Why and How to Secure Access to AWS with Identity Management

February 5, 2018

How secure is your user access to AWS infrastructure and workloads? Security to protect every user’s access to apps, endpoints and infrastructure when moving to the cloud is a hot topic. AWS’ shared responsibility model means that security and compliance is just that, shared between AWS and the customer. While AWS takes case of operating, managing, and controlling the host operating system and virtualization layer, as well as the physical security of the cloud in the AWS GovCloud, your agency or department is responsible for securing its operating systems, platforms, and data “in” the cloud.

A key part of the customer’s responsibility in this shared model is identity and access management. Securing access to your agency’s AWS account, secure access to EC2 instances and secure access to existing on-premises infrastructure are critical steps in any migration to AWS.

It was a hot topic at the 2017 AWS re:Invent conference in Las Vegas late last year which attracted over 50,000 attendees. It was no surprise, therefore, that DLT partner, Centrify, announced an advanced-tier partnership with AWS and the availability of Centrify Identity Services through the AWS Marketplace.

Jason Chow, a Senior Manager of Technical Product Marketing at Centrify breaks down what securing an AWS infrastructure using an identity-centric approach in his blog: The Emerging Importance of Securing Access to AWS.

Here’s a summary:

Securing the AWS Root Account

A root account is built-in to every AWS account and provides single sign-in identity for privileged access to all AWS services and billing in the account. A root account is not used for everyday tasks even administrative ones, in these instances AWS recommends using identity access management (IAM) policies for role-based access to your AWS services. Centrify works to secure the AWS root account by vaulting the AWS root account. This improves security and promotes accountability with detailed audit trails of every checkout and helps with the centralized management of AWS accounts.

Federated Access to the AWS Management Console

Disjointed identity silos are a by-product of the explosion of cloud services. Organizations find they must manage 20+ different identities per user. But with federation, authentication and policy enforcement of cloud services is centralized to any master directory of your choosing, such as Active Directory.

This provides single sign-on (SSO) access to all resources for end users and centralized ID management, authentication and policy enforcement for administrators.  In addition, Centrify enhances AWS SSO with a zero trust approach to govern access to agency resources, such as applications, endpoints, and infrastructure, based on the legitimacy of the user.

Identity Consolidation and Privilege Access Management for EC2

As you migrate on-premises workloads to AWS, you must also extend authentication to EC2 instances from their existing on-prem directory service. Centrify makes this easy by brokering identities from your choice of directory services – Active Directory, LDAP, or Google. By securing shared account and remote access and granting just enough privilege and auditing all activity across Windows and Linux.

Why Centrify is Unique

You have many choices to secure cloud applications with identity access management, but Centrify is the only one that addresses all three of the above use cases in an integrated platform. Contact us today to learn more, call 1-800-262-4DLT or email: cybersecurity-team@www.dlt.com.