AWS_Security - kamialie/knowledge_corner GitHub Wiki
Identity Federation options:
- SAML 2.0
- Custom Identity Broker
- Web Identity Federation with Cognito
- Web Identity Federation without Cognito
- Single Sign-On
- non-SAML with AWS Microsoft AD
Each account has only one root user, which has full access to all AWS resources.
IAM objects:
- Credentials Report - a CSV listing all of the account's users and the status of their credentials (password, access keys, MFA). Useful for auditing stale access keys and users without MFA.
- Access Advisor - shows, for a user, group, role, or policy, which services the granted permissions cover and when each service was last accessed. Shows only the current state and tracks the last 365 days. Good for identifying unused and unnecessary permissions.
By default, even an IAM user with full (administrator) access cannot see the account's billing information. The root user must enable IAM access to billing information in the account settings.
User object represents a person or an application with a unique name; its long-term credentials are a console password and up to two access keys. A user can belong to multiple groups.
Federated users are existing identities from an external identity provider, e.g. Active Directory or Facebook; they are not IAM users. The identity provider must support SAML 2.0 or OpenID Connect, or be integrated through one of AWS's custom identity broker samples.
Group object is a collection of users (can not contain other groups). One or more policies can be attached to a group.
Role object contains a set of permissions in the form of attached policies and a trust policy listing the entities that can assume it, e.g. users, AWS services, other accounts.
When an entity assumes a role it temporarily gives up its own permissions and acts with the role's permissions only. Best practice is to use roles to grant temporary access. Roles can be used as extra security inside the same account or to grant cross-account access.
Policy object is a JSON document that explicitly lists permissions. Managed policies are standalone objects that can be attached to many users, groups, and roles; an inline policy is embedded directly in a single user, group, or role and cannot be reused. Resource-based policies are attached to a resource (e.g. an S3 bucket or KMS key). When policies conflict, an explicit Deny always wins over an Allow, and anything not explicitly allowed is denied.
Amazon Resource Name (ARN) - unique name that every resource has, in the form arn:partition:service:region:account-id:resource, e.g. arn:aws:ec2:<region>:<account-id>:instance/<instance-id>. Fields that do not apply to a resource are left empty, e.g. arn:aws:s3:::<bucket-name>, because S3 bucket names are global; in policies a field can be a wildcard (*).
Structure of a policy statement:
Element | Description |
---|---|
Effect | Allow or Deny for the specified action(s) |
Action | list of service-level actions in service:action form, e.g. s3:ListBucket; "*" and "?" wildcards are allowed |
NotAction | matches every action except the listed ones |
Resource | list of resource ARNs the statement applies to |
NotResource | matches every resource except the listed ones; with Allow this grants access to everything not listed (rarely what you want), with Deny it denies everything except the listed resources |
Principal | (resource-based policies only) the account, user, role, federated user, or service the statement applies to |
Condition | optional; can require MFA, a source IP range, a time window, tags, etc. Consists of an operator, a condition key (not case-sensitive) and one or more values (case-sensitive for most operators) |
Policy types:
- identity-based (attached to users, groups, roles)
- resource-based (attached to a resource; includes a Principal element)
- organization service control policies (SCPs) - set the maximum permissions for the accounts in an Organization
- session policies - passed when assuming a role, limit that session only
- ACL (access control lists, e.g. on S3 buckets and objects; not JSON)
Managed policy versioning keeps up to 5 versions. When the maximum is reached, one has to be removed explicitly. The newest version becomes the default (this can be changed back to a previous one). The default version cannot be deleted (first make another one the default).
Each policy has the following summary structure:
- policy summary - list of services and summary of permissions defined by the policy
- service summary - list of actions and summary of permissions defined by the policy for the chosen service
- action summary - list of resources and associated conditions that apply to the chosen action
Policy simulator - users need the appropriate IAM permissions (iam:SimulatePrincipalPolicy, iam:SimulateCustomPolicy) to use it. Policies can be edited inside the simulator without affecting the real environment.
Condition operators (not all):
- StringEquals / StringNotEquals
- StringEqualsIgnoreCase / StringNotEqualsIgnoreCase
- StringLike / StringNotLike (support * and ? wildcards)
- Bool
- IpAddress / NotIpAddress
- ArnLike / ArnNotLike
- DateGreaterThan / DateLessThan
- Null (whether a key is present in the request at all)
Any operator can get an IfExists suffix (e.g. BoolIfExists): if the key is absent from the request the condition counts as matched.
Condition keys (not all):
- aws:SourceIp - IP address of the client making the request
- aws:RequestedRegion - target region of the API request
- aws:MultiFactorAuthPresent - whether the request was made with MFA-authenticated temporary credentials (absent for long-term access keys)
- aws:PrincipalTag/<key>, ec2:ResourceTag/<key> - tags on the caller and on the resource
Tag based security (attribute-based access control): allow an action only when the resource's tag and the caller's tag have the expected values.
```json
"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/Project": "ProjectName",
    "aws:PrincipalTag/Team": "TeamName"
  }
}
```
Enforce MFA: aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, and the IfExists variant treats an absent key as a match. An Allow statement with BoolIfExists "true" would therefore let access-key requests through without MFA. The safe pattern is a Deny that fires when the key is false or absent, or an Allow with the plain Bool operator:
```json
{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
  }
}
```
Permission boundary is an advanced IAM feature that sets the maximum permissions an identity-based policy can grant to a user or role (not supported for groups). The principal's effective permissions are the intersection of its identity-based policies and the boundary; the boundary itself grants nothing.
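The evaluation rules above (explicit Deny wins, implicit Deny otherwise, NotAction/NotResource, condition operators including the IfExists pitfall, and the boundary intersection) as an added, runnable model. This is example code written for this page, not AWS's evaluator, which also handles resource policies, SCPs and session policies; the sample policies, the instance ARN and the account id in it are constructed for the example.

```python
"""Simplified IAM policy evaluation (added example, not AWS code).
Shows: explicit Deny beats Allow, everything else is implicitly denied;
NotAction/NotResource; "*" and "?" wildcards; a few condition operators with
the ...IfExists and Null semantics; a permission boundary as an intersection."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

NEGATED = {"StringNotEquals": "StringEquals", "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
           "StringNotLike": "StringLike", "NotIpAddress": "IpAddress"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case):
    # IAM wildcards are only "*" and "?"; action names are case-insensitive, ARNs are not.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)

def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(_glob(p, action, True) for p in _as_list(stmt["Action"]))
    return not any(_glob(p, action, True) for p in _as_list(stmt["NotAction"]))  # all but listed

def _resource_matches(stmt, resource):
    if "Resource" in stmt:
        return any(_glob(p, resource, False) for p in _as_list(stmt["Resource"]))
    return not any(_glob(p, resource, False) for p in _as_list(stmt["NotResource"]))

def _op(op, have, want):
    if op == "StringEquals":           return have == want
    if op == "StringEqualsIgnoreCase": return have.lower() == want.lower()
    if op == "StringLike":             return fnmatchcase(have, want)
    if op == "Bool":                   return have.lower() == want.lower()
    if op == "IpAddress":              return ip_address(have) in ip_network(want, strict=False)
    raise ValueError("unsupported condition operator: " + op)

def _condition_matches(stmt, ctx):
    """All operator blocks and all keys in them must match (AND); the values
    listed for one key are OR-ed.  Condition key names are case-insensitive."""
    ctx = {k.lower(): str(v) for k, v in ctx.items()}
    for op, keys in stmt.get("Condition", {}).items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        for key, want in keys.items():
            wants = [str(w) for w in _as_list(want)]
            have = ctx.get(key.lower())
            if base == "Null":                      # "true": the key must be absent
                if (have is None) != (wants[0].lower() == "true"):
                    return False
                continue
            if have is None:                        # key not present in the request
                if if_exists:
                    continue                        # ...IfExists counts absence as a match
                return False
            if base in NEGATED:                     # must match none of the listed values
                ok = not any(_op(NEGATED[base], have, w) for w in wants)
            else:
                ok = any(_op(base, have, w) for w in wants)
            if not ok:
                return False
    return True

def _decide(docs, action, resource, ctx):
    allowed = False
    for doc in docs:
        for stmt in _as_list(doc["Statement"]):
            if (_action_matches(stmt, action) and _resource_matches(stmt, resource)
                    and _condition_matches(stmt, ctx)):
                if stmt["Effect"] == "Deny":
                    return "Deny"                   # explicit deny always wins
                allowed = True
    return "Allow" if allowed else "Deny"           # implicit deny

def evaluate(policies, action, resource, ctx=None, boundary=None):
    """Decision for one request from the principal's identity-based policies
    and an optional permission boundary (which grants nothing by itself)."""
    ctx = ctx or {}
    if _decide(policies, action, resource, ctx) == "Deny":
        return "Deny"
    if boundary and _decide([boundary], action, resource, ctx) == "Deny":
        return "Deny"                               # outside the boundary
    return "Allow"

# Constructed sample (hypothetical names): a developer may manage EC2 instances
# tagged with their project, read one bucket, and without MFA may only do the
# actions needed to set MFA up.
DEVELOPER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Project": "ProjectName",
                                    "aws:PrincipalTag/Team": "TeamName"}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::team-bucket", "arn:aws:s3:::team-bucket/*"]},
    {"Effect": "Allow", "Action": ["iam:ChangePassword", "iam:GetUser", "sts:GetSessionToken"],
     "Resource": "*"},
    # Deny form of the MFA check: long-term access keys carry no
    # aws:MultiFactorAuthPresent key at all, and BoolIfExists matches on absence.
    {"Effect": "Deny", "NotAction": ["iam:ChangePassword", "iam:GetUser", "sts:GetSessionToken"],
     "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
# Boundary set by the account admin: no terminating instances, whatever the developer policy says.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances",
                "s3:Get*", "s3:List*", "iam:ChangePassword", "iam:GetUser", "sts:*"]}]}
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed ARN
CTX_MFA = {"ec2:ResourceTag/Project": "ProjectName", "aws:PrincipalTag/Team": "TeamName",
           "aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    for act in ("ec2:StartInstances", "ec2:TerminateInstances"):
        print(act, evaluate([DEVELOPER], act, INSTANCE, CTX_MFA, BOUNDARY))
```

Run it with the MFA key removed from the context and ec2:StartInstances flips to Deny, which is the behaviour the Deny-with-BoolIfExists pattern is meant to give; ec2:TerminateInstances is denied by the boundary even though the developer policy allows ec2:*.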
KMS (Key Management Service) - encryption key management.
Keys are bound to a specific region. Up to 4 KB of data can be encrypted per Encrypt call; for larger data use envelope encryption.
Key options:
- AWS managed key - free, created and rotated by AWS on behalf of a service
- Customer managed key - $1/month
- Customer managed key with imported key material (must be 256-bit symmetric) - $1/month
CMK (Customer Master Key, now called "KMS key") types:
- symmetric (AES-256) - the client never gets the key itself, only access to the KMS APIs
- asymmetric (RSA and ECC) - public/private key pairs; the client can download the public key but never the private one, so the public key can be distributed to users that have no access to the KMS API
When a snapshot of any service is copied across regions, a new key in the destination region must be specified to encrypt the copy (KMS keys never leave their region).
In envelope encryption the CMK is used to generate, encrypt and decrypt a data key (also called the envelope key), which in turn encrypts the actual data. Only the small data key is sent to KMS, never the bulk data.
Key administrators are principals that can manage the key (change its policy, enable or disable it, schedule deletion) but not use it; however, they can grant themselves usage permissions. Key users are principals that can encrypt and decrypt data with the key. Both settings are actually written into the key (resource) policy.
To allow a principal to perform operations with a KMS key, it needs an IAM policy allowing the intended API request and the key policy must permit it. The default key policy grants the account's root principal full access to the key, which delegates control to IAM: IAM policies in that account can then grant users access. Without that statement IAM policies alone cannot grant access to the key. For a cross-account snapshot copy, the target account must be granted access to the source KMS key in its key policy.
Automatic key rotation can be enabled only for customer managed symmetric keys (once a year by default). It does not change the key ID or ARN, only the backing key material. Previous key material is kept so that data encrypted earlier can still be decrypted.
Keys can also be rotated manually by creating a new key; this changes the key ID. An alias that is repointed to the new key hides the change from applications and clients, and ciphertext already produced under the old key still decrypts because the ciphertext records which key was used.
```bash
# Encrypt the contents of a file; the key id can be an alias, key id or full ARN.
# CiphertextBlob is returned base64-encoded and records which key was used, so
# decrypt does not need --key-id for symmetric keys.
aws kms encrypt --key-id alias/<alias> --plaintext fileb://<file_path> \
    --output text --query CiphertextBlob > encrypted.base64
# Decrypt: the API takes the raw blob, so base64-decode first; Plaintext is returned base64-encoded
base64 --decode encrypted.base64 > encrypted.bin
aws kms decrypt --ciphertext-blob fileb://encrypted.bin \
    --output text --query Plaintext | base64 --decode > decrypted.txt
# Enable automatic key rotation and check the status
aws kms enable-key-rotation --key-id alias/<alias>
aws kms get-key-rotation-status --key-id alias/<alias>
# Generate a data key for envelope encryption of data over 4 KB: returned both as
# Plaintext (use locally, then discard) and as CiphertextBlob (store next to the data)
aws kms generate-data-key --key-id alias/<alias> --key-spec AES_256
```
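The envelope-encryption flow and both rotation modes described above, as an added in-memory model. This is example code written for this page and a stand-in for KMS, not AWS code: KMS encrypts with AES-256-GCM inside HSMs, but the Python standard library has no AES, so the stand-in uses an HMAC-SHA256 keystream in counter mode plus an HMAC tag (with separate derived keys) purely to make the flow runnable. The class and method names (FakeKMS, create_key, rotate, update_alias) are assumptions; what the model shows is the 4 KB Encrypt limit, a data key returned both in plaintext and wrapped, a ciphertext blob that carries the key id and key-material version so Decrypt needs no key id, automatic rotation that keeps old material, and manual rotation hidden behind an alias.

```python
"""Envelope encryption and key rotation modelled in memory (added example,
stand-in for KMS; the cipher is an HMAC-based construction, not AES-GCM)."""
import hashlib, hmac, os, struct

def _subkey(key, label):                           # key separation: one key for enc, one for mac
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _seal(key, aad, plaintext):
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()

def _open(key, aad, blob):
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext or encryption context does not verify")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def _aad(context):
    # Encryption context: authenticated but not encrypted; must match on Decrypt.
    return "".join(f"{k}={v};" for k, v in sorted((context or {}).items())).encode()

class FakeKMS:
    LIMIT = 4096                                   # kms:Encrypt accepts at most 4 KB of plaintext

    def __init__(self):
        self._material = {}                        # key id -> [backing key v0, v1, ...]
        self._aliases = {}                         # "alias/name" -> key id

    def create_key(self, alias=None):
        key_id = os.urandom(16).hex()              # stand-in for the key's UUID
        self._material[key_id] = [os.urandom(32)]
        if alias:
            self._aliases[alias] = key_id
        return key_id

    def update_alias(self, alias, key_id):         # manual rotation: repoint the alias
        self._aliases[alias] = key_id

    def rotate(self, key_id):                      # automatic rotation: same id, new material
        self._material[self._resolve(key_id)].append(os.urandom(32))

    def _resolve(self, key_id):
        return self._aliases.get(key_id, key_id)

    def encrypt(self, key_id, plaintext, context=None):
        if len(plaintext) > self.LIMIT:
            raise ValueError("plaintext over 4 KB: use GenerateDataKey and envelope encryption")
        kid = self._resolve(key_id)
        version = len(self._material[kid]) - 1     # always the newest material
        header = f"{kid}:{version}:".encode()
        return header + _seal(self._material[kid][version], header + _aad(context), plaintext)

    def decrypt(self, blob, context=None):
        kid, version, body = blob.split(b":", 2)   # key id and version travel in the blob
        header = kid + b":" + version + b":"
        return _open(self._material[kid.decode()][int(version)], header + _aad(context), body)

    def generate_data_key(self, key_id, context=None):
        dk = os.urandom(32)                        # AES_256-sized data key
        return dk, self.encrypt(key_id, dk, context)

def envelope_encrypt(kms, key_id, data, context=None):
    """Bulk data never goes to KMS: only the 32-byte data key is wrapped there."""
    dk, wrapped = kms.generate_data_key(key_id, context)
    ct = _seal(dk, b"", data)
    del dk                                         # keep only the wrapped copy next to the data
    return wrapped, ct

def envelope_decrypt(kms, wrapped, ct, context=None):
    return _open(kms.decrypt(wrapped, context), b"", ct)

if __name__ == "__main__":
    kms = FakeKMS()
    kms.create_key("alias/app")
    wrapped, ct = envelope_encrypt(kms, "alias/app", os.urandom(100_000))
    kms.rotate("alias/app")                        # old blobs still decrypt after rotation
    print(len(envelope_decrypt(kms, wrapped, ct)))
```

The blob header is the part worth noticing: because every ciphertext names the key id and material version it was produced under, both rotation modes are transparent to readers, and a wrong encryption context fails the tag check rather than returning garbage.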
Cognito is an authentication and authorization provider for web and mobile applications. It provides UI components for many platforms, enables controlled access to AWS resources, and supports identity federation (Google, Amazon, Facebook, Microsoft Active Directory, SAML 2.0).
It also tracks the association between a user identity and the user's devices; state across all devices is synced using push synchronization (SNS under the hood).
User Pools provide a user directory (with user profiles) that clients use to sign in to web and mobile apps. Users can also sign in through external identity providers (Facebook, Google, SAML 2.0, etc.). On authentication the client receives JWTs (ID, access and refresh tokens).
Some features:
- built-in, customizable UI for many platforms
- email/phone verification
- MFA
Integrates with API Gateway for authentication (a Cognito authorizer validates the JWT).
Identity Pools, also called federated identities, create unique identities for users and federate them with identity providers such as Facebook, Google, Cognito User Pools, SAML, etc. They then hand out temporary AWS credentials (obtained via STS) for direct access to AWS resources, with separate IAM roles for authenticated and unauthenticated (guest) identities.
Cognito Sync is used to synchronize data from a device to Cognito; it is being superseded by AppSync.
It stores preferences, configuration and app state and synchronizes them across platforms (iOS, Android, etc.). It also handles offline use: changes made while the client is offline are synced when it comes back online. Requires a Federated Identity Pool in Cognito. Data is stored in datasets (max 1 MB each), up to 20 datasets per identity.
STS (Security Token Service) provides limited and temporary access to AWS resources. Credentials are valid from 15 minutes up to 1 hour by default; a role's maximum session duration can be raised to 12 hours.
Important APIs:
- AssumeRole - credentials for a role within the same account or cross-account
- AssumeRoleWithSAML - credentials for users logged in with SAML
- AssumeRoleWithWebIdentity - credentials for users logged in via a web identity provider (OpenID Connect); calling it directly is not recommended, use Cognito instead
- GetSessionToken - temporary credentials for an IAM user or the root user, typically used to obtain MFA-authenticated credentials
The AssumedRoleUser section of an AssumeRole response contains the Arn and AssumedRoleId fields, which identify the temporary session; they refer to the session, not to an IAM resource.
SSM Parameter Store is secure storage for configuration and secrets. Integrated with KMS (SecureString parameters), CloudWatch Events/EventBridge and CloudFormation. Provides versioning and hierarchical management using paths.
Tiers:
Tier | Total number of params (per account and region) | Max value size |
---|---|---|
Standard | 10,000 | 4 KB |
Advanced | 100,000 | 8 KB |
Standard tier has no storage cost and free standard throughput (higher throughput can be enabled for a charge). Advanced tier is charged for storage and for API requests.
Advanced tier also provides parameter policies - attach a TTL to a parameter to enforce updating or deleting it. There are 3 policy types:
- Expiration - delete the parameter at a specified date
- ExpirationNotification - notify (CloudWatch Events/EventBridge) a specified number of days or hours before the expiration date
- NoChangeNotification - notify (CloudWatch Events/EventBridge) that the parameter has not changed for a specified number of days or hours after creation or last update
```bash
# Retrieve parameter store values by full name
$ aws ssm get-parameters --names <full_path_1> <full_path_2>
# Retrieve an encrypted (SecureString) value; the caller needs kms:Decrypt on
# the key or the call fails, otherwise the decrypted value is returned
$ aws ssm get-parameters --with-decryption --names <full_path_1>
# Retrieve all parameters directly under a path; add --recursive to include child paths
$ aws ssm get-parameters-by-path --path <parent_path>
```
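The lookup and policy behaviour described in this section as an added in-memory model: path lookups with and without recursion, per-tier size limits, SecureString values that are only decrypted for callers allowed to use the key, and the three Advanced-tier policies in their real JSON shape. This is example code written for this page, not AWS's implementation; the KMS check is a stand-in flag (can_decrypt) rather than a real key policy, the parameter names and values are constructed, and apply_policies reports what is due at a given instant instead of emitting EventBridge events.

```python
"""In-memory model of Parameter Store (added example, not AWS code)."""
import base64
from datetime import datetime, timedelta, timezone

LIMITS = {"Standard": 4096, "Advanced": 8192}     # max value size per tier (see table above)

def _ts(s):                                        # "2024-02-01T00:00:00.000Z" -> aware datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def _span(attrs):                                  # {"Before": "15", "Unit": "Days"} -> timedelta
    return timedelta(**{attrs["Unit"].lower(): int(attrs.get("Before", attrs.get("After")))})

class ParameterStore:
    def __init__(self):
        self._params = {}

    def put(self, name, value, ptype="String", tier="Standard", policies=None, now=None):
        if not name.startswith("/"):
            raise ValueError("hierarchical names start with '/'")
        if len(value.encode()) > LIMITS[tier]:
            raise ValueError(f"{tier} tier allows at most {LIMITS[tier]} bytes")
        if policies and tier != "Advanced":
            raise ValueError("parameter policies require the Advanced tier")
        prev = self._params.get(name)
        self._params[name] = {"Name": name, "Value": value, "Type": ptype, "Tier": tier,
                              "Version": prev["Version"] + 1 if prev else 1,
                              "LastModifiedDate": now or datetime.now(timezone.utc),
                              "Policies": policies or []}
        return self._params[name]["Version"]

    def _render(self, p, with_decryption, can_decrypt):
        out = dict(p)
        if p["Type"] == "SecureString":
            if not with_decryption:                # ciphertext stand-in, as without --with-decryption
                out["Value"] = "ENC:" + base64.b64encode(p["Value"].encode()).decode()
            elif not can_decrypt:                  # caller lacks kms:Decrypt on the key
                raise PermissionError("AccessDeniedException: not allowed to decrypt with this key")
        return out

    def get_parameters(self, names, with_decryption=False, can_decrypt=True):
        found = [self._render(self._params[n], with_decryption, can_decrypt)
                 for n in names if n in self._params]
        return {"Parameters": found,               # same shape as the CLI output
                "InvalidParameters": [n for n in names if n not in self._params]}

    def get_parameters_by_path(self, path, recursive=False, with_decryption=False, can_decrypt=True):
        prefix = path.rstrip("/") + "/"
        hits = []
        for name, p in sorted(self._params.items()):
            if not name.startswith(prefix):
                continue
            if not recursive and "/" in name[len(prefix):]:
                continue                           # child path: only returned with --recursive
            hits.append(self._render(p, with_decryption, can_decrypt))
        return hits

    def apply_policies(self, now):
        """Return (event, name) pairs due at `now`; expired parameters are deleted."""
        events = []
        for name, p in list(self._params.items()):
            exp = next((_ts(pol["Attributes"]["Timestamp"]) for pol in p["Policies"]
                        if pol["Type"] == "Expiration"), None)
            if exp and now >= exp:
                events.append(("Expired", name))
                del self._params[name]
                continue
            for pol in p["Policies"]:
                kind, attrs = pol["Type"], pol["Attributes"]
                if kind == "ExpirationNotification" and exp and now >= exp - _span(attrs):
                    events.append((kind, name))
                elif kind == "NoChangeNotification" and now >= p["LastModifiedDate"] + _span(attrs):
                    events.append((kind, name))
        return events

# Constructed sample policies in the JSON shape the service accepts.
SAMPLE_POLICIES = [
    {"Type": "Expiration", "Version": "1.0", "Attributes": {"Timestamp": "2024-02-01T00:00:00.000Z"}},
    {"Type": "ExpirationNotification", "Version": "1.0", "Attributes": {"Before": "5", "Unit": "Days"}},
    {"Type": "NoChangeNotification", "Version": "1.0", "Attributes": {"After": "10", "Unit": "Days"}},
]
```

Note the difference between the two failure modes for a SecureString: without --with-decryption the caller gets the ciphertext back and no KMS call happens, while with it the request is refused outright when the key policy or IAM does not grant kms:Decrypt.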
ACM (Certificate Manager) creates and manages SSL/TLS certificates. Integrates with ELB, CloudFront, API Gateway and web apps; public certificates issued by ACM are renewed automatically.
AWS Artifact - on-demand access to AWS security and compliance reports.
- Agreements - review, accept and manage agreements for an individual account or all accounts in AWS Organizations
- Reports - compliance reports from third-party auditors
CloudHSM is a cloud-based hardware security module (AWS provisions the hardware, the customer controls the keys) that enables you to generate and use your own encryption keys. Supports both symmetric and asymmetric encryption. Has no free tier.
Integrates with Redshift and can provide the keys used with the SSE-C option for S3.
Requires the CloudHSM client software to interact with the module. IAM is used to manage CRUD operations on clusters and HSMs, while the client software is used to create HSM users and assign their permissions; AWS itself has no access to the key material.
Operates as a highly available cluster deployed in a VPC.
Directory Service options:
- AWS Managed Microsoft AD - your own AD in AWS; can establish a trust relationship with on-prem AD so users of both directories can authenticate; supports MFA
- AD Connector - a directory gateway (proxy) that redirects requests to on-prem AD
- Simple AD - AD-compatible managed directory on AWS (cannot establish trust with Microsoft AD)
GuardDuty - intelligent threat detection for AWS infrastructure and resources (continuous monitoring of network and account activity).
Input data includes CloudTrail logs (management and S3 data events), VPC flow logs and DNS logs.
CloudWatch Events/EventBridge rules can be set up to notify about findings.
Inspector - automated security assessments (best practices) for EC2 instances. Analyzes the running OS against known vulnerabilities. The Inspector agent must be installed on the instance and connects to the Inspector service. Generates a report with findings and can send notifications to SNS.
Assessment types (use AWS standards or define custom ones):
- network - network reachability (agentless)
- host - up-to-date patches, common configuration errors, vulnerabilities
Macie - data security and privacy management powered by machine learning. Analyzes data stored in S3. Detects personal data (PII) and intellectual property. Provides dashboards showing how data is accessed and stored. Can notify about unusual data access through EventBridge.
Secrets Manager provides a secure way to store credentials, API keys, tokens, etc. Has native integration with RDS, DocumentDB and Redshift. Can auto-rotate credentials. Fine-grained access control to secrets via IAM and secret resource policies.
RDS secrets include username/password, server address, database name and port.
Secrets can auto-rotate after a specified number of days; a Lambda function generates and applies the new value on rotation. Secrets Manager can create this Lambda function, which can also be reused later.
Shield - DDoS protection service.
Shield Standard is automatically enabled and free; protects resources from the most common, frequently occurring network and transport layer attacks.
Shield Advanced is a paid service that provides detailed attack diagnostics (network and transport layer). Can be integrated with CloudFront, Route 53, ELB, EC2 and WAF. Also provides cost protection against DDoS-related usage spikes in AWS services and 24/7 access to the DDoS Response Team (DRT).
AWS SSO (now IAM Identity Center) - central portal to manage single sign-on to multiple AWS accounts and third-party apps. Integrates with Organizations and on-prem Active Directory, and supports SAML 2.0.
Provides centralized permission management (permission sets) and auditing via CloudTrail.
WAF monitors HTTP(S) requests and protects against common web exploits at layer 7. Can be deployed on CloudFront, ALB and API Gateway; rules are grouped in a Web ACL. Can protect from SQL injection and Cross-Site Scripting (XSS).
A Web ACL defines rules that match on IP addresses, HTTP headers, body and URI strings. Rules can also set a maximum request size, geo-restrictions and rate-based restrictions (requests per source IP over a short sliding window, useful against HTTP floods).
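The Web ACL rule types listed above, run over constructed sample traffic as an added example. This is example code written for this page, not AWS WAF's engine or rule JSON: rule names, the request dict layout and the traffic are assumptions, and the SQL-injection regex is deliberately narrow. It shows priority-ordered evaluation with a default action of Allow, an IP block list, a geo restriction, a body size constraint, URL-decoding before pattern matching, and a rate-based rule that counts requests per source IP over a sliding 5-minute window (the default window of AWS WAF rate-based rules).

```python
"""Web ACL evaluation over sample requests (added example, not AWS WAF code)."""
import re
from collections import Counter, defaultdict, deque
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

RATE_WINDOW = 300                                   # seconds
# Deliberately narrow: a few classic injection shapes, not a full SQLi ruleset.
SQLI = re.compile(r"(?i)'\s*(or|and)\s+[\w']+\s*=|\bunion\s+select\b|;\s*drop\s+table\b")

class WebAcl:
    def __init__(self, blocked_cidrs, blocked_countries, max_body, rate_limit):
        self.blocked = [ip_network(c) for c in blocked_cidrs]
        self.countries = set(blocked_countries)
        self.max_body = max_body
        self.rate_limit = rate_limit
        self._hits = defaultdict(deque)             # source ip -> timestamps inside the window

    def _over_rate(self, ip, ts):
        q = self._hits[ip]
        q.append(ts)
        while q[0] <= ts - RATE_WINDOW:             # drop hits that fell out of the window
            q.popleft()
        return len(q) > self.rate_limit

    def evaluate(self, req):
        """Return (action, rule) for one request dict with ts, ip, country, uri, body."""
        ip = ip_address(req["ip"])
        over = self._over_rate(req["ip"], req["ts"])   # rate rules count every request seen
        if any(ip in net for net in self.blocked):
            return "BLOCK", "ip-blocklist"
        if req.get("country") in self.countries:
            return "BLOCK", "geo-restriction"
        body = req.get("body", b"")
        if len(body) > self.max_body:
            return "BLOCK", "size-constraint"
        if SQLI.search(unquote(req.get("uri", ""))) or SQLI.search(unquote(body.decode(errors="replace"))):
            return "BLOCK", "sqli"                  # decode first: attackers URL-encode payloads
        if over:
            return "BLOCK", "rate-limit"
        return "ALLOW", "default"

# Constructed sample traffic: a handful of normal and malicious requests plus an
# HTTP flood of 150 requests from one IP within the window.
SAMPLE = [
    {"ts": 0, "ip": "198.51.100.7", "country": "DE", "uri": "/login", "body": b"user=bob&pass=x"},
    {"ts": 1, "ip": "203.0.113.9", "country": "US", "uri": "/login", "body": b"user=admin' OR '1'='1"},
    {"ts": 2, "ip": "203.0.113.9", "country": "US",
     "uri": "/search?q=%27%20UNION%20SELECT%20password%20FROM%20users", "body": b""},
    {"ts": 3, "ip": "192.0.2.44", "country": "KP", "uri": "/", "body": b""},
    {"ts": 4, "ip": "198.51.100.200", "country": "FR", "uri": "/upload", "body": b"A" * 10000},
    {"ts": 5, "ip": "203.0.113.77", "country": "KP", "uri": "/", "body": b""},
] + [{"ts": 10 + i, "ip": "198.51.100.7", "country": "DE", "uri": "/", "body": b""} for i in range(150)]

def run_acl(requests=SAMPLE):
    """Evaluate a request list with a fresh Web ACL; return counts per deciding rule."""
    acl = WebAcl(blocked_cidrs=["192.0.2.0/24"], blocked_countries={"KP"},
                 max_body=8192, rate_limit=100)
    return Counter(acl.evaluate(r)[1] for r in requests)

if __name__ == "__main__":
    print(run_acl())
```

The flood shows the shape of a rate-based rule: the first 100 requests from the flooding IP inside the window are allowed, everything after that is blocked until enough old hits age out of the window.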
Firewall Manager manages rules across all accounts in an Organization, applying a common set of security rules:
- WAF rules
- Shield Advanced
- Security Groups