AWS Solution Architect(Associate) - Topic 4: Advanced IAM

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.

Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

[toc]

Advanced IAM

AWS Directory Service

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD), enables your directory-aware workloads and AWS resources to use managed Active Directory (AD) in AWS.

https://aws.amazon.com/rds/faqs/

AWS	Customer
Multi-AZ Deployment	Users, Groups, GPOs
Patch, Monitor, Recover	Standard AD Tools
Instance Rotation	Scale out DCs
Snapshot and Restore	Trusts (Resource Forest)
	Certificate Authorities
	Federation

User Case

• Provide your on-premises AD users quick access to AWS
• Leverage integrations with Amazon RDS and Amazon FSx
• Enable single sign-on experience for AWS End User Computing services
• Give your on-premises AD users federated access to the AWS Management Console and AWS CLI quickly
• Grant your on-premises AD users single-click access to cloud business applications

AD Compatible	Not AD Compatible
Managed Microsoft AD	Cloud Directory
AD Connector	Cognito User Pools
Simple AD

Simple AD

• Standalone managed directory
• Basic AD features
• Small: <= 500; Large <= 5000 users
• Easier to manage EC2
• Linux workloads that need LDAP
• Does not support trusts (can’t join on-promises AD)

AD Connector

• Directory gateway (proxy) for on-premises AD
• Avoid caching information in the cloud
• Allow on-premises users to log in to AWS using AD
• Join EC2 instances to your existing AD domain
• Scale across multiple AD Connectors

Cloud Directory

• Directory-based store for developers
• Multiple hierarchies with hundreds of millions of objects
• Use cases: org charts, course catalogs, device registries
• Full managed service

Amazon Cognito User Pools

• Managed user directory for SaaS application
• Sign-ip and sign-in for web or mobile
• Works with social media identities

IAM Policies

Amazon Resource Name (ARN)

• begin with: arn:partition:service:region:account_id

IAM Policies

Not explicitly allowed == implicity denied

• JSON document that defines permissions
• Identity Policy & Resource Policy
• No effect until attached
• List of Statements (Effect/Action/Resource)

Permission Boundaries

• Used to delegate administration to other users
• Prevent privilege escalation or unnecessarily broad permissions
• Control maximum permissions an IAM policy can grant
• Use Cases
  • Developers creating roles for Lambda functions
  • Application owners creating roles for EC2 instances
  • Administrator creating ad hoc users

AWS Resource Access Manager (RAM)

RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own.

• Here is a detailed blog using Resource Access Manager to achieve Cross-Account Resource Sharing

You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.

AWS Single Sign-On

Centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.