👇

If you found this post helpful, give it a like, comment, or share to spread the knowledge! Let’s build a safer cloud together. 🚀🔐

AWS #AWSSecurity #CloudSecurity #Automation #Compliance #IncidentResponse #AWSCommunitybuilder #Serverless #CyberSecurity #Innovation #TechCommunity #CloudComputing #AWSCommunity #continueslearning

AWSSecurity

AWS DEMO: Step By Step Guide To Deploy Full End To End Web Application on 7 Services

JosephHonpah — Sat, 08 Mar 2025 14:39:02 +0000

Step By Step Guide To Deploy Full End To End Web Application on 7 Services.

Reference

by Joseph Ndambombi Honpah

INTRODUCTION

In this hands-on tutorial, I’ll walk you through how to build a ride sharing functionality app (for unicorns!), pulled from Wild Rydes sample project. We’ll use seven different services — GitHub, Amplify, Cognito, Lambda, IAM, API Gateway and DynamoDB — talking about why/where to use them, and how to get them to work with each other. As move on, we’ll build each service and giving these services the ride sharing functionality for the application.

This application is deployed on Amazon Amplify integrated with github repository for CI/CD pipeline. Amazon cognito user pool used for authentication of users to sign up or sign in to the application using username or email, password and password confirmation. IAM used to give lambda the write access to dynamodb table and Lambda used to put items (user data) to dynamodb table logs. Api gateway used as rest API which helps user to invoke lambda function for Unicorn Ride. stay tuned for final functionality of this application… let me know what you think in comment box

What you need to follow along this project(Prerequisite):

i. text editor(notepad) to write down Id’s, ARN etc.

ii. An AWS account, logged in to the AWS Console as a an IAM user.

iii. Some basic knowledge of AWS is preferable, but you can still follow along if you’re an absolute newbie

iv) A GitHub account and the code from my GitHub repo: https://github.com/JosephHonpah/end-to-end-web-app
4) Architectural view to application: https://main.d2i8yld6dviyk2.amplifyapp.com/

3) How to copy the application code from my GitHub repository to yours:

Create or login to you GitHub account.
Click on link below to get access to my GitHub repository. https://github.com/JosephHonpah/end-to-end-web-app
You can use template by creating new repository on GitHub from the template or cloning.

4) Creating new web app on AWS Amplify from you repository:

Navigate to aws management console and search for Amplify and click on AWS Amplify

click on Deploy an app below to build web application

Click on GitHub because application code is stored in GitHub repository you created above

You need to select your github account which is JosephHonpah for me.

After successful sign in, you need to select the repository in which you stored your code. you can upload all repositories to amplify and select from Amplify but best you click on Only select repositories and choose the repository you want to build on amplify.

Scroll down and click next

On app settings leave everything default and scroll down click next.

Review and click on save and deploy.

Amplify deploying and might take 2mins or more depnding on network bandwidth.

Amplify deployed successfully and with a DNS name to access application: https://main.d2i8yld6dviyk2.amplifyapp.com/

Application can now be accessed from GitHub repository using amplify domain name provided above. Good right? Okay lets go…

5) You need authenticated users to securely and successfully sign up and sign in to your application. which we will use Amazon cognito user pool with the following steps below;

Navigate once again to search bar on management console, search cognito and open in new tab.

Click on create user pool.

Put in name of cognito user pool app client. it could be any name but make sure you have notepad to write down.

select configuration type. How you want users to sign up and sign in into your application and select attributes. scroll down and click on create.

Click on User pool and make sure to copy the User pool ID to notepad. Because you need to add configurations to your code for authentication to your appliction.

On left corner of page click on App clients and copy the the Client-ID and drop on notepad.

Navigate to your github repository on directory js/config.js and add user pool ID, client ID and AWS region which you copied and paste on note pad.

Once that is done then click on commit changes on top left corner and amplify with automatically deploy the changes made to your code since is a serverless CI/CD pipeline service.

Back on application click on sign up and register with email and password, clicl on LET’S RYDE.

Put in code on email and click Verify. you should be able able to get code from Amazon cognito and Verification successful message from AWS Amplify which means user is good to go and sign in to application

Once sign in with credentials, you get a token and you copy and drop that on notepad aswell for future use. this token will be needed to invoke API gateway so users to make API calls for rides from any location on the map.

6) Here we are going to see how to use dynamodb to store users credentials, orders etc. And lambda will be good service to automatically store theses details to dynamodb.

