13-02 Zero Trust on AWS
Identity Security Controls you can implement on AWS to meet the Zero Trust Model
# AWS Identity and Access Management (IAM)
- IAM Policies
- Permission Boundaries
- Service Control Policies (Organization-wide Policies)
- IAM Policy Conditions
aws:SourceIp– Restrict on IP Addressaws:RequestedRegion– Restrict on Regionaws:MultiFactorAuthPresent– Restrict if MFA is turned offaws:CurrentTime– Restrict access based on time of day
# Your AWS Resources
Note
AWS does not have ready-to-use identity controls that are intelligent, which is why AWS is considered to not have a true Zero Trust offering for customers, and third-party services need to be used.
A collection of AWS Services can be setup to intelligent-ish detection of identity concerns but requires expert knowledge
# AWS CloudTrail
- Tracks all API calls
# Amazon GuardDuty
- Detects suspicious or malicious activity based on CloudTrail and other logs
# Amazon Detective
#aws-service
- Used to analyze, investigate and quickly identify security issues (can ingest findings from Guard Duty)