M02 AWS Security Management in AWS Ed9
Security Management In AWS
Making the Best of Your Training
AWS SAA-C02
Module Agenda
⮚ AWS Identity & Access Management
⮚ IAM Components
⮚ IAM User Group and Permission
⮚ IAM Policy
⮚ Best Practices for IAM
⮚ KMS
⮚ Accessing Billing
⮚ AWS Alerts
⮚ AWS budget
Identity & Access Management
What is IAM ?
⮚ IAM is a preventative security control.
⮚ It lets you create and manage AWS users and groups, and use permissions to allow or
deny their access to AWS resources.
⮚ IAM works with four core entities: users, groups, roles and policies.
⮚ It gives you centralized, fine-grained control over access to the AWS APIs and
to the Management Console.
Why Use IAM?
⮚ You specify permissions that control which operations a user or role can perform
on which AWS resources
⮚ IAM authenticates and authorizes every request, whether it arrives through the AWS
Management Console, the AWS API, or the AWS Command Line Interface (CLI)
IAM Components
IAM Users
⮚ An IAM user can be an individual, system, or application requiring access to AWS services
⮚ A user account consists of a unique name and security credentials such as a password,
access keys, and/or a multi-factor authentication (MFA) device
⮚ IAM users need a password only for signing in to the AWS Management Console; programmatic
access through the API or CLI uses access keys instead
IAM Groups
⮚ IAM Groups are a way to assign permissions to logical and functional units of your organization
⮚ IAM groups are a tool to help with operational efficiency
⮚ Bulk permissions management (scalable)
⮚ Easy to change permissions as individuals change teams (portable)
⮚ A group can contain many users, and a user can belong to multiple groups.
⮚ Groups can't be nested; they can contain only users, not other groups.
Why Should We Use Groups?
How To Manage Permissions With Groups?
IAM Policies
⮚ IAM policies are JSON documents that define permissions: which actions are allowed or denied
on which resources.
⮚ IAM policies can be "inline" or "managed" and can be attached to a user, a group, or a role
⮚ Inline policies - policies that you create and manage, and that are embedded directly into a
single user, group, or role. They are deleted together with that identity.
⮚ Managed policies - standalone policies that you can manage separately from the IAM users,
groups, or roles to which they are attached. Two kinds exist:
⮚ AWS managed policies - created and maintained by AWS
⮚ Customer managed policies - created and maintained by you in your own account
Elements of An IAM Policy
⮚ Version - Specifies the policy language version; use "2012-10-17", the current version.
⮚ Statement - An array containing one or more statement elements.
⮚ Effect - Whether the statement results in an Allow or an explicit Deny.
⮚ Action - The specific action or actions (for example "s3:GetObject") that are allowed or denied.
⮚ Resource - The ARN of the object or objects that the statement covers.
⮚ Principal - The identity the statement applies to; used in resource-based policies and role
trust policies, not in identity-based policies, where the principal is the identity the policy is
attached to.
⮚ Condition - Optional; restricts when the statement applies (for example only when MFA is present).
Elements of IAM Policy - Example
⮚ Sample JSON
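The sample JSON did not survive extraction, so the following is an added example, not code from the course or from AWS: a constructed policy that uses the elements listed above, plus a small evaluator that applies the IAM decision rule (implicit deny by default, a matching Allow grants, any matching explicit Deny wins) and honours the aws:MultiFactorAuthPresent condition from the "use policy conditions" best practice. The bucket name, statement IDs and the evaluator's function names are assumptions for illustration; the evaluator covers only identity-based policies with Effect, Action, Resource and Condition (Bool and StringEquals operators), not NotAction, NotResource, resource-based policies or permission boundaries.

```python
"""Minimal evaluator for identity-based IAM policies (illustrative, not AWS's engine).

Models the documented decision rule: every request starts as an implicit deny,
a matching Allow statement grants access, and any matching Deny statement
overrides all Allows. Supports Effect, Action, Resource and a Condition using
the Bool and StringEquals operators only.
"""
import fnmatch
import json

# Constructed sample policy for this example (not taken from AWS documentation).
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "WriteOnlyWithMfa",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "NeverTouchSecrets",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/secrets/*"
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' one character.

    fnmatchcase implements exactly those two metacharacters (plus [...] classes,
    which do not occur in action names or ARNs in practice). Action names are
    case-insensitive in IAM; ARNs are compared as written.
    """
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    """Every operator/key pair in the Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies Bool/StringEquals
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if "Condition" in stmt and not _condition_met(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends evaluation regardless of Allows
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"
    print(evaluate(POLICY, "s3:GetObject", obj))                                           # Allow
    print(evaluate(POLICY, "s3:PutObject", obj))                                           # ImplicitDeny
    print(evaluate(POLICY, "s3:PutObject", obj, {"aws:MultiFactorAuthPresent": "true"}))   # Allow
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/secrets/db.key"))  # Deny
```

The two points worth noticing when you run it: PutObject on a normal object is an implicit deny until the request context carries MFA, and GetObject under secrets/ is denied even though the ReadBucket statement allows it, because the explicit Deny is evaluated regardless of statement order.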
IAM Roles
⮚ An IAM role is like a user, in that it is an AWS identity with permission policies that determine
what the identity can and cannot do in AWS.
⮚ You can authorize roles to be assumed by humans, Amazon EC2 instances, custom code, or
other AWS services for specific access to services; the role's trust policy defines who may assume it.
⮚ Roles do not have standard long-term credentials such as a password or access keys associated
with them; instead, when you assume a role, you receive temporary security credentials for the
role session.
IAM Best Practices
⮚ Lock away your AWS account (root) access keys
⮚ Create individual IAM users
⮚ Use groups to assign permissions to IAM users
⮚ Grant least privilege
⮚ Configure a strong password policy for your users
⮚ Enable MFA for privileged users
⮚ Use roles for applications that run on Amazon EC2 instances
⮚ Delegate by using roles instead of by sharing credentials
⮚ Rotate credentials regularly
⮚ Remove unnecessary credentials
⮚ Use policy conditions for extra security
⮚ Monitor activity in your AWS Account
IAM Delegation And Audit
Identity and Credential Management
⮚ Why create individual users?
Benefits:
⮚ Ensures your users and data are protected
⮚ Makes it easy to enforce password complexity requirements
⮚ Increases account resilience against brute-force login attempts
How to do it:
⮚ Require password expiration after 90 days
⮚ Require complex passwords
⮚ Require a password rotation policy
Identity and Credential Management
Enable credential rotation for IAM users (for example with an access-key-rotation
policy).
The root account holder as well as IAM users in the account should regularly change
their passwords and access keys, so that a password or access key compromised without
the owner's knowledge stops working after a bounded time.
To enforce this, set an account password policy and limit how long credentials remain
valid for use against resources.
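Rotation guidance is only useful if you can find the credentials that violate it. The following is an added example, not code from the course or from AWS: it parses a constructed sample in the layout of the IAM credential report (the CSV that `aws iam get-credential-report` returns, one row per user plus <root_account>, with columns such as password_last_changed, mfa_active, access_key_N_active, access_key_N_last_rotated and access_key_N_last_used_date) and flags console users without MFA, passwords and access keys older than 90 days, active keys that were never used or have gone unused, and any active root access key. The user names, account ID, timestamps, the fixed "now", and the function names are assumptions; only a subset of the report's real columns is included.

```python
"""Audit an IAM credential report for stale or risky credentials (added example).

Input is the CSV layout of `aws iam get-credential-report`. The sample below is
constructed for this example; run the real report through audit_report() the
same way after base64-decoding the Content field the API returns.
"""
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90
# Fixed "now" so the constructed sample evaluates the same way every run.
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)

# Constructed sample (subset of the real report's columns; values are made up).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,not_supported,true,true,2020-01-01T00:00:00+00:00,2024-04-30T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-04-01T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2023-11-01T00:00:00+00:00,false,true,2023-06-01T00:00:00+00:00,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,true,2023-01-15T00:00:00+00:00,2023-02-01T00:00:00+00:00
"""


def _parse_ts(value):
    """Timestamps are ISO 8601; the report uses N/A, not_supported or no_information for 'none'."""
    if value in ("", "N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def _older_than(ts, now, days):
    return ts is not None and (now - ts).days > days


def audit_report(report_csv, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return a list of (user, finding) tuples; an empty list means nothing to fix."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        # Console users and root must have MFA; keys-only service users are exempt.
        if (row["password_enabled"] == "true" or is_root) and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        if _older_than(_parse_ts(row["password_last_changed"]), now, max_age_days):
            findings.append((user, f"password older than {max_age_days} days"))

        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                # Best practice: root should have no access keys at all.
                findings.append((user, f"root access key {n} is active"))
            if _older_than(_parse_ts(row[f"access_key_{n}_last_rotated"]), now, max_age_days):
                findings.append((user, f"access key {n} older than {max_age_days} days"))
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access key {n} active but never used"))
            elif _older_than(last_used, now, max_age_days):
                findings.append((user, f"access key {n} unused for more than {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

On the sample, alice is clean, bob shows all three human-user problems at once (no MFA, stale password, a stale and never-used key), ci-deploy is a keys-only user whose second key should simply be deleted, and the root row triggers the "root access keys" finding from the best-practices list even though its MFA is on.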
AWS Key Management Service (KMS)
KMS is a managed service that creates and controls the cryptographic keys used to encrypt
your data, and integrates with other AWS services so they can encrypt data under your keys
Who Can Use KMS?
Accessing Billing
AWS Billing
➢ AWS Billing is the service that you use to pay your AWS bill, monitor your usage, and
analyze and control your costs.
➢ AWS automatically charges the credit card or debit card that you provided when you signed
up for a new account with AWS. Charges appear on your monthly card bill.
AWS Alerts
What Are AWS Alerts?