AWS Managed Microsoft AD
Managed Microsoft AD is actually accessed through the AWS Directory Service, as are a number of directory management tools like Amazon Cloud Directory and Cognito. (Cloud Directory is a way to store and leverage hierarchical data like lists of an organization’s users or hardware assets.) What the Directory Service tools all share in common is the ability to handle large stores of data and integrate them into AWS operations. Technically, Managed Microsoft AD is called AWS Directory Service for Microsoft Active Directory. But whichever way you refer to it, the goal is to have Active Directory control the way Microsoft SharePoint, .NET, and SQL Server–based workloads running in your VPC connect to your AWS resources. It’s also possible to connect your AWS services to an on-premises Microsoft Active Directory using AD Connector. Managed Microsoft AD domain controllers run in two VPC availability zones. As a managed service, AWS automatically takes care of all necessary infrastructure administration, including data replication and software updates.
AWS Single Sign-On
Single sign-on (SSO) allows you to provide users with streamlined authentication and authorization through an existing Microsoft Active Directory configured within AWS Directory Service. The service works across multiple AWS accounts within AWS Organizations. SSO also supports access to popular applications such as Salesforce, Box, and Office 365 in addition to custom apps that support Security Assertion Markup Language (SAML) 2.0. AWS Organizations, by the way, is a service that can manage policy-based controls across multiple AWS accounts. Companies with more than one AWS account can use AWS Organizations to unify and integrate the way their assets are exposed and consumed no matter how distributed they might be.
AWS Key Management Service
As you saw regarding encryption keys for EBS volumes in Chapter 2 and relating to bothserver-side and client-side encryption for S3 buckets in Chapter 3, “Amazon Simple Storage Service and Amazon Glacier Storage,” KMS deeply integrates with AWS services to create and manage your encryption keys.
The value of KMS lies in how it provides fully managed and centralized control over your system-wide encryption. The service lets you create, track, rotate, and delete the keys that you’ll use to protect your data. For regulatory compliance purposes, KMS is integrated with AWS CloudTrail, which records all key-related events. Key creation and administration happens through the console, AWS CLI, or SDKs. Key administration powers can be assigned to individual IAM users, groups, or roles.
AWS Secrets Manager
You already know that you can manage identity authentication to AWS services using IAM roles. However, roles won’t help you securely pass credentials—referred to as secrets in this context—to third-party services or databases. Instead, the passwords and third-party API keys for many of the resources your applications might need can be handled by the AWS Secrets Manager. Rather than having to hard-code secrets into your code and then having to regularly update them when they change, with Secrets Manager, you can deliver the most recent credentials to applications on request. The manager will even automatically take care of credential rotation.
Also read this topic: Introduction to Cloud Computing and AWS -1
AWS CloudHSM
CloudHSM (where the HSM stands for “hardware security module”) launches virtual compute device clusters to perform cryptographic operations on behalf of your web server infrastructure. One typical goal is to off-load the burden of generating, storing, and managing cryptographic keys from your web servers so their resources can be focused exclusively on serving your applications. While CloudHSM provides a service that’s similar to AWS KMS, according to AWS
documentation (https://aws.amazon.com/cloudhsm/faqs/), it is particularly useful for the following:
■ Keys stored in dedicated, third-party validated hardware security modules under your exclusive control
■ Federal Information Processing Standards (FIPS) 140-2 compliance ■ Integration with applications using Public Key Cryptography Standards (PKCS)#11, Java JCE (Java Cryptography Extension), or Microsoft CNG (Cryptography API: Next Generation) interfaces
■ High-performance in-VPC cryptographic acceleration (bulk crypto) You activate an HSM cluster by running the CloudHSM client as a daemon on each of
your application hosts. The client is configured to fully encrypt communication with the HSM.
AWS CLI Example
The following commands create a new user named steve and confirm that the user now exists:
$ aws iam create-user ––user-name steve
$ aws iam get-user ––user-name steve
The list-policies command will return a long list of the preset policies IAM provides. Among them is AmazonEC2ReadOnlyAccess, which permits its assignee only descriptions of running EC2 resources. You can attach a policy to a user by supplying the policy’s Amazon Resource Name (ARN) as follows:
$ aws iam list-policies
$ aws iam attach-user-policy \
––policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess \
––user-name steve
Here’s the AmazonEC2ReadOnlyAccess policy in JSON format:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “ec2:Describe“, “Resource”: ““
},
{
“Effect”: “Allow”,
“Action”: “elasticloadbalancing:Describe“, “Resource”: ““
},
{
“Effect”: “Allow”,
“Action”: [
“cloudwatch:ListMetrics”,
“cloudwatch:GetMetricStatistics”,
“cloudwatch:Describe“
],
“Resource”: ““
},
{
“Effect”: “Allow”,
“Action”: “autoscaling:Describe“, “Resource”: ““
}
]
}
The list-access-keys command will return the names of any existing keys associated with the specified username. If you don’t specify a name, keys belonging to root will be returned. The create-access-key command will create a new key (make sure you copy and save the key data that’s returned), and delete-access-key will delete the specified key.
$ aws iam list-access-keys ––user-name steve
$ aws iam create-access-key ––user-name steve
$ aws iam delete-access-key ––user-name steve ––access-key-id AKIAJAP<. . .>
People also ask this Questions
- What is a defense in depth security strategy how is it implemented?
- What is AWS Solution Architect?
- What is the role of AWS Solution Architect?
- Is AWS Solution Architect easy?
- What is AWS associate solutions architect?
- Is AWS Solutions Architect Associate exam hard?
Infocerts, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – https://www.infocerts.com