Create dynamoDB table by typing dynamodb on search bar. click on it and create table.

Give table a name and a partion key name which will be used to retrieve items from your table and allocate data across hosts for scalability and availability. scroll down and create table.

once table created, click on table , scroll down and click on additional Info. You need to copy and paste ARN of table and paste on notepad

You need to give lambda the the permission to write to dynamodb when even user sign up, sign in, orders ride, ride details etc. Which will be done on AWS Identity Access Management (IAM). Open IAM on new tab from aws management console.

click on Roles and create role.

Trusted entity type as AWS service and use case should be lambda, scroll down and click next.

add permission to role AWSLambdaBasicExecutionRole.

Give a name to lambda role and scroll down click on create role.

After role is created, click on role (webapp2025_lambda) and click on Add permissions to create Inline policy for dynamodb.

Use case should be DynamoDB and we need for best practice is to give permission to let lambda putitem to dynamodb table created above.

scroll down and click on Add ARNs to restrict access.

Click on Text and paste the dynamodb table ARN you created and copied above from notepad. click on Add ARNs and proceed to Next.

Review and give policy name. scroll down and proceed to create policy. Good to go…

Lambda function is now needed to perform the magic on application. so you once again navigate to search bar and search lambda and open in new tab, Click on create function.

Author from scratch and give lambda function a name and i will go with Node.js 20 x, because my code in repository is configured for Node.js 20 x and scroll down.

Add Permissions to lambda funtion which was created above on IAM. click on Use an existing role and select the role created. scroll down and click create function.

once function created, scroll down, copy and paste the lambda code from github repository created from beginning on the lambda code editor and Include dynamodb table name you created above in the code, the proceed to Deploy.

On left page click on create new event so as to test if lambda function is working properly. give the Event name and scroll down to the Event Json.

Copy test event code from github repository above and paste it in Eveny Json, scroll up and save test event.

Click on test and should be able to get a statuscode of 201, which means the functions works properly.

Going back to dynamodb table, you can see two items have been recorded into the table from lambda. Implying lambda function now works properly and writes to dynamodb.

I hope your enjoying the Architecture and just one more service to make the puzzle whole for the application.

7) In this last puzzle of the architecture it consist of how users on frontend of application can be able to make request for rides on map from any location using lambda. But lambda will not be best solution for users to make these calls, so API Gateway will be perfect solution and will seat between front end and lambda function to give it the proper functionality.

Navigate to API gateway on search bar and open in new tab, scroll down and click on REST API.

select new API and give API gateway name. scroll down and click create API.

Create an authorizer so API Gateway can work with Cognito, because API gateway will need Json web tokens from cognito to do api calls. So have to integrate the two services. click Authorizers pn left page and proceed to Create an authorizer.

Give authorizer name, use case(Authorizer type) should be cognito. select the cognito user pool created above and recall you should be in thesame region you created the userp pool. Token Source type in Authorization, scroll down and click create authorizer.

Click on created Authorizer and proceed to Test authorizer. Copy and paste in the Token Value as the token which was gotten from cognito user pool above saved in notepad during sign in process into application . click on Test authorizer.

A status code 200 signifies cognito user pool now integrated with API gateway succesfully and other meta data provided by cognito.

Create a Resource to hook up lambda function. Click on Resources on left page and proceed to create resource.

Resource path is default and give name resource name (webapp). Enable CORS(Cross Origin Resource Sharing) because the domain of amplify site above is different from domain of API gateway so its going to go cross origin. Proceed to Create resource.

On right of page click on Create method.

On method type select POST, Integration type should be lambda and scroll down.

Enable proxy so requests are sent to lambda funtion in structured event. Select the lambda function which was created above (webapp_lambda), scroll down and click Create method.

Under the Method request, click on edit which will hook up the authorization created above.

Under Authorization, select the user pool authorizer created above (webapp2025), scroll down and click save.

Everything set, now proceed to Deploy API on top right page.

For stage select new stage. Stage name (dev) and click on Deploy.

Copy the invoke URL and paste in code in config.js file on github repository above. so request from users accessing the application from frontend will be proxied by API gateway to lambda function at the back end and lambda putitem to dynamodb table.

Paste the copied invoke url above in the config.js file on github repository. Proceed to commit changes so it will be applied on application running on Amplify authomatically since its a CI/CD service.

