사용자 관리 (Identity Management)

AWS가 제공하는 서비스들과 리소스에 대해 어떤 작업을 수행할 수 있는지를 사용자 별로 정의하고, 권한을 통제할 수 있는 기능과 관련된 영역입니다. 이 영역에 해당하는 AWS 보안 서비스들에는 다음과 같은 것들이 있습니다.

AWS IAM(Identity and Access Management)

사용자 별로 AWS 서비스들과 리소스에 대한 접근을 안전하게 통제(인증/인가)하는 기능을 제공합니다. AWS IAM을 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

IAM 및 AWS STS의 보안
AWS 서비스에 사용되는 작업, 리소스 및 조건 키
Welcome to the AWS Security Token Service API Reference
Welcome to the AWS IAM Access Analyzer
동영상 [AWS Summit Seoul 2018] - 클라우드 여정을 성공적으로 수행하기 위한 AWS IAM 활용 전략
동영상 [AWS Summit Seoul 2019] - IAM 정책을 잘 알아야 AWS 보안도 쉬워진다. 이것은 꼭 알고 가자!
External - Complete AWS IAM Reference
Support - Create Cloudwatch Event rule to notify me root user account was used
Support - 일시 중지된 AWS 계정 다시 활성화
Support - Why did I receive an "AccessDenied" or "Invalid information" error trying to assume a cross-account IAM role?
Solution - Automated Account Configuration
가이드 - Automatically rotate IAM user access keys
가이드 - Send a notification when an IAM user is created
GIT - CloudTracker - CloudTrail 로그 기반으로 한번도 사용 안한 권한에 대해 리포팅하는 툴
GIT - Principal Mapper - IAM User와 Role 간의 관계를 가시화
GIT - git-secrets - git에 AccessKeypair가 유출되었는지를 Scanning
GIT - Gitleaks - git에 AccessKeypair가 유출되었는지를 Scanning
GIT - cred_scanner - git에 AccessKeypair가 유출되었는지를 Scanning
GIT - SKYARK - IAM 특권 User를 식별하고 Cloudtrail상에 기록된 중요 IAM action들을 분석하는 툴
GIT - AWS KERBEROS STS - SAML IdP 기반으로 커베로스 인증하면 1시간 짜리 STS토큰이 발급되어 CLI를 이용할 수 있게 만들어 주는 스크립트 예제
GIT - List of AWS Service Principals
GIT - assume-aws-role
GIT - Aardvark
GIT - Repokid
GIT - BLESS - Bastion's Lambda Ephemeral SSH Service
GIT - iamlive
GIT - parliament - IAM 정책 구문오류 분석
Blog - Use YubiKey security key to sign into AWS Management Console with YubiKey for multi-factor authentication
Blog - Monitor and Notify on AWS Account Root User Activity
Blog - Setting permissions to enable accounts for upcoming AWS Regions - 신규 도입 리전에 대한 IAM 활성화/비활성화 기능을 설명하는 블로그
Blog - Create fine-grained session permissions using IAM managed policies
Blog - How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory
Blog - Introducing fine-grained IAM roles for service accounts
Blog - Working backward: From IAM policies and principal tags to standardized names and tags for your AWS resources
Blog - Create fine-grained session permissions using IAM managed policies
Blog - How to centralize and automate IAM policy creation in sandbox, development, and test environments
Blog - Automate analyzing your permissions using IAM access advisor APIs
Blog - Simplify granting access to your AWS resources by using tags on AWS IAM users and roles
Blog - Add Tags to Manage Your AWS IAM Users and Roles
Blog - Delegate permission management to developers by using IAM permissions boundaries
Blog - How to Rotate Access Keys for IAM Users
Blog - Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
Blog - Unit testing IAM policies across multiple accounts
Blog - AWS IAM introduces updated policy defaults for IAM user passwords
Blog - Easily control the naming of individual IAM role sessions
Blog - Enhance programmatic access for IAM users using a YubiKey for multi-factor authentication
Blog - New! Streamline existing IAM Access Analyzer findings using archive rules
Blog - How to automatically archive expected IAM Access Analyzer findings
Blog - New IAMCTL tool compares multiple IAM roles and policies
Blog - How to use trust policies with IAM roles
Blog - Techniques for writing least privilege IAM policies
Blog - Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service
Blog - Identify unused IAM roles and remove them confidently with the last used timestamp
Blog - How to scale your authorization needs by using attribute-based access control with S3
Blog - Validate access to your S3 buckets before deploying permissions changes with IAM Access Analyzer
Blog - Reset Your AWS Root Account’s Lost MFA Device Faster by Using the AWS Management Console
Blog - IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity
Blog - How to relate IAM role activity to corporate identity
Blog - How to use AWS IAM Access Analyzer API to automate detection of public access to AWS KMS keys
Blog - Review last accessed information to identify unused EC2, IAM, and Lambda permissions and tighten access for your IAM roles
Blog - How to implement SaaS tenant isolation with ABAC and AWS IAM
Blog - Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
Blog - IAM makes it easier for you to manage permissions for AWS services accessing your resources
Blog - How to use trust policies with IAM roles
Blog - Automate resolution for IAM Access Analyzer cross-account access findings on IAM roles
Blog - Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail
Blog - Managing temporary elevated access to your AWS environment
Blog - Journey to Adopt Cloud-Native Architecture Series: #4 – Governing Security at Scale and IAM Baselining
Blog - Managing temporary elevated access to your AWS environment
Blog - How Setting Up IAM Users and IAM Roles Can Help Keep Your Startup Secure
Blog - How to integrate AWS STS SourceIdentity with your identity provider
Blog - How to control access to AWS resources based on AWS account, OU, or organization
Blog - How to control access to AWS resources based on AWS account, OU, or organization
Blog - Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere
Blog - Eligible customers can now order a free MFA security key
Blog - How to centralize findings and automate deletion for unused IAM roles
Blog - Announcing an update to IAM role trust policy behavior

