# Identity and Access Management (IAM)
## Identity management
Identities, such as AWS usernames, are required to authenticate you to your AWS account.<br>
This authentication process is managed in 2 stages:
1. Define who you are, effectively presenting your identity, e.g. AWS username. This identification is unique within IAM for your account, so IAM would prevents having 2 identical user accounts with the same name within the same AWS account.
2. Verification of your identity - this is achieved by supplying additional data, and when using our AWS usernames we can verify this by suppling a password.

## Access management 
Access management relates to authorisation and access control.<br>
Authorisation determines what an identity can access within your AWS account once it has been autehnticated.<br>
For example, the user's list of permissions to access specific AWS resources and whether they had full access to EC2 or read-only to RDS.

Access Control is a method of accessing secured resources.<br>
For example using the following:
* Username and password (authentication and verification)
* Multifactor authentication (MFA)
* Federated access (no AWS IAM user credentials needed)

# IAM Features
IAM provides the components to maintain this management of access, but it is only as strong and secure as you configure it.

It is up to the user to define how secure the access control procedures have to be:
* How secure access control procedures must be?
* How much restruction on users accessing certain resource?
* How complex a password policy must be?
* Should users be using Multi-Factor Authentication (MFA)?

The level of security meaures will likely depend on your Information Security Management System (ISMS).

# Federated Access
You have created a new app the requires access to an S3 bucket to store media.<br>
Your app requires permission to S3 to upload and download media.<br>
Long-term credentials into the application code goes against security best practices.<br>
The solution should be designing the app to request temporary access from authenticaed users through web identity federation.

## Web Identity Federation?
Identity federation is a method of authentication where two different providers can establish a level of trust, allowing users to authenticate from one provider, autherising them to access resources from the other provider.

During the federation process, one party would as the Identity Provider (IdP), the other would be the Service Provider (SP).<br>
The IdP authenticates the user, the SP grants access to services or resources based on the IdP's authentication.

So our application running on AWS would be the SP, whilst the IdP could be Google or Facebook.

When users authenticate to the app via web identity federation, they receive an authentication token.<br>
This toek nis then exchanged for temporary security credentials in AWS.

This grants them the relevant access to Amazon S3 provided by the role, to carry out the operations needed by the application.

## Security Assestion Markup Language (SAML) 2.0
Web Identity Federation is used for large, wide scale of access from unknown users.

SAML 2.0 is used to exchange authentication and authorisation between countless security domains which exchanges information between SMAL consumer and Identity provider.

For example, a company is already using Microsoft Active Directory (MSAD) to authenticate employees to the internal network.<br>
There would be a lot of work to create users in AIM for their own set of credentials.<br>
It would be easier to allow them to federate their access through via SAML, integrating with the ADFS server.<br>
This reduced the administration required within IAM and it allows for a single sign-in solution.

# IAM AWS Policy Types
## Identity-based Policies
Policies that are attached to any entity that depicts an identity: users, user groups, or roles within IAM.

### Managed policies
Managed policies are saved within the IAM library of policies and can be attached to any user, user group, or role.<br>
The same policy can be attached to multiple entities.

They can be managed in 2 ways:
* AWS managed - These policies have been pre-configured by AWS for the most common permissions assigned.
* Customer managed - These policies will be configured by yourself when the default policies do not meet your security requirements.

### Inline policies
Inline policies are embedded directly into the entity.<br>
The policy is not saved and stored in the IAM library policy, its only existence is within the associated eneity.<br>
It cannot be easily replicated to other entities.

## Resource-based Policies
Resource-based policies are similar to inline policies that are associated with a resource instead of an identity.

For example, S3 has bucket policies, where permissions to the bucket are defined at the resource level and define which principles can access the bucket based upon different actions.

When using roles within AIM, the role has a Trust Relationship policy, which is a resource-base policy.<br>
As a result, the permissions of the trust are embedded inline within the role itself.

## Permission Boundaries
Policies that define the maximum level of permissions that can be granted to a user or role.

They act as a guide rail to limit the maximum level of permissions that the user or role can be given.

The policy configured can be managed by AWS or by the customer.

For example, a user has an identity-based policy that allows full access to S3 and full access to EC2.<br>
If a Permission boundary was configured which only grants read only access to S3, the user will still have full access to EC2 but only read only to S3.

## Organisation Service Control Policies (SCPs)
Policies that are associated with an AWS account or Organisation Unit (OU) when working with AWS organisations and govern the maximum permissions to members of those accounts.

For example, a user has full access to S3, RDS, and EC2 via an identity-based policy.<br>
If the SCP associated with that AWS account denied access to the S3 service, then the user would only be able to access RDS and EC2, despite having full access to S3.<br>
The SCP would serve to prevent the service from being used within the AWS account.<br>
The SCP has the overriding precendence and determine the maximum level of permissions allowed.

# AWS Organisations
As a business expand their footprint on AWS and utilise more services to build and deploy their applications, it will soon become apparent that the need for multiple AWS accounts is required to manage the environment and infrastructure effectively.

A multi-account strategy is beneficial for:
* Cost optimisation and billing
* Security and governance
* Management and control of workloads
* Resource grouping
* Helpinf to define business units

The more accounts you have, the more distributed your environment becomes and the associated security risks and exposures increase and multiply.

AWS operates with a hieratchy of services.<br>
The components are:
1. Organisations
2. Root
3. Organisational units
4. Accounts
5. Service control policies

## Organisations
An Organisation is an element that serves to form a hieracrchical structure of multiple AWS accounts.
<br>
Think of the Organisation as a family tree which provides a graphical view of your entire AWS account structure.

At the top of the Organisation is the Root container

## Root
The Root object is a container that resides at the top of the organisation.<br>
All of the AWS accounts and Organisational Units, are underneath Root.<br>
Within any Organisation, there is only one single Root object.

## Organisational Units
Organisational Units (OUs) provide a means of categorising your AWS accounts.<br>
Like Root, these are simply containers that allow you to group together specific AWS accounts.<br>
An OU can connect directly below Root or even below another OU (can be nested 5 times).<br>
Creating a hierarchical structure.

## Accounts
These are AWS accounts that are used and created to be able to configure and provision AWS resources.<br>
Each AWS account has a 12 digit account number.

## Service Control Policies (SCPs)
SCPs allow you to control what services and features are accessible from within an AWS account.<br>
Thse SCPs can either be associated with Root, OUs, or individual accounts.<br>
When an SCP is applied to any of these objects, its associated controls are fed down to all child objects.<br>
They are permission boundaries that set the maximum permission level for the objects that they are applied to.

## Benefits
<u>Master Account</u><br>
The primary benefit of AWS Organisations is its ability to centrally manage multiple Accounts from a single AWS account - the Master Account.<br>
You can start by inviting exisitng accounts to an Organisation, then creating new accounts directly from the Master Account.

<u>Greater control over your AWS environment</u><br>
Through the use of Service Control Policies attached to Root, Organisation Units, or individual accounts, administrators of the master account gain powerful control over which services and features (down to specific API calls), that an IAM user within those accounts can use, regardless of the user's identity-based or resource-based permissions.

<u>Consolidated billing</u><br>
The Master Account of the AWS Organisation can be used to consolidate the billing and costs from all AWS accounts.<br>
This allows greater overall cost management across the individual AWS accounts.

<u>Categorisation and grouping of accounts</u><br>
By leveraging OUs, you can segregate and group-specific AWS accounts together, applying different SCPs associated to each OU.<br>
For example, there are a number of AWS accounts that must not have access to AWS Analytical servers.<br>
A way to resolve this would be creating an OU with these accounts and assign an SCP that denies this functionailty.

# AWS Web Application Firewall (WAF)
When delivering web contenct using a Web Application Firewall, you could be exposing your websites and web apps to potentially harmful and malicious traffic, leading to security risks within your environment.

WAF is a service that helps prevent websites and web applications from maliciously attacked by common web attack patterns.

AWS WAF is faster to implement than a standard web application firewall, simplier and easier to manage as well.

There are a nnumber of components of the WAF service:
* Web Access Control Lists (ACLs)
    * It is used as the component that is associated with one of the supported resources to detemine which web requests are considered safe or not.
    * ACls contain rules, which contains specific controls and criteria checks that assess each web request to determining whether it should be allowed or blocked.
* Rules
    * Rules contain statements and actions focusing on specific criteria that web requests are inspected against. If the inspected request matches the criteria set out in the statement, then that is considered a match. The result of this ma`tch can follow an action of:
        * Allow - the request is forwarded onto the resouce.
        * Block - the request is dropped and a response is sent back, informing them that the request was denied.
        * Count - counts the number of matching requests.
* Rule Groups
    * Rule groups are a collection of rules that can be applied to different Web ACLs as needed.