Finally to test out everything. A user from Capitol Hill on map click on Request Unicorn

There a Unicorn Rocinante on the way and has arrived. wow great right?

Check on Dynamodb table, all request forwarded by API gateway to lambda function and its stored to dynamodb which you can as well do some analyses and much more.

Conclusion

I faced many challenges on how to get the right funtionality buy building and deleting and again, just know its not how fast you can deploy but why each service is the way it is .

This project is geared to perfect understanding of how AWS services work together to give a rebost architecture. let me know in comment if need any assitance and if you find any errors. please like and share as well.

JOSEPH NDAMBOMBI HONPAH.

AWS CONTROL TOWER FOR MULTI ACCOUNT AND COMPLIANCE.

JosephHonpah — Sat, 08 Mar 2025 14:34:12 +0000

Implementing AWS Control Tower for Multi-Account Governance and Security

Reference

by Joseph Ndambombi Honpah

1.1 Introduction To AWS Control Tower

AWS Control Tower is a service that provides an automated way to set up and manage a secure, multi-account AWS environment based on best practices. It simplifies account governance by offering centralized management, compliance enforcement, and security policies, making it an ideal solution for organizations looking to scale operations while maintaining control, thereby helping institutions and individuals who want to learn more about multi-account environments. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.

Architectural Diagram

1.2 Why AWS Control Tower For Multi-Account Management?

Centralized Governance & Compliance
Automates multi-account setup with AWS best practices.
Uses Guardrails (preventive & detective controls) to enforce security.
Ensures compliance with standards like PCI DSS, GDPR, NIST, HIPAA.
Security & Policy Enforcement

- Pre-configured security settings prevent misconfigurations.

AWS Security Hub, AWS GuardDuty, AWS CloudTrail integration for real-time security monitoring.
IAM and AWS SSO (Single Sign-On) for centralized user access control.\
Automated Account Provisioning
Uses AWS Organizations to create and group AWS accounts
Account Factory automates account setup with predefined policies.
Standardized networking, logging, and security configurations for new accounts.
Cost & Operational Efficiency
Reduces manual effort by automating governance and security tasks.
Prevents unauthorized changes that could lead to security vulnerabilities.
Centralized billing and resource tracking across multiple accounts.
Scalability & Flexibility
Supports multi-region deployments for global operations.
Easily scales with your organization as new teams and workloads are added.
Customizable landing zones for different use cases.

The table below summarizes the benefits of AWS Control Tower over manual management of AWS accounts.

1.3 Considerations Before Using AWS Control Tower

Before adopting AWS Control Tower, it’s crucial to evaluate whether it aligns with your business, security, and operational needs. Here are some points to consider:

Cost Implications
AWS Control Tower is free but it uses services like AWS Config, CloudTrail, and Security Hub that incur costs.
More AWS accounts = Higher costs for logging, monitoring, and security services.
Multi-account management
If you’re managing multiple AWS accounts and need governance, Control Tower is a great fit.
If you have a single AWS account, Control Tower may be overkill.
AWS Organizations
Control Tower depends on AWS Organizations to manage accounts.
If you’re not using AWS Organizations, Control Tower will automatically set it up.
Centralized security and compliance
If your company follows strict compliance standards (e.g., PCI DSS, HIPAA, GDPR), Control Tower helps enforce guardrails.
If you prefer custom governance solutions, Control Tower may not be flexible enough.
Standardized security & networking model
Control Tower creates a predefined landing zone with VPCs, IAM policies, and logging.
If you need a fully custom network setup, AWS Control Tower may not be flexible enough.
User access and IAM

- Control Tower integrates with AWS SSO for access management.

If you’re using an external Identity Provider (Okta, Azure AD, etc.), ensure compatibility.
Existing accounts compatibility
Control Tower cannot manage existing accounts automatically.
You may need to migrate accounts manually to Control Tower’s governance model.
Using Terraform, CDK, or Infrastructure as Code
AWS Control Tower does not natively support Terraform but can be managed via APIs.
AWS CDK and CloudFormation have limited support for Control Tower resources.

FINTECH SCALABILITY

JosephHonpah — Sat, 08 Mar 2025 14:18:10 +0000

ARCHITECTING FOR SCALABILITY ON AWS

Reference

by Joseph Ndambombi Honpah

One of the biggest challenges in cloud architecture is scalability. Whether you’re handling unpredictable traffic spikes or building for global users, designing resilient, scalable systems is critical.

