🏇 Starting in a few minutes: "Building for the future with @AWSIdentity Services" with Karen Haberkorn, Director of Product Management for AWS Identity 💫 I'll be tweeting the highlights. @AWSIdentity @AWSSecurityInfo #reInforce
1/ Building for the future with @AWSIdentity Services: Karen notes our exceptional year - not just for humans, but also for companies, who have shifted to accommodate remote work; a shift to remote identities and their access controls. @AWSIdentity @AWSSecurityInfo #reInforce
3/ "ZT is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters." @AWSIdentity @AWSSecurityInfo #reInforce
5/ Karen: We know we have to securely manage identities, resources, and permissions to move towards ZT.
6/ AWS provides the foundation for this through scale (400M requests per second for #AWSIAM!) and with a breadth of functionality - attribute-based access control, access analysis, integration with AWS services & partners. @AWSIdentity @AWSSecurityInfo #reInforce
7/ Now Karen is moving on to how we can use AWS to help create this identity & access management foundation.
8/ Organizing your AWS environment: use your AWS account as a security boundary for your apps. Structure your accounts with AWS Organizations. Check out AWS Control Tower. All this to help you govern centrally! @AWSIdentity @AWSSecurityInfo #reInforce
9/ There's a white paper on organizing your AWS environment: docs.aws.amazon.com/whitepapers/la… @AWSIdentity @AWSSecurityInfo #reInforce
10/ Centralizing identity management: "Come as you are" - not just a Nirvana song, it's also AWS's identity philosophy. @AWSIdentity @AWSSecurityInfo #reInforce
11/ AWS will let you use the identities you already have whether they're on-prem, in AWS, or with an AWS partner. That's what #AWSSSO is about. @AWSIdentity @AWSSecurityInfo #reInforce
12/ 📝 Reminder from Karen: You can use #AWSSSO along with what you use already. Integrate it with your existing IdP. Or use it with your existing way of accessing AWS. Many options to get started - your choice! @AWSIdentity @AWSSecurityInfo #reInforce
13/ Establishing a data perimeter: What's this? It's a "set of preventative guardrails that ensures that access to trusted resources is restricted to trusted identities from expected network locations". @AWSIdentity @AWSSecurityInfo #reInforce
14/ How do you put one together? With these components: service control policies, VPC endpoint policies, and resource-based policies. And more to come! [I'm guessing that this means more goodies in the future for us!] @AWSIdentity @AWSSecurityInfo #reInforce
15/ The last foundational component - the Journey to Least Privilege. @AWSIdentity @AWSSecurityInfo #reInforce
16/ SET permissions by using Access Analyzer to generate policies from your access activity. And you can do this through your org's CloudTrail logs! And validate your policies with the new policy validation feature. @AWSIdentity #reInforce
17/ VERIFY your proposed permissions with AA's policy preview. And this integrates with Security Hub. aws.amazon.com/about-aws/what… @AWSIdentity @AWSSecurityInfo #reInforce
18/ Finally, REFINE your permissions with the action last accessed feature, which tells you what AWS services were last used so that you can pare down your policies. And there's more investment & automation to come in this area. @AWSIdentity @AWSSecurityInfo #reInforce
19/ Now @bjohnso5y, Sr. SDM @AWSIdentity and Jesse Fuchs, Sr. Security Solutions Architect join the convo with Karen about identity and access!
20/ Many companies had to change due to the past year. AWS has seen this reflected in customers' AWS Cognito usage. Another customer pivoted to implementing a new mobile drink dispenser solution.
21/ Data perimeters: Jesse sees customers implementing more ZT-relevant services & protocols - higher usage of OAuth, API Gateway. Brigid: we're seeing a blend of identity centric, network centric controls as holistic data perimeters. @AWSIdentity @AWSSecurityInfo #reInforce
22/ The least-privilege journey - Brigid's been in the permissions space for years! It was common for central security teams to create IAM policies. Then they needed to delegate policy creation to developers for more agility. Customers realize this is a process.
23/ AWS is moving towards having policy creation and validation earlier in the development cycle to help the dev process. IAM's policy validation feature now has hundreds of checks, and customers are putting this in their dev pipelines! @AWSIdentity @AWSSecurityInfo #reInforce
24/ @bjohnso5y welcomes your suggestions for new additional policy validation checks! (This is your opportunity to ping her, go for it!) @AWSIdentity @AWSSecurityInfo #reInforce
25/ AWS will keep on iterating for all these validation and last access checks. For example, as of last week IAM Access Analyzer can now point to your Organization's trail - a central log aggregated from all your org's accounts. @AWSIdentity @AWSSecurityInfo #reInforce
26/ #AWSSSO allows you to update your permission sets centrally, propagating policies to all targeted accounts. #AWSIAM has role last used info to help you know if you need those extra roles in your accounts. All this helps you organize your perms in AWS. @AWSIdentity #reInforce
27/ Tips for our customers? Continually get educated on the different policy types! docs.aws.amazon.com/IAM/latest/Use… @AWSIdentity @AWSSecurityInfo #reInforce
28/ Tip #2: Make trimming down permissions part of your culture, and do this with automation! @AWSIdentity @AWSSecurityInfo #reInforce
29/ That's a wrap for "Building for the future with @AWSIdentity Services"! Thanks for checking in to this tweet thread.
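As an added illustration of the three data perimeter components named in the thread above (this is not from the talk and not AWS's own reference policies), here are the three layers side by side: an SCP that stops identities in your org from reaching S3 resources outside it, a VPC endpoint policy that lets only principals from your org use the endpoint, and a bucket policy that accepts requests only via that endpoint. The org ID, endpoint ID and bucket name are placeholders.

```json
{
  "ServiceControlPolicy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "DenyS3ToResourcesOutsideOrg",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": { "aws:ResourceOrgID": "o-PLACEHOLDER" }
      }
    }]
  },
  "VpcEndpointPolicy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "AllowOnlyOrgPrincipalsThroughEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-PLACEHOLDER" }
      }
    }]
  },
  "BucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "DenyRequestsNotFromExpectedEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-bucket",
        "arn:aws:s3:::PLACEHOLDER-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-PLACEHOLDER" }
      }
    }]
  }
}
```

A Deny whose condition uses StringNotEquals also matches requests where the key is absent, so the bucket policy as written also blocks console and other non-endpoint access; add an explicit exception for the administrative principals you rely on before applying it, and test each layer with Access Analyzer's policy preview first.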