AWS Organizations

복수개의 AWS 어카운트들을 정책기반으로 관리할 수 있는 기능을 제공합니다. AWS Organization을 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

AWS Organizations의 보안
Security in AWS Account Management
Best Practice - AWS Multiple Account Security Strategy – 멀티 어카운트 환경을 효율적으로 관리하기 위한 모범사례 및 관리 전략
Best Practice - Establishing your best practice AWS environment
Support - AWS Organizations의 조직 간에 계정을 이동하려면 어떻게 해야 합니까?
Support - Amazon Web Services 계정은 어떻게 해지합니까?
동영상 [AWS Summit Seoul 2017] - 멀티 어카운트 환경의 보안과 가시성을 높이기 위한 전략
GIT - access-analyzer at master
Blog - New! Set permission guardrails confidently by using IAM access advisor to analyze service-last-accessed information for accounts in your AWS organization
Blog - How to Use Service Control Policies in AWS Organizations
Blog - An easier way to control access to AWS resources by using the AWS organization of IAM principals
Blog - How to use service control policies to set permission guardrails across accounts in your AWS Organization - SCP에 추가된 Resouce, NotAction, Condition에 대한 설명
Blog - Best Practices for Organizational Units with AWS Organizations
Blog - How to use AWS Organizations to simplify security at enormous scale
Blog - Building a Shared Account Structure Using AWS Organizations
Blog - Best practices for creating and managing sandbox accounts in AWS
Blog - Cost Reporting Based on AWS Organizations Account ID Tags
Blog - Simplifying permissions management at scale using tags in AWS Organizations
Blog - Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
Blog - How to perform automated incident response in a multi-account environment
Blog - Managing the account lifecycle in account-per-tenant SaaS environments on AWS
Blog - Update the alternate security contact across your AWS accounts for timely security notifications
Blog - Migrating accounts between AWS Organizations with consolidated billing to all features
Blog - Field Notes: Building Multi-Region and Multi-Account Tools with AWS Organizations
Blog - Securing resource tags used for authorization using a service control policy in AWS Organizations
Blog - Programmatically managing alternate contacts on member accounts with AWS Organizations
Blog - Implement AWS resource tagging strategy using AWS Tag Policies and Service Control Policies (SCPs)
Blog - Identity Guide – Preventive controls with AWS Identity – SCPs
Blog - AWS Organizations now provides a simple, scalable and more secure way to close your member accounts
Blog - Get more out of service control policies in a multi-account environment

AWS Resource Access Manager

멀티 어카운트 환경에서 어카운트 간 리소스 공유관리 기능을 제공합니다. Resource Access Manager를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

AWS RAM의 보안
동영상 - youtube - AWS RAM Console Demo
Blog - VPC sharing: A new approach to multiple accounts and VPC management
Blog - One to Many: Evolving VPC Design
Blog - Control VPC sharing in an AWS multi-account setup with service control policies