In the fintech world, milliseconds matter. Whether processing payments, detecting fraud, or ensuring regulatory compliance, cloud architecture plays a crucial role. Here’s how AWS helps fintech companies stay ahead:

Security — AWS services like IAM(Identity and Access Management, AWS KMS(Key Management Service), and AWS WAF(Web Application Firewall) ensure data protection and compliance with PCI DSS(Payment Card Industry Data Security Standard), GDPR(General Data Protection Regulation), and other regulations.
Real-Time Processing — With Amazon Kinesis and Amazon DynamoDB, fintech firms can analyze transactions instantly, identify fraud before it happens.
Resilient Architecture — Multi-AZ deployments with Amazon RDS(Relational Database Service), Amazon Aurora, and Amazon S3(Simple Storage Service) provide high availability, reducing downtime to near zero.
Cost Optimization — Serverless solutions like AWS Lambda, Amazon API Gateway and AWS Step Functions help fintech startups scale dynamically without over-provisioning resources.

As a Solution Architect, I’ve seen fintech companies transform their operations with these services. Let me know what you think and what are your biggest cloud challenges in fintech? comment and share.

[Boost]

JosephHonpah — Sat, 08 Mar 2025 08:59:09 +0000

HISTORY OF CLOUD COMPUTING AND MY PERSONAL EXPERIENCE WITH AWS IDENTITY AND ACCESS MANAGEMENT (IAM).

JosephHonpah — Sat, 25 Jan 2025 16:49:22 +0000

HISTORY OF CLOUD COMPUTING AND MY PERSONAL EXPERIENCE WITH AWS IDENTITY AND ACCESS MANAGEMENT (IAM).

Reference

by Joseph Ndambombi Honpah

Blog 2: “WHAT IS CLOUD COMPUTING?”

INTRODUCTION TO CLOUD COMPUTING.

Have you ever wondered how cloud computing came into existence?

Cloud based computing has modified how individuals and businesses interact with technology, reviewing the traditional standard of computing resources. Cloud computing refers to the on-demand delivery of computing services such as storage, processing power and applications over the Internet, enabling users to access resources flexibly and efficiently without owning and maintaining physical infrastructure.

https://cdn.codecoda.com/img/blog/cloud-computing-architecture-schema.png

The history of cloud computing boils down back in the 1960s when a computer scientist by name John McCarthy came up with a suggestion that “computation may someday be organized as a public utility,” such as water or electricity. This vision began actively with the advent of time-sharing systems and the commercialization of internet services in the late 20th century. Reference for more details.

Amazon Web Services (AWS) later came into picture in early 2000s marking a significant milestone with its first cloud computing services Amazon S3 (Simple Storage Service) and Amazon EC2 (Elastic Compute Cloud). Which popularized the pay-as-you-go model and the concept of Infrastructure as a Service (IaaS). This was followed by the emergence of major players like Microsoft Azure, Google Cloud Platform, and IBM Cloud, which expanded the range of cloud offerings to include Platform as a Service (PaaS) and Software as a Service (SaaS). These services coordinated access to powerful computing capabilities, enabling startups, enterprises, and governments to innovate and scale with unique agility.

Today cloud computing is a cornerstone of modern IT infrastructure. It powers everything from artificial intelligence and big data analytics to remote work and global collaboration. The cloud has also become critical for digital transformation across industries, driving innovations such as serverless computing, containerization, and edge computing.

Looking ahead into the future of cloud computing appears even more transformative. Trends like hybrid and multi-cloud environments, quantum computing integration, and the increasing role of artificial intelligence promise to expand its potential. With the growing focus on sustainability, cloud providers are investing in greener data centers and renewable energy sources to minimize their environmental impact.Due to this initiative, AWS included a new pillar just for this it’s Well-Architected Framework: https://docs.aws.amazon.com/wellarchitected/latest/framework/sustainability.html

As we move forward, cloud computing is assured to become even more universal and powering a world where innovation knows no bounds.

2. INTRODUCTION TO AWS(AMAZON WEB SERVICE).

Amazon Web Services (AWS) is a subsidiary of Amazon, designed to provide cloud computing services to individuals, businesses, and governments. During the early 2000s, Amazon had developed internal services that could be sectioned and reused leading to the realization that this framework could benefit external users.

