AWS Security, Audit and Compliance.

AWS Identity and Access Management:

IAM is used to securely control individual and group access to AWS resources and provides centralized control over your AWS account.

IAM can be used to manage: users, groups, access policies, roles, user credentials, user password policies, multi-factor authentication (MFA), and API keys for programmatic access (CLI).

Features of IAM:

  • By default, newly created users are not granted any access to resources; explicit permissions must be granted to a user.
  • An IAM user has three components: a user name, a password and permissions to access various resources.
  • Access to an AWS account can also be granted through identity federation (e.g. AD, Facebook) without creating an IAM user account.
  • IAM is not applicable to application-level authentication.
  • IAM is universal (global) and does not apply to regions.
  • IAM is eventually consistent.
  • The root account, created while setting up the AWS account, has all access by default and should not be used for anything other than billing.
  • IAM can issue temporary security credentials to give users temporary access to services/resources.
  • You can assign AWS security credentials to your IAM users by using the API, CLI, or AWS Management Console.
  • To sign in you must provide your account ID or account alias in addition to a user name and password. The sign-in URL includes the account ID or account alias, e.g.:
  • IAM policies are stored in IAM as JSON documents and contain the permissions that are allowed or denied.
  • IAM policies can be user (identity) based policies or resource-based policies.
  • Evaluation logic:
      • By default, all requests are denied (implicit deny).
      • An explicit allow overrides the implicit deny.
      • An explicit deny overrides any explicit allow.

Authentication Methods in IAM:

1. Console: The user must be given a password to sign in to the AWS Management Console. The user can change the console password.

2. Access keys: You can use the AWS Management Console to manage an IAM user's access keys. A combination of an access key ID and a secret access key is generated.

You can assign two active access keys to a user at a time.

The secret access key is returned only at creation time; if it is lost, a new key must be created.

Ensure access keys and secret access keys are stored securely.

Users can be given permission to change their own keys through an IAM policy (not from the console).

You can disable a user's access key, which prevents it from being used for API calls.

Access keys are used to make programmatic calls to AWS from program code using the API, or at a command prompt using the AWS CLI or the AWS PowerShell tools.

Best practice is to regularly rotate (change) IAM user access keys. If your administrator has granted you the necessary permissions, you can rotate your own access keys.

3. Server certificates: AWS recommends that you use AWS Certificate Manager (ACM) to provision, manage and deploy your server certificates.
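The rotation procedure described above (create a second key, move the workload to it, deactivate the old key, then delete it), as an added example that is not part of the original notes. `FakeIAM` is a constructed in-memory stand-in for boto3's IAM client: it exposes `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key` with the real parameter names and response shapes, so the two functions below can be pointed at a real client. `deploy_new_key` is a hypothetical callback that installs the new credentials wherever the workload reads them and reports whether that succeeded.

```python
"""Rotate an IAM user's access key while respecting the two-keys-per-user limit.

Added example, not from the original page. FakeIAM is a constructed offline
stand-in for boto3.client("iam"); deploy_new_key is a hypothetical callback.
"""
from datetime import datetime, timedelta, timezone
import secrets

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


class FakeIAM:
    """Constructed model of a few boto3 IAM client methods (offline stand-in)."""

    def __init__(self, keys):
        # {user: [{"AccessKeyId": ..., "Status": "Active"|"Inactive", "CreateDate": datetime}]}
        self._keys = keys

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        user_keys = self._keys.setdefault(UserName, [])
        if len(user_keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: cannot exceed quota for AccessKeysPerUser: 2")
        key = {"AccessKeyId": "AKIA" + secrets.token_hex(8).upper(), "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        user_keys.append(key)
        # As with real IAM, the secret is returned here and never again.
        return {"AccessKey": dict(key, SecretAccessKey=secrets.token_urlsafe(30))}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self._keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError("NoSuchEntity: " + AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName] = [k for k in self._keys[UserName] if k["AccessKeyId"] != AccessKeyId]
        return {}


def keys_older_than(iam, user, max_age_days):
    """Audit helper: IDs of the user's access keys created more than max_age_days ago."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            if k["CreateDate"] < cutoff]


def rotate_access_key(iam, user, old_key_id, deploy_new_key, delete_old=True):
    """Replace old_key_id with a fresh key: create, deploy, then retire the old one."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if old_key_id not in {k["AccessKeyId"] for k in keys}:
        raise ValueError(f"{old_key_id} is not an access key of {user}")
    if len(keys) >= MAX_KEYS_PER_USER:
        # Both slots are taken: an unused key has to go before a new one can be created.
        raise RuntimeError(f"{user} already has {MAX_KEYS_PER_USER} access keys; delete an unused one first")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    if not deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"]):
        # Roll back: the new key was never used anywhere, so deleting it is safe.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key could not be deployed; old key left untouched")
    # Deactivate before deleting: an Inactive key can be re-enabled if something
    # still depends on it, a deleted key cannot.
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if delete_old:
        iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return new["AccessKeyId"]


def demo():
    """Constructed sample: one user with a single 120-day-old active key."""
    iam = FakeIAM({"deploy-bot": [{"AccessKeyId": "AKIAEXAMPLEOLD00001", "Status": "Active",
                                   "CreateDate": datetime.now(timezone.utc) - timedelta(days=120)}]})
    stale = keys_older_than(iam, "deploy-bot", 90)
    new_id = rotate_access_key(iam, "deploy-bot", stale[0], deploy_new_key=lambda key_id, secret: True)
    remaining = [(k["AccessKeyId"], k["Status"])
                 for k in iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"]]
    return stale, new_id, remaining


if __name__ == "__main__":
    print(demo())
```

The deactivate-then-delete order is deliberate: deactivation is reversible, so a workload that was missed during the switch-over can be rescued by re-enabling the old key, whereas a deleted key is gone together with its secret.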

IAM Users, groups, Roles and Polices explained:

1. IAM user: By default, a newly created user has no access in the account.

The root account has all access by default. 5000 IAM users can be created in an account.

Each IAM user has a unique ARN which identifies the user across AWS.

Best practice is to create individual IAM accounts for users and not to share accounts.

The access key ID and secret access key are not the same as the password and cannot be used to log in to the console.

A password policy can be applied to all users.

You can allow or disallow IAM users to change their passwords using IAM policies.

2. Groups: Groups are collections of users with policies attached to them. You can use groups to assign permissions to users.

A group is not an identity and cannot be named as a principal in an IAM policy. You cannot nest groups (groups within groups).

Use the principle of least privilege when assigning permissions.

3. Roles: Roles are created for and assumed by trusted entities, and are assigned a set of permissions for making service requests.

With roles you delegate permissions without granting permanent credentials to users and services; an IAM user can assume a role to obtain temporary security credentials for a task.

A role can also be assigned to a federated user who signs in using an external identity. A role can be assumed temporarily through the console, the AWS CLI or the APIs.

Role delegation: You can create an IAM role with the following two policies:
Permission policy: grants users of the role the required permissions.
Trust policy: specifies the trusted accounts that can assume the role. A permission policy must also be attached to the user in the trusted account.

4. Policies: Policies are documents that define permissions and can be applied to users, groups and roles.

Policy documents are written in JSON. All permissions are implicitly denied by default.

The IAM Policy Simulator is a tool to help you understand, test and validate the effect of applying access control policies.

AWS Security token service (STS)

  • STS: AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-period credentials for IAM users.
  • STS is a global service and all AWS STS requests go to a single endpoint at
  • All regions are enabled for STS by default, but can be disabled.
  • Regions in which temporary credentials are required must be enabled.
  • Credentials will always work globally.

AWS STS API temporary security credentials consists of:

  • Access key ID and secret access key
  • Session token
  • Expiration (duration of validity)
  • Users can use these credentials to access resources.

Advantages of STS:

  • No need to distribute or maintain long term AWS Security credentials with an application.
  • Access can be provided to AWS resources without defining an AWS identity to them.
  • You can specify how long the credentials are valid, up to a maximum limit.
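The three-part temporary credential (access key ID, secret access key, session token) with its expiration, obtained through STS AssumeRole and refreshed before it runs out, as an added example that is not part of the original notes. `FakeSTS` is a constructed stand-in for boto3's STS client: its `assume_role` takes the real parameter names and returns the real response shape, and it enforces the real `DurationSeconds` bounds (at least 900 seconds, at most the role's maximum session duration, assumed here to be the 1 hour default). The role ARN, account ID and `FakeClock` are constructed for the example.

```python
"""Temporary credentials from STS AssumeRole, refreshed before they expire.

Added example, not from the original page. FakeSTS and FakeClock are
constructed offline stand-ins; the role ARN and account ID are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


class FakeClock:
    """Controllable clock so the refresh behaviour can be exercised offline."""

    def __init__(self, start):
        self.current = start

    def now(self):
        return self.current

    def advance(self, seconds):
        self.current += timedelta(seconds=seconds)


class FakeSTS:
    MIN_DURATION = 900  # AssumeRole rejects anything shorter

    def __init__(self, clock, max_session_duration=3600):
        self.clock = clock
        self.max_session_duration = max_session_duration  # assumed role setting (1 h default)
        self.calls = 0  # how many times AssumeRole was invoked

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        if not self.MIN_DURATION <= DurationSeconds <= self.max_session_duration:
            raise ValueError("ValidationError: DurationSeconds outside the allowed range")
        self.calls += 1
        return {
            "Credentials": {
                # "ASIA" prefix marks temporary keys, as opposed to "AKIA" long-term keys
                "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
                "SecretAccessKey": secrets.token_urlsafe(30),
                "SessionToken": secrets.token_urlsafe(60),
                "Expiration": self.clock() + timedelta(seconds=DurationSeconds),
            },
            "AssumedRoleUser": {"Arn": RoleArn.replace(":role/", ":assumed-role/") + "/" + RoleSessionName},
        }


@dataclass
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str  # must accompany the key pair on every signed request
    expiration: datetime

    def expires_within(self, seconds, now):
        return self.expiration - now <= timedelta(seconds=seconds)


class RefreshingCredentialProvider:
    """Hands out temporary credentials and re-assumes the role shortly before expiry."""

    def __init__(self, sts, role_arn, session_name, clock, duration=3600, refresh_margin=300):
        self.sts, self.role_arn, self.session_name, self.clock = sts, role_arn, session_name, clock
        self.duration, self.refresh_margin = duration, refresh_margin
        self._creds = None

    def get(self):
        now = self.clock()
        if self._creds is None or self._creds.expires_within(self.refresh_margin, now):
            c = self.sts.assume_role(RoleArn=self.role_arn, RoleSessionName=self.session_name,
                                     DurationSeconds=self.duration)["Credentials"]
            self._creds = TemporaryCredentials(c["AccessKeyId"], c["SecretAccessKey"],
                                               c["SessionToken"], c["Expiration"])
        return self._creds


def demo():
    """Walk a constructed clock through one session: reuse, then refresh near expiry."""
    clock = FakeClock(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    sts = FakeSTS(clock.now)
    provider = RefreshingCredentialProvider(sts, "arn:aws:iam::123456789012:role/AuditReadOnly",
                                            "audit-job", clock.now)
    first = provider.get()
    clock.advance(30 * 60)          # 30 min in: still valid, reused
    second = provider.get()
    clock.advance(26 * 60)          # 56 min in: inside the 5-minute refresh margin
    third = provider.get()
    return sts.calls, first.access_key_id == second.access_key_id, third.access_key_id != first.access_key_id


if __name__ == "__main__":
    print(demo())
```

The refresh margin matters in practice: a request signed with credentials that expire mid-flight fails, so the provider re-assumes the role a few minutes early rather than at the exact expiration time.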

Users can come from three sources:

1. Identity federation with a corporate directory (e.g. Active Directory):
  • Uses SAML 2.0.
  • Grants temporary access based on the user's AD credentials.
  • The user does not need to exist in IAM.
  • Single sign-on allows users to log in to the AWS console without being assigned IAM credentials.

2. Federation with mobile apps: use Facebook/Amazon/Google to log in.

3. Cross-account access: lets a user in one AWS account access resources in another AWS account. For this to be possible, the resource being accessed must have an attached resource-based policy with the required permission.

AWS Directory Services:

AWS Managed Microsoft AD: This enables users to access AWS applications and resources with their on-premises AD credentials.

With AWS Managed Microsoft AD, you can easily enable your Active Directory-aware workloads and AWS resources to use an actual managed Microsoft Active Directory in the AWS Cloud.

You can integrate AWS Managed Microsoft AD easily with your existing Active Directory by using Active Directory trust relationships.

AWS Managed Microsoft AD is run as a managed service. With this directory type, two highly available domain controllers are created and attached to your VPC.

Domain controllers run on Windows Server 2012 R2 and are built across multiple Availability Zones for better redundancy: each domain controller is spun up in a different Availability Zone.

You can configure a trust relationship between AWS Managed Microsoft AD in the AWS cloud and your existing on-premises Microsoft Active Directory. This benefits users and groups that need to access resources in either domain with single sign-on (SSO).

Simple AD: Simple AD is a standalone managed directory powered by a Linux/Samba Active Directory-compatible server.

Since it is a basic, standalone version of AD, you cannot join it to an on-premises AD, as domain trusts are not supported. But Simple AD does help to manage EC2 instances easily, as well as any Linux flavours that might require LDAP.

AD Connector: AD Connector acts as a mediator to connect an on-premises Active Directory to the cloud.

AD Connector is a proxy for redirecting directory requests to your existing Microsoft Active Directory without caching any information in the cloud.
Small AD: for smaller organizations of 500 users.
Large AD: for larger organizations of up to 5000 users.

The benefit of using an AD Connector is that it removes the need for directory synchronization.

When a user logs in to an AWS application, AD Connector forwards the sign-in request to your on-premises domain controllers. AD Connector supports an MFA RADIUS-based infrastructure, which Simple AD does not.

You can also join your EC2 instances to Active Directory with the use of an AD Connector.

Amazon Cognito User Pools: Amazon Cognito makes it easy for mobile and web apps to add authentication, user management, and data synchronization without having to write backend code or manage any infrastructure.

Among other functionality, the User Pools feature makes it easy for developers to add sign-up and sign-in functionality to web apps.

This feature also provides enhanced security functionality such as email verification, phone number verification, and multi-factor authentication.

AWS Organizations:

  • AWS Organizations helps you centrally manage and govern AWS resources. Using AWS Organizations you can:
      • programmatically create new AWS accounts and allocate resources,
      • group accounts to organize your workflows,
      • apply policies to accounts or groups for governance,
      • simplify billing by using a single payment method for all of your accounts.
  • AWS Organizations is a global service with a single endpoint that works from any and all AWS Regions. You don't need to explicitly select a region to operate in.
  • AWS Organizations is offered at no additional charge. You are charged only for the AWS resources that users and roles in your member accounts use.
  • The hierarchy is a root with organizational units (OUs) and the AWS accounts behind the OUs. Policies can be assigned at different points in the hierarchy.
  • Available in two feature sets: consolidated billing and all features.
  • Consolidated billing separates paying accounts and linked accounts.
  • Limit of 20 linked accounts for consolidated billing (default).
  • Can help with cost control through volume discounts.
  • Unused reserved EC2 instances are applied across the group.
  • Paying accounts should be used for billing purposes only.
  • Billing alerts can be set up at the paying account, which shows billing for all linked accounts.
  • Resource groups: resource groups allow you to group resources and then tag them.
  • Tag editor: assists with finding resources and adding tags.
  • Resource groups contain information such as: region, name, health checks.


AWS Key Management Service (KMS):

  • AWS Key Management Service (KMS) is a managed service that enables you to easily encrypt your data.
  • AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.
  • AWS KMS allows you to centrally manage and securely store your keys. These are known as customer master keys or CMKs.
  • You can generate CMKs in KMS or in an AWS CloudHSM cluster, or import them from your own key management infrastructure.
  • These master keys are protected by hardware security modules (HSMs).
  • You can submit data directly to KMS to be encrypted or decrypted using these master keys. You set usage policies on these keys that determine which users can use them to encrypt and decrypt data, and under which conditions. KMS is tightly integrated into many AWS services such as Lambda, S3, EBS, EFS, DynamoDB, SQS etc.
  • You can control who manages and accesses keys via IAM users and roles. You can audit the use of keys via CloudTrail. KMS differs from Secrets Manager in that it is purpose-built for encryption key management. KMS is validated by many compliance schemes (e.g. PCI DSS Level 1, FIPS 140-2 Level 2).
  • Custom key store: the AWS KMS custom key store feature combines the controls provided by AWS CloudHSM with the integration and ease of use of AWS KMS.
  • You can configure your own CloudHSM cluster and authorize KMS to use it as a dedicated key store for your keys rather than the default KMS key store.
  • When you create keys in KMS you can choose to generate the key material in your CloudHSM cluster.
  • Master keys that are generated in your custom key store never leave the HSMs in the CloudHSM cluster in plaintext, and all KMS operations that use those keys are performed only in your HSMs.
  • In all other respects, master keys stored in your custom key store are consistent with other KMS CMKs.
  • Key deletion: you can schedule a customer master key and its associated metadata that you created in AWS KMS for deletion, with a configurable waiting period from 7 to 30 days.
  • The default waiting period is 30 days. You can cancel key deletion during the waiting period.
  • Limits:
      • You can create up to 1000 customer master keys per account per region.
      • As both enabled and disabled customer master keys count towards the limit, AWS recommends deleting disabled keys that you no longer use.
      • AWS managed master keys created on your behalf for use within supported AWS services do not count against this limit.
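The key deletion waiting period described above, and the key-state changes around it, as an added example that is not part of the original notes. `FakeKMS` is a constructed stand-in for boto3's KMS client using the real method and parameter names (`schedule_key_deletion`, `cancel_key_deletion`, `enable_key`, `describe_key`, `encrypt`), so `retire_key` and `recover_key` can be pointed at a real client. It enforces the 7 to 30 day window (default 30) and models the transitions Enabled, PendingDeletion, Disabled after a cancel, and Enabled again; the fact that a cancelled deletion leaves the key Disabled rather than Enabled goes slightly beyond the notes. Key IDs and the clock are constructed placeholders.

```python
"""KMS key deletion: the waiting period and the key-state changes around it.

Added example, not from the original page. FakeKMS is a constructed offline
stand-in for boto3.client("kms"); key IDs and the clock are placeholders.
"""
from datetime import datetime, timedelta, timezone


class FakeKMS:
    def __init__(self, key_ids, clock):
        self.clock = clock
        self._keys = {k: {"KeyId": k, "KeyState": "Enabled", "Enabled": True, "DeletionDate": None}
                      for k in key_ids}

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId])}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays=30):
        if not 7 <= PendingWindowInDays <= 30:
            raise ValueError("ValidationException: PendingWindowInDays must be between 7 and 30")
        k = self._keys[KeyId]
        if k["KeyState"] == "PendingDeletion":
            raise RuntimeError("KMSInvalidStateException: key is already pending deletion")
        k.update(KeyState="PendingDeletion", Enabled=False,
                 DeletionDate=self.clock() + timedelta(days=PendingWindowInDays))
        return {"KeyId": KeyId, "DeletionDate": k["DeletionDate"]}

    def cancel_key_deletion(self, KeyId):
        k = self._keys[KeyId]
        if k["KeyState"] != "PendingDeletion":
            raise RuntimeError("KMSInvalidStateException: key is not pending deletion")
        # Cancelling leaves the key Disabled; it is not usable until explicitly re-enabled.
        k.update(KeyState="Disabled", Enabled=False, DeletionDate=None)
        return {"KeyId": KeyId}

    def enable_key(self, KeyId):
        k = self._keys[KeyId]
        if k["KeyState"] == "PendingDeletion":
            raise RuntimeError("KMSInvalidStateException: cancel the deletion first")
        k.update(KeyState="Enabled", Enabled=True)
        return {}

    def encrypt(self, KeyId, Plaintext):
        # Only the state check is modelled; no real cryptography happens here.
        if self._keys[KeyId]["KeyState"] != "Enabled":
            raise RuntimeError("KMSInvalidStateException: key is not Enabled")
        return {"KeyId": KeyId, "CiphertextBlob": b"<constructed ciphertext>"}


def retire_key(kms, key_id, waiting_days=30):
    """Schedule deletion and return the date after which the key material is gone for good."""
    return kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=waiting_days)["DeletionDate"]


def recover_key(kms, key_id):
    """Cancel a pending deletion and bring the key back into service; returns both states seen."""
    kms.cancel_key_deletion(KeyId=key_id)
    after_cancel = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    kms.enable_key(KeyId=key_id)
    after_enable = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    return after_cancel, after_enable


def is_usable(kms, key_id):
    """Probe whether the key can currently serve an Encrypt call."""
    try:
        kms.encrypt(KeyId=key_id, Plaintext=b"probe")
        return True
    except RuntimeError:
        return False


def demo():
    key = "constructed-key-0001"
    kms = FakeKMS([key], clock=lambda: datetime(2024, 1, 1, tzinfo=timezone.utc))
    deletion_date = retire_key(kms, key, waiting_days=7)
    usable_while_pending = is_usable(kms, key)   # data under this key is unreadable meanwhile
    states = recover_key(kms, key)
    return deletion_date.date().isoformat(), usable_while_pending, states, is_usable(kms, key)


if __name__ == "__main__":
    print(demo())
```

The waiting period is the safety net: while a key is PendingDeletion nothing encrypted under it can be decrypted, which is exactly the signal that surfaces a forgotten dependency before the key material is destroyed for good.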

AWS CloudHSM :

  • The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud.
  • A Hardware Security Module (HSM) provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the hardware.
  • When you use the AWS CloudHSM service you create a CloudHSM cluster. Clusters can contain multiple HSM instances, spread across multiple Availability Zones in a region. HSM instances in a cluster are automatically synchronized and load-balanced.

AWS Single Sign-On (AWS SSO):

You can connect your corporate Microsoft Active Directory to AWS SSO so that your users can sign in to the user portal with their user names and passwords to access the AWS accounts and applications to which you have granted them access.


AWS WAF (Web Application Firewall):

AWS WAF (Web Application Firewall) is available on the Application Load Balancer (ALB). You can use AWS WAF directly on Application Load Balancers (both internal and external) in a VPC to protect your websites and web services. With this launch, customers can use AWS WAF on both Amazon CloudFront and Application Load Balancer.

AWS WAF is a web application firewall service that lets you monitor web requests and protect your web applications from malicious requests. Use AWS WAF to block or allow requests based on conditions that you specify, such as IP addresses. You can also use AWS WAF preconfigured protections to block common attacks like SQL injection or cross-site scripting.

Service Control Policies:

Scalable + single point of maintenance + limiting access to specific services or actions in all of the team's AWS accounts = use service control policies.

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization's access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs are not available if your organization has enabled only the consolidated billing features.

SCPs alone are not sufficient for allowing access in the accounts in your organization. Attaching an SCP to an AWS Organizations entity (root, organizational unit (OU), or account) defines a guardrail for what actions the principals can perform. You still need to attach identity-based or resource-based policies to principals or resources in your organization's accounts to actually grant permissions to them. When a principal belongs to an account that is a member of an organization, the SCPs contribute to the principal's effective permissions.
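The rules these notes give in several places, as one added example that is not part of the original notes or of any AWS library: the IAM evaluation logic (implicit deny, explicit allow, explicit deny wins), the cross-account requirement that both the permission policy in the calling account and the resource-based policy on the target allow the request, and the SCP as a guardrail that caps permissions without granting any. `evaluate` and `is_authorized` are a deliberately small model, not AWS's evaluation engine; it goes slightly beyond the notes in matching `*` wildcards in `Action` and `Resource` and in honouring the `Principal` element of a resource policy. Policy documents, account IDs and ARNs below are constructed samples.

```python
"""Toy IAM-style policy evaluator.

Added example, not from the original page and not AWS's engine. All policy
documents, account IDs and ARNs are constructed samples.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style "*" and "?" wildcards in Action and Resource elements
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal):
    spec = statement.get("Principal")
    if spec is None or spec == "*":   # identity policies and SCPs carry no Principal
        return True
    return _matches(spec.get("AWS", []), principal)


def evaluate(policies, principal, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a list of policy documents."""
    verdict = "ImplicitDeny"                     # nothing is allowed until a statement says so
    for doc in policies:
        for st in _as_list(doc.get("Statement", [])):
            if not (_principal_matches(st, principal)
                    and _matches(st.get("Action", []), action)
                    and _matches(st.get("Resource", "*"), resource)):
                continue
            if st["Effect"] == "Deny":
                return "Deny"                    # an explicit deny ends evaluation
            verdict = "Allow"                    # an explicit allow lifts the implicit deny
    return verdict


def is_authorized(principal, action, resource, identity_policies, scps=(),
                  resource_policy=None, cross_account=False):
    if scps and evaluate(scps, principal, action, resource) != "Allow":
        return False                             # SCP guardrail: must allow, never grants on its own
    ident = evaluate(identity_policies, principal, action, resource)
    res = evaluate([resource_policy], principal, action, resource) if resource_policy else "ImplicitDeny"
    if "Deny" in (ident, res):
        return False
    if cross_account:
        return ident == "Allow" and res == "Allow"   # both sides must grant the access
    return ident == "Allow" or res == "Allow"


AUDITOR = "arn:aws:iam::111111111111:role/Auditor"   # constructed principal in account A

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::team-logs", "arn:aws:s3:::team-logs/*", "arn:aws:s3:::partner-bucket/*"]},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

# Organization guardrail: full access minus the ability to switch off CloudTrail logging.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}]}

# Bucket policy in account B (222222222222) trusting the auditor role from account A.
PARTNER_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": AUDITOR}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::partner-bucket/*"}]}


def sample_decisions():
    common = dict(identity_policies=[IDENTITY_POLICY], scps=[SCP])
    log = "arn:aws:s3:::team-logs/2024/app.log"
    partner = "arn:aws:s3:::partner-bucket/report.csv"
    return {
        "read_team_logs": is_authorized(AUDITOR, "s3:GetObject", log, **common),          # explicit allow
        "write_team_logs": is_authorized(AUDITOR, "s3:PutObject", log, **common),         # implicit deny
        "delete_team_logs": is_authorized(AUDITOR, "s3:DeleteObject", log, **common),     # explicit deny wins
        "describe_trails": is_authorized(AUDITOR, "cloudtrail:DescribeTrails", "*", **common),
        "stop_logging": is_authorized(AUDITOR, "cloudtrail:StopLogging",
                                      "arn:aws:cloudtrail:eu-west-1:111111111111:trail/main", **common),
        "partner_read_both_sides": is_authorized(AUDITOR, "s3:GetObject", partner,
                                                 resource_policy=PARTNER_BUCKET_POLICY,
                                                 cross_account=True, **common),
        "partner_read_no_bucket_policy": is_authorized(AUDITOR, "s3:GetObject", partner,
                                                       cross_account=True, **common),
    }


if __name__ == "__main__":
    for name, allowed in sample_decisions().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

Note the `stop_logging` case: the identity policy grants `cloudtrail:*`, yet the request is denied because the SCP ceiling excludes it, which is precisely the guardrail behaviour the paragraph above describes.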