AWS IAM Identity Center(Single Sign-On)

AWS콘솔과 SAML 2.0을 지원하는 비지니스 애플리케이션들에 대한 중앙 관리형 싱글 사인 온(SSO)서비스를 제공합니다(IDP역할). AWS IAM Identity Center을 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

AWS Single Sign-On 의 보안
Welcome to the AWS SSO Identity Store API Reference Guide
Welcome to the AWS SSO OpenID Connect (OIDC) API Reference Guide
Welcome to the AWS SSO Portal API Reference Guide
Tutorial: Azure AD integration with AWS - Microsoft 싸이트, Azure AD와 AWS SSO 간 연계
동영상 [AWS Cloud 2018] - 인공지능 보안 위협 감지 서비스 Amazon GuardDuty를 포함한 AWS 보안 신규 기능 업데이트
동영상 [AWS Unboxing Online Seminar] - AWS Single Sign-On (SSO) 서비스 집중 탐구
동영상 [AWS] - Demo of AWS Single Sign-On (SSO) with Azure Active Directory
Blog - How to create and manage users within AWS Single Sign-On - AWS SSO의 AD그룹/사용자를 Organization에 맵핑/관리하는 방법을 안내
Blog - How to retrieve short-term credentials for CLI use with AWS Single Sign-on
Blog - AWS Single Sign-On integration with SAP Fiori in S/4HANA
Blog - Enabling federation with AWS Single Sign-On and Amazon Connect
Blog - How to enable secure access to Kibana using AWS Single Sign-On
Blog - The Next Evolution in AWS Single Sign-On - Azure AD와 AWS SSO 간의 연동
Blog - Enabling AWS Single Sign-On Service (SSO) Integration with Databricks Control Plane
Blog - Single Sign-On between Okta Universal Directory and AWS
Blog - How to use G Suite as an external identity provider for AWS SSO
Blog - On-Demand SCIM provisioning of Azure AD to AWS SSO with PowerShell
Blog - Get ready for upcoming changes in the AWS Single Sign-On user sign-in process
Blog - Onboarding Amazon SageMaker Studio with AWS SSO and Okta Universal Directory
EXT. Blog - AWS IAM Privilege Escalation – Methods and Mitigation
Blog - New – Attribute-Based Access Control with AWS Single Sign-On
Blog - How to bulk import users and groups from CSV into AWS SSO
Blog - How to delegate management of identity in AWS Single Sign-On
Blog - How AWS SSO Active Directory sync enhances AWS application experiences
Blog - Federate Amazon Redshift access with Microsoft Azure AD single sign-on
Blog - Using AWS SSO with Microsoft Azure AD to federate to AWS GovCloud (US)
Blog - Field Notes: Integrating Active Directory Federation Service with AWS Single Sign-On
Blog - Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
Blog - Federated Access to AWS Single Sign-On with CyberArk Workforce Identity
Blog - How to enable secure seamless single sign-on to Amazon EC2 Windows instances with AWS SSO
Blog - Authenticate AWS Client VPN users with AWS Single Sign-On
Blog - Use new account assignment APIs for AWS SSO to automate multi-account access
Blog - Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager
Blog - Integrating Dropbox with AWS SSO for governed file sharing in an AWS Control Tower environment
Blog - Field Notes: Integrating Active Directory Federation Service with AWS Single Sign-On
Blog - Securing AWS Accounts with Azure Active Directory Federation
Blog - Getting started with AWS SSO delegated administration
Blog - Scale your workforce access management with AWS IAM Identity Center (previously known as AWS SSO)
Blog - How to use customer managed policies in AWS IAM Identity Center for advanced use cases
Blog - Manage permission sets and account assignments in AWS IAM Identity Center with a CI/CD pipeline
Blog - Accelerate AWS IAM Identity Center (Successor to AWS Single Sign-On) Implementation using AWS Cloud Development Kit (AWS CDK)
Blog - Integrate AWS IAM Identity Center (successor to AWS Single Sign-On) with AWS Lake Formation fine-grained access controls
Blog - Announcing new AWS IAM Identity Center APIs to manage users and groups at scale

