AWS Solution Architect(Associate) - Topic 4: Advanced IAM

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.

Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Using IAM, you can control who can access which AWS resources, and what they are allowed to do with them.


Advanced IAM

AWS Directory Service

How it works

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD), enables your directory-aware workloads and AWS resources to use managed Active Directory (AD) in AWS.

https://aws.amazon.com/rds/faqs/

Shared responsibility for AWS Managed Microsoft AD:

AWS manages
  • Multi-AZ deployment
  • Patch, monitor, recover
  • Instance rotation
  • Snapshot and restore

Customer manages
  • Users, groups, GPOs
  • Standard AD tools
  • Scale out DCs
  • Trusts (resource forest)
  • Certificate authorities
  • Federation

Use Cases

  • Provide your on-premises AD users quick access to AWS
  • Leverage integrations with Amazon RDS and Amazon FSx
  • Enable single sign-on experience for AWS End User Computing services
  • Give your on-premises AD users federated access to the AWS Management Console and AWS CLI quickly
  • Grant your on-premises AD users single-click access to cloud business applications
AD compatible
  • Managed Microsoft AD
  • AD Connector
  • Simple AD

Not AD compatible
  • Cloud Directory
  • Cognito User Pools

Simple AD

  • Standalone managed directory
  • Basic AD features
  • Small: <= 500 users; Large: <= 5,000 users
  • Easier management of EC2 instances (domain join)
  • Linux workloads that need LDAP
  • Does not support trusts (cannot be joined to an on-premises AD)

AD Connector

  • Directory gateway (proxy) for on-premises AD
  • Avoids caching directory information in the cloud; requests are forwarded to the on-premises domain controllers
  • Allows on-premises users to log in to AWS with their existing AD credentials
  • Join EC2 instances to your existing AD domain
  • Scale across multiple AD Connectors

Cloud Directory

  • Directory-based store for developers
  • Multiple hierarchies with hundreds of millions of objects
  • Use cases: org charts, course catalogs, device registries
  • Fully managed service

Amazon Cognito User Pools

  • Managed user directory for SaaS applications
  • Sign-up and sign-in for web or mobile apps
  • Works with social identity providers (e.g. Google, Facebook) and SAML/OIDC identity providers

IAM Policies

Amazon Resource Name (ARN)

  • General form: arn:partition:service:region:account-id:resource (e.g. arn:aws:iam::123456789012:user/alice); region and/or account-id are left empty for global or account-independent resources such as IAM entities and S3 buckets

IAM Policies

Not explicitly allowed == implicitly denied; an explicit Deny always overrides an Allow.

  • JSON document that defines permissions
  • Identity-based policies (attached to users, groups, roles) and resource-based policies (attached to the resource itself, e.g. an S3 bucket policy, and therefore carrying a Principal element)
  • No effect until attached
  • List of Statements (Effect/Action/Resource, plus an optional Condition)

Permission Boundaries

  • Used to safely delegate permission management (e.g. creating roles) to non-administrators
  • Prevent privilege escalation or unnecessarily broad permissions
  • Control the maximum permissions an identity-based policy can grant to a user or role; the boundary itself grants nothing, and the effective permissions are the intersection of the boundary and the identity-based policies
  • Use Cases
    • Developers creating roles for Lambda functions
    • Application owners creating roles for EC2 instances
    • Administrator creating ad hoc users
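The ARN format, the "implicit deny / explicit deny wins" rule and the intersection behaviour of permission boundaries are easier to see when run against a few concrete policies. The script below is an added example, not code from these notes or from AWS; it is a deliberately simplified model of the documented evaluation logic (identity-based policies and a boundary only: no Condition, NotAction, resource-based policies, SCPs or session policies), and the account id 123456789012, the bucket app-bucket and the role names are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    """The fields of arn:partition:service:region:account-id:resource."""
    partition: str
    service: str
    region: str
    account_id: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields; the resource part may itself contain colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def _statement_matches(statement: dict, action: str, resource_arn: str) -> bool:
    # Action names are case-insensitive; resource ARNs are matched case-sensitively.
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return any(_glob(a.lower(), action.lower()) for a in actions) and any(
        _glob(r, resource_arn) for r in resources
    )


def evaluate_policy(policy: dict, action: str, resource_arn: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    decision = "ImplicitDeny"  # nothing matched: not explicitly allowed == implicitly denied
    for statement in _as_list(policy.get("Statement", [])):
        if not _statement_matches(statement, action, resource_arn):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def is_allowed(action: str, resource_arn: str, identity_policies: list,
               boundary: Optional[dict] = None) -> bool:
    """Combine the identity-based policies with an optional permission boundary."""
    parse_arn(resource_arn)  # reject malformed ARNs early
    results = [evaluate_policy(p, action, resource_arn) for p in identity_policies]
    if "Deny" in results or "Allow" not in results:
        return False
    if boundary is not None:
        # The boundary grants nothing by itself: the effective permissions are the
        # intersection of what the identity policies allow and what the boundary allows.
        return evaluate_policy(boundary, action, resource_arn) == "Allow"
    return True


# Constructed sample data (hypothetical account 123456789012 and bucket "app-bucket").
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
        {"Effect": "Allow", "Action": "iam:CreateRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Boundary an administrator attaches to the developer: read S3 and write objects, nothing else.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:PutObject"], "Resource": "*"},
    ],
}

CHECKS = {
    "get object": ("s3:GetObject", "arn:aws:s3:::app-bucket/config.json"),
    "delete object": ("s3:DeleteObject", "arn:aws:s3:::app-bucket/config.json"),
    "delete bucket": ("s3:DeleteBucket", "arn:aws:s3:::app-bucket"),
    "create lambda role": ("iam:CreateRole", "arn:aws:iam::123456789012:role/lambda-ingest"),
    "create admin role": ("iam:CreateRole", "arn:aws:iam::123456789012:role/admin"),
    "create user": ("iam:CreateUser", "arn:aws:iam::123456789012:user/someone"),
}


def demo() -> dict:
    """Decision for each check as (identity policy only, identity policy plus boundary)."""
    return {
        name: (is_allowed(action, arn, [DEVELOPER_POLICY]),
               is_allowed(action, arn, [DEVELOPER_POLICY], DEVELOPER_BOUNDARY))
        for name, (action, arn) in CHECKS.items()
    }


if __name__ == "__main__":
    for name, (plain, bounded) in demo().items():
        print(f"{name:20s} identity policy only: {plain!s:6s} with boundary: {bounded}")
```

Running it shows the three rules side by side: "delete bucket" is refused in both columns because the explicit Deny wins over the s3:* Allow; "create user" and "create admin role" are refused because no statement allows them; and "delete object" and "create lambda role" flip from allowed to denied once the boundary is applied, even though the developer's own policy still says Allow.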

AWS Resource Access Manager (RAM)

RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own.

How it works

You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.

AWS Single Sign-On

Centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.

How it works

Author

Haojun(Vincent) Gao

Posted on

2021-01-08

Updated on

2022-02-22
