

Manage AWS access to control security

AWS administrators can establish encryption keys, user policies and S3 policies to prevent unwanted access to cloud resources.

AWS cloud administrators spend a significant amount of time implementing security controls, including encryption, AWS access control policies and user privileges. At one time, encryption was mostly a concern for e-commerce sites that needed to assure customers that their credit card numbers could be transmitted safely over the Internet. Now, encryption of data in motion and data at rest is standard practice for many Web-scale companies.

The Amazon Web Services (AWS) Key Management Service (KMS) provides centralized control of encryption keys used in a variety of AWS products, including Amazon S3, Relational Database Service, Redshift and Elastic Block Store. With KMS, administrators can create, configure and easily rotate keys, as well as audit their use.

For example, if an administrator wants to encrypt data at rest in Redshift, he can specify a key stored in the KMS when creating a Redshift cluster. The work needed to distribute keys and configure encryption on Redshift is managed for the user.

Pricing for KMS is based on the number of keys in the account -- billed at $1 per month -- and the number of operations that use the keys -- billed at $0.03 per 10,000 requests.

Controlling AWS access with policies

Users often control access to S3 storage objects, and there are two primary ways to establish access privileges on S3 buckets and files: S3 policies and user policies.

An S3 policy is a set of rules that defines the types of operations allowed on an object or bucket. Rules can specify restrictions on an operation based on its network connection properties. For example, an admin might specify that only source IP addresses from a specified range are allowed to read and write files. In other cases, an admin may specify that only encrypted connections are allowed when reading data from a particular bucket.

An S3 policy is specified as a JavaScript Object Notation (JSON) structure that contains four elements: a resource, an action, an effect and a principal. Resources are buckets and objects, specified by their Amazon Resource Name (ARN). Actions are operations, such as listing the contents of a bucket or getting an object. The effect is one of two values: allow or deny. The principal is the user, account or service that is permitted (or forbidden) to perform the actions on the resources named in the policy.
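As an added example, not taken from the article or from AWS, here is a bucket policy built from the four elements just described, with the two kinds of condition the article mentions (a source IP range and a requirement for encrypted connections), plus a simplified evaluator that shows how an explicit Deny overrides an Allow. The bucket name, account ID, user and address range are constructed placeholders; the condition keys aws:SourceIp and aws:SecureTransport are real IAM keys, but the evaluator is a teaching model of IAM's decision logic, not the full algorithm.

```python
import ipaddress
import json

# Constructed values for this example; not a real bucket, account or user.
BUCKET_ARN = "arn:aws:s3:::example-data-bucket"
ANALYST = "arn:aws:iam::123456789012:user/analyst"

def build_policy(office_cidr):
    """Bucket policy: the analyst may read, but only from office_cidr, and
    every principal is denied any request that is not sent over TLS."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowReadFromOffice", "Effect": "Allow",
         "Principal": {"AWS": ANALYST},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": office_cidr}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny",
         "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def _listed(value, wanted):
    """True if wanted matches an entry; '*' alone or trailing is a wildcard."""
    entries = value if isinstance(value, list) else [value]
    return any(e == "*" or e == wanted or
               (e.endswith("*") and wanted.startswith(e[:-1])) for e in entries)

def _applies(stmt, principal, action, resource, src_ip, tls):
    """Match one statement against a request (simplified model of IAM)."""
    p = stmt["Principal"]
    if not _listed("*" if p == "*" else p["AWS"], principal):
        return False
    if not _listed(stmt["Action"], action) or not _listed(stmt["Resource"], resource):
        return False
    cond = stmt.get("Condition", {})
    if "IpAddress" in cond and ipaddress.ip_address(src_ip) not in \
            ipaddress.ip_network(cond["IpAddress"]["aws:SourceIp"]):
        return False
    if "Bool" in cond and str(tls).lower() != cond["Bool"]["aws:SecureTransport"]:
        return False
    return True

def evaluate(policy, principal, action, resource, src_ip, tls=True):
    """IAM's basic rule: an explicit Deny wins; otherwise some Allow must match."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _applies(s, principal, action, resource, src_ip, tls)]
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"

def policy_json(policy):  # the document as attached with put-bucket-policy
    return json.dumps(policy, indent=2)
```

Note that a read from the office range over plain HTTP is still denied: the Deny statement matches and takes precedence over the Allow.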

In addition to specifying access rules in S3 policies, administrators can use Amazon's Identity and Access Management (IAM) service to specify AWS access controls. IAM is a comprehensive service for managing users, groups and permissions on resources and services. One of the first things an AWS admin should do is create a user for performing administrative actions rather than logging into AWS with root account credentials. When multiple users access the same account, it is imperative to create and configure account privileges according to each user's operational needs. IAM helps administrators follow best practices, such as the principles of least privilege and separation of duties.

With IAM, admins can restrict users to only the resources they need. For example, a business intelligence analyst might use Redshift to query a data warehouse but would not have permission to create any EC2 instances. Administrators can also specify S3 access control policies for individual users in IAM.

It is considered a good practice to require AWS Multi-Factor Authentication (MFA) on administrator accounts or other sensitive accounts; this is configured in IAM. AWS supports both virtual MFA devices, such as Google Authenticator, and hardware devices that are available through Amazon.

Instead of assigning privileges directly to users, attach policies to groups. This lets administrators streamline authorization by defining permissions once for a group rather than for each individual user. Using groups reduces the risk of error when a large number of permissions must be granted to many people, especially as permissions change over time. Administrators can create groups based on functional roles and then tailor AWS access controls to each role.

Roles are another important element of the AWS security system. Roles are similar to users in that they are assigned a set of permissions, but, unlike a username, a role is not tied to an individual. Instead, a role is assumed temporarily when it is needed to perform a particular action.

AWS offers an array of access control mechanisms. With the right combination, administrators can improve the security of their resources without creating undue administrative overhead.
