I am pleased to announce my second course for Linux Academy, the Identity and Access Management Deep Dive. You really can’t have a properly functioning AWS environment without properly configuring IAM. Improper configuration can lead to your users not having the access they need, or worse yet, having too much access.
Presenting a course on IAM has its challenges. At the start of the course, work with the root account and then with an Admin account throughout the rest of the course. Normally, we like to provide as many hands-on labs for the student as possible, but handing out root account access is certainly a major security risk, and it prohibited us from using our Lab environment for this course. But have no fear! This course is designed to enable you to work in the AWS IAM environment and gain that very important hands-on experience. The course uses the split screen format made famous by Thomas Haslett’s AWS CSA-A Orion Papers. Every lesson has a diagram with key points and instruction as well as the AWS Management Console or CLI in a split-screen format.
Real World Scenario
AWS Identity and Access Management Deep Dive is based off of a fictitious scenario that you can follow along with and work through using your own AWS account. IAM Secure Corporation has hired you as a Lead Architect and your job is to configure AWS IAM for the company as they prepare for a migration of their IT Services to an AWS Cloud environment. Over 90% of the lessons are task-oriented and will provide you with great hands-on experience configuring IAM for any size company.
The course concludes with a thorough investigation and implementation of IAM Roles to delegate access to Users, Groups, and Services (EC2), using techniques like Cross-Account Access and Web Identity Federation. A little intrigue will be brought to the course with the introduction of the Confused Deputy Security breach, and you’ll learn how to resolve such problems, but more importantly, learn how to avoid them using best practices. Finally, be exposed to best practices when implementing IAM and troubleshooting IAM when problems arise.
In the spirit of fun, here’s a fictitious story that involves IAM and security issues associated with an improperly configured IAM. The first user to list the correct number of security concerns in the comments section of this blog will receive a Linux Academy hoodie.
Terrence Drayton was a Fixer (picture George Clooney in the movie ‘Michael Clayton’). If the price was right, he fixed things. Anything. He just had a knack. He was in his office with his head of IT, Ivy League and AWS whiz kid, Seth Fogell (picture Jonah Hill in ‘Moneyball’). They were on a conference call with one of Terrence’s college classmates, Freddy Newman. Freddy was always the life of the party, but Terrence never imagined he’d have his own tech company. Freddy had called frantically screaming that his AWS environment had been hacked. Freddy understood that Terrence was very expensive, but he trusted Terrence to save a sinking ship.
Seth began a rapid-fire interview:
Seth: How many users in your account?
Seth: Can I get an Admin Account?
Freddy: I’ll send you the root account. We use that as Admin.
Seth: What is the password policy for your users?
Freddy: We don’t have one.
Seth: Are you using MFA for your root account?
Freddy: No, but we have access keys for the root account.
Seth: Are you using Access Keys for you users?
Seth: How many users have access keys?
Freddy: All 50 of them
Seth: How many users are making programmatic calls to AWS?
Freddy: Just our Dev team, 7 users total.
Seth: Are you rotating your access keys?
Seth: Do you give access to your account to any 3rd Parties?
Seth: Are you using Access Keys or IAM Roles for this 3rd Party access?
Freddy: IAM Roles.
Seth: Are you providing the 3rd Party with an External ID along with the Role?
Seth nodded to Terrence to indicate that he had what he needed.
Terrence chimed in, “OK Freddy; we have what we need. Give us two hours. And Freddy, I trust this check will not bounce?”.
Freddy: “C’mon Terry, you know me.”
Terrence: “Yeah, I know you, Freddy, that’s why I asked. We’ll talk again in two hours”.
Be the first to identify the correct number of security concerns in this story in the comments section and win a Linux Academy hoodie. And don’t be Freddy!
Take the Identity and Access Management Deep Dive!