Understanding How IAM Works

By Ashwin Venugopal -

 





Overview

As IAM offers the infrastructure essential to control the authentication and authorization of an account, its elements given below should also be understood by everyone. 

Principal

It is a person or application that can make a request for an action or operation on an AWS resource because it is authenticated as the AWS account Root User or an IAM entity to do that. As stated before, it's strongly recommended to not use the root user credentials on daily basis, instead, create different IAM entities or support federated users or programmatic access to allow an application to access the AWS account.

Request

Whenever a Principal uses the AWS Management Console, API, or CLI, a request is sent to AWS which includes the following information-  
  1. Actions or Operations- The actions or operations to be done for the principal can be an action in the AWS Management Console, or an operation in AWS CLI or AWS API.
  2. Resources- The resource object on which the actions or operations are performed.
  3. Principal- It's a person or application that uses an entity to send a request. 
  4. Environment Data- It generally includes the information regarding the IP address, user agent, SSL enabled status, or the time of day.
  5. Resource Data- As the name suggests, it is the data related to the resource that's being requested. 

Authentication

As the principal that's using their credentials to send a request to AWS must be authenticated from the console as a root user, the sign should be done via the registered email address and password. After that, the account Id (or alias), username, and password should be given. However, in order to authenticate from the API or AWS CLI, the access key and the secret key must be provided along with the any kind of additional security related information.

Authorization

Now, the request must also be authorized to complete it. The request context's values are used by AWS to check for any policies that can be applied to the request and if one want permissions to access the AWS resources in their own account, then, only the identity-based policies are required as resource-based ones are generally used for granting cross-account access. Each and every policy is checked for its permission, and even if a single one denies action, then, AWS denies the whole request and stop evaluating it which is also known as an Explicit Deny as the requests are denied by default.

Actions or Operations

After the successful authorization and authentication of a request, the actions or operations in your request are approved by AWS. Operations are the services containing the things that can be done to a resource like- viewing, creating, editing, deleting, etc. and in order to allow a principal to perform an operation, the necessary actions must be included in the policy that can apply to the principal or the affected resource.

Resources

Finally, after approval of the operations in the request, they can be now performed on the related resources within an account. A resource is an object that exists within a service and the particular service defines a set actions that can performed on each resource. However, if a request to perform an unrelated action on a resource is made, it is denied instantly.

























Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more