Identity

Cards (34)

  • Zero Trust Model is a security model that operates on the principle of "trust no one, verify everything."
  • Identity becomes the primary security perimeter.
  • Primary security perimeter defines the first line of defense and its security controls that protect a company's cloud resources and assets.
  • Network-Centric way (old way) is traditional security focused on firewalls and VPNs, since there were few employees or workstations outside the office, or they were in specific remote offices.
  • Identity-Centric way (new way) is where bring-your-own-device and remote workstations are much more common, but we can't trust that the employee is in a secure location. MFA or provisional access based on level of risk is used.
  • Identity-Centric way does not replace but augments Network-centric way.
  • Identity Security Controls you can implement on AWS to meet the Zero Trust Model:
    1. IAM Policies
    2. Permission Boundaries
    3. Service Control Policies (Organization-wide Policies)
    4. IAM Policy Conditions
  • Sample IAM Policy Conditions:
    1. aws:SourceIP - restrict on IP Address
    2. aws:RequestedRegion - Restrict on Region
    3. aws:MultiFactorAuthPresent - Restrict if MFA is turned off
    4. aws:CurrentTime - Restrict access based on time of day
  • Directory services map the names of network resources to their network addresses.
  • Directory service is a shared information infrastructure for locating, managing, administering and organizing resources.
  • Example of Directory Services:
    1. Domain Name service
    2. Microsoft Active Directory
    3. Apache Directory Server
    4. Oracle Internet Directory (OID)
    5. OpenLDAP
    6. Cloud Identity
    7. JumpCloud
  • Identity Provider (IdP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to applications within a federation or distributed network.
  • Federated Identity is a method of linking a user's identity across multiple separate identity management systems.
  • Examples of Federated Identity:
    1. OpenID - is about proving who you are
    2. OAuth2.0 - is about granting access to functionality
    3. SAML - single sign on via web browser
  • Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to different systems and software.
  • Login for SSO is seamless: once a user is logged into their primary directory, they are not presented with another login screen.
  • Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network.
  • Multi-Factor Authentication (MFA) is a security control where, after you fill in your credentials, you have to use a second device such as a phone to confirm that it is you logging in.
  • Security Key is a secondary device used as second step in authentication process to gain access to a device, workstation or application.
  • AWS Identity and Access Management (IAM) lets you create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
  • IAM Policies are JSON documents which grant permissions for a specific user, group, or role to access services. Policies are attached to IAM Identities.
  • IAM Permission is an API action that can or cannot be performed. Permissions are represented in the IAM Policy document.
  • IAM Users are end users who log into the console or interact with AWS resources programmatically or via clicking UI interfaces.
  • IAM Groups - they group up your users so they all share the permission levels of the group. E.g. Administrators, Developers, Auditors, etc.
  • IAM Policies are written in JSON and contain the permission which determine what API actions are allowed or denied.
  • Principle of Least Privilege (PoLP) is the computer security concept of providing a user, role, or application the least amount of permissions to perform an operation or action.
  • Just-Enough-Access (JEA) is permitting only the exact actions for the identity to perform a task.
  • Just-in-time (JIT) is permitting the smallest length of duration an identity can use permissions.
  • Risk-based Adaptive Policies are when each attempt to access a resource generates a risk score of how likely the request is to be from a compromised source. Factors can include device, user location, IP address, etc.
  • AWS Account is the account which holds all your AWS resources.
  • AWS Account Root User is a special account with full access that cannot be deleted.
  • AWS Account User is a user for common tasks that is assigned permissions.
  • Tasks that only Root User can perform:
    1. Change your account settings.
    2. Restore IAM user permissions.
    3. Activate IAM access to the Billing and Cost Management console.
    4. View certain tax invoices.
    5. Close your AWS account.
    6. Change or Cancel AWS Support plan.
    7. Register as a seller in the Reserved Instance Marketplace.
    8. Enable MFA Delete on an S3 bucket.
    9. Edit an Amazon S3 bucket policy.
  • AWS Single Sign-on is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.