Authentication and authorization (for example, SAML, Active Directory)

Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.

📘AWS Certified Advanced Networking – Specialty


1. What Are Authentication and Authorization?

  • Authentication: This is the process of verifying who you are.
    • Example in IT: When a user logs into the AWS Management Console or an application, AWS checks their identity.
    • Tools/standards:
      • IAM Users and Roles – AWS native identities.
      • SAML (Security Assertion Markup Language) – Lets users log in with corporate credentials.
      • Active Directory (AD) – Centralized directory for managing users and permissions.
  • Authorization: This is the process of deciding what you are allowed to do once you’re authenticated.
    • Example in IT: A developer can access the VPC logs but cannot delete a VPC.
    • Tools/standards:
      • IAM Policies – JSON documents that define permissions for users/roles.
      • Resource-based Policies – Permissions attached directly to resources like S3 buckets or VPC endpoints.

2. Why Authentication and Authorization Matter in Multi-Account & Multi-VPC Environments

In AWS networking, organizations often use multiple AWS accounts and VPCs for:

  • Isolation between environments (development, testing, production)
  • Security boundaries between business units
  • Regional expansion

Problem: How do you let users or services access resources across accounts and VPCs without giving full access everywhere?

Solution: Use federated authentication (SAML/AD) and fine-grained authorization (IAM and resource policies).


3. Authentication Across Multiple Accounts

3.1. IAM Roles with Cross-Account Access

  • You can create a role in Account B and allow a user from Account A to assume it.
  • Workflow:
    1. User in Account A logs in (authenticated).
    2. They request to assume a role in Account B.
    3. AWS checks trust policies (authorization) and gives temporary credentials.
  • Trust Policy Example (attached to the role in Account B; it trusts a specific user in Account A):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:user/DevUser"},
          "Action": "sts:AssumeRole"
        }
      ]
    }
  • Key Point for Exam: IAM Roles + STS are essential for secure cross-account authentication.

3.2. Federated Access with SAML or AD

  • Lets corporate users log in without creating AWS-specific accounts.
  • How it works:
    1. User logs in to corporate identity provider (IdP).
    2. IdP generates a SAML assertion.
    3. AWS validates the assertion and grants temporary access via IAM Role.
  • Exam Tip: Federated users don’t need long-term IAM credentials. Always prefer temporary credentials for security.
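As an added example (not part of the original notes), the Python below parses a constructed SAML assertion of the shape an IdP sends to AWS in step 2 and pulls out what AWS relies on in step 3: the audience, the validity window, the Role attribute pairs (role ARN, SAML provider ARN) and the RoleSessionName. The attribute names and the urn:amazon:webservices audience are the real values AWS expects; the account IDs, provider name, role names and timestamps are made up. It deliberately does not verify the XML signature, which AWS checks against the certificate registered on the IAM SAML provider; the point is to show what the assertion must carry before temporary role credentials are issued.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"                     # audience AWS requires
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"   # role ARN / provider ARN pairs
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample assertion: no Signature element; account ids, names and times are made up.
# The second Role value lists provider first to show that the pair order is normalised.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/NetworkAdmin,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::444455556666:saml-provider/CorpIdP,arn:aws:iam::444455556666:role/ReadOnlyAuditor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(ts):
    """Parse a SAML timestamp such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_aws_saml_assertion(xml_text, now_iso):
    """Extract the AWS-relevant parts of an assertion and evaluate it at time now_iso.

    Returns a dict with audience_ok, within_validity, roles (list of (role ARN, provider ARN))
    and session_name. Raises ValueError when a required element or attribute is missing.
    """
    now = _utc(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("root element is not saml:Assertion")
    conds = root.find("saml:Conditions", SAML_NS)
    if conds is None or conds.get("NotBefore") is None or conds.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks Conditions with NotBefore/NotOnOrAfter")
    within = _utc(conds.get("NotBefore")) <= now < _utc(conds.get("NotOnOrAfter"))
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]

    roles, session_name = [], None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = value.split(",")
                if len(parts) != 2:
                    raise ValueError("Role attribute value is not an ARN pair: %s" % value)
                # Normalise to (role ARN, provider ARN) whichever order the IdP emitted them.
                role_arn, provider_arn = sorted(parts, key=lambda p: ":saml-provider/" in p)
                if ":role/" not in role_arn or ":saml-provider/" not in provider_arn:
                    raise ValueError("Role attribute value is not a role/provider pair: %s" % value)
                roles.append((role_arn, provider_arn))
        elif attr.get("Name") == SESSION_NAME_ATTR and values:
            session_name = values[0]
    if not roles:
        raise ValueError("assertion carries no %s attribute" % ROLE_ATTR)
    if session_name is None:
        raise ValueError("assertion carries no %s attribute" % SESSION_NAME_ATTR)
    return {"audience_ok": AWS_AUDIENCE in audiences, "within_validity": within,
            "roles": roles, "session_name": session_name}


def assertion_acceptable(xml_text, now_iso):
    """True when the audience is AWS and the assertion is inside its validity window."""
    result = parse_aws_saml_assertion(xml_text, now_iso)
    return result["audience_ok"] and result["within_validity"]


if __name__ == "__main__":
    print(parse_aws_saml_assertion(SAMPLE_ASSERTION, "2024-01-01T12:00:00Z"))
```

The roles list is what the AWS sign-in page presents when an assertion carries more than one role; the user picks one and receives temporary credentials for that role only, which is why no long-term IAM user is ever created for federated users.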

4. Authorization Across Multiple Accounts and VPCs

4.1. IAM Policies

  • Define who can access what.
  • Example: Developer role can:
    • Read logs in VPC Flow Logs
    • Modify security groups in dev VPC
    • Cannot delete production VPCs
  • IAM policies are evaluated at the time of the request:
    • Everything is denied by default; an explicit Allow grants access only when no explicit Deny applies
    • Explicit Deny always wins

4.2. Resource-based Policies

  • Attached directly to resources like:
    • S3 buckets
    • VPC endpoints
    • KMS keys (for encrypted data in transit)
  • They control who can use the resource and are evaluated together with identity-based IAM policies; for cross-account access, both the caller's identity policy and the resource policy must allow the request.

4.3. Using VPC Endpoints with Policies

  • For private connectivity between VPCs and services:
    • Example: A VPC endpoint for S3 with a policy allowing only a specific account.
  • Exam Tip: Know the difference between IAM policies (identity-based) and resource-based policies.
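The evaluation rules from sections 3.1, 4.1, 4.2 and 4.3 can be exercised offline with a small simulator. The Python below is an added example, not AWS code or the notes' own material: it implements default deny, explicit-deny-wins, and the cross-account rule (identity policy AND resource policy must allow) over the Action, Resource and Principal elements, and treats a VPC endpoint policy as an extra gate that can narrow but never grant access. Conditions, NotAction, SCPs, permission boundaries and session policies are not modelled. The trust policy and the 111122223333 account ID come from the notes; Account B (222233334444), the NetworkAuditor role, the VPC IDs, the shared-logs bucket and the 999988887777 outsider account are constructed.

```python
import fnmatch

# Identifiers: 111122223333 and DevUser are from the notes' trust policy; the rest are constructed.
DEV_USER = "arn:aws:iam::111122223333:user/DevUser"
AUDIT_ROLE = "arn:aws:iam::222233334444:role/NetworkAuditor"           # role in Account B
DEV_VPC = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0dev000000000001"
PROD_VPC = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0prod00000000001"

DEV_USER_POLICY = {  # identity-based policy attached to DevUser (constructed, mirrors section 4.1)
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "logs:Get*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DeleteVpc", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteVpc", "Resource": PROD_VPC},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-logs/*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": AUDIT_ROLE},
    ],
}
AUDIT_ROLE_TRUST_POLICY = {  # resource-based trust policy on the Account B role (from the notes)
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": DEV_USER}, "Action": "sts:AssumeRole"}],
}
S3_ENDPOINT_POLICY = {  # VPC endpoint policy: only Account A principals may read shared-logs (constructed)
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-logs/*"}],
}


def _matches(patterns, value):
    """IAM Action/Resource matching: '*' and '?' wildcards, a string or a list of strings."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(principal, principal_arn, principal_account):
    """Principal element of a resource-based policy: '*' or {"AWS": arn | account | [..]}."""
    if principal == "*":
        return True
    allowed = principal.get("AWS", [])
    allowed = allowed if isinstance(allowed, list) else [allowed]
    root_arn = "arn:aws:iam::%s:root" % principal_account
    # A bare account id or the account root ARN trusts the whole account (its own IAM policies decide further).
    return any(p in ("*", principal_arn, principal_account, root_arn) for p in allowed)


def _evaluate(policy, action, resource, principal_arn=None, principal_account=None):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], principal_arn, principal_account):
            continue
        if not _matches(stmt["Action"], action):
            continue
        if "Resource" in stmt and not _matches(stmt["Resource"], resource):
            continue  # trust policies omit Resource: the role itself is implied
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends evaluation
        verdict = "Allow"
    return verdict


def is_authorized(action, resource, principal_arn, identity_policies,
                  resource_policy=None, resource_account=None, endpoint_policy=None):
    """Combine identity policies, an optional resource policy and an optional VPC endpoint policy."""
    principal_account = principal_arn.split(":")[4]
    identity_results = [_evaluate(p, action, resource) for p in identity_policies]
    resource_result = (_evaluate(resource_policy, action, resource, principal_arn, principal_account)
                       if resource_policy is not None else None)
    # With no endpoint policy attached, AWS's default endpoint policy permits everything.
    endpoint_result = (_evaluate(endpoint_policy, action, resource, principal_arn, principal_account)
                       if endpoint_policy is not None else "Allow")
    if "Deny" in identity_results or resource_result == "Deny" or endpoint_result == "Deny":
        return False
    if endpoint_result != "Allow":
        return False  # the endpoint policy is an extra gate and cannot grant access on its own
    identity_allow = "Allow" in identity_results
    resource_allow = resource_result == "Allow"
    if resource_account is None or resource_account == principal_account:
        return identity_allow or resource_allow   # same account: either policy may grant access
    return identity_allow and resource_allow      # cross-account: both sides must allow


if __name__ == "__main__":
    print("DevUser assumes Account B role:",
          is_authorized("sts:AssumeRole", AUDIT_ROLE, DEV_USER, [DEV_USER_POLICY],
                        resource_policy=AUDIT_ROLE_TRUST_POLICY, resource_account="222233334444"))
    print("DevUser deletes prod VPC:", is_authorized("ec2:DeleteVpc", PROD_VPC, DEV_USER, [DEV_USER_POLICY]))
```

Walking the cases through the simulator shows the exam points directly: the cross-account AssumeRole succeeds only because Account A's identity policy and Account B's trust policy both allow it; a second user in Account A with the same identity policy is refused by the trust policy; the explicit Deny on the production VPC overrides the broad Allow; and a principal from another account with a wide-open identity policy is still stopped at the endpoint policy.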

5. Authentication & Authorization Best Practices in Multi-Account Networking

  1. Use IAM roles instead of IAM users for cross-account access.
  2. Use temporary credentials with STS wherever possible.
  3. Federate users via SAML or Active Directory for centralized login.
  4. Implement least privilege: give users the minimum permissions they need.
  5. Use resource policies for sensitive resources to enforce cross-account access controls.
  6. Audit regularly using AWS CloudTrail to ensure policies are enforced correctly.

6. Key AWS Services & Features You Must Know for the Exam

Category         Service/Feature                 Exam Focus
Authentication   IAM Users & Roles               Basic login and cross-account access
Authentication   STS (Security Token Service)    Temporary credentials for cross-account access
Authentication   SAML Federation                 Enterprise login without IAM users
Authentication   Active Directory (Managed AD)   Centralized user management
Authorization    IAM Policies                    Identity-based permissions
Authorization    Resource Policies               Fine-grained access to S3, VPC endpoints, KMS
Monitoring       CloudTrail                      Track who accessed what and when

7. Summary for the Exam

  • Authentication = Who are you? → IAM, SAML, AD
  • Authorization = What can you do? → IAM policies, resource policies
  • Multi-account & VPC scenario:
    • Use IAM Roles + STS for cross-account access
    • Use federated login for corporate users
    • Apply least privilege principle
  • Always audit and monitor access for compliance.