Please note that this course has now been replaced with three new courses:
- The Difference Between Authentication, Authorization, and Access Control in AWS
- Authorization Controls in AWS
- AWS Authentication Mechanisms
Cloud Security is a huge topic, mainly because it has so many different areas of focus. This course focuses on three areas that are fundamental: AWS Authentication, Authorization, and Accounting.
These three topics are closely linked, and understanding the different security controls from an authentication and authorization perspective helps you design the correct level of security for your infrastructure. Once an identity has been authenticated and is authorized to perform specific functions, it is then important that this access can be tracked with regard to usage and resource consumption so that it can be audited, accounted for, and billed.
The course will define and discuss each area and iron out any confusion of meaning between various security terms. Some people are unaware of the differences between authentication, authorization, and access control; this course clearly explains those differences, allowing you to use the correct terms to describe your security solutions.
From an AWS authentication perspective, a number of different mechanisms are explained, such as AWS Multi-Factor Authentication (MFA), Federated Identity, Access Keys, and Key Pairs. With the help of demonstrations, you can learn how to apply access keys to your AWS CLI for programmatic access and understand the differences between Linux and Windows authentication methods using AWS Key Pairs.
When we dive into understanding authorization we cover IAM Users, Groups, Roles, and Policies, providing examples and demonstrations. Within this section, S3 authorization is also discussed, looking at access control lists (ACLs) and Bucket Policies. Moving on from S3, we look at network- and instance-level authorization with the help of Network Access Control Lists (NACLs) and Security Groups.
Finally, the Accounting section will guide you through the areas of Billing & Cost Management that you can use to help identify potential security threats. In addition to this, we explain how AWS CloudTrail can be used to track API calls to analyze what users are doing and when. This makes CloudTrail a strong tool in tracking, identifying, and monitoring a user's actions within your AWS environment.
Learning Objectives
- Obtain a strong grasp of the difference between authentication, authorization, access control, and accounting
- Understand various authentication mechanisms used in AWS such as MFA, Federated Identity, Access Keys, and Key Pairs
- Learn about IAM Users, Groups, Roles, and Policies and how they tie into authorization in AWS
- Learn about billing and cost management, and how to use it to identify potential security threats
- Understand how AWS CloudTrail can be used to track, identify, and monitor users' actions within AWS
Intended Audience
This course has been created for anyone with an interest in cloud security, and/or who may hold a position of cloud solutions architect, cloud security specialist, or similar.
Prerequisites
To get the most out of this course, you should have a basic understanding of identity and access management (IAM), Amazon EC2, Amazon S3 storage, networking fundamentals, and the virtual private cloud service.
Hello and welcome to this short lecture to complete and summarize this course.
Authentication, authorization, and accounting are key within any infrastructure, from different AWS environments such as test, dev, and production, to different departments using your AWS infrastructure, such as sales and marketing, etc.
If you overlook security from an identity and authorization perspective, you could leave yourself open to security loopholes which in turn can lead to abuse from not only internal users, but external as well. Security remains the highest sticking point within cloud computing. It's the one key topic that consistently gains attention and requires constant and considerable effort to get right and implement efficiently.
In order to do this correctly, a clear understanding and definition of security terms is essential, such as the clear differences between authentication, authorization, and access control we spoke about in one of the early lectures of this course. If you want to be an effective security expert, you need to know the differences between these terms to allow you to select and architect the right solution to meet your needs.
There are so many different methods of authentication and granting permissions. It can get a little overwhelming when selecting the most effective mechanism. However, when doing so, implement the solution that meets the security level of the data and resources that you are protecting. If the data or resource is highly sensitive, then you would want to implement multiple levels of authentication, such as MFA, in addition to multiple levels of authorization at different levels. The more restrictions that are in place, the harder it is to breach.
With potentially hundreds or thousands of users accessing your AWS environment to create, modify, or delete resources, tracking this access can be crucial in resolving operational issues in security breaches and threats. This is where AWS CloudTrail, by tracking every API call, plays a great role in helping to account for actions made by an identity.
This information can be used to track costs incurred by particular users, should they have launched a number of instances with a single API call.
Billing also plays a part in helping to secure your infrastructure. Analysis of your billing information allows you to track and notice trends occurring in your infrastructure. Any anomaly outside of these predicted trends could be a security breach that needs investigation.
Implementing numerous authentication methods at the correct levels along with multiple authorization mechanisms where identities can be tracked and monitored throughout their authenticated session, in addition to graphical billing analysis, allows you to create an effective, secure, and proactive security analysis solution.
I would recommend you take a look at the labs we have here at CloudAcademy, as there are a number of AWS labs covering security, such as advanced IAM and S3 policies and the creation of VPC subnets using NACLs. So feel free to take a look at these in your own time to become more familiar with how to set these up within a real environment.
If you have any feedback on this course, positive or negative, please do leave a comment on the landing page of this course. Your feedback is greatly appreciated.
That brings us to the end of this lecture and the end of the course. I hope you have found it useful and that it has answered some questions you may have had. Thank you for your time and good luck with your continued learning of cloud computing. Thank you.
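As an added example that is not part of the course or its labs, the following Python script performs the kind of per-identity accounting the lecture describes: it groups CloudTrail records by the calling identity, records when each identity was first and last seen, and counts the instances launched by each RunInstances call. The record layout follows the CloudTrail event schema, but the records themselves are constructed sample data.

```python
"""Per-identity accounting from CloudTrail records (added example, not course code)."""
import json
from collections import Counter

# Constructed sample, not real logs; field names follow the CloudTrail event
# schema (Records, eventTime, eventName, userIdentity, responseElements).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-01-10T09:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0000000000000001"}, {"instanceId": "i-0000000000000002"}]}}},
    {"eventTime": "2023-01-10T09:05:00Z", "eventName": "DeleteBucket",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "responseElements": None},
    {"eventTime": "2023-01-10T09:07:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0000000000000003"}]}}},
]})


def identity_label(user_identity):
    """Reduce a userIdentity block to a readable label (Role/Session for STS)."""
    if user_identity.get("type") == "IAMUser":
        return user_identity["userName"]
    if user_identity.get("type") == "AssumedRole":
        # The STS ARN ends with assumed-role/<RoleName>/<SessionName>.
        return "/".join(user_identity["arn"].split("/")[-2:])
    return user_identity.get("arn", "unknown")


def summarize(log_text):
    """Return {identity: {calls, events, instances_launched, first_seen, last_seen}}."""
    summary = {}
    for rec in json.loads(log_text)["Records"]:
        who = identity_label(rec["userIdentity"])
        row = summary.setdefault(who, {
            "calls": 0, "events": Counter(), "instances_launched": 0,
            "first_seen": rec["eventTime"], "last_seen": rec["eventTime"]})
        row["calls"] += 1
        row["events"][rec["eventName"]] += 1
        row["first_seen"] = min(row["first_seen"], rec["eventTime"])
        row["last_seen"] = max(row["last_seen"], rec["eventTime"])
        if rec["eventName"] == "RunInstances" and rec.get("responseElements"):
            # One RunInstances call can launch several instances; count each.
            items = rec["responseElements"].get("instancesSet", {}).get("items", [])
            row["instances_launched"] += len(items)
    return summary
```

Running `summarize(SAMPLE_LOG)` attributes three launched instances across two calls to alice and a single DeleteBucket to the Admin/bob role session, which is the per-identity view you would feed into cost or anomaly review.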
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.