<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Yogita Sharma</title>
    <description>The latest articles on DEV Community by Yogita Sharma (@yogita).</description>
    <link>https://dev.to/yogita</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F979737%2Fa3de4b94-8e47-48da-80f8-0cbc55344d01.jpg</url>
      <title>DEV Community: Yogita Sharma</title>
      <link>https://dev.to/yogita</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/yogita"/>
    <language>en</language>
    <item>
      <title>Understanding IAM</title>
      <dc:creator>Yogita Sharma</dc:creator>
      <pubDate>Mon, 16 Jan 2023 13:41:36 +0000</pubDate>
      <link>https://dev.to/yogita/understanding-iam-3ldc</link>
      <guid>https://dev.to/yogita/understanding-iam-3ldc</guid>
      <description>&lt;p&gt;&lt;strong&gt;What is IAM:&lt;/strong&gt;&lt;br&gt;
IAM is a web service that enables you to securely manage and access AWS services. It helps you to control who is authenticated and authorized to use the services. It is integrated well with every other AWS service.&lt;/p&gt;

&lt;p&gt;IAM service usage is FREE!&lt;/p&gt;

&lt;p&gt;Let us take an example of an organization that has different departments such as the software department, legal department, finance department, travel, etc. Each department has persons working for them with specific duties or roles. For example, the software development department will have software professionals, the legal department will have lawyers and the finance department will have finance-related experts, etc.&lt;br&gt;
In this organization, software professionals will have access to codebases and servers but are unlikely to access legal documents and financial documents.&lt;br&gt;
Integrated access management (IAM) is done by creating specific roles, i.e. a certain type of access is given to the individuals who have a certain role.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s---dZGCE1k--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/oinw4a6aoooexnjdqgli.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s---dZGCE1k--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/oinw4a6aoooexnjdqgli.png" alt="Image description" width="880" height="412"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Features of IAM:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;IAM helps to securely manage AWS services and resources.&lt;/li&gt;
&lt;li&gt;It allows us to create principals such as users, groups, and roles to have secure access to the resources.&lt;/li&gt;
&lt;li&gt;IAM allows us to define policies in which we allow or deny access to the resources.&lt;/li&gt;
&lt;li&gt;It supports identity federation for delegated access to the AWS Management Console or AWS APIs.&lt;/li&gt;
&lt;li&gt;It provides multi-factor authentication.&lt;/li&gt;
&lt;li&gt;It provides a policy simulator.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;IAM Identities:&lt;/strong&gt;&lt;br&gt;
An IAM Identity provides access to an AWS account, represents a user, and can be authenticated to perform actions in AWS. Policies determine what actions a user, role, or member of a user group can perform on which AWS resources and under what conditions.&lt;br&gt;
A user group is similar to a user: it is an identity with permission policies that determine what the identity can and cannot do in AWS, but a role does not have any credentials (password or access keys) associated with it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IAM Users:&lt;/strong&gt;&lt;br&gt;
An IAM user is an entity that you create in AWS and represents the person or service that interacts with AWS. The main purpose for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.&lt;br&gt;
A user consists of a name, a password to sign into the AWS Management Console, and up to two access keys that can be used with the API or CLI.&lt;br&gt;
When created, an IAM user is granted permission through membership in a user group that has appropriate permission policies attached (recommended) or by directly attaching policies to the user.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IAM Groups:&lt;/strong&gt;&lt;br&gt;
A group is a collection of users. User groups specify permissions for a collection of users, making those permissions easier to manage.&lt;br&gt;
A user group cannot be identified as a Principal, a person, or an application that can request an action or operation on an AWS resource in a resource-based p&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>aws</category>
      <category>iam</category>
      <category>security</category>
    </item>
    <item>
      <title>Amazon Security: WAF and Shield</title>
      <dc:creator>Yogita Sharma</dc:creator>
      <pubDate>Mon, 16 Jan 2023 12:42:51 +0000</pubDate>
      <link>https://dev.to/yogita/amazon-security-waf-and-shield-5dm4</link>
      <guid>https://dev.to/yogita/amazon-security-waf-and-shield-5dm4</guid>
      <description>&lt;h2&gt;
  
  
  Web Application Firewall
&lt;/h2&gt;

