
Demystifying identity on AWS

Session by Amit Jha, developer advocate, AWS on demystifying identity with AWS with focus on authentication and authorization



  1. 1. Demystifying Identity @ AWS. Identity discussion from enterprise customers' workload point of view / focus. Amit Jha, Developer Advocate, @amitkjha_rjn, https://www.linkedin.com/in/amitjhanyc/
  2. 2. Agenda: Enterprise Cloud – Trends (Modernization) Overview; Basics of Identity on AWS; Federation, OpenID Connect, OAuth2; Use cases and identity solution options; Q&A
  3. 3. Enterprise customers – beginning their journey to the cloud
  4. 4. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Initial Enterprise Setup – AWS Control Tower (multi-account model): Set up an AWS landing zone; Establish guardrails; Automate compliant account provisioning; Centralize identity and access; Manage continuously
  5. 5. What do the key characteristics of successful customer migration-modernization look like?
  6. 6. Modernization Area → Identity (AuthZ, AuthN) Association: Automation → Builder identity; Application Architecture → Identity for apps; DevSecOps, Data lake → Role-driven or attribute-based authentication & authorization; Microservices → Different identity protocol needs (OAuth, OpenID Connect, SAML); Operating model → Role, attribute, team permissioning
  7. 7. Corporate vs Consumer Identities Corporate Consumers Quick…Identity Basics
  8. 8. AuthN = Authentication AuthZ = Authorization MFA = Multi Factor Authentication Identity Management Access Management Resource Management AWS Account WHO CAN ACCESS WHAT
  9. 9. Federation: Delegating an individual’s or entity’s authentication responsibility to a trusted external party. Terms: Identity Provider (IdP); Security Assertion Markup Language (SAML); Service Provider (SP); Relying Party (RP). The trusted identity providers can be on-premises federation services, corporate directories or even social identity providers like Facebook, Google and Twitter.
  10. 10. Identity federation with SAML 2. (Enterprise as identity provider in the corporate data center, AWS as service provider; browser interface, identity store, IdP portal): 1. User logs in to the IdP portal; 2. User authenticated against the identity store; 3. Receive response (SAML assertion); 4. Post the SAML assertion to AWS sign-in; 5. Redirected to AWS Management Console.
  11. 11. OpenID Connect, OAuth2. OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub etc.
  12. 12. JWT. JSON Web Tokens are implemented as a part of OpenID Connect and OAuth 2. Imagine that a user is logged in to an application: each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Tokens: • Identity • Access • Refresh (*expiration)
  13. 13. SCIM & JIT. SCIM (System for Cross-domain Identity Management) is a protocol built by teams from Oracle, Salesforce, SailPoint and Nexus Technology. A good example is AWS customers that want to integrate AWS SSO with Azure AD: when you enable automatic provisioning, SCIM provisions users between clouds. The identity is provided, in this scenario, by Azure AD, but the rules of access and resource definitions are done by the service provider, meaning you can federate AWS with Azure AD but AWS SSO permissions would rule for your SCIM-synchronized objects. JIT provisioning is also a method of automating user account creation for web applications; it uses the SAML protocol to pass information from the identity provider to web applications.
  14. 14. Security before the cloud: Corporate data center
  15. 15. Then Security Corporate firewall Identity Employees Resources Hundreds, in a few buildings Compliance Employee passwords Administration Centralized Cloud Up in the sky
  16. 16. Disruptors Mobile Consumerization of IT Globalization IoT New privacy laws Microservices SaaS applications Cloud
  17. 17. Security before the cloud (corporate data center) vs. Security in the cloud (AWS Cloud)
  18. 18. AWS IAM Basics • IAM User • Entity that you create in AWS, representing the person or service who uses the IAM user to interact with AWS • IAM Group • Collection of IAM users (A management convenience) • IAM Role • Similar to a user but does not have standard long-term credentials (e.g. password or access keys) associated with it • An IAM User can assume a Role to take on the permissions of the role IAM User Role Permissions Policy attached to Request to Assume Role AWS STS Temporary security credential AWS Identity and Access Management
  19. 19. AWS Identity – Brief History (Launch | Brief | Detail):
      AWS | Root User | One account, One user
      IAM | IAM Users | One account, Many users
      SAML Federation | Corp Directory users | One account, Corporate users
      Switch Role | Ability to switch role | Same user switching roles
      AWS Organization SSO Service | SSO users | Many accounts, Many users
      SSO External Directory | SSO + Corporate directory users | Many accounts, Corporate users
  20. 20. AWS Security Token Service STS The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)
  21. 21. © 2020, Amazon Web Services, Inc. or its Affiliates. Quick Demo: .NET SDK – IAM Manipulation. IDE integration: AWS Toolkit for Visual Studio, AWS Toolkit for Visual Studio Code, AWS Toolkit for Rider. Programmable: AWS SDK for .NET, AWS CDK for .NET. Command line tools: AWS Tools for PowerShell, AWS SAM for Windows, AWS CLI, ‘dotnet’ CLI extensions. CI/CD integration: AWS Tools for Azure DevOps, AWS CodePipeline / CodeBuild.
  22. 22. Human Access
  23. 23. Accounts in AWS AWS Account
  24. 24. Accounts in AWS AWS Account AWS Organization AWS Account AWS Account Organizational Unit AWS Account: MASTER Organizational Unit
  25. 25. Organization
  26. 26. Security invariants with AWS Organizations AWS Cloud AWS Organization Organization Unit Account Region: us-east-1 Region: us-east-2 Region: ap-southeast-1 Region: eu-west-1 … Service Control Policy: Region Restriction
  27. 27. Simplifying the complexity Managing resources at scale can be broken down into three steps
  28. 28. Tag policies • Export a cross-account, cross-region report to easily aggregate and view tag policy compliance • Define tag key capitalization and allowed tag values • Apply the tag policy to entire organization, specific organizational units, and individual accounts Standardize the tagging of your AWS resources Audit tagged resources Works with AWS Organizations New!
  29. 29. IAM users Works best when you have: • A relatively small number of users (limit is 5,000) • One AWS account, or a relatively small number of them • A need for long-term credentials • No user directory, or no ability to connect your directory to AWS • Your very first AWS account AWS Account AWS Organization AWS Account Organizational Unit AWS Account: MASTER
  30. 30. AWS Single Sign-On user pool AWS Account AWS Organization AWS Account Organizational Unit AWS Account: MASTER Admin ReadOnly Admin ReadOnly Works best when you have: • A relatively small number of users (limit is 500) • Simple authorization schemes of humans into AWS • Rules to map groups of users to AWS environments • No user directory, or no ability to connect your directory to AWS
  31. 31. Azure AD Enterprise customer requests
  32. 32. Active Directory Federation Services Works best when you have: • Corporate users in a Microsoft Active Directory, either on-premises or managed in AWS • An ADFS connected to your directory • Control over ADFS claims • A need for granular control over user permissions AWS Account AWS Organization AWS Account Organizational Unit AWS Account: MASTER Admin ReadOnly Admin ReadOnly ADFS
  33. 33. Identity federation with SAML 2. (Enterprise as identity provider in the corporate data center, AWS as service provider; browser interface, identity store, IdP portal): 1. User logs in to the IdP portal; 2. User authenticated against the identity store; 3. Receive response (SAML assertion); 4. Post the SAML assertion to AWS sign-in; 5. Redirected to AWS Management Console.
  34. 34. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AD on AWS supports many options Run or extend AD-dependent workloads onto EC2 or AWS Managed Services Actual Microsoft AD, HIPAA and PCI Eligible, Trust support, Group-based policies, SSO, Seamless domain join, AWS Management Console Federation, Daily snapshots A modern, hybrid approach to AD that shares privileges and data from on-premises AD to AWS Managed Microsoft AD on AWS AD as a Managed Service True hybrid AD AD-enabled cloud
  35. 35. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use case #1: Amazon EC2 – Windows and Linux instances. High Fidelity • Workloads: SharePoint Server, .NET Apps, SQL Server Always-On, Amazon EC2 Linux • Active Directory security groups to control AWS resource access (RBAC or ABAC) • Create GPOs for standardizing settings & configurations and for managing Amazon EC2 instances and Amazon WorkSpaces • Schema extension for customized applications • LDAPS and read/write LDAP • Kerberos delegation • Amazon EC2 seamless domain join (Windows and Linux*) • Cross-account and cross-VPC support (* Release expected)
  36. 36. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use case #2: AWS Managed Services • Centrally managed services – Windows file server and DBs • Scale deployments across multiple accounts and VPCs • Flexibility to choose between on-prem or cloud identities • Seamless integration with your existing Active Directory • Supported Services: Amazon RDS for SQL Server, Amazon RDS for PostgreSQL, Amazon RDS for Oracle, Amazon RDS for MySQL, Amazon FSx for Windows File Server
  37. 37. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use case #3: AWS Single Sign-On • Create Workforce Identities once • Provision and Sync users via SCIM • Centrally Manage Identities • On-premises AD, AD on AWS EC2, AWS Managed Microsoft AD • AWS SSO, Okta, Ping Identity, OneLogin, Azure AD • Centrally Manage AWS access • Preferred interface via SAML: AWS Management Console, CLIv2, AWS mobile app • SSO access across all AWS accounts in your organization, and business apps - for employees, contractors, business partners • Smart Sign-in Security with Authenticator applications • Authy, Google Authenticator • AWS SSO (native) Integrated apps • Amazon SageMaker • AWS IoT Core • AWS Management Console
  38. 38. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use case #4: AWS Applications • Use a centrally managed identity store • Use Active Directory security groups for controlled access: remote desktop access, file or folder permissions • AWS application access: Amazon Chime, Amazon WorkMail, Amazon Connect, AWS Client VPN, Amazon QuickSight, Amazon WorkSpaces, Amazon AppStream 2.0, Amazon WorkDocs
  39. 39. AWS SSO with AWS Directory Service AWS Cloud VPC
  40. 40. Provisioning and AWS application integration 1 2 3 4
  41. 41. Using AWS SSO with Azure Active Directory with SCIM Azure AD
  42. 42. Authenticating to AWS: Quick decision framework If you have an existing user directory: • AWS SSO with directory integrations • Bring your own SAML federation (e.g., ADFS) • Advanced use cases: Custom federation If you don’t have an existing user directory: • AWS SSO with user pools • IAM Users
  43. 43. IAM roles for non-human access AWS Account Use IAM roles for access to AWS resources from: • Your application running on an AWS compute environment, e.g., EC2 instance, Lambda function, etc. • Permission to an AWS service to access your resources (not shown) EC2 instance Lambda function Amazon S3 buckets Amazon DynamoDB Table
  44. 44. Creating IAM roles for non-human access
  45. 45. Assigning Permissions
  46. 46. Assigning AWS managed policies
  47. 47. Example: Administrator policy
  48. 48. Example: Read-only policy
  49. 49. Recommendation: Have at least these two IAM roles AWS Account AWS Organization AWS Account AWS Account Organizational Unit AWS Account: MASTER Organizational Unit Admin ReadOnly Admin ReadOnly Admin ReadOnly Admin ReadOnly
  50. 50. Auth-Auth in AWS
  51. 51. Example 1: Read data from DynamoDB. EC2 instance with IAM role → DynamoDB table. Least-privilege face of judgment. Read/write data
  52. 52. Example 1: Read data from DynamoDB. EC2 instance with IAM role → DynamoDB table. Read/write data
  53. 53. Example 1: Read data from DynamoDB. EC2 instance with IAM role → DynamoDB table. Read/write data
  54. 54. Reading the IAM documentation page https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
  55. 55. Example 1: Read data from DynamoDB. EC2 instance with IAM role → DynamoDB table. Read/write data
  56. 56. How authorization works in AWS (EC2 instance with IAM role → DynamoDB table). The “PutItem” action and the “table” resource match the Allow statement, so the request is allowed.
      Policy statement attached to the role:
      {
        "Effect": "Allow",
        "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ],
        "Resource": [ "arn:aws:dynamodb:us-east-2:111122223333:table/MyTable" ]
      }
      Application call:
      dynamodb.putItem({ TableName: "MyTable", Item: { "Id": { S: "a1b2c3d4" } … });
  57. 57. Permission across AWS Accounts
  58. 58. Accessing resources in another AWS account: AWS Account 444455556666 (example-bucket) and AWS Account 111122223333 inside an AWS Organization with AWS Account: MASTER. Resource policy fragment to allow the entire Organization:
      "Principal": "*",
      "Condition": { "StringEquals": { "aws:PrincipalOrgId": "o-a1b2c3" } }
  59. 59. Recommendations for cross-account access Keep it simple: • Use resource-based policies when available • Unless you have a specific reason to do otherwise: • Trust the entire other account, or • Trust the AWS Organization • Use IAM roles if resource-based policies are not available • Follow the above rules for their trust policies (i.e., resource-based policies for IAM roles)
  60. 60. Identity at different layers Amazon Web Services (AWS) Infrastructure Application Builders Operators Users AWS Command Line Interface (AWS CLI)
  61. 61. Identity for the AWS layer: Managing console, AWS CLI, and API access @scale
  62. 62. Your options SAML to IAM AWS Single Sign- On (AWS SSO) Custom Broker
  63. 63. Identity “for” and “of” the infrastructure Operating systems Database engines EC2 instances DynamoDB Table S3 Bucket with objects for of
  64. 64. “For” the infrastructure: Options Traditional *Utopia
  65. 65. “Of” Infrastructure - Base primitive: IAM roles AWS credentials auto delivered and rotated AWS credentials auto discovered and used Access controlled by policy attached to role Also works with AWS Lambda & Amazon Elastic Container Service (Amazon ECS) Permissions Role Temporary security credential Your code Operating system EC2 instance AWS resources
  66. 66. AWS Secrets Manager (e.g. conn string, config etc) Authorized call to Secrets Manager DB creds loaded DB creds returned Connection established Safe rotation Combo provides a reliable, secure, auto-rotating solution for ALL credentials Permissions Role Temporary security credential Your code Operating system EC2 instance AWS resources VPC DBA
  67. 67. For the humans and the machines: Credentials; Container; Lambda Function; Service 1; Service 2; Service to service; Human to application
  68. 68. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Cognito: 1. Authenticate (redirect / post back to federating IdP, IdP token); 2. User pools authenticate users and return standard tokens (CUP token); 3. Get AWS credentials (identity pools, AWS STS); 4. Access AWS services; 5. Access serverless backend; 6. User pool tokens are used to access backend resources. Identity pools provide AWS credentials to access AWS services.
  69. 69. Amazon Cognito • Application identity Swiss army knife: offloads identity-focused undifferentiated heavy lifting • Normalizing layer for applications: native and/or federated users – app doesn’t need to care • Vends standard tokens: CUP tokens – accessing your APIs; AWS Security Token Service (AWS STS) – accessing AWS APIs • Clean integrations with adjacent services: Amazon API Gateway – AuthN/Z for your APIs; Application Load Balancer – AuthN/Z for your apps. Image: Wikimedia Commons – By James Case from Philadelphia, Mississippi, U.S.A.
  70. 70. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Support for OAuth 2.0 in Cognito User Pools • OAuth 2.0 flows: • Authorization code • Implicit • Client credentials • Resource owner password credentials • Custom scopes defined for resource servers
  71. 71. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Cognito: Identity Scenarios – Business to Consumer; Business to Business (Enterprise Directory, SAML); Business to Employee (Enterprise Directory, SAML); IoT Scenarios (AWS IoT)
  72. 72. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Cognito: Services User Pools Federated Identity (Identity Pools) • Sign up/sign in • User profiles • Issue tokens • Hosted UIs • OAuth2/OIDC Identity Provider/Client • SAML2 Service Provider Federation • Guest access • AWS credentials
  73. 73. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CONFIDENTIAL and INTERNAL ONLY. Cognito User Pools – Comprehensive User Flows. User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application. Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge. Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge. User Profile Data: Enable users to view and update their profile data – including custom attributes. SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow. Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend. Customize these user flows using Lambda.
  74. 74. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cognito User Pools – Extensive Admin Capabilities. Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions. Define Custom Attributes: Define custom attributes for your user profiles. Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis. Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters. Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process. Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API. Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out.
  75. 75. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SDKs for Cognito User Pools: Native mobile app – AWS Mobile SDK for iOS, Android; Web app, custom UI – AWS Amplify; Backend service – AWS SDK, e.g., Java, Python, Node.js, etc.; Web app, hosted UI – AWS Amplify or Cognito Auth SDK for JavaScript; Hybrid mobile app – AWS Amplify
  76. 76. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Integrated Authorization: Amazon API Gateway (Cognito tokens from Amazon Cognito → API GW); AWS Application Load Balancer (Cognito tokens from Amazon Cognito → ALB); AWS credentials for any AWS service (Cognito tokens from Amazon Cognito → DynamoDB, S3, etc.)
  77. 77. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization – Cognito Authorizers (Amazon Cognito User Pools); AWS IAM authorization (Amazon Cognito Identity Pools); Lambda Authorizers (Custom Identity Providers)
  78. 78. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization – Cognito Authorizers (Amazon Cognito User Pools); AWS IAM authorization (Amazon Cognito Identity Pools); Lambda Authorizers (Custom Identity Providers)
  79. 79. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cognito User Pools Authorizers: Mobile app → Amazon Cognito User Pools → Amazon API Gateway → Lambda function → 6. Access AWS Resources (Amazon DynamoDB)
  80. 80. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization – Cognito Authorizers (Amazon Cognito User Pools); AWS IAM authorization (Amazon Cognito Identity Pools); Lambda Authorizers (Custom Identity Providers)
  81. 81. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM-based authorization: Mobile app → Amazon Cognito User Pools → Amazon Cognito Identity Pools → AWS Identity & Access Management → Amazon API Gateway → 8. Invoke Lambda → Lambda function → Amazon DynamoDB
  82. 82. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization – Cognito Authorizers (Amazon Cognito User Pools); AWS IAM authorization (Amazon Cognito Identity Pools); Lambda Authorizers (Custom Identity Providers)
  83. 83. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lambda Authorizers: Mobile app → Amazon API Gateway → Custom Authorizer Lambda function → AWS Identity & Access Management → 8. Invoke → Lambda function → Amazon DynamoDB
  84. 84. Service to service in AWS using IAM (AWS Cloud): Container, Lambda Function, Service 1, Service 2; Permissions; Role; Temporary security credential. • AWS takes care of credential distribution • Centrally defined authorizations in IAM policies • Resource-based policies allow access across AWS accounts
  85. 85. How authentication works in AWS
      POST https://dynamodb.us-east-2.amazonaws.com/ HTTP/1.1
      Host: dynamodb.us-east-2.amazonaws.com
      X-Amz-Date: 20180918T150746Z
      X-Amz-Target: DynamoDB_20120810.ListTables
      X-Amz-Security-Token: FQoGZXIvYXdzEKH////////// …
      Content-Type: application/x-amz-json-1.0
      Authorization: AWS4-HMAC-SHA256 Credential=ASIAXXXXXXXXXXXXXXXX/20180918/us-east-1/dynamodb/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=c1b4bc2df0c47c86cbcfa54d932e8aaa455b6b7c38e65d840f722254add1ea9e
  86. 86. Service to service in AWS using Amazon Cognito (OAuth) (AWS Cloud): Container, Lambda Function, Service 1, Service 2; Permissions; Role; CUP Token. • Alignment with human-based authorization • Bearer token model familiar to developers • You perform credential distribution (using AWS primitives)
  87. 87. Attribute-based access control (ABAC): “If the tag on the principal matches the tag on the resource, allow, otherwise deny.”
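As an added example (not from the deck), the SigV4 computation behind the Authorization header on slide 85, in Python using only the standard library, together with the receiver-side recomputation that a service performs before trusting a request. It assumes the slide's placeholder access key id, AWS's documentation example secret key and a constructed session token, and scopes the credential to the endpoint's own region (us-east-2).

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")

def sign_request(access_key, secret_key, region, service, method, path, headers, payload: bytes) -> str:
    # Build the Authorization header value; every header passed in is signed.
    # Simplification: no query string and no URI-encoding of the path.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = sorted(lower)
    canonical_headers = "".join(f"{h}:{lower[h]}\n" for h in signed_headers)
    canonical_request = "\n".join([method, path, "", canonical_headers,
                                   ";".join(signed_headers), _sha256_hex(payload)])
    amz_date = lower["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, amz_date[:8], region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={';'.join(signed_headers)}, Signature={signature}")

def verify_request(authorization, secret_lookup, region, service, method, path, headers, payload) -> bool:
    # Receiver-side check: recompute the signature over the headers the caller claims
    # to have signed, then compare in constant time. secret_lookup maps an access key id
    # to its secret. (A real verifier also rejects X-Amz-Date values outside a time window.)
    try:
        parts = dict(p.strip().split("=", 1) for p in authorization[len(ALGORITHM):].split(","))
        access_key, _date, scope_region, scope_service, _term = parts["Credential"].split("/")
        signed = parts["SignedHeaders"].split(";")
    except (KeyError, ValueError):
        return False
    if (scope_region, scope_service) != (region, service):
        return False  # the scope must name the endpoint actually being called
    secret = secret_lookup.get(access_key)
    if secret is None:
        return False
    subset = {k: v for k, v in headers.items() if k.lower() in signed}
    if "x-amz-date" not in {k.lower() for k in subset}:
        return False
    expected = sign_request(access_key, secret, region, service, method, path, subset, payload)
    return hmac.compare_digest(expected.encode("utf-8"), authorization.encode("utf-8"))

# The request from the slide. Credentials are placeholders: the access key id is the
# slide's own, the secret is AWS's documentation example, the session token is made up.
ACCESS_KEY = "ASIAXXXXXXXXXXXXXXXX"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
HEADERS = {
    "Host": "dynamodb.us-east-2.amazonaws.com",
    "X-Amz-Date": "20180918T150746Z",
    "X-Amz-Target": "DynamoDB_20120810.ListTables",
    "X-Amz-Security-Token": "FQoGZXIvYXdzEKH-CONSTRUCTED-SESSION-TOKEN",
    "Content-Type": "application/x-amz-json-1.0",
}
BODY = b"{}"

def example_authorization() -> str:
    return sign_request(ACCESS_KEY, SECRET_KEY, "us-east-2", "dynamodb", "POST", "/", HEADERS, BODY)
```

Because the payload hash is part of the canonical request, any change to the body or to a signed header after signing makes verification fail, which is what protects a signed API call in transit.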
  88. 88. Session tags Principal tags → dynamic policies Session tags → dynamic roles New!
  89. 89. Session tags ABAC policy: identity policy attached to IAM role for SAML federated user
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [ "arn:aws:ec2:*:*:instance/*" ],
            "Condition": {
              "StringLike": {
                "ssm:resourceTag/project": "${aws:PrincipalTag/project}",
                "ssm:ResourceTag/team": "${aws:PrincipalTag/team}"
              }
            }
          },
          {
            "Effect": "Allow",
            "Action": "ssm:TerminateSession",
            "Resource": [ "arn:aws:ssm:*:*:session/${aws:username}-*" ]
          }
        ]
      }
  90. 90. Session tags role trust policy: trust policy attached to IAM role for SAML federated user
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Federated": "arn:aws:iam::111122223333:saml-provider/MyIDP" },
            "Action": [ "sts:AssumeRoleWithSAML", "sts:TagSession" ],
            "Condition": {
              "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" },
              "StringLike": { "aws:RequestTag/project": "*", "aws:RequestTag/team": "*" }
            }
          }
        ]
      }
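An added example, not from the deck, that walks through the matching logic described on slide 56 and the session-tag ABAC policy on slide 89: a simplified Python evaluator that expands ${...} policy variables from the request context, applies StringEquals/StringLike with IAM wildcards, and lets an explicit Deny override any Allow. The request context (project/team tags, the user name) is constructed; the evaluator covers only the operators these two policies use.

```python
import re

# Minimal IAM-style policy evaluator (added example; a simplification of AWS's logic):
# an explicit Deny wins, any matching Allow grants, otherwise implicit Deny.
VAR_RE = re.compile(r"\$\{([^}]+)\}")

def wildcard_match(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None

def substitute(text: str, context: dict):
    # Expand ${key} policy variables. Returns None when a variable has no value:
    # IAM then treats the statement as not matching, never as an empty string.
    names = VAR_RE.findall(text)
    if any(context.get(n.lower()) is None for n in names):
        return None
    return VAR_RE.sub(lambda m: context[m.group(1).lower()], text)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition: dict, context: dict) -> bool:
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key.lower())  # condition key names are case-insensitive
            if actual is None:
                return False  # key absent from the request: condition cannot be met
            hits = []
            for pattern in _as_list(patterns):
                pattern = substitute(pattern, context)
                if pattern is None:
                    continue
                if operator == "StringEquals":
                    hits.append(pattern == actual)
                elif operator == "StringLike":
                    hits.append(wildcard_match(pattern, actual))
                else:
                    raise ValueError(f"unsupported operator {operator}")
            if not any(hits):
                return False
    return True

def statement_matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    if not any(wildcard_match(a, action) for a in _as_list(stmt["Action"])):
        return False
    resources = [substitute(r, context) for r in _as_list(stmt["Resource"])]
    if not any(r is not None and wildcard_match(r, resource) for r in resources):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)

def evaluate(policies, action: str, resource: str, context: dict) -> str:
    ctx = {k.lower(): v for k, v in context.items()}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny always wins
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny by default

# The two identity policies shown on the slides.
DYNAMODB_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
    "Resource": ["arn:aws:dynamodb:us-east-2:111122223333:table/MyTable"]}]}

SESSION_TAG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringLike": {"ssm:resourceTag/project": "${aws:PrincipalTag/project}",
                                  "ssm:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
    {"Effect": "Allow", "Action": "ssm:TerminateSession",
     "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]}]}

# Constructed request context: session tags on the federated principal plus the
# tags on the target instance (values are made up for this example).
CONTEXT = {"aws:PrincipalTag/project": "phoenix", "aws:PrincipalTag/team": "blue",
           "ssm:resourceTag/project": "phoenix", "ssm:resourceTag/team": "blue",
           "aws:username": "alice"}
```

A principal whose session carries no project/team tags gets an implicit Deny, because the policy variables cannot be resolved rather than because a wildcard matched an empty value.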
  91. 91. Configure IdP for session tags AWS Security Blog Attributes → standard Configurations → IdP specific
  92. 92. ABAC (Attribute Based Access Control) – Leverage session tags: https://aws.amazon.com/blogs/mt/configure-session-manager-access-for-federated-users-using-saml-session-tags/
  93. 93. Custom brokers – suitable for some very unique authorization use cases. Custom Broker (underlying compute IAM role) in AWS Cloud; Example Corp. user: AuthN/Z → Determine granular entitlements → Assess environment and/or context → Generate session policy → sts:AssumeRole with session policy “on behalf of” the authorized user
  94. 94. Fine-grained permissioning. AWS Lake Formation helps you set up a secure data lake in days. A data lake is a centralized, curated, and secured repository that stores all your data, both in its original form and prepared for analysis. • You can use Lake Formation to centrally define security, governance, and auditing policies in one place, versus doing these tasks per service • It eliminates the need to manually configure them across security services like AWS Identity and Access Management and AWS Key Management Service, storage services like S3, and analytics and machine learning services like Redshift, Athena, and (in beta) EMR for Apache Spark. This reduces the effort in configuring policies across services and provides consistent enforcement and compliance. • E.g. https://aws.amazon.com/blogs/big-data/enable-fine-grained-permissions-for-amazon-quicksight-authors-in-aws-lake-formation/
  95. 95. New: Access Analyzer
  96. 96. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. 30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security Learn security with AWS Training and Certification Visit aws.amazon.com/training/paths-specialty/ Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities Validate expertise with the AWS Certified Security - Specialty exam Resources created by the experts at AWS to help you build and validate cloud security skills
  97. 97. Access management is a journey CC0 Public domain