In 2002 Amazon officially launched AWS, offering its first services like Amazon S3 (Simple Storage Service) and Amazon EC2 (Elastic Compute Cloud). These products introduced the concept of scalable, pay-as-you-go infrastructure, where customers paid only for the resources they used, eliminating the need for large upfront hardware investments and thereby reducing cost.
2006, AWS was formally relaunched with the core services

Amazon S3 which is a scalable storage service for storing and retrieving data (Object storage). S3 supports objects from 0 bytes up to 5TB.

Amazon EC2 which is a virtual server environment offering resizable compute capacity. These services marked the foundation of modern cloud computing.

2009 AWS Introduced the attachment of Amazon EBS (Elastic Block Store), a persistent block storage for EC2 instances, enhancing its capabilities for enterprise applications.

2012 AWS held its first re:Invent conference, which has since become an annual event showcasing new services, customer stories, and innovative solutions.
2014 AWS Lambda was launched, with serverless computing introduced with Lambda, allowing developers to run code without managing servers, charging only for execution time.

2018 AWS became a major revenue driver for Amazon, reaching $25 billion in revenue. By this time, it accounted for a significant portion of Amazon’s operating income.
2020 AWS announced sustainability initiatives and edge computing services like AWS Outposts, Lambda@edge, AWS Greengrass bringing cloud services closer to on-premises environments.
2023 Adam Selipsky succeeded Andy Jassy (who became Amazon CEO) as the head of AWS, focusing on expanding the business globally.

AWS has numerous advantages it offers over traditional IT infrastructures and competing cloud providers such as:

A. Scalability and Flexibility

AWS provides instant scalability, allowing businesses to scale their infrastructure up or down based on demand. Such as Auto scaling, Load balancing.

B. Cost-Effectiveness

Users pay only for the resources they consume, eliminating upfront capital expenses (Pay-As-You-Go Model) and no need to pay for hardware cost.
AWS offers cost-saving options for predictable workloads and unused capacity such as spot and reserved instances.

C. Security and Compliance

AWS uses robust security protocols, including data encryption, multi-factor authentication (MFA), and firewalls to provide built in security.

D. Speed and Agility

Users can deploy infrastructure in minutes, accelerating development cycles.

E. Reliability

AWS is built on a robust infrastructure with redundancy and failover mechanisms to ensure maximum uptime.

F. High-Performance Computing

AWS offers powerful compute options for high-performance tasks like Simulations and data analysis, Graphics rendering and machine learning training.

The benefits of AWS make it a powerful and versatile platform for businesses and developers. Whether you’re a startup, an enterprise, or an individual, AWS offers the tools, resources, and infrastructure to support your specific needs while enabling innovation and cost efficiency. Refer for more benefits of AWS cloud computing

3. INTRODUCTION TO IAM.

AWS Identity and Access Management (IAM) is a foundational service provided by Amazon Web Services, that helps individuals or organizations to securely control access to AWS resources. It allows administrators to manage permissions, define roles, and enforce security policies for users, groups, and applications interacting with AWS services. By granting the principle of least privilege, IAM ensures that users and systems have only the permissions necessary to perform their tasks, thereby reducing security risks. AWS Training and Certification provides a 10-minute video introduction to IAM:

Introduction to AWS Identity and Access Management.

**Use Cases
**IAM is widely used in scenarios requiring granular access control, such as:

Multi-User Environments: Assigning specific roles and permissions to employees based on their responsibilities.
Application Authentication: Providing applications with access to AWS services using IAM roles and policies.
Compliance and Auditing: Monitoring access patterns, ensuring that security protocols align with regulatory requirements.
Federated Access: Integrating with identity providers (e.g., Google, Microsoft Active Directory) to manage user access seamlessly.

Billing
**IAM itself is a **free service, and customers are not charged for creating users, groups, roles, or policies. Costs only arise indirectly when users perform actions that consume AWS resources, such as running EC2 instances or accessing S3 storage. For a complete list of charges and prices for IAM Access Analyzer, see IAM Access Analyzer pricing.

IAM was launched in May 2011 as a way to provide more robust identity and access management for its growing suite of services. Over time, IAM has undergone significant enhancements to meet evolving security needs:

2012 Introduced AWS Identity Federation, allowing users to log in using external identity providers.
2015 Rolled out IAM Roles for EC2, enabling applications running on EC2 to securely interact with AWS services without hardcoding credentials.
2018 Launched AWS IAM Access Analyzer, a tool to identify resources shared outside an organization.
2020 Expanded support for fine-grained permissions with service-specific condition keys and improved auditing features.