&lt;p&gt;Web Application Firewall is a security service provided by AWS that helps protect your web application from common web exploits that could affect application availability, compromise security, or consume excessive resources.&lt;br&gt;
It is used to monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer.&lt;br&gt;
It also gives control over which traffic to allow or block to your web applications by defining customizable web security rules.&lt;br&gt;
Any public web application is exposed to certain common exploits. Using a web application firewall, you can watch for these exploits and block them upfront without affecting your applications running on these AWS services.&lt;br&gt;
When we enable the Web Application Firewall, it watches for the following characteristics in a web request.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwe0io4fchi01mctz73sl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwe0io4fchi01mctz73sl.png" alt="Image description" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cross Site Scripting (XSS):&lt;/strong&gt;&lt;br&gt;
These are scripts that are likely to be malicious. Attackers embed these scripts to exploit vulnerabilities in your web applications.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IP address range that requests originate from:&lt;/strong&gt;&lt;br&gt;
WAF can look for the countries or geographical locations that requests originate from.&lt;br&gt;
It can also check the length of a specific part of the request, such as the query string.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SQL Injection:&lt;/strong&gt;&lt;br&gt;
SQL injection is SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request.&lt;br&gt;
WAF can also look for strings that appear in the request, for example, values that appear in the query string.&lt;/p&gt;

&lt;p&gt;When we set up WAF for different AWS services, we first define the conditions, for example, whether a request originates from a particular country.&lt;br&gt;
After defining the conditions, we combine them into rules. A rule contains multiple conditions. The rules are then combined into a web ACL. This is where we define an action for each rule. We can also define a default action that gets executed when none of the rules are met.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1oqojfbt7g3m2fdtrx1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1oqojfbt7g3m2fdtrx1.png" alt="Image description" width="200" height="190"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  AWS Shield:
&lt;/h2&gt;

&lt;p&gt;AWS Shield protects against DDoS attacks. DDoS stands for distributed denial of service. It is an attack in which multiple compromised systems attempt to flood a target, such as a network or a web application, with traffic. A DDoS attack can prevent legitimate users from accessing a service and can cause the system to crash due to the overwhelming traffic volume.&lt;/p&gt;

&lt;p&gt;AWS provides two types of Shields:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Shield Standard:&lt;/strong&gt; &lt;br&gt;
It shields against network and transport layer DDoS attacks that target your website or applications. All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Shield Advanced:&lt;/strong&gt;&lt;br&gt;
It provides expanded DDoS attack protection for web applications running on Amazon EC2, Elastic Load Balancing (ELB), CloudFront, and Route 53 resources. It comes with an additional charge.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Amazon Cognito</title>
      <dc:creator>Yogita Sharma</dc:creator>
      <pubDate>Mon, 16 Jan 2023 12:20:24 +0000</pubDate>
      <link>https://dev.to/yogita/amazon-cognito-2n8l</link>
      <guid>https://dev.to/yogita/amazon-cognito-2n8l</guid>
      <description>&lt;p&gt;&lt;strong&gt;Understanding Amazon Cognito:&lt;/strong&gt;&lt;br&gt;
Cognito provides authentication, authorization, and user management for web and mobile apps. Users can sign in directly with their user name and password, or can use a third party such as Facebook, Amazon, Google, or Apple to authenticate. The main components of Cognito are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;User pools: These are user directories that enable sign-up and sign-in options for app users.&lt;/li&gt;
&lt;li&gt;Identity pools: These are used to grant users access to other AWS services.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We can use identity and user pools separately or together. We can also synchronize data across devices (Cognito Sync).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;User Pools:&lt;/strong&gt; &lt;br&gt;
It is a user directory in Cognito.&lt;br&gt;
Users can sign in to the web or mobile app through Cognito or federate through a third-party identity provider (IdP).&lt;br&gt;
All members of the user pool have a directory profile accessible through an SDK.&lt;/p&gt;

