Well, I've got some time. Who has #security or #aws #cloud questions?

@DMEdwards
Why does AWS charge for some of the services that help users keep their accounts secure? Surely this would be something that AWS wants for all customers.

I'm about to turn off one of them across my personal accounts for cost savings.

@esh I am not involved in pricing decisions. I should have been more clear that I was offering technical help. 😁
@DMEdwards
Got it 😄 but feel free to pass on a customer's concern.
@esh I’ll be happy to relay the message. Can you please send me the services you are concerned about? My email is [email protected]

@DMEdwards
heh. That's another challenge with the security services at AWS. It feels like there are a number of closely related services that all do similar things, and I can't keep them straight in my brain.

I went into my bill again and I can't remember if it was AWS GuardDuty, or AWS Detective, or if I was thinking about the fact that AWS Trusted Advisor only shows some checks to accounts with paid support plans.

#aws

@DMEdwards
Found it! AWS SecurityHub is costing me over $60/year, and I couldn't tell you what it does off the top of my head.

#aws

@esh Think of AWS Security Hub as being an aggregation engine for information that comes out of services like Amazon Macie, Amazon GuardDuty, and AWS Config, plus automated assessments for following best practices and guidance from frameworks like PCI and CIS.

@DMEdwards
So I'm paying for an AWS service that is designed to help overcome usage issues with other AWS services. It kind of makes sense given how AWS teams are organized and run, but as a customer it's a bit frustrating.

Note: This may be coming across as an attack, but I'm a huge fan of AWS. I'm just open with sharing about areas where I get confused and where I see room for improvement. Sometimes those things get improved.

#aws

@esh We love hearing that feedback! A large part of my job is asking for this kind of feedback and making it actionable for our service teams. One area we are investing heavily in is improving the quality of information that comes out of alerting and monitoring services. Not every alert is important to every customer, so sometimes it does require some tuning.

@DMEdwards
I currently sign in to AWS with an IAM user that has no permissions except to assume (cross-account) roles, all of which require MFA.

Should I switch to a different method of authenticating myself within AWS? Is there something newly released that I should take a deeper look at for this?

#aws #security #identity #authentication

@esh In general, IAM Identity Center is the future of workforce identity (human access to AWS accounts). A large part of the reason for that is that most customers benefit from having multiple AWS accounts grouped into an AWS Organization. For details on why a multi-account strategy is often the right way to go (plus information on how to organize it), I recommend looking at the multi-account strategy whitepaper:

https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html

Organizing Your AWS Environment Using Multiple Accounts

Using multiple AWS accounts to help isolate and manage your business applications and data can help you optimize across most of the AWS Well-Architected Framework pillars including operational excellence, security, reliability, and cost optimization. This paper provides best practices for organizing your overall AWS environment. The extent to which you use these best practices depends on your stage of the cloud adoption journey and your specific business needs.

@esh One benefit of IAM Identity Center is that it creates the roles for you across all of those accounts.

@DMEdwards
I'm sold on the multi-account approach. I have 41 accounts in my personal AWS Organization. I create a new one for each project or exploration.

Each account has an "admin" role, and my IAM user has permission to assume "admin" in any account.
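The setup described above (an IAM user whose only permission is sts:AssumeRole on a per-account "admin" role, with every role requiring MFA) comes down to two policy documents. The following is an added example written for this thread, not code from either participant or from AWS: it builds both documents with constructed placeholder account ids and adds a small audit function that flags trust policies which do not strictly require MFA. The audit treats a `BoolIfExists` condition as insufficient, because AWS documents that the `aws:MultiFactorAuthPresent` key is absent from requests made with long-term credentials, so "if exists" would let such requests through.

```python
"""Cross-account 'admin' role that can only be assumed with MFA, plus an audit
that flags trust policies missing a strict MFA condition.

Constructed example: the account ids and role name are placeholders."""
import json

# Constructed placeholder ids (not real accounts).
IDENTITY_ACCOUNT = "111111111111"            # account holding the IAM user
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]
ROLE_NAME = "admin"
MFA_KEY = "aws:MultiFactorAuthPresent"


def admin_role_trust_policy(identity_account: str) -> dict:
    """Trust policy for the member-account 'admin' role: only principals from the
    identity account may assume it, and only when they authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{identity_account}:root"},
            "Action": "sts:AssumeRole",
            # Strict Bool: the key must be present AND true.
            "Condition": {"Bool": {MFA_KEY: "true"}},
        }],
    }


def user_assume_role_policy(member_accounts, role_name: str) -> dict:
    """Permission policy for the IAM user: nothing except sts:AssumeRole on the
    admin role in each member account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in member_accounts],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_requires_mfa(trust_policy: dict) -> bool:
    """True only if every Allow statement that grants sts:AssumeRole carries a
    strict Bool aws:MultiFactorAuthPresent = true condition. BoolIfExists is
    deliberately not accepted (see lead-in)."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        strict = stmt.get("Condition", {}).get("Bool", {})
        if str(strict.get(MFA_KEY, "")).lower() != "true":
            return False
    return True


def roles_without_mfa(trust_policies: dict) -> list:
    """Audit helper: given {role_arn: trust_policy}, return the role ARNs whose
    trust policy does not strictly require MFA."""
    return sorted(arn for arn, pol in trust_policies.items()
                  if not trust_policy_requires_mfa(pol))


if __name__ == "__main__":
    print(json.dumps(admin_role_trust_policy(IDENTITY_ACCOUNT), indent=2))
    print(json.dumps(user_assume_role_policy(MEMBER_ACCOUNTS, ROLE_NAME), indent=2))
```

In practice the audit input would come from `iam:GetRole` (the `AssumeRolePolicyDocument` field) for each account; feeding the returned documents to `roles_without_mfa` gives the list of roles that are assumable with nothing more than the user's long-term access key.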

@DMEdwards
Is it true that IAM Identity Center requires me to create a directory of some sort (e.g., Active Directory, Cognito User Pool)?

That seems overkill for a single user, or even a handful of users.

Are there intrinsic benefits of Identity Center that can be weighed against the extra cost, complexity, and risk?

#aws

@esh Not any more - IAM Identity Center now has its own identity store as one of the three options (Active Directory or a SAML-based Identity Provider are the other two).

With 41 accounts, it sounds like Identity Center would greatly simplify administration. It's a zero-cost service and works alongside whatever you have set up in IAM, so you might consider looking at it.

Here's a good primer video:

https://www.youtube.com/watch?v=TvQN4OdR_0Y

AWS re:Invent 2022 - Simplify your existing workforce access with IAM Identity Center (SEC207)

@DMEdwards @esh co-sign, you want to be using Identity Center, even as a single-human Org
@ben11kehoe @DMEdwards
On the one hand, I was hoping Ben would smell this conversation and enter to declare the truth. On the other hand, I was hoping that I could get away with my current setup for a while longer.

@DMEdwards
Let me know when office hours are over 🙂

Is the "IAM Identity Center delegated administrator account" different from the "delegated admin account for AWS Account Management"?

I'm a fan of the aws-cli and documenting what I do for repeatability, so I'm trying to see if I can designate a delegated account in the CLI.

(Every minute I spend trying to figure out things like this is one minute closer to giving up trying to use Identity Center for the day.)

#aws #identitycenter

Delegated administration - AWS IAM Identity Center (successor to AWS Single Sign-On)

Delegated administration provides a convenient way for assigned users in a registered member account to perform most IAM Identity Center administrative tasks. When you enable IAM Identity Center, your IAM Identity Center instance is created in the management account in AWS Organizations by default. This was originally designed this way so that IAM Identity Center can provision, de-provision, and update roles across all your organization's member accounts. Even though your IAM Identity Center instance must always reside in the management account, you can choose to delegate administration of IAM Identity Center to a member account in AWS Organizations, thereby extending the ability to manage IAM Identity Center from outside the management account.

@esh Oh, wait! I lie! Those are two different concepts.
@esh The "delegated admin account for AWS Account Management" is a separate thing from the Identity Center delegated administration account.
@esh The "delegated admin account for AWS Account Management" is a delegated administration account for AWS Organizations management, which is a separate thing from Identity Center management.
@esh The reason those are two separate things is that some large companies have different groups who manage Service Control Policies and workforce user access. Often it makes sense to delegate each of those administrative functions to different AWS accounts because they have automation built around Organizations and Identity Center and they don't want that automation to be built in the same AWS account.
@esh I reached out on LinkedIn - do you mind if I follow up with you on some of this stuff in the coming days? This is super important and I want to make sure I'm capturing all of your feedback well. It's a bit late here in Ireland, and I'm not on the top of my game at the moment. :)

@DMEdwards
Of course. You are also welcome to simply go live life and reply two days later. This is async.

Maybe we can get you into the AWS Heroes slack.

@esh I didn't know there was such an animal. I'll look into it tomorrow.
@DMEdwards
Thanks! I say one of my superpowers is that I am confused easily and completely willing to share when I get confused, but it's still nice to know it may be a little justified here.
@esh The GTM lead for Workforce Identity (Harvinder from that video) and I are working to improve all of the documentation and enablement materials, so this is really helpful and timely. Both of those delegated administrator accounts are the same thing. The basic idea is that instead of using the AWS Organizations management account (the top account of the Organization) you can designate another AWS account in the Organization to be the administration account for Identity Center.
@DMEdwards How can CloudFront users with limited budgets protect themselves against an attacker that causes a useless explosion of outbound traffic by requesting large responses thousands of times more often than legitimate users? I heard some of your competition allows users to set limited quotas on their CDNs, but I don't see a way to limit CloudFront quotas. #cloudfront

@jader Rate limiting per IP can be done through Rate-Based Rules in AWS Web Application Firewall (WAF), which can be associated with CloudFront distributions. There is a cost for using AWS WAF, so you will need to weigh that cost against the potential cost of excessive website use.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

Rate-based rule statement - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

The rate-based rule restricts incoming requests based on a count-per-5-minute limit for each originating IP address.
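To weigh the WAF cost against the egress cost, it helps to see what a rate-based rule would actually have blocked. The block below is an added example for this thread (not code from the participants or from AWS): it builds the WAFv2 rule structure for a per-IP rate limit, and replays constructed request log lines through the documented count-per-5-minute-per-IP logic so the threshold can be tuned offline. The limit of 1000, the IP addresses and the log format are constructed for the example; the real service evaluates its trailing window with some lag, so this is an approximation of its decisions, not a replica.

```python
"""AWS WAF rate-based rule for a CloudFront distribution, plus an offline replay
of the per-IP count-per-5-minute logic over constructed request logs.

Constructed example: limits, IPs and log lines are illustrative."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 300  # WAF rate-based rules count per 5-minute window


def rate_based_block_rule(limit: int, priority: int = 0) -> dict:
    """WAFv2 Rule object (as passed in --rules to create-web-acl / update-web-acl)
    that blocks any source IP exceeding `limit` requests per 5 minutes.
    For CloudFront the web ACL must be created with scope CLOUDFRONT in us-east-1."""
    return {
        "Name": "block-high-rate-ips",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit,
                                             "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockHighRateIPs"},
    }


def simulate_rate_rule(log_lines, limit: int) -> dict:
    """Replay lines of the constructed form '<iso-timestamp> <client-ip> <bytes>'
    through a per-IP trailing 5-minute counter. A request is blocked when the IP
    already has `limit` requests in the window; blocked requests still count
    toward the window, as the service does not stop counting blocked traffic."""
    events = []
    for line in log_lines:
        ts, ip, nbytes = line.split()
        events.append((datetime.fromisoformat(ts).timestamp(), ip, int(nbytes)))
    events.sort()

    windows = defaultdict(deque)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0,
                                 "bytes_served": 0, "bytes_saved": 0})
    for t, ip, nbytes in events:
        win = windows[ip]
        while win and win[0] <= t - WINDOW_SECONDS:   # drop requests outside window
            win.popleft()
        blocked = len(win) >= limit
        win.append(t)
        s = stats[ip]
        if blocked:
            s["blocked"] += 1
            s["bytes_saved"] += nbytes
        else:
            s["allowed"] += 1
            s["bytes_served"] += nbytes
    return dict(stats)


def constructed_log() -> list:
    """Constructed traffic: one IP fetching a 5 MiB object 2000 times in 5 minutes,
    two ordinary clients fetching it 20 times each over the same period."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    big = 5 * 1024 * 1024
    lines = [f"{(start + timedelta(seconds=i * 0.15)).isoformat()} 203.0.113.7 {big}"
             for i in range(2000)]
    for ip in ("198.51.100.5", "198.51.100.9"):
        lines += [f"{(start + timedelta(seconds=i * 10)).isoformat()} {ip} {big}"
                  for i in range(20)]
    return lines


if __name__ == "__main__":
    import json
    print(json.dumps(rate_based_block_rule(1000), indent=2))
    for ip, s in sorted(simulate_rate_rule(constructed_log(), 1000).items()):
        print(f"{ip:15} allowed={s['allowed']:5} blocked={s['blocked']:5} "
              f"egress_avoided={s['bytes_saved'] / 2**20:.0f} MiB")
```

Replaying real CloudFront standard logs (which carry the client IP and bytes sent per request) through `simulate_rate_rule` with a few candidate limits shows how much egress each threshold would have avoided without touching the two ordinary clients, which is the number to set against the WAF charge.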