엔터프라이즈 고객들을 위해, AWS의 멀티 어카운트를 위한 각종 모범사례를 기반으로, 안전하고 Well-architected된 멀티 어카운트 환경을 자동으로 구성해 주는 서비스입니다. AWS Organization, Single Sign-On, Config, Service Catalog 등 멀티어카운트 환경을 효율적이고 확장성 있게 관리하는 데 필요한 각종 서비스들이 자동으로 구성됩니다. AWS Control Tower를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

Amazon Cognito

고객의 웹 및 모바일 애플리케이션 환경을 위한 사용자 등록, 인증, 접근제어 기능을 제공합니다. Amazon Cognito를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

Amazon Cognito의 보안
API - SetUICustomization - Cognito User Pool을 이용하는 빌트인 App의 인증 화면에 대한 Logo, CSS 커스터마이징 API
Authenticate Users Using an Application Load Balancer - ALB에서 OIDC나 Cognito User Pool을 이용하여 모든 요청자에 대해 인증하는 방법 안내
동영상 [AWS Summit Seoul 2018] - Serverless 개발에서의 인증 완벽 가이드
GIT - aws-cognito-apigw-angular-auth
GIT - AWS Lambda SAP OAuth Token Generator
GIT - Amazon Cognito sample application for Node.js
GIT - Amazon Cognito Sync Manager for JavaScript
GIT - Identity and Access Control for Custom Enterprise Applications - CUP와 OpenID, SAML, Social IDP 간의 연계 샘플
GIT - JWT 토큰을 이용한 빌트인 로그인과 애플리케이션간의 연동 과정에 대한 데모
GIT - Okta : Integrating IdP Sign In with Cognito
GIT - Angular Lib for OpenID Connect & OAuth2
GIT - cognito-learning: Learning how Cognito implements the OAuth flows
QucikStart - Cognito User Profiles Export Reference Architecture
Support - Okta를 Amazon Cognito 사용자 풀의 SAML 자격 증명 공급자로 설정하려면 어떻게 해야 합니까?
Support - Auth0을 Amazon Cognito 사용자 풀의 SAML 자격 증명 공급자로 설정하려면 어떻게 해야 합니까?
Support - Amazon Cognito 사용자 풀에서 SAML 자격 증명 공급자로서 AD FS를 설정하려면 어떻게 해야 합니까?
Support - OneLogin을 Amazon Cognito 사용자 풀의 SAML 자격 증명 공급자로 설정하려면 어떻게 해야 합니까?
Support - How can I decode and verify the signature of an Amazon Cognito JSON Web Token?
Support - How do I enable TOTP as a multi-factor authentication for Amazon Cognito user pools?
Support - Remember devices in an Amazon Cognito user pool
QuickStart - Amazon Cognito를 사용한 SaaS 자격 증명 및 격리
Solution - Multi-Region User Pools - 멀티 리전상에서 Cognito를 구성하는 CFN 템플릿
Solution - Cognito User Profiles Export Reference Architecture
가이드 - Access AWS services from an ASP.NET Core app using Amazon Cognito identity pools
Blog - How to Set Up Player Authentication with Amazon Cognito
Blog - Implementing passwordless email authentication with Amazon Cognito
Blog - Understanding Amazon Cognito user pool OAuth 2.0 grants
Blog - Building ADFS Federation for your Web App using Amazon Cognito User Pools
Blog - Serverless File Upload with AWS Cognito and S3
Blog - AWS Cognito User Pool Access Token Invalidation
Blog - Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway
Blog - Now generally available: Amazon Cognito Authentication Extension Library
Blog - Migrating Users to Amazon Cognito User Pools
Blog - Simplify Login with Application Load Balancer Built-in Authentication - ALB 사용자 인증 기능에 대한 데모 싸이트 및 기능 구성을 설명
Blog - Use Amazon QuickSight Federated Single Sign-On with Amazon Cognito User Pools - API G/W, Lambda를 이용하여 Cognito User Pool과 QuickSight간 SAML2.0 기반 SSO연동을 설명하는 블로그
Blog - Role-based access control using Amazon Cognito and an external identity provider
Blog - How to configure Duo multi-factor authentication with Amazon Cognito
Ext. Blog - Setup AWS Cognito User Pool with an Azure AD identity provider to perform single sign-on (SSO) authentication in mobile app (Part 1)
Ext. Blog - Cognito Wiki
Blog - How to implement password-less authentication with Amazon Cognito and WebAuthn
Blog - How to add authentication to a single-page web application with Amazon Cognito OAuth2 implementation
Blog - Managing SaaS Identity Through Custom Attributes and Amazon Cognito
이제 Amazon Cognito에서 Amazon SNS에서 SMS Sandbox를 지원합니다
Blog - Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM
Blog - How to Use Cognito Pre-Token Generation trigger to Customize Claims In ID Tokens
Blog - Implementing passwordless email authentication with Amazon Cognito
Blog - Protect public clients for Amazon Cognito by using an Amazon CloudFront proxy
Blog - How to set case sensitivity in the Amazon Cognito console
Blog - Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda
Blog - How to set up Amazon Cognito for federated authentication using Azure AD
Blog - Extending Amazon Cognito with Email OTP for 2FA using Amazon SES
Blog - How to set up Amazon Cognito for federated authentication using Azure AD
Blog - Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda
Blob - Tracking and Remembering Devices Using Amazon Cognito Your User Pools
Blog - Understanding Amazon Cognito user pool OAuth 2.0 grants
Blog - Enriching Amazon Cognito features with an Amazon API Gateway proxy
Blog - Amazon Cognito launches support for in-Region integration with Amazon SES and Amazon SNS
Blog - Use Amazon Cognito to add claims to an identity token for fine-grained authorization
Blog - Web application access control patterns using AWS services

