Understand the IAM toolsets, capabilities, and paradigms of the AWS platform and learn how to apply practical identity use cases to AWS at the administrative and application level

Key Features

  • Learn administrative lifecycle management and authorization
  • Extend workforce identity to AWS for applications deployed to Amazon Web Services (AWS)
  • Understand how to use native AWS IAM capabilities with apps deployed to AWS

Book Description

AWS identity management offers a powerful yet complex array of native capabilities and connections to existing enterprise identity systems for administrative and application identity use cases. This book breaks down the complexities involved by adopting a use-case-driven approach that helps identity and cloud engineers understand how to use the right mix of native AWS capabilities and external IAM components to achieve the business and security outcomes they want.

You will begin by learning about the IAM toolsets and paradigms within AWS. This will allow you to determine how best to leverage them for administrative control, extending workforce identities to the cloud, and using IAM toolsets and paradigms in an app deployed on AWS. Next, the book demonstrates how to extend your on-premises administrative IAM capabilities to the AWS backplane, as well as how to make your workforce identities available to AWS-deployed applications. In the concluding chapters, you'll learn how to use the native identity services with applications deployed on AWS.

By the end of this book, you will be able to build enterprise-class solutions for administrative and application identity using AWS IAM tools and external identity systems.

What you will learn

  • Understand AWS IAM concepts, terminology, and services
  • Explore AWS IAM, Amazon Cognito, AWS SSO, and AWS Directory Service to solve customer and workforce identity problems
  • Apply the concepts you learn about to solve business, process, and compliance challenges when expanding into AWS
  • Navigate the AWS CLI to unlock the programmatic administration of AWS
  • Explore how AWS IAM, its policy objects, and notational language can be applied to solve security and access management use cases
  • Relate concepts easily to your own environment through IAM patterns and best practices

Who this book is for

Identity engineers and administrators, cloud administrators, security architects, or anyone who wants to explore and manage IAM solutions in AWS will find this book useful. Basic knowledge of AWS cloud infrastructure and services is required to understand the concepts covered in the book more effectively.