&lt;p&gt;User pool capabilities:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Sign up and sign in services&lt;/li&gt;
&lt;li&gt;Built-in web interface to sign in users &lt;/li&gt;
&lt;li&gt;Sign in with Facebook, Google, Amazon, and Apple, and through SAML/OIDC identity protocol-based providers from user pools.&lt;/li&gt;
&lt;li&gt;Manage user directories and user profiles.&lt;/li&gt;
&lt;li&gt;Use lambda triggers to customize workflows and user migration.&lt;/li&gt;
&lt;li&gt;Multi-factor authentication, checks for compromised credentials, account takeover protection, and phone and email verification.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnznexa7s3nn1w68po8p.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnznexa7s3nn1w68po8p.png" alt="Image description" width="606" height="110"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cognito Identity Pools:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Identity pools are used to obtain temporary credentials to access AWS services.&lt;/li&gt;
&lt;li&gt;Supports anonymous guest users and the following identity providers, which can be used to authenticate users for identity pools:
&lt;ul&gt;
&lt;li&gt;Cognito user pools&lt;/li&gt;
&lt;li&gt;Sign in with Facebook, Google, Amazon, and Apple, and through SAML/OIDC identity protocol-based providers from the user pool.&lt;/li&gt;
&lt;li&gt;Developer authenticated identities.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;To save user profile information, an identity pool needs to be integrated with a user pool.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cognito Sync:&lt;/strong&gt;&lt;br&gt;
It is a service and client library that provides cross-device syncing of application usage data.&lt;br&gt;
We can synchronize user profile data across mobile devices and web apps without a custom backend.&lt;br&gt;
Client libraries cache data locally, allowing the app to read and write data even with variable device connectivity.&lt;br&gt;
When the device is online, it can synchronize data and, if push sync is enabled, notify other devices immediately that an update is available.&lt;/p&gt;

</description>
      <category>career</category>
      <category>workplace</category>
      <category>employeeexperience</category>
      <category>productivity</category>
    </item>
    <item>
      <title>S3 Fundamentals</title>
      <dc:creator>Yogita Sharma</dc:creator>
      <pubDate>Mon, 16 Jan 2023 10:04:45 +0000</pubDate>
      <link>https://dev.to/yogita/s3-fundamentals-219n</link>
      <guid>https://dev.to/yogita/s3-fundamentals-219n</guid>
      <description>&lt;p&gt;&lt;strong&gt;What is S3?&lt;/strong&gt;&lt;br&gt;
S3 is storage for the internet, designed to make web-scale computing easier. It has a simple web services interface used to store and retrieve any amount of data at any time and from anywhere on the web.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key benefits of S3:
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Creating buckets:&lt;/strong&gt; &lt;br&gt;
Create and name a bucket that stores data. Buckets are the fundamental containers in S3 for data storage.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Storing data:&lt;/strong&gt;&lt;br&gt;
Store an infinite amount of data in a bucket. Upload unlimited objects into an S3 bucket, where each object can contain up to 5 TB of data and each object is stored and retrieved using a unique developer-assigned key.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Downloading data:&lt;/strong&gt;&lt;br&gt;
Download your data anytime you like or enable others to do the same through bucket policies and other security mechanisms.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Permissions:&lt;/strong&gt; &lt;br&gt;
Grant or deny access to others who want to upload or download data into your S3 bucket. Authentication mechanisms keep data secure from unauthorized access.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Standard Interface:&lt;/strong&gt; &lt;br&gt;
Use standards-based REST and SOAP interfaces.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DWlDtwcI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wm8236n4vz40gd5va9lq.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DWlDtwcI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wm8236n4vz40gd5va9lq.jpg" alt="Image description" width="247" height="204"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Key terminologies of S3:
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Buckets:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Containers for objects stored in S3.&lt;br&gt;
Every object must be contained in a bucket.&lt;/p&gt;