Today, IAM remains a critical pillar in AWS’s security framework, continuously evolving to address the complex security requirements of modern cloud environments. Its role in enabling secure and scalable cloud usage ensures it is indispensable for AWS customers worldwide. IAM is integrated with many AWS services. For a list of AWS services that work with IAM and the IAM features the services support, see AWS services that work with IAM.

4. PERSONAL EXPERIENCE WITH IAM

Working with AWS Identity and Access Management (IAM) can be both empowering and challenging. It’s a robust system, but mistakes can happen, often with significant consequences. Here’s a candid recount of some IAM missteps I’ve encountered, how I identified them, and what I learned from each experience.

A. Over-Permissive Policies

In the early days in tech industries, I created policies that were overly broad, such as attaching AdministratorAccess or using “Action”: “” with “Resource”: “”. It was a quick way to get things working, especially during urgent deployments, but it exposed resources unnecessarily.

How I Realized It:
During a routine security check, an audit tool flagged multiple users and roles with excessive permissions. Additionally, one instance of a misconfigured access policy allowed unintended access to sensitive S3 buckets.

Lessons Learned:

The principle of least privilege is non-negotiable.
Avoid shortcuts during policy creation, even under time pressure.

How to avoid It:

Use AWS managed policies as a starting point and refine them based on specific needs.
Regularly run IAM Access Analyzer to identify and mitigate over-permissive policies.

B. Hardcoding Access Keys

I once embedded access keys in application code for testing purposes, intending to replace them later. Unfortunately, the code was committed to a public repository. While the keys were inactive, it created an unnecessary risk.

How I Realized It:
A security scan alerted me to the exposed keys, and AWS automatically flagged the incident in the Trusted Advisor Service.

Lessons Learned:

Hardcoding credentials, even temporarily, is a bad practice.
Public repositories are a high-risk environment for sensitive data.

How to Avoid It:

Use IAM Roles for applications running on AWS (e.g., EC2 or Lambda) to avoid needing hardcoded keys.
Enable AWS Secrets Manager for securely storing and retrieving sensitive data.
Add pre-commit hooks or tools like Git Secrets to prevent accidental leaks.

C. Insufficient Multi-Factor Authentication (MFA) Enforcement.

In my early days in AWS cloud, I neglected to enforce Multi-Factor Authentication (MFA) for the root account and critical IAM users. While no security breaches occurred, this left the environment vulnerable to phishing or brute-force attacks.

How I Realized It:
During an AWS Well-Architected Review, MFA enforcement was flagged as a major gap in our security posture.

Lessons Learned:

Protecting root and privileged accounts with MFA is crucial.
Even if no breaches occur, overlooking MFA undermines best practices.

How to Avoid It:

Mandate MFA for all users with elevated privileges.
Use IAM policies to enforce MFA and block access if not enabled.
Leverage AWS Config to continuously monitor and report on MFA compliance.

D. Ignoring Service-Linked Roles

I deleted an IAM role that was service-linked to AWS CloudFormation, thinking it was unused. This broke critical workflows and caused failed stack deployments.

How I Realized It:
CloudFormation deployments started failing immediately with error messages indicating a missing role.

Lessons Learned:

Service-linked roles are crucial for the operation of specific AWS services.
Deleting roles without understanding their purpose can disrupt production systems.

How to Avoid It:

Verify role dependencies before deletion using tools like IAM Access Analyzer.
Consult AWS documentation to understand service-linked roles and their importance. For information about service-linked roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html

E. Neglecting Role and User Rotation

Some IAM users and roles were left active long after the employees or applications associated with them were no longer in use. This created potential vulnerabilities.

**How I Realized It:
**A periodic review using AWS IAM Credential Report showed users with keys that hadn’t been rotated or used in years.

Lessons Learned:

Stale credentials are a security risk, even if unused.
Regularly auditing IAM resources is essential for maintaining hygiene.

How to Avoid It:

Implement automated cleanup scripts or workflows to disable unused users and roles.
Use IAM Access Advisor to monitor usage and deactivate unused permissions.
Enforce strict key rotation policies and lifecycle management for roles.

