AWS & Services

AWS Global Architecture

  • AWS Regions

  • AWS Availability Zones

  • AWS Local Zones

AWS Services

AWS offers a wide range of cloud computing services to meet various needs.

Here is a brief overview of some of the popular services offered by AWS, which fall into various cloud service categories, with a short description of each:

  1. Amazon S3 (Simple Storage Service):

    • Scalable object storage for storing and retrieving any amount of data.

  2. Amazon EC2 (Elastic Compute Cloud):

    • Virtual servers in the cloud for scalable computing capacity.

  3. Amazon VPC (Virtual Private Cloud):

    • Provides a secure and isolated virtual network environment, allowing users to customize their own logically isolated section of the AWS Cloud.

  4. Amazon RDS (Relational Database Service):

    • Managed relational databases with support for multiple database engines.

  5. Amazon Lambda:

    • Serverless compute service for running code without provisioning or managing servers.

  6. Amazon DynamoDB:

    • Fully managed NoSQL database service for fast and predictable performance with seamless scalability.

  7. Amazon Route 53:

    • Scalable domain name system (DNS) web service designed to route end-user requests to globally distributed endpoints.

  8. Amazon SNS (Simple Notification Service):

    • Fully managed messaging service for event-driven architecture, sending notifications to a distributed set of recipients.

  9. Amazon SQS (Simple Queue Service):

    • Managed message queuing service for decoupling and scaling microservices, distributed systems, and serverless applications.

  10. Amazon ECS (Elastic Container Service):

    • Highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster.

  11. Amazon Cognito:

    • Fully managed identity service that enables you to add user sign-up, sign-in, and access control to your web and mobile apps.

  12. Amazon CloudFront:

    • Content delivery network (CDN) service for securely delivering data, videos, applications, and APIs to customers globally.

  13. AWS IAM (Identity and Access Management):

    • Securely control access to AWS services and resources for your users.

  14. Amazon Athena:

    • Serverless, interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL, with no need for infrastructure management.

  15. Amazon ElastiCache:

    • In-memory data store and cache service to improve the performance of web applications by retrieving information from fast, managed, in-memory caches.

  16. AWS CloudFormation:

    • Infrastructure as Code (IaC) service for provisioning and managing AWS infrastructure in a safe, predictable, and repeatable manner.

  17. Amazon GuardDuty:

    • Managed threat detection service that continuously monitors for malicious activity and unauthorized behaviour to protect your AWS accounts and workloads.

  18. AWS WAF (Web Application Firewall):

    • Web application firewall that helps protect web applications from common web exploits by allowing you to control and customize web security rules.

  19. Amazon CloudWatch:

    • Monitoring and observability service that provides data and actionable insights for applications and infrastructure resources in the AWS cloud.

  20. AWS CloudTrail:

    • Service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

  21. Amazon Inspector:

    • Automated security assessment service to help improve the security and compliance of applications deployed on AWS.

  22. AWS Security Hub:

    • Comprehensive security and compliance service that provides a unified view of your security posture across your AWS accounts.

  23. AWS Secrets Manager:

    • Service to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

  24. AWS Shield:

    • Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS against infrastructure and application layer DDoS attacks.

AWS Authentication and Authorization

Amazon Web Services (AWS) provides a secure and scalable cloud computing platform used by millions of users globally. Authentication and authorization are fundamental aspects of AWS security, ensuring that only authorized entities can access AWS resources and services.

  1. Understanding the Basics:

    Authentication: Authentication is the process of verifying the identity of users, systems, or applications. In AWS, it ensures that the entities interacting with your resources are who they claim to be.

    Authorization: Authorization, on the other hand, is the process of granting or denying access to specific AWS resources. Once a user or system is authenticated, authorization defines what actions they are allowed to perform.

  2. AWS Identity and Access Management (IAM):

    IAM is the cornerstone of AWS authentication and authorization. It helps you manage users, groups, roles, and their associated permissions. Let’s break down these components.

    Users: Each person or system interacting with AWS has a unique identity called a user. Users are provided with a set of security credentials (username and password or access keys) for authentication.

    Groups: Groups are collections of users. Instead of assigning permissions to individual users, you can assign permissions to groups, making it easier to manage access for multiple users with similar needs.

    Roles: Roles are a secure way to grant permissions to entities outside your AWS account. For example, you can create a role that allows an AWS service to access specific resources in your account.

  3. Security Credentials:

    AWS uses various types of security credentials for authentication:

    1. Access Keys: Access keys consist of an access key ID and a secret access key. These are used by applications or users to make programmatic requests to AWS.

    2. IAM Usernames and Passwords: IAM users can be authenticated using a username and password, providing a way for humans to interact with AWS services. These are used for AWS Management Console access.

    3. Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide a secondary authentication factor, typically a time-based one-time password (TOTP), in addition to their regular credentials.

  4. Policies:

    Policies define the permissions that users, groups, and roles have. They are written in JSON format and specify what actions are allowed or denied on what AWS resources. Policies can be attached to IAM users, groups, or roles.

  5. AWS Authentication and Authorization Process:

    1. User Initiates Request: A user or application sends a request to AWS, indicating the desired action, such as reading from an S3 bucket or launching an EC2 instance.

    2. AWS IAM Authentication: AWS Identity and Access Management (IAM) authenticates the user or application by verifying the provided credentials. This involves checking the validity of access keys, usernames and passwords, or other authentication methods.

    3. Authorization Check: Once authenticated, AWS conducts an authorization check to determine if the authenticated entity (user, group, or role) has the necessary permissions to perform the requested action. This involves evaluating the attached policies that define what actions are allowed or denied.

    4. Policy Evaluation: IAM policies, expressed in JSON format, are evaluated. These policies are attached to the IAM user, group, or role and explicitly state what resources can be accessed and what actions are permitted. If a policy grants the required permissions, and no applicable policy explicitly denies them (an explicit Deny always overrides an Allow), the authorization check is successful.

    5. Response to User: Based on the outcome of the authorization check, AWS either allows or denies the request. If allowed, the requested action is performed; if denied, an error is returned, indicating insufficient permissions.

    6. Logging and Auditing: AWS logs authentication and authorization events, providing a trail of who accessed what resources and when. This logging is crucial for security audits and compliance with regulatory requirements.
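To make the Policies section and the Policy Evaluation step above concrete, here is an added example (not code from the page or from AWS) of a deliberately simplified identity-policy evaluator: it applies the explicit-Deny-wins, then Allow, then implicit-deny rule to a constructed sample policy. It assumes a single identity policy and ignores Condition, NotAction/NotResource, resource-based policies, permission boundaries and SCPs, which the real IAM evaluation also considers.

```python
import fnmatch
import json

# Constructed sample identity policy (not from the page): read access to one
# bucket, with an explicit Deny carved out for everything under secrets/.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
})


def _as_list(value):
    """Action and Resource may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: '*' is any run of characters, '?' a single character.
    fnmatchcase implements exactly those two and nothing more."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy_json, action, resource):
    """Decide one request against one identity policy: an explicit Deny
    always wins, otherwise a matching Allow grants access, otherwise the
    request is implicitly denied. Simplified: no Condition, NotAction,
    resource-based policies or SCPs are considered."""
    policy = json.loads(policy_json)
    decision = "deny"  # implicit deny until an Allow statement matches
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; ARNs are matched as written.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny overrides any Allow
        decision = "allow"
    return decision
```

Calling `evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/secrets/db.pem")` returns "deny" even though the first statement allows it, which is the precedence rule in action.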

  6. Federated Users:

    1. Federated Identity Providers (IdP):

      1. Organizations often use external IdPs (like Microsoft Active Directory) to manage user identities.

      2. Federated users authenticate through their organization’s IdP, and AWS trusts this external authentication.

    2. Temporary Security Credentials:

      1. AWS generates temporary credentials for federated users after successful authentication.

      2. These credentials allow access based on policies defined in AWS.

  7. IAM Roles and STS:

    1. IAM Roles:

      1. Roles are like VIP passes, granting specific permissions.

      2. They can be attached to users, applications and other AWS services.

      3. Roles reduce the risk of long-term credential exposure.

      4. Cross-Account Access: Allows roles to be assumed by entities in different AWS accounts.

      5. Temporary Permissions: Offers time-limited access to resources.

    2. Security Token Service (STS):

      1. STS is the service that enables the creation of temporary security credentials.

      2. Used in scenarios like federated users and roles, providing short-term access.

  8. Security Best Practices:

    • Principle of Least Privilege: Users and systems should have the minimum level of access required.

    • Regular Credential Rotation: Periodically change access keys, passwords, and other security credentials. Use of MFA is recommended.

    • Use IAM Roles for EC2 Instances: Instead of embedding access keys, leverage roles for secure instance access.
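As an added example (not code from the page or from AWS) of turning the rotation and MFA recommendations above into a repeatable check, the function below reads an IAM credential report, the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns, and flags active access keys older than a threshold, console sign-in without MFA, and any active root access key. The report rows, the account ID, the 90-day threshold and the fixed "today" are constructed for the example; a real report has more columns, but rows are read by column name so it parses the same way.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report. A real report
# has more columns; only those these checks read are kept here.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2022-01-10T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,false,false,true,2023-02-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
"""

MAX_KEY_AGE = timedelta(days=90)  # rotation interval assumed for this example
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today"


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A-style markers mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for the hygiene rules the text recommends:
    active access keys older than MAX_KEY_AGE, console sign-in without MFA,
    and any active access key on the root user."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root has an active {slot}"))
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                age = (now - rotated).days
                findings.append((user, f"{slot} is {age} days old"))
        # Root always has a console password; the report marks it not_supported.
        has_password = row["password_enabled"] == "true" or user == "<root_account>"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
    return findings
```

Running `audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)` on the sample reports nothing for alice and five findings across root, build-bot and bob.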
