IAM Security Tools

• IAM Credentials Report (account-level)
  • a report that lists all your account's users and the status of their various credentials
• IAM Access Advisor (user-level)
  • Access advisor shows the service permissions granted to a user and when those services were last accessed
• IAM Access Analyzer
  • Find out which resources are shared externally:
    • S3 Buckets
    • IAM Roles
    • KMS Keys
    • Lambda Functions and Layers
  • Define Zone of Trust = AWS Account or AWS Organization
  • Access outside zone of trusts => findings

What’s Identity Federation?

• Federation lets users outside of AWS to assume temporary role for accessing AWS resources.

• These users assume identity provided access role.

• Federation assumes a form of 3rd party authentication • LDAP • Microsoft Active Directory (~= SAML) • Single Sign On • Open ID • Cognito

• Using federation, you don’t need to create IAM users (user management is outside of AWS)

  

SAML Federation For Enterprises

• To integrate Active Directory / ADFS with AWS (or any SAML 2.0)
• Provides access to AWS Console or CLI (through temporary creds)

Custom Identity Broker Application For Enterprises

STS ( Security Token Service )

Cognito User Pools (CUP) – User Features

• Create a serverless database of user for your web & mobile apps