Chapter 5. Controlling Access Through Automation

In this chapter, we will focus on identity. Specifically, we will discuss enabling authentication and authorization through automation. You will learn about tools you can use to prevent and detect misconfigurations related to identity and access management within your environment.

As a reminder, authentication is how you prove who you are, or validate your identity; authorization means granting a user permission to do something.

Let’s start by thinking about the environment you currently work in, if you have one. Do you know how many accounts are overly permissive? How many of the permissions you have granted are actually used?

There are two types of identities: human and machine. Human identities are accounts used by people for daily, noncritical, or one-off operations. Machine identities are accounts used by services and automation to carry out certain privileged operations. In an ideal world, human identities would only be used to read data that is maintained by machine identities, and every operation that can be automated would run under a machine identity.

In our case study, the members of the Automatoonz DevSecOps team need to provide identities to the users of their infrastructure (humans), as well as to the infrastructure itself (machines). Machine identities will allow services such as EC2 or S3 to communicate with each other. If the infrastructure within AWS does not have the right permissions, you will always get ...
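As an added example (not code from the book), here is a small audit that puts a number on the chapter's "how many accounts are overly permissive?" question for AWS IAM policy documents: it flags wildcard actions, unconditional `Resource: "*"`, `NotAction`/`NotResource` grants, and access-granting actions allowed on every resource. The two policies it checks are constructed, and the bucket name is a placeholder.

```python
"""Flag overly permissive Allow statements in AWS IAM policy documents.
Added example, not code from the book; sample policies below are constructed."""
import fnmatch
from typing import Dict, List

# Access-granting actions; allowing them on every resource is a privilege-escalation path.
SENSITIVE_ACTIONS = ("iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole", "s3:DeleteBucket")

def _as_list(value) -> List:
    """IAM accepts a single string/object or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy: Dict) -> List[str]:
    """Return one finding per risky Allow statement; an empty list means clean."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide wildcard action")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' with no Condition")
        hits = sorted(s for s in SENSITIVE_ACTIONS
                      if any(fnmatch.fnmatch(s.lower(), a) for a in actions))
        if hits and "*" in resources:
            findings.append(f"{sid}: sensitive actions {hits} on every resource")
    return findings

# Constructed: an EC2 instance role that reads one bucket (bucket name is a placeholder).
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}
# Constructed: the kind of role the chapter's "overly permissive" question is about.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Admin", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "RoleJuggling", "Effect": "Allow",
     "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, audit_policy(pol) or ["clean"])
```

Run against the policy documents you export from your own account (for example with the AWS CLI) and count the non-empty results to get the number the chapter asks for.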

Get Security as Code now with the O’Reilly learning platform.