MFA (multi-factor authentication) adds an extra layer of security by asking users to provide more than one form of identification, such as a password plus a temporary code from a mobile app.
AWS Secrets Manager helps secure sensitive information, like passwords and API keys, by managing credentials in one place and offering a special feature called automatic credential rotation.
AWS IAM Identity Center simplifies authentication: users log in once to access all their AWS accounts (SSO), and they can log in with their corporate or social media credentials (identity federation).
Cross-Account IAM Roles let users in one AWS account access resources in another without making a new IAM user.
All right, so far we've learnt these key things about IAM:
Now let's dive into some handy tools that help us be the ultimate bouncers for our AWS accounts!
Have you ever signed in to a website with your password, but it also asked you to type in a code they sent to your phone or email?
That code is a second form of authentication. This is an example of multi-factor authentication (MFA), which provides an extra layer of security for your account.
You can enable MFA for the root user and IAM users. As a best practice, enable MFA for the root user and all IAM users in your account.
This is what MFA looks like for someone trying to log in:
Manages sensitive information such as API keys, passwords, and database credentials securely.
AWS Secrets Manager serves as the guardian of sensitive information. It offers a centralised and secure vault for API keys, passwords, and database credentials.
One of its standout features is the automatic rotation of credentials! Credential rotation = regularly updating or changing sensitive passwords or access keys, which adds an extra layer of defense against potential security threats. Changing credentials makes it harder for potential attackers to access your AWS account. Even if they do get access to your account, their access stops when your credentials update. Here's how it typically works:
AWS IAM Identity Center, previously called AWS Single Sign-On (SSO), simplifies authentication by letting users log in just once to access all their AWS accounts.
SSO isn't just used in AWS:
SSO brings two key benefits:
IAM Identity Center doesn't just help you set up SSO for your AWS accounts. It's also the place to set up federated access.
Identity federation means passing identity and authentication information from one system to another. Users who already have an account with an external party can get access to your AWS account without you needing to set up a new IAM user for them. These external parties can be Amazon, Facebook, Google, or an employee's company account (for example, if a user already has an xxx@company.com address that lets them access the company's internal resources).
Cross-account IAM roles make it easy for people in one AWS account to use resources in another account without making a new IAM user.
To understand how it works, imagine you manage two AWS accounts called Account A and Account B:
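As an added example (not part of the original page), here is what the two policy documents behind a cross-account role look like, assuming users in Account A assume a role that lives in Account B, and that the role's trust policy also requires MFA (tying together the MFA and cross-account ideas above). The account IDs, role and bucket names are constructed placeholders.

```python
import json

# Constructed placeholder account IDs, not real accounts.
ACCOUNT_A = "111111111111"   # account whose users will assume the role
ACCOUNT_B = "222222222222"   # account that owns the role and the resources


def build_trust_policy(trusted_account: str, require_mfa: bool = True) -> dict:
    """Trust policy for a role in Account B: principals in the trusted
    account (Account A) may call sts:AssumeRole, and with require_mfa they
    must have signed in with MFA (aws:MultiFactorAuthPresent)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_permissions_policy(bucket: str) -> dict:
    """Least-privilege permissions policy attached to the role in Account B:
    read-only access to one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Review check: flag trust statements that let any principal assume the
    role or that do not require MFA."""
    findings = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append("trust policy allows any AWS principal")
        cond = st.get("Condition", {}).get("Bool", {})
        if cond.get("aws:MultiFactorAuthPresent") != "true":
            findings.append("AssumeRole allowed without MFA")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(ACCOUNT_A)
    print(json.dumps(trust, indent=2))
    print(trust_policy_findings(trust))                              # []
    print(trust_policy_findings(build_trust_policy(ACCOUNT_A, False)))
```

An Account A user then assumes `arn:aws:iam::222222222222:role/<role-name>` (placeholder name) and receives temporary credentials scoped to the permissions policy, with no IAM user created in Account B.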