Implementing Identity Management on AWS

Book description

Understand the IAM toolsets, capabilities, and paradigms of the AWS platform and learn how to apply practical identity use cases to AWS at the administrative and application level

Key Features

  • Learn administrative lifecycle management and authorization
  • Extend workforce identity to AWS for applications deployed to Amazon Web Services (AWS)
  • Understand how to use native AWS IAM capabilities with apps deployed to AWS

Book Description

AWS identity management offers a powerful yet complex array of native capabilities and connections to existing enterprise identity systems for administrative and application identity use cases. This book breaks down the complexities involved by adopting a use-case-driven approach that helps identity and cloud engineers understand how to use the right mix of native AWS capabilities and external IAM components to achieve the business and security outcomes they want.

You will begin by learning about the IAM toolsets and paradigms within AWS. This will allow you to determine how to best leverage them for administrative control, extending workforce identities to the cloud, and using IAM toolsets and paradigms on an app deployed on AWS. Next, the book demonstrates how to extend your on-premises administrative IAM capabilities to the AWS backplane, as well as how to make your workforce identities available for AWS-deployed applications. In the concluding chapters, you’ll learn how to use the native identity services with applications deployed on AWS.

By the end of this AWS IAM book, you will be able to build enterprise-class solutions for administrative and application identity using AWS IAM tools and external identity systems.

What you will learn

  • Understand AWS IAM concepts, terminology, and services
  • Explore AWS IAM, Amazon Cognito, AWS SSO, and AWS Directory Service to solve customer and workforce identity problems
  • Apply the concepts you learn about to solve business, process, and compliance challenges when expanding into AWS
  • Navigate the AWS CLI to unlock the programmatic administration of AWS
  • Explore how AWS IAM, its policy objects, and notational language can be applied to solve security and access management use cases
  • Relate concepts easily to your own environment through IAM patterns and best practices

Who this book is for

Identity engineers and administrators, cloud administrators, security architects, or anyone who wants to explore and manage IAM solutions in AWS will find this book useful. Basic knowledge of AWS cloud infrastructure and services is required to understand the concepts covered in the book more effectively.

