Cloud Computing Advanced

AWS Security

AWS IAM Security & Workload Role Authorization

Identity and Access Management (IAM) is the central gatekeeper of AWS resources. Security practices mandate the **Principle of Least Privilege**, meaning users and services get only the minimum permissions necessary to perform their roles.

IAM Authentication Matrix:
  • IAM Users & Groups: Assigned to human operators. Group policies consolidate permissions, while Multi-Factor Authentication (MFA) protects logins.
  • IAM Roles: Attached to services (like EC2) or assumed by external identities via the AWS Security Token Service (STS), generating temporary credentials valid for 1 hour.
  • Access Keys: Static credential keys (Access Key ID and Secret Access Key). Extremely dangerous if leaked; must be rotated every 90 days.

AWS KMS & Secrets Manager Key Protection

Securing database passwords, API tokens, and certificate keys requires dedicated cryptographic vaults. Never hardcode such secrets in environment files or source code committed to a repository.

**AWS Key Management Service (KMS)** manages the symmetric and asymmetric keys used to encrypt EBS volumes, S3 buckets, and RDS instances. **AWS Secrets Manager** works in tandem with KMS to store database credentials securely, featuring built-in Lambda functions that automatically rotate the stored credentials at set intervals.

Interactive Pipeline: IAM Role Assumption via Security Token Service (STS)

Observe how contractors or third-party tools authenticate securely using IAM Roles. Instead of relying on static credential files, they call the AWS STS AssumeRole API, which validates MFA before issuing temporary credentials.

Pipeline T: STS Role Assumption Flow
  • Client – Invoke API: the caller requests `sts:AssumeRole` and supplies its MFA code.
  • Validate – STS Auth Check: STS verifies the role's trust relationship (who may assume it, and under which conditions).
  • Credentials – Token Dispatch: STS generates temporary session keys (1h).
  • Authorized – Access Granted: the session is used to authorize S3/EC2 actions permitted by the role's policies.
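The "Validate" step depends entirely on the role's trust policy. As an added example (not part of the original page), the following stdlib-only Python audits a trust policy document for the two weaknesses that undermine this flow: a wildcard principal and a missing `aws:MultiFactorAuthPresent` condition. Both policies are constructed samples; the account ID and user name are placeholders.

```python
import json

# Constructed sample: any AWS principal may assume the role, and no MFA is required.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: a single named principal (placeholder account/user) and MFA enforced.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/contractor"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json):
    """Return a list of findings for every Allow statement granting sts:AssumeRole."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        # Principal is either the string "*" or a map such as {"AWS": [...]}.
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else [
            p for v in principal.values() for p in _as_list(v)]
        if "*" in principals:
            findings.append("wildcard principal: any AWS account can attempt to assume this role")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no aws:MultiFactorAuthPresent condition: role can be assumed without MFA")
    return findings
```

The same function can be run over each role's `AssumeRolePolicyDocument` as returned by the IAM API to find roles that skip the MFA check.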

Python boto3 KMS Decryption Script

Below is a Python script using the AWS SDK (`boto3`) to fetch a database password from Secrets Manager. Secrets Manager decrypts the value with its KMS key on the service side, and the call is authenticated with the temporary credentials of the IAM role attached to the VM's instance profile, so no access keys appear in the code:

```python
import boto3
from botocore.exceptions import ClientError


def get_database_secret():
    secret_name = "prod-db-password"
    region_name = "us-east-1"

    # No keys are embedded here: boto3 picks up the temporary credentials
    # of the IAM role attached to the instance (the instance profile).
    session = boto3.session.Session()
    client = session.client(service_name="secretsmanager", region_name=region_name)

    try:
        # Secrets Manager decrypts the stored value with its KMS key on the
        # service side; the caller only needs permission to read the secret
        # and never handles the encryption key itself.
        get_secret_value_response = client.get_secret_value(SecretId=secret_name)
    except ClientError:
        # Surface the failure (access denied, secret not found, ...) to the caller.
        raise

    # Plaintext payload; secrets stored as binary arrive in 'SecretBinary' instead.
    secret = get_secret_value_response["SecretString"]
    return secret
```