AWS Directory Service

AWS가 제공하는 관리형 MS Active Directory 환경을 제공합니다. AWS Directory Service를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

사용자 관리와 관련된 기타 유용한 링크들

AWS 보안 자격 증명
AWS 계정 루트 사용자 자격 증명과 IAM 사용자 자격 증명의 비교
AWS 계정 루트 사용자 자격 증명이 필요한 AWS 작업
보안 자격 증명 이해 및 가져오기
AWS 계정 식별자
AWS 액세스 키 관리를 위한 모범 사례
AWS 계정 루트 사용자 사용자의 액세스 키 관리
Best Practice - AWS Secure Initial Account Setup – AWS 어카운트를 최초 생성했을때 체크하거나 고려해야 될 여러가지 보안 설정, 기능들에 대한 소개
AWS 리전 관리
Support - 내 계정을 다른 사람 또는 기업에 양도하려면 어떻게 해야 합니까?
Support - AWS 계정에서 무단 활동이 발견되면 어떻게 해야 합니까?
Real-Time Insights on AWS Account Activity – CloudTrail상의 콘솔 로그인 이벤트들을 바탕으로 각종 통계치와 비정상적인 이벤트들을 추출하여 대쉬보드로 보여주는 템플릿
AWS Best Practice: Azure AD SAML Authentication Configuration for AWS Console - 외부 싸이트, Azure AD와 AWS 콘솔간 SAML 기반 인증 연계 방법
AWS Landing Zone - AWS가 권장하는 모범사례 기반으로 안전한 멀티 어카운트 환경을 구성하기 위한 솔루션을 소개
GIT - terraform-aws-secure-baseline - CIS Benchmark 1.2 기준이 적용된 AWS account 환경을 만들어 주는 테라폼
GIT - AWS Secure Environment Accelerator
Centrify : Adding and configuring a Custom SAML application - 외부 문서
G-Suite : Set up your own custom SAML application - 외부 문서
PING Identity : Add or update a SAML application - 외부 문서
Blog - How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory
Blog - Zero Trust architectures: An AWS perspective
Blog - Approaches for authenticating external applications in a machine-to-machine scenario
Blog - Essential security for everyone: Building a secure AWS foundation
Blog - Automatically tag new AWS resources based on identity or role
Blog - How to think about Zero Trust architectures on AWS
Blog - Defining an AWS Multi-Account Strategy for a Digital Bank
Blog - Enhance programmatic access for IAM users using a YubiKey for multi-factor authentication
Blog - Top 10 security items to improve in your AWS account
Blog - Essential security for everyone: Building a secure AWS foundation
Blog - How UnitedHealth Group Improved Disaster Recovery for Machine-to-Machine Authentication
Blog - Establishing a data perimeter on AWS

Remarks

이 사이트의 모든 내용은 바뀌거나 수정될 수 있습니다.
공식적인 상세한 내용은 http://aws.amazon.com 의 내용을 참조하십시오.
제공되는 내용에 이견이 있거나 잘못된 링크를 발견하시면, 관리자(gisunlim@amazon.com)에게 메일을 주시면 대단히 감사하겠습니다.

x