Documenting resource use within a public cloud is pivotal for meeting governance and regulatory compliance. Logging within AWS enables administrators to record and search details of end-user actions and affected resources.
Various AWS services provide security logging capabilities, including Amazon CloudFront, Amazon CloudWatch and AWS Config, and Amazon Simple Storage Service (S3) can log requests made to storage buckets. But many developers prefer to use AWS CloudTrail to log AWS Identity and Access Management (IAM) activity. Other AWS IAM tools can generate access policies, but they have limitations.
AWS CloudTrail logs all API requests made to IAM and AWS Security Token Service (STS), including some unauthenticated requests, such as role-assumption calls made through web-based identity providers. This enables requests to be mapped back to federated end users. CloudTrail also logs API requests to other native services, recording details about the end user or AWS tool that generated each request. Admins can quickly determine whether a request was made with IAM user credentials, with temporary credentials issued to a federated user or role, or by another AWS service. Additionally, CloudTrail logs sign-in events, both successful and failed attempts, to services like the AWS Management Console, AWS Marketplace and forums. By default a trail records management (control-plane) API calls; data-plane operations such as S3 object reads are data events that must be enabled separately.
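As an added example, not code from the article or from AWS, the following Python classifies CloudTrail records by the kind of credential behind them and extracts failed console sign-ins, which is the triage step the paragraph above describes. The record shapes follow CloudTrail's documented event fields (userIdentity.type, eventName, responseElements.ConsoleLogin, the assumed-role session ARN); the records in SAMPLE_TRAIL are constructed and abbreviated to the fields the code reads.

```python
"""Classify CloudTrail records by the credentials behind them and list failed
console sign-ins. Added example for this article; not code from AWS or the
article. Record shapes follow CloudTrail's documented fields; the records in
SAMPLE_TRAIL are constructed and abbreviated to the fields used here."""
import json
from collections import Counter

SAMPLE_TRAIL = json.dumps({"Records": [
    # Long-lived IAM user credentials calling the IAM API.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Unauthenticated STS call by a web identity (no AWS credentials yet).
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser",
                      "identityProvider": "accounts.google.com", "userName": "1098765"}},
    # Temporary credentials from an assumed role; the session name maps back to the end user.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/alice@example.com"}},
    # Temporary credentials obtained with GetFederationToken.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "FederatedUser", "principalId": "123456789012:carol"}},
    # A call made by another AWS service on the account's behalf.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
    # Console sign-in events, one failed and one successful.
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})

# userIdentity.type values grouped into the classes the article distinguishes.
IAM_CREDENTIALS = {"IAMUser", "Root"}
TEMPORARY_CREDENTIALS = {"AssumedRole", "FederatedUser"}
FEDERATION_HANDSHAKE = {"WebIdentityUser", "SAMLUser"}
SERVICE_CALLERS = {"AWSService"}


def credential_class(record):
    """Return which kind of caller made the request."""
    kind = record.get("userIdentity", {}).get("type", "Unknown")
    if kind in IAM_CREDENTIALS:
        return "iam-credentials"
    if kind in TEMPORARY_CREDENTIALS:
        return "temporary-credentials"
    if kind in FEDERATION_HANDSHAKE:
        return "federation-handshake"
    if kind in SERVICE_CALLERS:
        return "aws-service"
    return "unknown"


def principal(record):
    """Best-effort name for who is behind the record. For assumed roles the STS
    ARN ends in role-name/role-session-name; the session name is what ties the
    call back to a federated end user."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "AssumedRole":
        parts = ident.get("arn", "").split("/")
        if len(parts) >= 3:
            return f"role {parts[-2]} (session {parts[-1]})"
        return "assumed-role"
    if kind == "AWSService":
        return ident.get("invokedBy", "aws-service")
    if kind == "Root":
        return "root"
    return ident.get("userName") or ident.get("principalId") or "unknown"


def failed_console_logins(records):
    """Sign-in attempts are ordinary records with eventName ConsoleLogin; the
    outcome is reported in responseElements.ConsoleLogin."""
    return [principal(r) for r in records
            if r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"]


def summarize(trail_json):
    """Summarize one CloudTrail log file (a JSON object with a Records array)."""
    records = json.loads(trail_json)["Records"]
    return {
        "by_credential_class": dict(Counter(credential_class(r) for r in records)),
        "principals": [principal(r) for r in records],
        "failed_console_logins": failed_console_logins(records),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TRAIL), indent=2))
```

Running it on a real trail means pointing summarize() at the decompressed log files CloudTrail delivers to its S3 bucket; the same userIdentity fields are present there, with many more attributes than the constructed sample carries.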
Third-party tools can help with automation, streamlining and common management tasks. Chalice, for example, is an open source, Python-based serverless microframework for AWS that helps businesses create and deploy serverless applications on Amazon API Gateway and AWS Lambda. A microframework is a small, highly extensible set of software components that developers can easily modify. Chalice has a command-line interface that developers can use to create, view, deploy and manage applications in AWS.
Chalice also automates the creation of IAM policies, allowing an application to access the AWS services it uses. In practice, developers generate the IAM policy automatically when deploying a package with the chalice deploy command, which sends the deployment package to the serverless cloud environment; Chalice derives the policy from the AWS API calls it finds in the application code. This helps ensure proper access policy management while minimizing the time and effort needed to set policies, and frees developers to focus on other tasks. Chalice does, however, require a high level of cloud application design expertise, and a generated policy should still be reviewed against least-privilege expectations before it is trusted; Chalice also allows a hand-written policy to be supplied in place of the generated one.
The trouble with third-party IAM tools
Third-party tools such as Skeddly are designed to schedule automation for the cloud. Such tools also generate the IAM policy documents that grant them the permissions they need to interact with AWS resources in an account. Because that policy gives an outside party access to the account, it should be scoped to the specific actions and resources the tool actually needs, and the access should be granted through a cross-account IAM role rather than long-lived access keys.
These AWS IAM tools are only examples; while they help enterprises achieve complex cloud goals, they have limitations compared with native services. Primarily, third-party tooling often lacks flexibility. Policies are dynamic entities that can be a challenge to create, test and maintain. Working directly with a cloud provider's native IAM services is often more convenient and predictable: the provider's own tooling, such as the IAM policy simulator, lets a policy be tested before it is attached, with fewer unintended consequences than relying on third-party AWS IAM tools to create policies automatically.
In addition, third-party IAM tools must keep pace with the evolution of public cloud services. Each time AWS updates an IAM API, a third-party vendor must update its tool accordingly, so third-party tools can lag behind IAM development, adding a layer of uncertainty for enterprise IT teams.
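The review step that the Chalice and Skeddly discussions above both call for, as an added example that is not code from the article, from Chalice, from Skeddly or from AWS: a small Python checker that flags over-broad grants in a generated IAM policy document and answers "would this policy allow action X?" offline, including the NotAction and explicit-Deny cases that are easy to misread. It follows IAM's documented policy grammar (Effect, Action/NotAction, Resource, Condition, with case-insensitive wildcard matching on actions); SAMPLE_POLICY is a constructed document shaped like one a generator might emit, and the evaluation deliberately ignores Resource and Condition matching, which the real IAM engine also applies.

```python
"""Review an IAM policy document for over-broad grants and evaluate single
actions offline. Added example for this article; not code from the article,
Chalice, Skeddly or AWS. Follows IAM's documented policy grammar;
SAMPLE_POLICY is a constructed document."""
import json
from fnmatch import fnmatch

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Tightly scoped: one action on one bucket prefix.
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*"},
        # Service-wide wildcard on every resource.
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        # Typical Lambda logging grant; wildcard ARN fields, but not a bare "*".
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        # NotAction with Allow grants everything except IAM.
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM lets Statement, Action, NotAction and Resource be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def _matches(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def statement_covers(stmt, action):
    """Does this statement apply to ACTION? Action lists what it covers;
    NotAction covers everything that is not listed."""
    if "Action" in stmt:
        return _matches(_as_list(stmt["Action"]), action)
    if "NotAction" in stmt:
        return not _matches(_as_list(stmt["NotAction"]), action)
    return False


def policy_allows(policy, action):
    """Offline evaluation of one identity policy for ACTION, assuming the
    request's Resource and any Condition match. Default deny; an explicit
    Deny overrides any Allow, as in IAM."""
    allowed = False
    for stmt in _as_list(_load(policy)["Statement"]):
        if not statement_covers(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def review_policy(policy):
    """Return (statement index, severity, message) for each over-broad Allow."""
    findings = []
    for i, stmt in enumerate(_as_list(_load(policy)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((i, "high", "Allow with NotAction grants every action not listed"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((i, "high", f"wildcard action(s) {wild}"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((i, "medium", 'Resource "*" with no Condition to narrow it'))
    return findings


if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(finding)
    for action in ("s3:GetObject", "dynamodb:DeleteTable",
                   "ec2:TerminateInstances", "iam:CreateUser"):
        print(action, policy_allows(SAMPLE_POLICY, action))
```

The NotAction statement is the instructive one: it reads as if it restricts IAM, but policy_allows() shows it grants ec2:TerminateInstances and every other non-IAM action, which is exactly the kind of grant a generated policy should not be trusted with unread.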
Related Q&A from Stephen J. Bigelow