Amazon Web Services
This course explores the differences between authentication, authorization, and access control in order to control access to your cloud resources effectively and with the appropriate level of security.
- Clear up any confusion surrounding authentication, authorization, and access control
- Learn how to use them to manage the security of your AWS resources
This course is ideal for anyone who wants to enhance their understanding of security in AWS.
To get the most out of this course you should already have a foundational understanding of AWS and basic security concepts.
When talking about security, I find that there can be a lot of confusion around the definition and meaning of the words authentication, authorization, and access control. Many people believe they all mean the same thing with no clear distinction between them. This is, however, untrue, and as a result people often use the wrong term to describe a security mechanism. So in this course, I want to cover each of these to help you understand the differences. It's important to know these differences in order to control access to your cloud resources effectively and with the appropriate level of security.
My name is Stuart Scott, and I am the AWS content Director here at Cloud Academy. Feel free to connect with me to ask any questions using the details shown on the screen, alternatively you can always get in touch with us here at Cloud Academy by sending an e-mail to firstname.lastname@example.org where one of our Cloud experts will reply to your question.
So getting back to the topic in question, let's start by looking at Authentication in more detail.
The authentication process is comprised of two parts of information. The first part of this process is to define who you are, effectively presenting your identity. An example of this would be your login username to your AWS account. This identification is a unique value within your AWS account that you are trying to authenticate to, and so as a result of it being unique, AWS would not allow two identical usernames to be created within the same single AWS account.
The second part of the authentication process is to verify that you are who you say you are in the first step. This is achieved by providing additional information which should be kept private and secret for security purposes. However, unlike the username, this private information does not have to be a unique value within your AWS account. So in the example I just gave whereby you provide your identity in the form of a username to your AWS account, which will be a unique value, the next step would be to verify that identity by providing a password.
Putting AWS and the cloud to one side for a moment, usernames and passwords are just one form of authentication used in an identity and verification process. In our everyday lives, we are presented with multiple forms of authentication methods without even thinking about it. For example, credit and debit cards and pin numbers. So, when we use these to pay for something we authenticate to our banks. In this process, we first identify ourselves by providing the credit card details with our personal information on it and then verify this identification by entering a private pin number. This combination then allows us to authenticate to our banks.
Another example might be with the use of biometrics, you might need to gain access to a secure room in your building, firstly you can present your identification card as your identity, and then this is authorized by presenting your fingerprint or retina scan, and therefore confirming you are who you say you are with the identity you provided.
Authentication is not just for verifying human access to systems or areas. Authentication takes place by IT services and applications that require access to other systems. For example, an EC2 instance might require access to Amazon S3 to perform routine tasks. In this instance, the same authentication principles and process is followed. Identity first, and then verification of that identity.
Now that we have a clear definition of authentication, let's take a look at authorization and see how authentication and authorization differ from each other. Authorization only takes place once an identity has been authenticated, so there is a clear order as to which these two operate.
Authentication takes place before the correct level of authorization can be attained. Authorization is the process in which an identity that has been authenticated establishes what level of access can and can’t be achieved. So here, we are really looking at access privileges and permissions.
Staying with an AWS example, let's assume we have an authenticated user that has entered their username and password. AWS security features, and in this case, AWS IAM, identity and access management service, defines the level of authorized access assigned to that identity within the AWS environment. Each identity can have a different level of authorization permissions associated to it. It's these properties that determine what that identity can then access.
Let's say we have four identities within our AWS account. Stuart, Will, Jorge, and Andy. Once authenticated, AWS will then determine their authorization levels.
This table shows the high-level authorization information. From this, we can see that Stuart is authorized to have full access to the complete AWS S3 service. Will is authorized to only Create instances from within Amazon EC2. Jorge is authorized to only create volumes within Amazon EBS. And Andy is authorized to both create and delete users within IAM.
So there is a clear distinction between authentication and authorization. Authentication identifies and verifies who you are. Authorization determines what an identity can access within a system once it has been authenticated to it.
Now how does access control fit into all this? Specifically logical access controls. Again, access control is defined as something different from authentication and authorization. When looking at Logical Access Control, we can hone in on the mechanisms or methods of accessing a secured resource.
Let's put some examples in context around this to make it a little clearer. So when a user logs on with a username and password, as per our previous example, this mechanism of logical access control, in its most simple form, can be classed as a username/password method. If we were to enforce tighter security controls and introduce Multi-Factor authentication, MFA, then this would be an enhanced level of access control as it uses an additional token to complete the authentication process. So you can look at logical access control in the eyes of the entire process of how access is granted to a resource.
There are of course many other logical access control mechanisms within the AWS environment that you may come across. So another method of access control within AWS can be that of IAM roles, where roles are used to grant permissions to perform specific functions which can be associated to users or other resources and services.
Another example is Federation, this is where access is granted to users that do not have identities within AWS IAM, instead, temporary credentials are supplied to gain access. For example, a user account within a corporate on-site Microsoft active directory can be federated to access AWS resources.
Network access control lists or NACLs. This method is performed at the network level restricting data dependent on specific network parameters such as IP address, protocols, and ports. For example, only allowing SSH access to a particular subnet from a specific network range.
Security groups: similar principles to NACLs, but they operate at the instance level. So, again access control is based on IP address and port information.
So, as you can see, access control is not always related to a human activity whereby usernames and passwords are used to simply log into a system or application.
Access control is very closely related to both authentication and authorization as the access control mechanism typically is used for both authentication and authorization to gain access to a resource.
So, to reiterate, I feel it's important to really understand the difference between the three terms we have just covered.
Authentication: the process of defining an identity and the verification of that identity. An example would be a username and password.
Authorization: determines what an identity can access within a system once it's been authenticated to it. An example of this would be an identity's permissions to access specific AWS services.
Access control: the method and process of how access is granted to a secure resource. An example, multi-factor authentication.
That now brings me to the end of this lecture and to the end of this course, and so you should now have a greater understanding of the difference between each of these terms and that you see the clear difference between them. AWS has services and features for the three mechanisms we have just learned, and so it's important we use these in the correct context and not confuse ourselves and others between their meaning.
Feedback on our courses here at Cloud Academy is valuable to both us as trainers and any students looking to take the same course in the future. If you have any feedback, positive or negative, it would be greatly appreciated if you could contact email@example.com.
Thank you for your time, and good luck with your continued learning of cloud computing. Thank you.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.