Every organization has its unique set of tools, systems, environments, projects, and core functions. Within an organization, there exist many groups of people, departments, and business units that share the same services. However, each group will require varying levels of access to those services depending on their function and role within the organization.

For example, developers will require access to development environments that allow them to experiment and design new application features, whereas their access to production environments must be restricted. Similarly, junior system administrators should only be allowed to execute certain tasks and not have full administrative rights on critical workloads.

In this section, you will learn about AWS IAM and see how it may be used to implement crucial elements of cloud security. AWS IAM is a fully managed service that can help you define who or what can access your AWS account, what services can be accessed...

MFA is a security feature that enhances the authentication process by requiring users to input a six-digit token in addition to their usernames and passwords. AWS strongly recommends enabling MFA for your root user account and IAM users to increase security.

When MFA is enabled, a trusted source must provide an authentication code to access the Management Console. MFA can be set up for API calls to AWS and user console logins using a hardware- or software-based (virtual) MFA device.

AWS offers the Universal 2nd Factor (U2F) as an MFA option based on an open authentication standard. U2F can use specialized USB keys or near-field communication (NFC) devices such as smart card technology, but AWS only supports USB-based U2F and not NFC devices for MFA.

For more details on U2F, feel free to review the information at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_u2f.hml.

Security Token-Based MFA

Users must...

In this section, we discuss another option that leverages an existing IdP: Microsoft AD and SAML 2.0 for authentication with your AWS account. SAML 2.0 is an open standard for exchanging authentication and authorization tokens between an IdP such as Microsoft AD FS and a service provider (SP), in this case, AWS. SAML 2.0 is often used to facilitate single-sign-on (SSO) capabilities, which enables users to access multiple services with a single set of credentials without having to log in separately to each service.

Many businesses use an AD environment to manage authentication and authorization for on-premises-hosted services. In large organizations with thousands to millions of users, their credentials, permission policies, and access across multiple platforms can become increasingly difficult to manage. Identity federation enables you to grant permissions to external identities to use the AWS Management...

Most web and mobile applications require some form of authentication and authorization at the application layer before an end user can use its services.

In the case of the new Todo List application, customers will need to sign up for a subscription. Next, to ensure that only valid customers can access this application, a sign-in process will need to be built as part of the authentication and authorization security feature of the application.

Developing a database of users and verifying their credentials is a crucial step in any application’s development life cycle. However, storing credentials data within the application code or on devices is highly insecure and risky. To address this issue, Amazon recommends using web identity federation for web and mobile application authentication workflows. This allows applications to request temporary security credentials dynamically from an IdP, and an IAM role can generate...

Amazon Cognito is an identity service for your web and mobile applications. The service allows you to create a user directory or federate with external IdPs such as Google, Amazon, and Facebook to name a few. The internal directory (or external IdP) is used to verify a user’s identity and authorize their access to your application. This service removes the overhead associated with trying to create your own custom identity service for your application.

Amazon Cognito comprises two key components, which can either be used independently or in tandem. We discuss these next.

Amazon Cognito User Pools

Amazon Cognito user pool is a user directory service that offers user creation, management, and authentication services for your applications. End users can sign up for a user account, which results in creating a user profile. You can create an independent user directory hosted in Amazon Cognito and use OIDC-generated...

IAM Identity Center is designed to help centrally create and manage your workforce identities. This service is really an overlay of IAM and AWS Single Sign-On services. With the IAM Identity Center, you can use the default internal AWS IdP or connect and synchronize to an external IdP such as Microsoft AD Domain Services. This makes granting SSO capabilities much more straightforward than standard IAM.

You can use multi-account permissions to assign users access to all AWS accounts within AWS Organizations. This is a much easier approach than trying to configure cross-account access and multiple IAM roles to allow users from one AWS account access to other AWS accounts within your organization.

With the IAM Identity Center, you can also assign access to applications that integrate with the Identity Center or third-party applications that offer SAML 2.0 integration. Several use cases exist for using the IAM Identity Center instead of AWS...

In this exercise, you will create an IAM user using your existing AWS development account, which you created in the previous chapter. This IAM user will have both console and programmatic access to AWS This user will be utilized in the subsequent exercises throughout this study guide, providing practical experience and aiding you in preparing for the AWS Certified Developer Associate exam. Follow these steps to create an IAM user and an IAM group within your development account:

1. Log into your AWS development account, which was created in Chapter 1, Introduction to AWS Accounts and Global Infrastructure. You will be logging in as the root user, as you do not have any IAM users created.
2. In the top search bar, search IAM, and from the drop-down list that appears, select the IAM service. You will then be taken to the IAM dashboard.

Figure 2.10 –...

To complete all upcoming project tasks, ensure you log into your AWS Developer Account as the IAM user Alice.

In this project task, you will start working on the Developer project that we discussed in the previous chapter. As discussed, you will work with several AWS services and create multiple AWS resources designed to host and manage the application for our fictitious client, Todo Plus Limited.

In this task, you will create an Amazon Cognito user pool that will be used to authenticate and authorize end-user sign-up and sign-in capabilities for the application.

The following diagram highlights the area of the overall architectural plan you will work on in this project task.

Figure 2.16 – Project Task – Create Cognito user pool

1. Log in to your AWS development account as the user Alice, which you created in the last exercise.
2. Navigate to the Cognito service by searching for it in the top search bar.
3. Click the Create user pool button on the...

In this chapter, you have learned about the AWS IAM service. AWS IAM offers authentication and authorization services to allow you to define who or what can access your AWS accounts, its services, and resources. You have covered the concepts of IAM users, groups, and roles, and how these features of IAM can help you address different access requirements.

Amazon Cognito was also discussed, which allows you to build an authentication and authorization service for your web and mobile applications. With Amazon Cognito, you can create a user pool to host your own user directory or federate with external IdPs such as those that are OIDC and SAML 2.0 compatible.

Finally, we looked at the new AWS Identity Center, which is a more streamlined process of managing your workforce identities and offers SSO features with external IdPs, such as Microsoft AD.

In the next chapter, we introduce you to the different types of storage services and specifically focus on Amazon S3, which...

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That is why working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

How to Access These Materials

To learn how to access these resources, head over to the chapter titled Chapter 17, Accessing the Online Resources.

To open the Chapter Review Questions for this chapter, perform the following steps:

1. Click the link – https://packt.link/DVAC02_CH02.

   Alternatively, you can scan the following QR code (Figure 2.26):

Figure 2.26 – QR code that opens Chapter Review Questions...

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look like:

Table 2.1 – Sample timing practice drills on the online platform

Note

The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your “...