Chapter 2. Authorization and Authentication Basics
In Chapter 1, I talked about how security professionals may employ certain measures called controls (also known as countermeasures) to reduce the aggregate risk of any application. Some controls are better than others at applying nuanced security logic, to block only the unauthorized requests without affecting the experience of authorized users. Controls that are effective at identifying unauthorized requests and denying them access are said to be precise or sharp. The objective of this chapter is to examine two of the most precise security controls that an organization can employ on AWS:authorization and authentication. The level of granularity at which these controls work allows them to be sharpened enough to incorporate organizational nuance, resulting in well-tuned precision. This sharpening makes these controls your strongest and most targeted defense against potential threats.
Note
The concepts from this chapter are applicable to all applications running on AWS, not just microservices. Identity and access controls are the fundamental building blocks of every secure system. However, throughout the chapter, I will point at places where these controls benefit from the modularity that is provided by microservices.
To begin introducing these controls, let me define some terms. Each interaction or request within the cloud infrastructure can be thought of as initiated by some calling entity, called a principal. A principal can ...