
O'Reilly's Automating Security in the Cloud

Issue link: https://resources.threatstack.com/i/872576


Self-asserted identity schemes such as OpenID, which allow individual users to select an identity provider, are appropriate for services that do not involve sensitive information. For 'corporate' users, policy information must come from the user's organization, and user profile information must come from the user's organization as well as from the user. Identity schemes such as SAML, which allow the organization to select the identity provider and to require a particular strength of authentication, are necessary for organizational user profiles. If the cloud service only offers local identity services, customers should determine how to provision, deprovision, and manage identity information within the cloud service.

IAM groups in the cloud

A group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove him or her from the old groups and add him or her to the appropriate new groups.

CIS Benchmark recommendations

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not to users. Rationale: assigning privileges at the group or role level reduces the complexity of access management as the number of users grows.

18 | Chapter 4: Cloud Computing Foundational Security Leading Practices
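The following is an added example, not code from the book or from the CIS Benchmark itself. It audits an account for the recommendation above (policies on groups and roles, never directly on users) by reading data in the shape of `aws iam get-account-authorization-details` output, reduced to the fields the check needs. The account contents, user names (alice, bob, carol), group names (Admins, Developers) and inline policy names are constructed for the example; only `AdministratorAccess` and the `aws iam` subcommands are real AWS identifiers.

```python
"""Check the CIS 'policies attached to groups/roles, not users' recommendation
against the structure returned by `aws iam get-account-authorization-details`.
SAMPLE_AUTH_DETAILS is a constructed, hypothetical account used as input."""
from typing import Any

SAMPLE_AUTH_DETAILS: dict[str, Any] = {
    "UserDetailList": [
        {   # compliant: all access arrives through the Admins group
            "UserName": "alice", "GroupList": ["Admins"],
            "UserPolicyList": [], "AttachedManagedPolicies": [],
        },
        {   # finding: an inline policy embedded directly in the user
            "UserName": "bob", "GroupList": [],
            "UserPolicyList": [{"PolicyName": "bob-inline-s3"}],
            "AttachedManagedPolicies": [],
        },
        {   # finding: a managed policy attached directly, on top of group access
            "UserName": "carol", "GroupList": ["Developers"],
            "UserPolicyList": [],
            "AttachedManagedPolicies": [
                {"PolicyName": "AdministratorAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
            ],
        },
    ],
    "GroupDetailList": [
        {
            "GroupName": "Admins", "GroupPolicyList": [],
            "AttachedManagedPolicies": [
                {"PolicyName": "AdministratorAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
            ],
        },
        {
            "GroupName": "Developers",
            "GroupPolicyList": [{"PolicyName": "developers-inline"}],
            "AttachedManagedPolicies": [],
        },
    ],
}


def find_user_attached_policies(details: dict[str, Any]) -> dict[str, list[str]]:
    """Return {user: [policy names]} for every user with an inline or managed
    policy attached directly. An empty dict means the check passes."""
    findings: dict[str, list[str]] = {}
    for user in details.get("UserDetailList", []):
        direct = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        direct += [p["PolicyName"] for p in user.get("AttachedManagedPolicies", [])]
        if direct:
            findings[user["UserName"]] = direct
    return findings


def effective_policies(details: dict[str, Any], user_name: str) -> list[str]:
    """All policies a user holds, directly or via group membership. Run this
    before remediation to see what the group must carry once the direct
    attachment is removed."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    user = next(u for u in details["UserDetailList"] if u["UserName"] == user_name)
    names = {p["PolicyName"] for p in user.get("UserPolicyList", [])}
    names |= {p["PolicyName"] for p in user.get("AttachedManagedPolicies", [])}
    for group_name in user.get("GroupList", []):
        g = groups.get(group_name, {})
        names |= {p["PolicyName"] for p in g.get("GroupPolicyList", [])}
        names |= {p["PolicyName"] for p in g.get("AttachedManagedPolicies", [])}
    return sorted(names)


def remediation_commands(details: dict[str, Any], target_group: str) -> list[str]:
    """AWS CLI commands that move directly attached managed policies onto
    target_group. Inline user policies have no ARN to re-attach, so they are
    flagged for manual re-creation on the group before deletion."""
    cmds: list[str] = []
    for user in details.get("UserDetailList", []):
        name = user["UserName"]
        for p in user.get("AttachedManagedPolicies", []):
            cmds.append(f"aws iam attach-group-policy --group-name {target_group} "
                        f"--policy-arn {p['PolicyArn']}")
            cmds.append(f"aws iam add-user-to-group --group-name {target_group} "
                        f"--user-name {name}")
            cmds.append(f"aws iam detach-user-policy --user-name {name} "
                        f"--policy-arn {p['PolicyArn']}")
        for p in user.get("UserPolicyList", []):
            cmds.append(f"# review inline policy {p['PolicyName']} on user {name}: "
                        f"re-create it on a group with put-group-policy, then run "
                        f"aws iam delete-user-policy --user-name {name} "
                        f"--policy-name {p['PolicyName']}")
    return cmds


if __name__ == "__main__":
    for user, policies in find_user_attached_policies(SAMPLE_AUTH_DETAILS).items():
        print(f"FINDING: user {user} has direct policies {policies}; "
              f"effective access {effective_policies(SAMPLE_AUTH_DETAILS, user)}")
    print("\n".join(remediation_commands(SAMPLE_AUTH_DETAILS, "Admins")))
```

Against a real account, replace `SAMPLE_AUTH_DETAILS` with the parsed JSON from `aws iam get-account-authorization-details`. The attach-to-group step is emitted before detach-from-user so the user never loses access mid-change; inline user policies are only flagged, because their document has to be copied onto the group (with `aws iam put-group-policy`) before `delete-user-policy` is safe.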