Table of Contents

  1. Implementing Identity Management on AWS
  2. Foreword
  3. Contributors
  4. About the author
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Share Your Thoughts
  6. Section 1: IAM and AWS – Critical Concepts, Definitions, and Tools
  7. Chapter 1: An Introduction to IAM and AWS IAM Concepts
    1. Technical requirements
    2. Understanding IAM
    3. IAM applied to real-world use cases
    4. Exploring AWS IAM
    5. IAM for AWS and IAM on AWS
    6. The AWS IAM dashboard
    7. Principals, users, roles, and groups – getting to know the building blocks of AWS IAM
    8. Authentication – proving you are who you say you are
    9. Authorization – what you are allowed to do and why you are allowed to do it
    10. Putting it all together
    11. Signing in with the root user
    12. Summary
    13. Questions
  8. Chapter 2: An Introduction to the AWS CLI
    1. Technical requirements
    2. Exploring the AWS CLI basics
    3. What is the AWS CLI?
    4. Installing the AWS CLI
    5. AWS CLI configuration
    6. Testing out the CLI
    7. Profiles
    8. Using the AWS CLI
    9. Discovering command syntax
    10. Putting it all together – creating a functional IAM user with the AWS CLI
    11. Attaching an administrator policy
    12. Creating and attaching a password
    13. Creating and attaching the programmatic credentials
    14. Using the new profile
    15. Scripting
    16. Summary
    17. Questions
    18. Further reading
  9. Chapter 3: IAM User Management
    1. Technical requirements
    2. What is an IAM user account?
    3. Principals
    4. Managing and securing root IAM user accounts
    5. Differences between root user account and IAM user accounts
    6. Managing and securing IAM user accounts
    7. IAM user lifecycle management
    8. Password management
    9. Access key management
    10. MFA credential management
    11. Managing federated user accounts
    12. AWS Single Sign-On and federated users
    13. Summary
    14. Questions
  10. Chapter 4: Access Management, Policies, and Permissions
    1. Technical requirements
    2. What is access management?
    3. Introducing the AWS access policy types
    4. The anatomy of an AWS JSON policy document
    5. Defining JSON policy document elements
    6. Exploring the AWS policy types
    7. Identity-based policies
    8. Resource-based policies
    9. IAM permissions boundaries
    10. Service control policies
    11. Access control lists
    12. Session policies
    13. Policy evaluation
    14. Governance
    15. Access Analyzer
    16. AWS CloudTrail
    17. Summary
    18. Questions
    19. Further reading
  11. Chapter 5: Introducing Amazon Cognito
    1. Technical requirements
    2. What is Amazon Cognito?
    3. Amazon Cognito user pools
    4. Amazon Cognito identity pools
    5. Amazon Cognito use cases
    6. User authentication for application access
    7. User authentication and authorization for access to application resources
    8. User authentication and access to AWS services exposed through an application
    9. Federated user authentication and access to AWS services exposed through an application
    10. Creating an Amazon Cognito user pool
    11. Populating users in a user pool
    12. Bulk importing with CSV files
    13. Creating a user pool using the AWS CLI
    14. Exploring the hosted UI
    15. Creating an Amazon Cognito identity pool
    16. Creating an identity pool with the CLI
    17. Summary
    18. Questions
  12. Chapter 6: Introduction to AWS Organizations and AWS Single Sign-On
    1. Technical requirements
    2. What is AWS SSO?
    3. Requirements to use AWS SSO
    4. AWS Organizations
    5. Configuring AWS Organizations using the Management Console
    6. AWS organizations in the AWS CLI
    7. Configuring AWS SSO in the Management Console
    8. AWS SSO settings
    9. Creating and managing users
    10. Connecting AWS accounts to AWS SSO
    11. Configuring AWS SSO from the CLI
    12. Summary
    13. Questions
    14. Further reading
  13. Chapter 7: Other AWS Identity Services
    1. Technical requirements
    2. Understanding AWS Directory Service
    3. AWS Managed Microsoft AD
    4. Active Directory Connector
    5. Simple Active Directory
    6. Amazon Cognito
    7. Encryption and secrets management
    8. AWS Key Management Service
    9. AWS Secrets Manager
    10. Logging and auditing
    11. AWS CloudTrail
    12. Amazon CloudWatch
    13. Summary
    14. Questions
    15. Further reading
  14. Section 2: Implementing IAM on AWS for Administrative Use Cases
  15. Chapter 8: An Ounce of Prevention – Planning Your Administrative Model
    1. Technical requirements
    2. Evaluating the organization's current IAM capabilities
    3. Evaluating the business structure and account schema
    4. Designing the AWS organizational structure
    5. Mapping business functions to OUs
    6. Designing and applying organizational service control policies
    7. Summary
    8. Questions
    9. Further reading
  16. Chapter 9: Bringing Your Admins into the AWS Administrative Backplane
    1. Technical requirements
    2. Defining our organization's identity source
    3. Connecting our IDP to AWS SSO
    4. Provisioning administrative accounts in AWS – account linking
    5. Limitations of manual provisioning and account linking
    6. Provisioning administrative accounts in AWS – SCIM provisioning
    7. How SCIM works
    8. Enabling automatic provisioning in AWS SSO
    9. SCIM in action
    10. Summary
    11. Questions
    12. Further reading
    13. Code samples
  17. Chapter 10: Administrative Single Sign-On to the AWS Backplane
    1. Technical requirements
    2. Why use federation for AWS administrators?
    3. Federated sign-in using an external IDP
    4. Assigning access to AWS accounts
    5. Signing in to the administrative console
    6. Implementing fine-grained access management for administrators
    7. Permission sets and managed authorization policies
    8. Permission sets and custom authorization policies for fine-grained access control
    9. Putting it all together for administrative authorization
    10. Administrative SSO using the AWS CLI
    11. Summary
    12. Questions
    13. Further reading
  18. Section 3: Implementing IAM on AWS for Application Use Cases
  19. Chapter 11: Bringing Your Users into AWS
    1. Technical requirements
    2. Distinguishing administrative users from non-administrative users
    3. Solutions to non-administrative user use cases for apps on AWS
    4. Using Managed AD and trusts
    5. Creating a Managed Microsoft AD instance
    6. Preparing the on-premises AD for a trust – conditional forwarders
    7. Creating the trusts between on-premises and AWS Managed AD
    8. Preparing the Managed AD for a trust – conditional forwarders
    9. Creating the trust between AWS Managed AD and on-premises AD
    10. Summary
    11. Questions
    12. Further reading
  20. Chapter 12: AWS-Hosted Application Single Sign-On Using an Existing Identity Provider
    1. Technical requirements
    2. Defining the use case and solution architecture
    3. Creating a user pool
    4. Connecting Amazon Cognito to an external IdP – SAML
    5. Restricting application access to just the external IdP
    6. Populating the Amazon Cognito user pool through JIT provisioning
    7. Connecting Amazon Cognito to an external IdP – OIDC
    8. Restricting application access to just the external IdP
    9. Populating the Amazon Cognito user pool through JIT provisioning
    10. Assuming roles with identity pools
    11. Summary
    12. Questions
    13. Further reading
    14. Why subscribe?
  21. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts