As you learned in Chapter 7, the AWS Resource Access Manager (RAM) is an AWS management utility that allows you to share the AWS resources created in one AWS account and make it available to other AWS accounts.
You can create a resource in one account using the Resource Access Manager to make that resource usable in multiple other AWS accounts. This limits the duplication of resources in different accounts by sharing them using RAM.
RAM supports many different AWS resources including App Mesh, Amazon Aurora, AWS Private Certificate Authority, CodeBuild, EC2, EC2 Image Builder, Glue, License Manager, Migration Hub Refactor Spaces, Network Firewall, Outposts, S3 on Outposts, Resource Groups, Route 53, SageMaker, Service Catalog AppRegistry, Systems Manager Incident Manager, VPCs, and Cloud WAN. Additional resources are always being added. Check the online documentation for a current listing.
In this section, you will learn what authentication and authorization are and how they are used in AWS; then we will discuss some of the specific applications used in AWS to perform these functions.
Authentication is the method used to sign in to AWS or other systems using your login. Authentication is used to identify who you are, and based on this, you will be granted access to allowed services. It determines who is making the request, and authorization is what the user is allowed to do. Authentication is the combination of proving who the user is and that you are who you say you are.
The two primary methods used for access control are authentication and authorization. Open access to the public is called anonymous access and acts as “any access.” If there are restrictions, which there almost always are, then a method is needed to identify who the user or service is, and based on that authentication, rights can be granted to permit or deny operations inside of AWS.
Authentication is accomplished when you sign in to your AWS account using an account created in the IAM service, which is usually a root user, IAM user, or role defined in IAM. Users have either usernames and passwords that are long-term credentials or a set of access keys.
Authentication verifies the identity of a user or service, and authorization determines the access rights used to protect systems and information.
For a user to authenticate from the AWS graphical web management console, you sign in using your username and password. There are other ways to authenticate such as with the AWS CLI or using an AWS API. The two primary methods here are to use access and secret keys or to use temporary credentials.
It is important to remember that IAM is both an authentication and authorization application. Once IAM determines who you are, you are granted access to approved services, which is the authorization process.
Authentication and authorization are the security systems that control all AWS API operations. Remember, all AWS console interactions use API calls even if you are working on a CLI, SDK, web console, or any other method to interface with AWS; underneath it is always an API call.
Once a user has been identified, authorization is used to determine what the identity is allowed to do and what it is restricted from doing. Authorization is defined in IAM and can be rather complex to configure and manage. IAM is beyond the scope of the Advanced Networking blueprint and is covered in the Security specialty certification. Authorization includes factors such as who is making the request, whether it is a user or other identity such as a software application, how the request was made, request data such as date and time, the source IP address, the operation that includes what operation is being requested, which service and policies are attached to the service, and which operations are allowed to be performed.
Acedexam Training Policies
Learning resources
Other resources
Our Training Providers