An Upgraded IAM Mindset:

Working with IAM has taught me that security is a continuous process requiring vigilance and adherence to best practices. Each mistake reinforced the importance of balancing functionality and security while leveraging AWS tools to automate monitoring and compliance.

IAM isn’t just about granting access — it’s about controlling and auditing it effectively. By learning from these missteps, I’ve adopted a proactive approach to avoid similar issues in the future and ensure that IAM configurations align with organizational security goals.

5. BEST PRACTICES

Over the years in AWS cloud, I’ve seen IAM play a pivotal role in ensuring secure and efficient cloud operations for various organizations. Here are some notable successes and lessons learned:

A. Scaling Securely in Multi-Account Environments

In one scenario, an organization migrated to AWS Organizations to manage multiple AWS accounts. By combining IAM roles with Service Control Policies (SCPs), we ensured:

Centralized governance across all accounts.
Strict control over permissions without impacting individual teams’ productivity. This approach reduced misconfigurations, minimized the attack surface, and enhanced security audits across accounts.

**Key Takeaway
**IAM roles, when paired with AWS Organizations, provide a scalable and secure foundation for managing multi-account architectures.

B. Implementing Granular Access Control for Third-Party Integrations

For an e-commerce company integrating with external analytics tools, creating custom IAM roles with fine-grained permissions limited access to only the necessary S3 buckets and data. This ensured the tool operated effectively without exposing sensitive resources.

**Key Takeaway:
**Always apply the principle of least privilege to integrations, start with minimal permissions and adjust as required.

C. Automation with Temporary Credentials

A logistics company transitioned from using static IAM access keys to relying on IAM roles with temporary credentials through AWS STS (Security Token Service). This significantly reduced the risk of credential leaks while automating key rotation for developers and applications.

**Key Takeaway:
**Whenever possible, prefer roles and temporary credentials over long-term access keys.

What Should Always Be Done When Starting with IAM

Enable MFA anywhere

Protect the root account and all users with multi-factor authentication (MFA).
Enforce MFA through IAM policies for privileged operations. See, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

Define Roles Before Users

Design a role-based access control (RBAC) system from the beginning. See, https://docs.aws.amazon.com/redshift/latest/dg/t_Roles.html
Assign roles to users instead of granting direct permissions.

Leverage AWS Managed Policies First

Start with AWS-managed policies for common use cases and then refine or create custom policies if needed.

Use IAM Access Analyzer

Identify resources that are accessible outside the AWS environment and ensure proper restrictions. https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

Regularly Audit IAM Configurations

Use tools like AWS Config, Credential Reports, and AWS Trusted Advisor to monitor compliance and catch misconfigurations.

What Should Never Be Done with IAM

Grant Wildcard Permissions

Avoid policies like “Action”: “” or “Resource”: “”. These can inadvertently open access to unintended resources and services.

Use Root Account for Daily Tasks

Never use the root account for routine operations. Instead, create administrative IAM users or roles for day-to-day management. See, Root user best practices for your AWS account.

Embed Static Access Keys in Code

Hardcoding access keys in scripts or applications is a major security risk. Use IAM roles for applications running on AWS services like EC2 or Lambda.

Ignore IAM Policy Versioning

Always review and update policies as your architecture evolves. Outdated policies can leave gaps or grant excessive permissions.

Delete Roles or Policies Without Checking Dependencies

Always verify if a role or policy is in active use before deleting it to avoid disrupting workflows or critical operations.

AWS IAM is the backbone of cloud security and access management, but its effectiveness depends on how thoughtfully it is configured and maintained. By following best practices, avoiding common pitfalls, and leveraging automation, organizations can create a secure, scalable, and efficient cloud environment. IAM’s flexibility makes it a powerful tool, but with great power comes the responsibility to use it wisely.

6. CONCLUSION.

IAM (Identity and Access Management) is a framework of policies and technologies that ensures the right individuals or systems have appropriate access to resources at the right time. Use IAM to manage access to cloud resources, enforce least privilege, and secure user identities. Avoid using IAM when access management is better handled by external tools or when over-complicating policies could lead to security misconfigurations. With IAM, you can create fine-grained access controls, enable multi-factor authentication, and automate secure resource provisioning.

Tired of juggling complex IAM policies? In the next post, we’ll dive into crafting scalable, foolproof IAM strategies, exploring advanced techniques like policy simulations, automated audits, and how to spot and fix security gaps before they become costly mistakes.

JOSEPH NDAMBOMBI HONPAH