Define how security is dealt with using the native AWS cloud services.
- [Instructor] So let's talk about Cloud security in terms of Amazon Web Services. There are three options for controlling direct access to AWS services. Number one is the use of federation to authenticate users and then pass a SAML token to get a temporary token that assumes an AWS role with rights to AWS resources. This is used typically by organizations that want simple access to AWS where there is no compliance issue or other security requirements that really are dictating that you take another path.
Second is to assume an AWS role directly that has permissions to access AWS resources. So we're assuming based on somebody that comes into the system that authenticates to us that they have permission to access the AWS resources that are in the account in a coarse grain way. So instead of identity access management, which is the second thing we're going to talk about, this provides you access to all resources that are basically assigned to that particular account, such as EC2, RDS, S3, things like that.
Finally, AWS API access keys that provide programmatic access to AWS resources. These are based on permissions granted to the AWS IAM user, so this is about API access. So if we're authenticating an application API to the particular system, then we're authenticated to access particular resources. We talked about identity access management in the last video and really this is about implementing identity access management scenarios where an application is identified and the user of the application is identified to having access rights to AWS APIs.
So we're able to gain access to the particular systems that AWS is able to provide and we're able to authenticate those systems through identity access management. Also, the federation approach, this is extremely handy. Looking at this example here, we have the identity broker which authenticates to the user access broker, and basically at the corporate identity store says that this is a valid user. They're valid to the on-premise systems in the company that we're residing in. From there we can make a call-out to AWS.
AWS has a security token service which is able to provide a temporary security credential. Once that credential is provided, the users are redirected to a console and the users have access to the API and all the resources that are there. This is extremely resourceful because we can take our existing security systems that we're leveraging on premise currently and integrate them directly with the AWS security system, such as identity access management. This means that we do not have to replicate security, we don't have to replicate usernames and passwords across between the on-premise systems and AWS, and it becomes a much more integrated and easy-to-manage package.
- Cloud security on the infrastructure, application, and data levels
- Identity and access management
- Cloud security services: AWS, Microsoft, and third-party solutions
- Cloud encryption
- Cloud compliance services
- Planning cloud security