&lt;p&gt;Purpose of S3 buckets:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Organize the S3 namespace at the highest level.&lt;/li&gt;
&lt;li&gt;Identify the account responsible for storage and data transfer charges.&lt;/li&gt;
&lt;li&gt;Play a role in access control.&lt;/li&gt;
&lt;li&gt;Serve as the unit of aggregation for usage reporting.&lt;/li&gt;
&lt;li&gt;You can configure buckets so that they are created in a specific region.&lt;/li&gt;
&lt;li&gt;You can configure a bucket so that every time an object is added to it, S3 generates a unique version ID and assigns that ID to the object.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Objects:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Fundamental entities stored in S3.&lt;/li&gt;
&lt;li&gt;They can be PDF files, text files, MP3 files, spreadsheets, or any kind of files.&lt;/li&gt;
&lt;li&gt;They consist of object data and metadata, where the object data is not visible to S3.&lt;/li&gt;
&lt;li&gt;Metadata is a set of name-value pairs that describe the object.&lt;/li&gt;
&lt;li&gt;Metadata includes some default metadata, such as the date last modified, and standard HTTP metadata, such as a content type. You can also specify custom metadata at the time the object is stored.&lt;/li&gt;
&lt;li&gt;An object is uniquely identified within a bucket by a key and a version ID.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Keys:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A key is the unique identifier for an object within a bucket. Every object has exactly one key.&lt;/li&gt;
&lt;li&gt;The combination of a bucket, key and version ID uniquely identifies each object.&lt;/li&gt;
&lt;li&gt;Every object in S3 can be uniquely addressed through the combination of the web service endpoint, bucket name, key and optionally a version.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Regions:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You can choose the geographical region where S3 will store the buckets that you create.&lt;/li&gt;
&lt;li&gt;Choose a region to optimize latency, minimize cost, and/or address regulatory requirements.&lt;/li&gt;
&lt;li&gt;Objects stored in a region never leave the region unless you explicitly transfer them to another region.&lt;/li&gt;
&lt;li&gt;You can only access S3 and its features in regions that are enabled for your accounts.&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>IAM Best Practices</title>
      <dc:creator>Yogita Sharma</dc:creator>
      <pubDate>Mon, 16 Jan 2023 09:37:44 +0000</pubDate>
      <link>https://dev.to/yogita/best-practices-for-using-iam-32jk</link>
      <guid>https://dev.to/yogita/best-practices-for-using-iam-32jk</guid>
      <description>&lt;p&gt;&lt;strong&gt;1. Always lock away your AWS Account Root User Access Key:&lt;/strong&gt;&lt;br&gt;
The access key for your AWS account gives full access to all your resources for all AWS services, including your billing information. Therefore, always protect your AWS account access key just like you would protect your credit card numbers or any other sensitive secret.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Create individual IAM Users:&lt;/strong&gt;&lt;br&gt;
As much as possible you must stay away from using your AWS account root user credentials to access AWS and never give your credentials to anyone else. Instead, always create individual users for anyone who needs access to your AWS account.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Configure a strong password policy for your users:&lt;/strong&gt;&lt;br&gt;
If you allow users to change their passwords, require that they create strong passwords and that they rotate their passwords periodically. You can use the password policy to define password requirements such as minimum length, whether it requires non-alphabetic characters, how frequently it must be rotated, and so on.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Rotate credentials regularly:&lt;/strong&gt;&lt;br&gt;
Change your passwords and access keys regularly and make sure that all IAM users in your account do that as well. That way if a password or access key is compromised without your knowledge, you can limit how long the credentials can be used to access your resources.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Remove unnecessary credentials:&lt;/strong&gt;&lt;br&gt;
Remove IAM user credentials (passwords and access keys) that are not needed. Similarly, if a user does not and will never use access keys, there is no reason for the user to have them. Passwords and access keys that have not been used recently might be good candidates for removal. You can find the unused passwords or access keys using the console, using the API, or by downloading the credentials report.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F22s92t5v4bss0tfjnb1z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F22s92t5v4bss0tfjnb1z.png" alt="Image description" width="800" height="485"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6. Enable MFA for privileged users:&lt;/strong&gt;&lt;br&gt;
For extra security, enable multi-factor authentication (MFA) for privileged IAM users, that is, users who are allowed access to sensitive resources or API operations. With MFA, users have a device that generates a unique authentication code, a one-time password (OTP). Users must provide both their normal credentials and the OTP. The MFA device can either be a special piece of hardware or it can be a virtual device. For example, it can run in an app on a smartphone.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;7. Use groups to assign permissions to IAM users:&lt;/strong&gt;&lt;br&gt;
Instead of defining permissions for individual IAM users, it is usually more convenient to create groups that relate to job functions such as administrators, developers, accounting, etc. Next, define the relevant permissions for each group. Finally, assign IAM users to those groups. All the users in an IAM group inherit the permissions assigned to that group. That way, you can make changes for everyone in a group in just one place.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;8. Use AWS-defined policies to assign permissions whenever possible:&lt;/strong&gt;&lt;br&gt;
AWS recommends that you use the managed policies that are created and maintained by AWS to grant permissions whenever possible. A key advantage of using these policies is that they are maintained and updated by AWS as new services, or new API operations are introduced. But also keep in mind that custom-managed policies are more flexible. Hence, you need to ensure that those policies are defined well and in a secure manner.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;9. Use policy conditions for extra security:&lt;/strong&gt;&lt;br&gt;
To the extent that it is practical, define the conditions under which your IAM policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only within a specified date range or time range.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;10. Grant least privilege:&lt;/strong&gt;&lt;br&gt;
When you create IAM policies, follow the standard security advice of granting least privilege, that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks. Always start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;11. Use access levels to review IAM permissions:&lt;/strong&gt;&lt;br&gt;
When you review a policy, you can view the policy summary, which includes a summary of the access level for each service action within that policy. AWS categorizes each service action into one of four access levels based on what each action does. You can use these access levels to determine which actions to include in your policies.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;12. Use roles to delegate permissions:&lt;/strong&gt;&lt;br&gt;
Never share security credentials between accounts to allow users from another AWS account to access resources in your AWS account. Instead, always use IAM roles. You can define a role that specifies what permissions the IAM users in the other account are allowed. For example, applications that run on an EC2 instance need credentials to access other AWS services. To provide credentials to the application in a secure way, always use IAM roles.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;13. Monitor Activity in your AWS Account:&lt;/strong&gt;&lt;br&gt;
You can use logging features in AWS to determine the actions users have taken in your account and the resources that were used. The log files show the time and date of the actions, the source IP for an action, which actions failed due to inadequate permissions, and more. Logging features are available in Amazon CloudFront, CloudTrail, CloudWatch, Config, and S3.&lt;/p&gt;

