Authentication, Authorization & Accounting
Cloud security is a huge topic, mainly because it has so many different areas of focus. This course focuses on three fundamental areas: AWS authentication, authorisation and accounting.
These three topics are closely linked, and understanding the different security controls from an authentication and authorization perspective helps you design the correct level of security for your infrastructure. Once an identity has been authenticated and authorised to perform specific functions, it is important that its access can be tracked in terms of usage and resource consumption so that it can be audited, accounted for and billed.
The course defines and discusses each area and irons out any confusion of meaning between the various security terms. Some people are unaware of the differences between authentication, authorization and access control; this course explains those differences clearly, allowing you to use the correct terms to describe your security solutions.
From an AWS authentication perspective, a number of different mechanisms are explained, such as multi-factor authentication (MFA), federated identity, access keys and key pairs. With the help of demonstrations, you learn how to apply access keys to the AWS CLI for programmatic access and understand the differences between Linux and Windows authentication methods using AWS key pairs.
When we dive into authorization we cover IAM users, groups, roles and policies, providing examples and demonstrations. Within this section, S3 authorization is also discussed, looking at access control lists (ACLs) and bucket policies. Moving on from S3, we look at network-level and instance-level authorization with the help of network access control lists (NACLs) and security groups.
Finally, the accounting section guides you through the areas of Billing & Cost Management that you can use to help identify potential security threats. In addition, we explain how AWS CloudTrail can be used to track API calls and analyse what users are doing and when. This makes CloudTrail a strong tool for tracking, identifying and monitoring a user's actions within your AWS environment.
Welcome to this lecture on authentication, authorization, and access control.
When talking about security, I find that there is always a lot of confusion around the definition and meaning of the words authentication, authorization, and access control. Many people believe they all mean the same thing, with no clear distinction between them. This is untrue, and as a result people often use the wrong term to describe their security mechanisms. In this lecture I want to cover each of these to help you understand the differences. Knowing these differences is important in order to control access to your cloud resources effectively and with the appropriate level of security.
Let's start by looking at authentication. The authentication process consists of two pieces of information. The first part of this process is to define who you are, effectively presenting your identity. An example of this would be the login username for your AWS account or environment. This identifier is a unique value within the system you are trying to authenticate to; in this example, AWS would not allow two identical user accounts to be created within the same AWS account.
The second part of the authentication process is to verify that you are who you said you were in the first step. This is achieved by providing additional information which, for security purposes, should be kept private and secret. Unlike the identity, this private information does not have to be a unique value within the system. So, in the example I just gave, where you provide your identity in the form of a username for your AWS account, which is a unique value, the next step is to verify that identity by providing a password.
Putting AWS and the cloud to one side for a moment, usernames and passwords are not the only form of authentication, that is, of identification followed by verification. In our everyday lives we are presented with multiple forms of authentication. For example, credit and debit cards and PINs: when we use these to pay for something, we authenticate to our banks. In this process we first identify ourselves by presenting the card, which carries our personal details, and then verify that identity by entering a private, secret PIN. This combination allows us to authenticate to our bank. Authentication is not just for verifying human access to systems; it also takes place between systems that require access to other systems, for example one AWS service requiring access to another to perform a function. In this instance the same authentication principles and process are followed: identity first, and then verification of that identity.
Now that we have a clear definition of authentication, let's take a look at authorization and see how the two differ. Authorization only takes place once an identity has been authenticated, so there is a clear order in which these two operate: authentication takes place before the correct level of authorization can be attained. Authorization is the process in which the system you have authenticated to establishes what you can access and at what level, so here we are really looking at your access privileges and permissions. Staying with the AWS example, we have authenticated ourselves by providing the correct identity and password. Now AWS's security features, in this case the AWS Identity and Access Management (IAM) service, define the level of authorized access assigned to that identity within the AWS environment. Each identity can have a different set of authorization properties associated with it, and it is these properties that determine what that identity can access.
Let's say we have four identities within our AWS account: Stuart, Andy, Ben, and Eric. Once each is authenticated, AWS determines their authorization levels. This table shows the high-level authorization information. From it we can see that Stuart is authorized to have full access to the entire AWS S3 service. Andy is authorized only to launch instances within AWS EC2. Ben is authorized only to create volumes within AWS EBS. And Eric is authorized to both create and delete users within IAM.
So there is a clear distinction between authentication and authorization. Authentication identifies and verifies who you are. Authorization determines what an identity can access within a system once it has authenticated to it.
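As an added example (not part of the course material), here is the four-identity scenario above expressed as simplified IAM-style policy statements, with a toy credential check placed in front of the authorization decision to show the ordering. The evaluator follows IAM's real rule that an explicit Deny beats an Allow and that no matching statement means an implicit deny. The passwords, salt and policy contents are constructed; EBS volume actions live under the ec2 namespace, so Ben's permission is ec2:CreateVolume.

```python
import fnmatch
import hashlib
import hmac

# Constructed identities and policies (not the course's own material). Each user
# carries IAM-style statements; actions use IAM's service:Action naming and may
# contain wildcards. EBS volume actions live under the ec2 namespace.
POLICIES = {
    "Stuart": [{"Effect": "Allow", "Action": ["s3:*"]}],
    "Andy":   [{"Effect": "Allow", "Action": ["ec2:RunInstances"]}],
    "Ben":    [{"Effect": "Allow", "Action": ["ec2:CreateVolume"]}],
    "Eric":   [{"Effect": "Allow", "Action": ["iam:CreateUser", "iam:DeleteUser"]}],
}

# Toy credential store: salted SHA-256 of constructed passwords. A real service
# would use a slow password hash; this only stands in for the verification step.
_SALT = b"constructed-salt"


def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


CREDENTIALS = {name: _digest(pw) for name, pw in
               [("Stuart", "s3cret"), ("Andy", "pa55"), ("Ben", "hunter2"), ("Eric", "qwerty")]}


def authenticate(username, password):
    """Authentication: the identity (username) plus its verification (password)."""
    stored = CREDENTIALS.get(username)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


def evaluate(statements, action):
    """IAM-style decision: explicit Deny wins, then an Allow, otherwise implicit deny."""
    decision = False
    for stmt in statements:
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def request(username, password, action):
    """Authorization is only attempted once authentication has succeeded."""
    if not authenticate(username, password):
        return "unauthenticated"
    return "allowed" if evaluate(POLICIES.get(username, []), action) else "denied"
```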
Now, how does access control fit into all this? Again, access control is defined as something different from authentication and authorization. Access control can be classed as the mechanism by which a secured resource is accessed. Let's put some examples in context to make it a little clearer. When a user logs on with a username and password, as per our previous example, the access control mechanism, in its simplest form, can be classed as a username/password method. If we were then to include the use of a multi-factor authentication (MFA) device, the access mechanism would be more closely associated with MFA, as it provides a greater level of authentication than a username and password alone. So access control is more about the process of how access is granted to a resource.
Let's go over this again with some other access control mechanisms within the AWS environment that you should be aware of. It's important to note that access control is not always related to a human; access control mechanisms can also be exercised by AWS services themselves. Some other methods of access control within AWS are: IAM roles, where roles are used to grant permissions to perform specific functions, which can be classed as role-based access control. Federation, where access is granted to users that do not have identities within AWS itself and are supplied with temporary credentials to gain access; for example, a user account within a corporate on-premises Microsoft Active Directory can be federated to access AWS resources. Network access control lists, or NACLs, where filtering is performed at the network layer, restricting traffic based on specific network parameters such as IP address, protocol, and port; for example, only allowing SSH access to a particular subnet from a specific network range. Security groups, which are similar to NACLs and perform the same function but at the instance level, so again access control based on IP address and port information. So, as you can see, access control is not always related to human activity where usernames and passwords are used.
Access control is very closely related to both authentication and authorization, as the access control mechanism is typically used for both authentication and authorization when gaining access to a resource.
So, to reiterate, I feel it's important to really understand the difference between the three terms we have just covered. Authentication: the process of presenting an identity and verifying that identity. An example would be a username and password. Authorization: determines what an identity can access within a system once it has been authenticated to it. An example would be an identity's permissions to access specific AWS services. Access control: the method and process by which access is granted to a secured resource. An example is multi-factor authentication, which we just discussed.
I hope you now have a clearer understanding of the difference between each of these terms. AWS has services and features for each of the three mechanisms we have just covered, so it's important to use them in the correct context and not confuse ourselves and others about their meaning.
This brings us to the end of this lecture. Coming up next we look deeper at authentication to discuss the various methods of authentication available in AWS.
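The NACL and security group mechanisms described above, as an added example that is not part of the course: a toy evaluator for inbound traffic, assuming constructed rule sets that allow SSH into a subnet only from a 203.0.113.0/24 corporate range (the destination subnet is implied by where the NACL is attached, so it is not modelled). It reproduces the real differences between the two: a NACL is stateless and evaluates numbered rules in ascending order, first match wins, ending in a '*' deny, while a security group is stateful and allow-only, permitting traffic if any rule matches.

```python
import ipaddress

# Constructed subnet NACL (not from the course): stateless, evaluated by ascending
# rule number, first match wins, and the trailing '*' rule denies everything else.
# Intent: SSH (tcp/22) only from the corporate range, HTTPS from anywhere.
NACL_INBOUND = [
    {"rule": 100, "proto": "tcp", "port": 22,   "cidr": "203.0.113.0/24", "action": "allow"},
    {"rule": 110, "proto": "tcp", "port": 22,   "cidr": "0.0.0.0/0",      "action": "deny"},
    {"rule": 120, "proto": "tcp", "port": 443,  "cidr": "0.0.0.0/0",      "action": "allow"},
    {"rule": "*", "proto": "all", "port": None, "cidr": "0.0.0.0/0",      "action": "deny"},
]

# Constructed instance security group: stateful and allow-only. Any matching rule
# permits the packet; there are no rule numbers and no deny rules, and replies to
# allowed traffic are permitted automatically (a NACL needs an explicit outbound rule).
SG_INBOUND = [
    {"proto": "tcp", "port": 22,  "cidr": "203.0.113.0/24"},
    {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
]


def _matches(rule, proto, port, src_ip):
    """A rule matches when protocol, port and source address all fit."""
    proto_ok = rule["proto"] in ("all", proto)
    port_ok = rule["port"] is None or rule["port"] == port
    cidr_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])
    return proto_ok and port_ok and cidr_ok


def nacl_allows(proto, port, src_ip):
    """Ordered evaluation: lowest rule number first; the '*' rule is checked last."""
    numbered = sorted((r for r in NACL_INBOUND if r["rule"] != "*"), key=lambda r: r["rule"])
    catch_all = [r for r in NACL_INBOUND if r["rule"] == "*"]
    for rule in numbered + catch_all:
        if _matches(rule, proto, port, src_ip):
            return rule["action"] == "allow"
    return False  # nothing matched at all: still denied


def sg_allows(proto, port, src_ip):
    """Unordered, allow-only evaluation: permitted if any rule matches."""
    return any(_matches(r, proto, port, src_ip) for r in SG_INBOUND)


def packet_reaches_instance(proto, port, src_ip):
    """Inbound traffic must pass the subnet's NACL and then the instance's security group."""
    return nacl_allows(proto, port, src_ip) and sg_allows(proto, port, src_ip)
```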
About the Author
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data centre and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 60+ courses relating to cloud, most within the AWS category with a heavy focus on security and compliance.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.