Table of contents

  1. Implementing Identity Management on AWS
  2. Foreword
  3. Contributors
  4. About the author
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Share Your Thoughts
  6. Section 1: IAM and AWS – Critical Concepts, Definitions, and Tools
  7. Chapter 1: An Introduction to IAM and AWS IAM Concepts
    1. Technical requirements
    2. Understanding IAM
      1. IAM applied to real-world use cases
    3. Exploring AWS IAM
      1. IAM for AWS and IAM on AWS
      2. The AWS IAM dashboard
      3. Principals, users, roles, and groups – getting to know the building blocks of AWS IAM
      4. Authentication – proving you are who you say you are
      5. Authorization – what you are allowed to do and why you are allowed to do it
    4. Putting it all together
      1. Signing in with the root user
    5. Summary
    6. Questions
  8. Chapter 2: An Introduction to the AWS CLI
    1. Technical requirements
    2. Exploring the AWS CLI basics
      1. What is the AWS CLI?
      2. Installing the AWS CLI
      3. AWS CLI configuration
      4. Testing out the CLI
      5. Profiles
    3. Using the AWS CLI
      1. Discovering command syntax
    4. Putting it all together – creating a functional IAM user with the AWS CLI
      1. Attaching an administrator policy
      2. Creating and attaching a password
      3. Creating and attaching the programmatic credentials
      4. Using the new profile
      5. Scripting
    5. Summary
    6. Questions
    7. Further reading
  9. Chapter 3: IAM User Management
    1. Technical requirements
    2. What is an IAM user account?
      1. Principals
    3. Managing and securing root IAM user accounts
      1. Differences between root user account and IAM user accounts
    4. Managing and securing IAM user accounts
      1. IAM user lifecycle management
      2. Password management
      3. Access key management
      4. MFA credential management
    5. Managing federated user accounts
      1. AWS Single Sign-On and federated users
    6. Summary
    7. Questions
  10. Chapter 4: Access Management, Policies, and Permissions
    1. Technical requirements
    2. What is access management?
    3. Introducing the AWS access policy types
    4. The anatomy of an AWS JSON policy document
      1. Defining JSON policy document elements
    5. Exploring the AWS policy types
      1. Identity-based policies
      2. Resource-based policies
      3. IAM permissions boundaries
      4. Service control policies
      5. Access control lists
      6. Session policies
    6. Policy evaluation
    7. Governance
      1. Access Analyzer
      2. AWS CloudTrail
    8. Summary
    9. Questions
    10. Further reading
  11. Chapter 5: Introducing Amazon Cognito
    1. Technical requirements
    2. What is Amazon Cognito?
      1. Amazon Cognito user pools
      2. Amazon Cognito identity pools
    3. Amazon Cognito use cases
      1. User authentication for application access
      2. User authentication and authorization for access to application resources
      3. User authentication and access to AWS services exposed through an application
      4. Federated user authentication and access to AWS services exposed through an application
    4. Creating an Amazon Cognito user pool
      1. Populating users in a user pool
      2. Bulk importing with CSV files
      3. Creating a user pool using the AWS CLI
    5. Exploring the hosted UI
    6. Creating an Amazon Cognito identity pool
      1. Creating an identity pool with the CLI
    7. Summary
    8. Questions
  12. Chapter 6: Introduction to AWS Organizations and AWS Single Sign-On
    1. Technical requirements
    2. What is AWS SSO?
      1. Requirements to use AWS SSO
    3. AWS Organizations
      1. Configuring AWS Organizations using the Management Console
      2. AWS organizations in the AWS CLI
    4. Configuring AWS SSO in the Management Console
      1. AWS SSO settings
      2. Creating and managing users
      3. Connecting AWS accounts to AWS SSO
    5. Configuring AWS SSO from the CLI
    6. Summary
    7. Questions
    8. Further reading
  13. Chapter 7: Other AWS Identity Services
    1. Technical requirements
    2. Understanding AWS Directory Service
      1. AWS Managed Microsoft AD
      2. Active Directory Connector
      3. Simple Active Directory
      4. Amazon Cognito
    3. Encryption and secrets management
      1. AWS Key Management Service
      2. AWS Secrets Manager
    4. Logging and auditing
      1. AWS CloudTrail
      2. Amazon CloudWatch
    5. Summary
    6. Questions
    7. Further reading
  14. Section 2: Implementing IAM on AWS for Administrative Use Cases
  15. Chapter 8: An Ounce of Prevention – Planning Your Administrative Model
    1. Technical requirements
    2. Evaluating the organization's current IAM capabilities
    3. Evaluating the business structure and account schema
    4. Designing the AWS organizational structure
      1. Mapping business functions to OUs
      2. Designing and applying organizational service control policies
    5. Summary
    6. Questions
    7. Further reading
  16. Chapter 9: Bringing Your Admins into the AWS Administrative Backplane
    1. Technical requirements
    2. Defining our organization's identity source
      1. Connecting our IDP to AWS SSO
    3. Provisioning administrative accounts in AWS – account linking
      1. Limitations of manual provisioning and account linking
    4. Provisioning administrative accounts in AWS – SCIM provisioning
      1. How SCIM works
      2. Enabling automatic provisioning in AWS SSO
      3. SCIM in action
    5. Summary
    6. Questions
    7. Further reading
    8. Code samples
  17. Chapter 10: Administrative Single Sign-On to the AWS Backplane
    1. Technical requirements
    2. Why use federation for AWS administrators?
      1. Federated sign-in using an external IDP
    3. Assigning access to AWS accounts
      1. Signing in to the administrative console
    4. Implementing fine-grained access management for administrators
      1. Permission sets and managed authorization policies
      2. Permission sets and custom authorization policies for fine-grained access control
      3. Putting it all together for administrative authorization
    5. Administrative SSO using the AWS CLI
    6. Summary
    7. Questions
    8. Further reading
  18. Section 3: Implementing IAM on AWS for Application Use Cases
  19. Chapter 11: Bringing Your Users into AWS
    1. Technical requirements
    2. Distinguishing administrative users from non-administrative users
    3. Solutions to non-administrative user use cases for apps on AWS
    4. Using Managed AD and trusts
      1. Creating a Managed Microsoft AD instance
      2. Preparing the on-premises AD for a trust – conditional forwarders
      3. Creating the trusts between on-premises and AWS Managed AD
      4. Preparing the Managed AD for a trust – conditional forwarders
    5. Creating the trust between AWS Managed AD and on-premises AD
    6. Summary
    7. Questions
    8. Further reading
  20. Chapter 12: AWS-Hosted Application Single Sign-On Using an Existing Identity Provider
    1. Technical requirements
    2. Defining the use case and solution architecture
    3. Creating a user pool
    4. Connecting Amazon Cognito to an external IdP – SAML
      1. Restricting application access to just the external IdP
      2. Populating the Amazon Cognito user pool through JIT provisioning
    5. Connecting Amazon Cognito to an external IdP – OIDC
      1. Restricting application access to just the external IdP
      2. Populating the Amazon Cognito user pool through JIT provisioning
    6. Assuming roles with identity pools
    7. Summary
    8. Questions
    9. Further reading
    10. Why subscribe?
  21. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts

Product information

  • Title: Implementing Identity Management on AWS
  • Author(s): Jon Lehtinen
  • Release date: October 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781800562288