securely control access to AWS services and resources
helps create and manage user identities and grant permissions for those users to access AWS resources
helps create groups for multiple users with similar permissions
not appropriate for application authentication
is Global and does not need to be migrated to a different region
helps define Policies in JSON format
all permissions are implicitly denied by default
most restrictive policy wins
helps grant and delegate access to users and services without the need to create permanent credentials
IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls
needs a Trust policy to define who can assume the role and a Permissions policy to define what the user or service can access
used with Security Token Service (STS), a lightweight web service that provides temporary, limited privilege credentials for IAM users or for authenticated federated users
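The evaluation order above (implicit deny by default, explicit deny wins over any allow) is easiest to see in code. This is an added illustration, not AWS code; it simulates only identity-policy evaluation with a constructed sample policy, and ignores resource policies, permission boundaries, SCPs and NotAction/NotResource.

```python
"""Simulate the core IAM evaluation order: implicit deny, explicit deny wins.

Added illustration, not AWS code. The real evaluator also considers
resource policies, permission boundaries, SCPs and session policies.
"""
import fnmatch

# Constructed sample identity policy: a broad read Allow plus an explicit
# Deny on every bucket whose name starts with "finance-".
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::finance-*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    # IAM supports * and ? wildcards; action names are case-insensitive,
    # resource ARNs are case-sensitive.
    if fold_case:
        candidate = candidate.lower()
    return any(fnmatch.fnmatchcase(candidate, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Return True only if some statement allows the request and none denies it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return False      # an explicit Deny always wins
            allowed = True        # explicit Allow, unless a later Deny matches
    return allowed                # nothing matched: implicit deny


if __name__ == "__main__":
    print(is_allowed([SAMPLE_POLICY], "s3:GetObject", "arn:aws:s3:::public-data/report.csv"))
    print(is_allowed([SAMPLE_POLICY], "s3:GetObject", "arn:aws:s3:::finance-ledger/q1.csv"))
```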
IAM role scenarios
for e.g. EC2 to access S3 or DynamoDB
Cross Account access for users
with user within the same account
with user within an AWS account owned by the same owner
with user from a Third Party AWS account with External ID for enhanced security
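The third-party case above relies on the trust policy carrying an sts:ExternalId condition, so that a partner who assumes roles in many customer accounts cannot be tricked into using one customer's role on behalf of another (the confused-deputy problem). This is an added illustration, not AWS code; the account IDs and external ID are constructed placeholders, and can_assume() only simulates the trust check STS performs on AssumeRole.

```python
"""Trust policy with an External ID for third-party cross-account access.

Added illustration, not AWS code. Account IDs and the External ID are
constructed placeholders. The simulated check mirrors what STS evaluates
on AssumeRole: the caller must belong to a trusted principal AND the
sts:ExternalId condition must match.
"""
import json


def build_trust_policy(partner_account_id, external_id):
    """Trust policy (JSON) attached to the role in the customer's account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    return arn.split(":")[4]


def can_assume(trust_policy, caller_arn, external_id=None):
    """Simulate the AssumeRole trust check for a caller from another account."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        trusted = stmt["Principal"]["AWS"]
        if _account_of(trusted) != _account_of(caller_arn):
            continue  # caller is not a trusted principal
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and external_id != wanted:
            continue  # condition not satisfied: External ID missing or wrong
        return True
    return False  # no matching Allow statement: STS rejects the call


if __name__ == "__main__":
    policy = build_trust_policy("111122223333", "example-external-id-ABC123")
    print(json.dumps(policy, indent=2))
```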
Identity Providers & Federation
AssumeRoleWithWebIdentity – Web Identity Federation, where the user can be authenticated using external authentication Identity Providers like Amazon, Google or any OpenID IdP
AssumeRoleWithSAML – Identity Provider using SAML 2.0, where the user can be authenticated using on-premises Active Directory, OpenLDAP or any SAML 2.0 compliant IdP
AssumeRole (recommended) or GetFederationToken – For other Identity Providers, use an Identity Broker to authenticate and provide temporary credentials
IAM Best Practices
Do not use Root account for anything other than billing
Create Individual IAM users
Use groups to assign permissions to IAM users
Grant least privilege
Use IAM roles for applications on EC2
Delegate using roles instead of sharing credentials
Rotate credentials regularly
Use Policy conditions for increased granularity
Use CloudTrail to keep a history of activity
Enforce a strong IAM password policy for IAM users
Remove all unused users and credentials
is a managed encryption service that allows the creation and control of encryption keys to enable data encryption.
provides a highly available key storage, management, and auditing solution to encrypt the data across AWS services & within applications.
uses hardware security modules (HSMs) validated under the FIPS 140-2 Cryptographic Module Validation Program to protect the KMS keys
seamlessly integrates with several AWS services to make encrypting data in those services easy.
supports multi-region keys, which are AWS KMS keys in different AWS Regions. Multi-Region keys are not global and each multi-region key needs to be replicated and managed independently.
provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud
helps manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs
single-tenant, dedicated physical device to securely generate, store, and manage cryptographic keys used for data encryption
are inside the VPC (not EC2-classic) & isolated from the rest of the network
can use VPC peering to connect to CloudHSM from multiple VPCs
integrated with Amazon Redshift and Amazon RDS for Oracle
EBS volume encryption, S3 object encryption and key management can be done with CloudHSM but requires custom application scripting
a single HSM is NOT fault-tolerant; build a cluster, since if the only HSM fails all the keys are lost
enables quick scaling by adding and removing HSM capacity on-demand, with no up-front costs.
automatically load balances requests and securely duplicates keys stored in any HSM to all of the other HSMs in the cluster.
expensive; prefer AWS Key Management Service (KMS) if cost is a criterion.
gives applications in AWS access to Active Directory services
different from SAML + AD, where the access is granted to AWS services through Temporary Credentials
least expensive but does not support Microsoft AD advanced features
provides a standalone directory service on AWS based on Samba 4 and compatible with Microsoft Active Directory
No single point of Authentication or Authorization, as a separate copy is maintained
trust relationships cannot be set up between Simple AD and other Active Directory domains
Don’t use it if the requirement is to leverage access and control through a centralized authentication service
acts just as a hosted proxy service for instances in AWS to connect to on-premises Active Directory
enables consistent enforcement of existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or in the AWS cloud
needs VPN connectivity (or Direct Connect)
integrates with existing RADIUS-based MFA solutions to enable multi-factor authentication
does not cache data, which might lead to latency
Read-only Domain Controllers (RODCs)
works out as a Read-only Active Directory
holds a copy of the Active Directory Domain Service (AD DS) database and responds to authentication requests
they cannot be written to and are typically deployed in locations where physical security cannot be guaranteed
helps maintain a single point of authentication & authorization controls, however needs to be synced
Writable Domain Controllers
are expensive to set up
operate in a multi-master model; changes can be made on any writable server in the forest, and those changes are replicated to servers throughout the entire forest
is a web application firewall that helps monitor the HTTP/HTTPS traffic and allows controlling access to the content.
helps protect web applications from attacks by allowing rules configuration that allow, block, or monitor (count) web requests based on defined conditions. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.
helps define Web ACLs, which are combinations of Rules, each Rule being a combination of Conditions and an Action to block or allow
integrated with CloudFront, Application Load Balancer (ALB) and API Gateway, services commonly used to deliver content and applications
supports custom origins outside of AWS, when integrated with CloudFront
Third Party WAF
act as filters that apply a set of rules to web traffic to cover exploits like XSS and SQL injection and also help build resiliency against DDoS by mitigating HTTP GET or POST floods
WAF provides a lot of features like OWASP Top 10 rule sets, HTTP rate limiting, whitelists or blacklists, inspection and identification of requests with abnormal patterns, CAPTCHA etc.
a WAF sandwich pattern can be implemented where an autoscaled WAF tier sits between the Internet and the internal Load Balancer
helps protect secrets needed to access applications, services, and IT resources.
enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
secures secrets by encrypting them with encryption keys managed using AWS KMS.
offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
supports IAM and resource-based policies for fine-grained access control to secrets and centralized secret rotation audit for resources in the AWS Cloud, third-party services, and on-premises.
enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios.
supports private access using VPC Interface endpoints
is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all of the AWS accounts and cloud applications.
helps manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support SAML 2.0.
includes a user portal where the end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.
is a managed service that provides protection against Distributed Denial of Service (DDoS) attacks for applications running on AWS
provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks, and others to support high availability of applications on AWS.
provides AWS Shield Advanced with additional protections against more sophisticated and larger attacks for applications running on EC2, ELB, CloudFront, AWS Global Accelerator, and Route 53.
offers threat detection that enables continuous monitoring and protects the AWS accounts and workloads.
analyzes continuous streams of metadata generated from AWS account and network activity found in AWS CloudTrail Events, VPC Flow Logs, and DNS Logs.
uses integrated threat intelligence such as known malicious IP addresses, anomaly detection, and machine learning to identify threats more accurately.
operates completely independently from the resources so there is no risk of performance or availability impacts to the workloads.
supports suppression rules, trusted IP lists and threat lists.
is a vulnerability management service that continuously scans the AWS workloads for vulnerabilities
automatically discovers and scans EC2 instances and container images residing in Elastic Container Registry (ECR) for software vulnerabilities and unintended network exposure.
creates a finding, when a software vulnerability or network issue is discovered, that describes the vulnerability, rates its severity, identifies the affected resource, and provides remediation guidance.
is a Regional service.
requires the Systems Manager (SSM) agent to be installed and enabled on EC2 instances.
is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS’ compliance documentation and agreements
can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.