The AWS Security Specialty (SCS-C02) course has been designed for anyone wishing to ramp up their knowledge of cloud security within the Amazon Web Services (AWS) environment. An important part of preparing for this certification is a solid understanding of the diverse domains it covers. As I prepare to sit for the exam (a month from now), I will create posts about each domain and its level of importance.
Today, I am focusing my efforts on Domain 4: Identity and Access Management (IAM), which accounts for 16% of scored content. There are no prerequisites to sit for the exam, but if you expect to do well, you should have 2 or more years of experience deploying security services and features in the AWS environment, or have taken and passed an associate exam.
Importance of IAM: IAM stands for Identity and Access Management. It is the process by which the identities in an AWS account are defined, authenticated and authorized: an authenticated identity is one that has proven who it is (for example by signing in), and an authorized identity is one that has been granted permissions to act on resources. “This ensures that the AWS resources have access only by entities or users, services and applications authenticated and authorized properly, hence leaving no chance of unauthorized access while keeping them free from all kinds of threats that would actually take place.” Here are the core services and tools under IAM:
AWS IAM Service: At the core of Domain 4 is the AWS IAM service, which lets you securely manage access to AWS services and resources. Understanding IAM therefore means mastering users, groups, roles and policies, and applying them effectively to build secure AWS environments.
AWS Single Sign-On (AWS SSO): AWS Single Sign-On (since renamed AWS IAM Identity Center) is a centralized service for managing access to your AWS accounts, business applications and services. It improves security because a user signs in once with a single set of credentials, which avoids password fatigue and the weak-password habits that come with it.
AWS Directory Service: Gives an organization several options for managing its identities, including AWS Managed Microsoft AD, Simple AD and AD Connector. Managing access to AWS resources properly requires a working knowledge of how these integrate with your existing identity systems.
Amazon Cognito: A managed service for authentication, authorization and user management in web and mobile applications. It lets you add user sign-up, sign-in and access control to your apps.
AWS Secrets Manager: This service encrypts, stores and retrieves the credentials used to access services. With it you can secure access to your applications, services and IT resources without the up-front cost and complexity, in time and infrastructure, of managing secrets yourself.
AWS Identity and Access Management Access Analyzer: Identifies resources in your organization and accounts that are shared with an external entity. It analyzes the policies that grant access between accounts and services so that you can act on the findings and tighten security.
Best Practices for Mastering IAM in AWS
Understand the Principle of Least Privilege: Ensure that users, roles, services and applications have only the permissions their tasks require. Review and adjust permission levels continually so that the environment stays both secure and efficient.
Multi-Factor Authentication (MFA): Enable MFA for all your users, and above all for administrators, to add a layer of security beyond the username and password.
IAM Configuration Audit and Monitoring: Use AWS CloudTrail and AWS Config to track and record every change to IAM and its configuration. You can then audit access and changes to confirm that your organization's security policies are being followed.
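As an added illustration of the auditing point (example code, not from the original post): a small Python scanner over constructed CloudTrail records, in JSON Lines form, that flags root activity, console logins without MFA, and IAM events that change permissions or weaken logging. The sample records and the list of events to flag are assumptions chosen for this example.

```python
import json

# Constructed CloudTrail records in JSON Lines form (sample data, not real
# logs); the field names follow the CloudTrail event record format.
SAMPLE_LOG = """
{"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session"}}
{"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"userName": "bob"}}
""".strip()

# IAM and CloudTrail write events that change who can do what, or that
# weaken the audit trail itself; each one deserves a review (assumed list).
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy",
    "DeactivateMFADevice", "DeleteTrail", "StopLogging",
}

def classify(event):
    """Return a finding label for one CloudTrail record, or None if benign."""
    name = event.get("eventName")
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root-activity"          # root should not be used day to day
    if name == "ConsoleLogin" and \
            event.get("additionalEventData", {}).get("MFAUsed") == "No":
        return "console-login-without-mfa"
    if name in PRIVILEGE_CHANGE_EVENTS:
        return "iam-privilege-change"
    return None

def scan(log_text):
    """Parse JSON Lines and return (eventName, actor, finding) for each hit."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        label = classify(ev)
        if label is None:
            continue
        who = ev.get("userIdentity", {})
        actor = who.get("userName") or who.get("arn") or who.get("type")
        findings.append((ev["eventName"], actor, label))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

In practice the same logic runs over the CloudTrail files delivered to S3 or over events forwarded to CloudWatch Logs; AWS Config rules can then confirm that the configuration matches policy after each flagged change.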
Role-based access control (RBAC): Organize duties so they are shared within the team and assign permissions to roles rather than to individuals. This simplifies administering user permissions and improves security, because each person receives only the access needed to do his or her job.
Attribute-Based Access Control (ABAC): In traditional role-based access control (RBAC) access is determined by the roles assigned to users, whereas ABAC makes finer-grained decisions dynamically by evaluating attributes. Policies can reference user attributes (principal tags) from AWS Identity and Access Management (IAM) or resource tags, so they adapt to changing requirements without continually redrawing roles and permissions.
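To make the ABAC mechanism concrete, here is an added example (not from the original post) of a deliberately simplified Python evaluator for one ABAC policy: the principal tag `project` must match the resource tag `project`, and the session must be MFA-backed. The policy, the tag key and the evaluator's limited operator support are assumptions for this example; it is not AWS's policy engine.

```python
import re

# Constructed ABAC policy (sample, not from the original post): a principal
# may start or stop an EC2 instance only when the instance's "project" tag
# equals the principal's own "project" tag, and only from an MFA session.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
        "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"},
        "Bool": {"aws:MultiFactorAuthPresent": "true"}},
}]}

def _glob_match(pattern, value):
    """IAM-style wildcard match where '*' matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def _expand(value, ctx):
    """Substitute ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _condition_ok(cond, ctx):
    """Evaluate StringEquals and Bool conditions; any other operator fails closed."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:           # missing context key never matches
                return False
            if op == "StringEquals" and actual != _expand(expected, ctx):
                return False
            if op == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if op not in ("StringEquals", "Bool"):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """True if an Allow statement matches; explicit Deny/NotAction not modelled."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_glob_match(a, action) for a in actions):
            continue
        if not _glob_match(st["Resource"], resource):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False
```

The point to notice is that adding a new project needs no new policy or role: tagging the principal and the resource consistently is what grants or withholds access.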
As previously mentioned, this was merely to shed light on some relevant topics that you are expected to know; if you are looking for a more granular explanation of what will be on the exam, please take a look at the exam guide found here: https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide.pdf
Sincerely,
Carl-Alt-Del