</description>
      <category>watercooler</category>
    </item>
    <item>
      <title>Features and Uses of S3(Simple Storage Service)</title>
      <dc:creator>Yogita Sharma</dc:creator>
      <pubDate>Sat, 14 Jan 2023 10:48:47 +0000</pubDate>
      <link>https://dev.to/yogita/features-and-uses-of-s3simple-storage-service-29bl</link>
      <guid>https://dev.to/yogita/features-and-uses-of-s3simple-storage-service-29bl</guid>
      <description>&lt;h2&gt;
  
  
  Main features of S3
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Durability:&lt;/strong&gt; Amazon S3 is designed to deliver 99.99999999% durability of objects over a given year.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Availability:&lt;/strong&gt; The data in S3 is automatically distributed over a minimum of 3 physical availability zones. If one zone is unavailable, the data is still available in the other two zones by a replicated copy.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scalability:&lt;/strong&gt; S3 is managed by AWS and automatically scales up and down depending on the load.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Reliability:&lt;/strong&gt; It is an extremely reliable service.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fast:&lt;/strong&gt; The multipart upload option enables you to upload large objects in parts.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Inexpensive:&lt;/strong&gt; It is the most cost-efficient data storage and archived service.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Secure:&lt;/strong&gt; Server-side encryption and client-side encryption are available, and S3 offers sophisticated integration with AWS CloudTrail to log, monitor and retain storage API call activities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Flexible Storage Management:&lt;/strong&gt; Storage Administrators can classify reports and visualize the data usage trends to reduce cost and improve service levels.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Easy Interface for Data Transfer:&lt;/strong&gt; It has a simple interface to download and retrieve data anytime and from anywhere on the web.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Easy Integration:&lt;/strong&gt; It is supported by thousands of consulting and system integrator partners and independent software vendor partners.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdby7myiue3p8k3m6o2j5.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdby7myiue3p8k3m6o2j5.jpg" alt="Image description" width="550" height="412"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Uses of S3:&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Backup and Recovery:&lt;/strong&gt; Versioning-enabled buckets enable you to recover objects from accidental deletion or overwrite.&lt;br&gt;
Amazon S3 offers a highly durable, scalable, and secure destination for backing up and archiving your critical data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data Archiving:&lt;/strong&gt; Amazon S3 and Amazon Glacier provide a range of storage classes to meet the needs of compliance archives for regulated industries or active archives for organizations that need fast, infrequent access to archived data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data Lake for Big Data Analytics:&lt;/strong&gt; Amazon S3 can be used as your data lake for big data analytics. It helps you manage big data by reducing costs while simultaneously scaling to meet the high demands.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Hybrid Cloud Storage:&lt;/strong&gt; It helps you build hybrid cloud storage, augmenting your existing local storage environment with the durability and scale of Amazon S3.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cloud-Native Application Data:&lt;/strong&gt; S3 provides high-performance, highly available storage that makes it easy to scale and maintain cost-effective mobile and Internet-based apps that run very fast. With S3 you can add any amount of content and access it from anywhere, so you can deploy applications faster and reach customers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Disaster Recovery:&lt;/strong&gt; S3's highly durable, secure, global infrastructure offers a robust disaster recovery solution designed to provide superior data protection.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyhknztz9jr5qna84rci.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyhknztz9jr5qna84rci.png" alt="Image description" width="270" height="186"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>welcome</category>
      <category>community</category>
    </item>
  </channel>
</rss>
