Access Control (via available tools)

Last updated 6 months ago

IAM Access Control

Tools that can help in monitoring access control are as follows:

  • Credential Report - Can be used to identify unused credentials and to maintain compliance evidence. It provides a CSV listing, for each IAM user, its ARN, creation time, password and access key usage (last used, last changed and next rotation date), whether MFA is active, the last service used with each access key, and its X.509 certificates.

  • Access Analyzer - A feature in IAM that monitors how policies are used, so that unwanted policies can be modified or removed. It shows the service name, the policy granting the permissions, when they were last accessed and which members accessed them. This is particularly useful to verify that a person who has changed jobs or left the organization no longer has the same level of access, which it surfaces by reporting IAM policies that are not being used. Apart from this, it can also be used to monitor external access.

In short, it identifies resources shared with external principals, for resources such as:

Feel free to navigate to the following link to have a more hands-on approach:

  • AWS Trusted Advisor - Useful for a newly created AWS account to learn the must-dos. It helps with cost optimization, performance, fault tolerance, security, etc. It has a large number of checks, but most are behind a paywall. The first thing after setup should be to review its IAM suggestions.

  • AWS Config - This paid service from Amazon assesses, audits and evaluates the configurations of AWS resources, but where it really shines is enforcement. It is a kind of File Integrity Monitoring, but for AWS configurations. Its feature list is as follows:

    1. Continuous monitoring of configurations, detecting when they differ from the baseline

    2. Continuous assessment of configurations that differ from the baseline, determining whether the change is permitted or not

    3. Change management - view all the changes

    4. Operational troubleshooting - if any flow breaks, it can help identify the configuration change behind it

    5. Helps with compliance

W.r.t. IAM, AWS Config can help with:

Setup example for AWS Config:

Note that one can create one's own rules using Lambda and Guard.
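Returning to the Credential Report described above: the following is an added example (not part of the original notes) that triages a report for the unused-credential findings the note mentions. It assumes the real report column headers; the rows are constructed sample data, and `REVIEW_DATE`, `age_days` and `find_stale_credentials` are names chosen here.

```python
# Added example (not from the original notes): triage an IAM credential report
# for unused credentials. Column names are the real report headers; the rows are
# CONSTRUCTED sample data. In practice the CSV comes from `aws iam get-credential-report`.
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T09:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,true,2024-01-15T09:00:00+00:00,2024-05-02T10:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T09:00:00+00:00,true,2023-11-20T10:00:00+00:00,2023-03-01T09:00:00+00:00,N/A,false,true,2023-03-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-04-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-04-01T09:00:00+00:00,2024-05-03T01:00:00+00:00,eu-west-1,ecr,true,2023-09-01T09:00:00+00:00,2023-10-01T01:00:00+00:00,eu-west-1,ecr,false,N/A,false,N/A
"""

REVIEW_DATE = datetime(2024, 5, 10, tzinfo=timezone.utc)  # "now" for the constructed sample

def age_days(value, now):
    """Days since an ISO-8601 timestamp; None for N/A, no_information or not_supported."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None

def find_stale_credentials(report_csv, now, max_idle_days=90):
    """Return (user, finding) pairs: console passwords without MFA, and any
    password or active access key idle for more than max_idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":  # the root row reports not_supported here
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            idle = age_days(row["password_last_used"], now)
            if idle is None or idle > max_idle_days:
                findings.append((user, "console password unused"))
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            idle = age_days(row[f"access_key_{k}_last_used_date"], now)
            if idle is None:  # key never used: measure idleness from its creation/rotation
                idle = age_days(row[f"access_key_{k}_last_rotated"], now)
            if idle is None or idle > max_idle_days:
                findings.append((user, f"access key {k} unused"))
    return findings

if __name__ == "__main__":
    for user, finding in find_stale_credentials(SAMPLE_REPORT, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Each finding maps to a concrete follow-up: enforce MFA on the console user, and deactivate the idle password or access key before deleting it.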

AWS CloudTrail - One of the foundational AWS logging services; it can be used both for monitoring and to collect forensic evidence. More details on.

https://aws.amazon.com/blogs/security/iam-access-analyzer-simplifies-inspection-of-unused-access-in-your-organization/
AWS CloudTrail page
Working Model for Access Analyzer