I'm considering AWS IAM vs usual ACL (django-guardian, passport.js, ...) to manage permissions and monitor the costs per user on my current project.
I wonder if IAM can be used to manage authorization of the application users, or if it is only aimed at the developer team?
Are there some examples of people using it this way on a regular basis?
Is it a good practice ?
Will there be some caveats or hard limitations? (if you've experience it)
I already found this 2-year-old answer: Should you use AWS IAM roles and permission for application users? but it lacked feedback from real experience on this question.
You can use AWS Cognito UserPools with Users and Groups feature to handle both authentication and authorization of your web application.
For more information, refer to the Amazon Cognito Groups and Fine-Grained Role-Based Access Control blog post by AWS.
IAM is mainly built to provide authentication and authorization to AWS services, not for web applications. Because of this, it will become challenging to use IAM for web application authentication and authorization.
I recommend AWS Cognito instead.
IAM is suited better for developers and applications/services.
I'm using the text-to-speech API on Google Cloud. I'm used to service accounts, roles or API keys on GCP, but I feel lost with this API and don't understand how I can set the permission to access this API.
The API forbids anonymous calls, but I tried to create a service account with no specific permission, and it can access the API. Does this API only have project-level permission (API enabled or not)? How can I set which account can access the API?
In Google Cloud Platform the restriction works the other way around from what you described: you create Service Accounts and you limit which resources they can access. Please see the documents Understanding service accounts and Service accounts to learn more, and specifically Permissions for service accounts to learn how to restrict permissions on your Service Accounts.
In addition to the above, this API Console Help document contains best practices and further information on API security.
I've tried reading different guides and documentation about Azure users and roles, but nothing looks similar to IAM on AWS.
Where I can limit users to use only certain services in the Azure console/portal?
Could someone provide me with a link to the relevant documentation or describe to me a way to do this (if it is possible to do)?
Thanks for everyone's time, by the way.
Azure provides this functionality through Role Based Access Control (RBAC). Using RBAC, you can provide granular permissions to users, groups or applications (also known as Service Principals) in your Azure AD. Azure provides a number of built-in roles that cover a variety of scenarios. It also provides you the ability to create custom roles if a built-in role does not suit your requirements.
You can learn more about RBAC here: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview.
Azure Portal provides a comprehensive user experience for managing RBAC. You can learn more about it here: https://learn.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal.
From AWS docs:
When to Create an IAM User (Instead of a Role)
...
- You want to use the command-line interface (CLI) to work with AWS.
When to Create an IAM Role (Instead of a User)
- You're creating an application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance and that application makes requests to AWS.
- You're creating an app that runs on a mobile phone and that makes requests to AWS.
- Users in your company are authenticated in your corporate network and want to be able to use AWS without having to sign in again—that is, you want to allow users to federate into AWS.
But it seems like companies heavily use roles for everything:
- Roles for groups, by creating roles with specific policies and creating custom policies to apply to groups.
- Assume role to use the CLI.
- Switch role to use different accounts.
Is that excessive, or a real-world solution?
Based on my own experience with AWS, heavily using roles is a real-world solution because, in my company, we use only roles to give access to users (yes, we have 0 users registered in our AWS environments). I'll list the reasons why we chose this way:
We are using AWS Control Tower.
This service enables AWS Organizations with at least 3 AWS accounts to manage your organization. It'd be a mess if we had to create a user for each AWS account. Also, AWS Control Tower enables AWS Single Sign-On.
We're using AWS Single Sign-On.
This service correlates multiple AWS accounts with multiple roles and multiple users. Description:
AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. With just a few clicks, you can enable a highly available SSO service without the upfront investment and on-going maintenance costs of operating your own SSO infrastructure. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. Your users simply sign in to a user portal with credentials they configure in AWS SSO or using their existing corporate credentials to access all their assigned accounts and applications from one place.
Please, check out some features offered by this service. There are a lot of benefits using roles instead of users. In my point of view, with AWS SSO, AWS itself facilitates the use of roles.
The only disadvantage I found is that every time I need to use the AWS CLI, I need to access the AWS SSO portal, copy the credentials and paste them into my terminal, because the credentials expire after some time. But in the end, this disadvantage is small compared to the security that this process offers: if my computer is stolen, the AWS CLI couldn't be used because of the credential expiration.
After quite a battle I have written a testing desktop app that allows a user to authenticate with AWS Cognito. I can allow AWS to handle the authentication, password storage, etc. This solves some issues - why reinvent the wheel?
Now my question is: I have various resources in the app that need granular permissions. How would I use Cognito to control access to non-AWS resources in my app?
I would recommend using a custom attribute since you mentioned non-AWS services. Create an attribute named custom:role with a value of ROLE_USER, ROLE_ADMIN and so on.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes
Once they are authenticated in the app, you can control their permissions by decoding the custom attribute. This tutorial is more for permissions with AWS services in a SaaS multi-tenant approach. However, I found it extremely useful to learn from.
https://aws-quickstart.s3.amazonaws.com/saas-identity-cognito/doc/saas-identity-and-isolation-with-cognito-on-the-aws-cloud.pdf
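As an added example (not code from the answer above or from AWS), here is how an application might turn the custom:role attribute into permissions on its own resources. It assumes the ID token's signature has already been verified against the user pool's JWKS, and the pool id, app client id, role names and permission names are placeholders.

```python
import time

# Placeholder pool and app client ids (assumptions, not real values).
USER_POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "example-app-client-id"

# Application-side mapping from the custom:role attribute to permissions on
# the app's own (non-AWS) resources; the names here are made up.
ROLE_PERMISSIONS = {
    "ROLE_USER": {"report:read"},
    "ROLE_ADMIN": {"report:read", "report:write", "user:manage"},
}

def permissions_from_claims(claims, now=None):
    """Return the permission set for a Cognito ID token payload.

    `claims` is the decoded payload AFTER the JWT signature has been verified
    against the user pool's JWKS (not shown here). The role value is only
    trustworthy if the app client has no write permission on custom:role;
    otherwise a user could change it themselves via UpdateUserAttributes.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != USER_POOL_ISS:
        raise ValueError("token issued by a different user pool")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token issued for a different app client")
    if claims.get("token_use") != "id":
        raise ValueError("custom attributes are only carried in ID tokens")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    role = claims.get("custom:role")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown or missing role: {role!r}")
    return set(ROLE_PERMISSIONS[role])

def is_allowed(claims, permission, now=None):
    """Deny by default: any validation failure means no access."""
    try:
        return permission in permissions_from_claims(claims, now)
    except ValueError:
        return False

# Constructed sample payloads (not captured from a real user pool).
NOW = 1_700_000_000
ADMIN_CLAIMS = {"iss": USER_POOL_ISS, "aud": APP_CLIENT_ID, "token_use": "id",
                "exp": NOW + 3600, "sub": "admin-uuid", "custom:role": "ROLE_ADMIN"}
USER_CLAIMS = dict(ADMIN_CLAIMS, sub="user-uuid", **{"custom:role": "ROLE_USER"})
```

Access tokens do not carry custom attributes, so the check deliberately rejects them instead of falling through to an empty role.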
I'm doing some analysis for a customer regarding multiple end-user applications they run. Right now, both have separate user databases and they now want to provide an SSO experience.
They threw out a bunch of SSO providers, specifically the new AWS SSO service. From reading about AWS SSO, my question is: AWS SSO seems more applicable for managing internal users for a company (i.e. using the same credentials for JIRA, SharePoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.
Is my understanding of the purpose of AWS SSO correct? Like, I'm sure AWS SSO could work with end-user clients, but is that the applicable use case here? Is there a better SSO provider in this case to deal with SSO for end users?
Definitely, it is not a good choice for end-users.
This is the entry splash in the AWS Console:
Before you can start managing SSO access to your AWS accounts, you must go to the AWS Organizations console and create an organization with All features enabled. For more information, see AWS SSO Prerequisites
Look at this part of the splash from the AWS Console:
AWS Organizations console and create an organization
That phrase explains what target it was created for. So you're right:
AWS SSO seems more applicable for managing internal users for a company (i.e. using the same credentials for JIRA, SharePoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.
I recommend you use AWS Cognito for single sign-on.
Using Cognito you will have a few challenges:
The problem would be passing a token (with an expiry value) from site A to B securely. There is no built-in SSO facility provided by Cognito. You would have to manage the encryption, storage and transfer of tokens yourself. Reference: How to use AWS Cognito as Single-sign-on?
Take a look at this post:
Use Amazon QuickSight Federated Single Sign-On with Amazon Cognito User Pools
Hope this gives you a little more information to accomplish your scenario.