You're reading from  Implementing Identity Management on AWS

Product type: Book
Published in: Oct 2021
Publisher: Packt
ISBN-13: 9781800562288
Edition: 1st Edition
Jon Lehtinen

Jon Lehtinen has 16 years of enterprise identity and access management experience and specializes in both the strategy and execution of IAM transformation in global-scale organizations such as Thomson Reuters, General Electric, and Apollo Education Group. In addition to his work in the enterprise space, he has held positions on Ping Identity's Customer Advisory Board and as an advisor to identity verification start-up EvidentID. He currently owns the workforce and customer identity implementations at Okta. Jon is dedicated to the growth and maturity of IAM as a profession and serves on the Board of Directors for IDPro org. He is also a member of the Kantara Initiative, ISC2, OpenID Foundation, and Women in Identity. Jon has presented his work at several conferences, including RSA, Identiverse, and KuppingerCole's European Identity and Cloud Conference. Currently, he owns Okta's workforce and customer IAM implementations as their Director of Okta on Okta.

Chapter 7: Other AWS Identity Services

We are coming to the end of this section, where we have introduced and explored the identity services that are available on AWS. The two previous chapters took a deep dive into the customer and enterprise identity services, but in this chapter, we will take a slightly different approach. This chapter provides a brief overview of several additional identity and identity-adjacent services. Familiarity with these services and their use cases is an important part of a well-rounded education for implementing identity on AWS, but for our purposes they do not merit as deep a dive, nor as much practical exploration, before we move on to the next section of this book.

The first service we will look at is AWS Directory Service. This service primarily deals with supporting Active Directory (AD) workloads on AWS and extending an organization's (organization meaning enterprise, not organization as in AWS Organization) AD footprint...

Technical requirements

To get the most out of this chapter, you will need an AWS account.

Understanding AWS Directory Service

Microsoft AD is a complex and feature-rich enterprise directory service. Beyond basic LDAP capabilities for user management and authentication, it can also be used for machine management, including device authentication and authorization, DNS, certificate authority services, endpoint policy management and enforcement, and federation services. Over the years, it has been positioned and marketed as a one-stop shop for enterprise workloads. Unfortunately, the feature-richness that made AD an enterprise mainstay for over 20 years is also why it can become insecure or misconfigured. This is why AD implementations are at the heart of so many security incidents. Its monolithic nature, broad set of services, and wide network port utilization also make it a tempting target for bad actors and limit its capability to operate securely outside of an established network perimeter.

Though traditional on-premises AD may not be naturally suited for an internet...

Encryption and secrets management

Confidentiality is one of the three pillars of information security. Encryption preserves the confidentiality of data both in transit and at rest. To decrypt encrypted data, we need the appropriate keys.

AWS offers services for both managing the cryptographic keys that encrypt the data used within an AWS account, as well as a service for preserving secrets used for accessing AWS resources. We will go over these services briefly.

AWS Key Management Service

Several services within AWS offer encryption for data at rest and in transit. S3 buckets, RDS instances, EBS volumes, and other resources leverage encryption to secure the data they store. By default, each AWS service capable of leveraging AWS KMS can generate its own default, AWS-managed encryption key that is used to encrypt that service's data for that AWS account. However, some organizations would prefer to retain control of their encryption keys. In either case, AWS Key Management...
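Retaining control of a key in practice means owning a customer-managed key and its key policy, which is the resource policy that decides who may administer and who may use the key. The following is an added example (not code from the book or from AWS) that builds such a policy in the standard KMS key policy format, pairs it with a deliberately weak policy, and runs two checks a reviewer would apply before trusting either. The account ID, region, and role names are constructed placeholders; the `kms:ViaService` condition key and the action names are the real KMS ones.

```python
import json

# Constructed placeholders, not real identifiers.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
KEY_ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/kms-key-admin"
KEY_USER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/app-data-writer"

# Administrative actions (manage the key) versus cryptographic actions (use the key).
# Keeping them on separate principals is the point of a customer-managed key policy.
KEY_ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
KEY_USE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account_id, admin_role_arn, user_role_arn, region):
    """Key policy with an admin role, a use role, and use limited to calls made via S3."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # "<account>:root" is the account principal, not the root user. This
                # statement is what lets IAM policies in the account take effect on the key.
                "Sid": "EnableRootPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin_role_arn},
                "Action": KEY_ADMIN_ACTIONS,
                "Resource": "*",
            },
            {   # The use role may only exercise the key through S3 in one region,
                # so a leaked credential cannot call kms:Decrypt directly.
                "Sid": "AllowUseViaS3Only",
                "Effect": "Allow",
                "Principal": {"AWS": user_role_arn},
                "Action": KEY_USE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            },
        ],
    }


# Weak counterpart (constructed): a Decrypt grant open to any principal.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_principal_statements(policy):
    """Sids of Allow statements open to any principal with no Condition narrowing them."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        is_wild = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if is_wild and not st.get("Condition"):
            flagged.append(st.get("Sid"))
    return flagged


def principals_with_full_control(policy):
    """Every principal granted kms:* on this key; expect only the account principal."""
    owners = []
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "kms:*" in _as_list(st.get("Action", [])):
            principal = st.get("Principal")
            owners.extend(_as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal])
    return owners


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, KEY_ADMIN_ROLE, KEY_USER_ROLE, REGION)
    print(json.dumps(policy, indent=2))
    print("wildcard statements in good policy:", wildcard_principal_statements(policy))
    print("wildcard statements in weak policy:", wildcard_principal_statements(WEAK_POLICY))
```

The two checks are deliberately narrow: a principal of `*` without a condition makes the key usable from any AWS account, and any statement granting `kms:*` beyond the account principal hands over the key's administration. A real review would also confirm that the `EnableRootPermissions` statement is present at all, since a key policy without it locks the key away from every IAM policy in the account.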

Logging and auditing

Unlike the identity services that merited their own chapters, or even the services we looked at earlier within this chapter, AWS CloudTrail and Amazon CloudWatch may not seem worth much of a mention. However, logging and auditing are essential components of non-repudiation. Non-repudiation is the assurance that something, such as an action, signature, or event, cannot later be denied by the person responsible for it. IAM ties the event, action, account, and so on to the individual, and auditing and logging help prove that the event occurred.

We will quickly look at the two services AWS provides for audit and logging. The first is AWS CloudTrail, which captures the events that occur within an AWS account. The second is Amazon CloudWatch, which is a monitoring and logging service that can be used with AWS services and resources.

AWS CloudTrail

AWS CloudTrail captures events that occur within an AWS account to help us address compliance, governance, and operational and risk...
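To make the non-repudiation point from the previous section concrete, here is an added example (not code from the book) that reads a CloudTrail log file, attributes every event to the identity that performed it, and runs three detections a security team typically keeps on the trail: use of the account root identity, a successful console login without MFA, and API calls that weaken the trail itself. The records are constructed samples; the field names (`eventTime`, `eventSource`, `eventName`, `userIdentity`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) follow the CloudTrail record format, and the rule names are my own.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data). The field names
# follow the CloudTrail record format; IPs are from documentation ranges.
SAMPLE_TRAIL = json.dumps({
    "Records": [
        {   # IAM user console login with MFA: expected, no finding
            "eventTime": "2021-10-01T08:00:00Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "sourceIPAddress": "203.0.113.10",
            "additionalEventData": {"MFAUsed": "Yes"},
            "responseElements": {"ConsoleLogin": "Success"},
        },
        {   # root identity logging in without MFA: two findings
            "eventTime": "2021-10-01T08:05:00Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
            "sourceIPAddress": "198.51.100.7",
            "additionalEventData": {"MFAUsed": "No"},
            "responseElements": {"ConsoleLogin": "Success"},
        },
        {   # someone switching the trail off: one finding
            "eventTime": "2021-10-01T08:06:00Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "userIdentity": {"type": "IAMUser", "userName": "bob"},
            "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"name": "org-trail"},
        },
        {   # ordinary workload activity under an assumed role: no finding
            "eventTime": "2021-10-01T08:10:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
            "sourceIPAddress": "10.0.1.5",
        },
    ]
})

# CloudTrail API calls that reduce or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record):
    """Identity the event is attributed to: user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze_trail(raw_json):
    """Run the three detections over one CloudTrail log file and return findings in log order."""
    findings = []
    for rec in json.loads(raw_json).get("Records", []):
        name = rec.get("eventName")
        ident = rec.get("userIdentity", {})
        base = {"time": rec.get("eventTime"), "actor": actor(rec),
                "source_ip": rec.get("sourceIPAddress"), "event": name}

        # 1. Any activity by the account root identity.
        if ident.get("type") == "Root":
            findings.append({**base, "rule": "root-account-activity"})

        # 2. A successful console login where MFA was not used.
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if name == "ConsoleLogin" and success and mfa != "Yes":
            findings.append({**base, "rule": "console-login-without-mfa"})

        # 3. Calls that stop, delete, or narrow the trail.
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            trail = rec.get("requestParameters", {}).get("name")
            findings.append({**base, "rule": "cloudtrail-tampering", "trail": trail})
    return findings


def events_per_actor(raw_json):
    """Count events per attributed identity; attribution is what makes the trail usable as evidence."""
    return Counter(actor(rec) for rec in json.loads(raw_json).get("Records", []))


if __name__ == "__main__":
    for f in analyze_trail(SAMPLE_TRAIL):
        print(f"{f['time']} {f['rule']:26} actor={f['actor']} ip={f['source_ip']} event={f['event']}")
    print(dict(events_per_actor(SAMPLE_TRAIL)))
```

The third rule is the one that protects the other two: a trail that has been stopped records nothing, so the `StopLogging` event itself is often the last useful line before a gap. In production the same logic would run over the compressed log objects that CloudTrail delivers to S3, or over the events forwarded to a CloudWatch log group, rather than over an inline string.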

Summary

Now that you have finished this chapter, you should be familiar with some of the additional identity and identity-adjacent capabilities you can use to solve identity challenges on AWS. AWS Directory Service supports Active Directory workloads on AWS and extends an organization's AD footprint into AWS. AWS Secrets Manager allows programmatic secret storage and rotation, while AWS Key Management Service allows you to manage cryptographic keys that are used for encryption. Finally, AWS CloudTrail acts as the audit log for all actions taken on AWS services, while Amazon CloudWatch acts as a logging and resource monitoring service.

This concludes this section of this book, where we looked at specific AWS services. The next section will see us pivot toward practically applying these services to solve an enterprise-grade identity use case. In the next chapter, we will plan what we intend to accomplish with our practical implementation by using enterprise-grade tools and design...

Questions

  1. What version of AWS Managed Microsoft AD, either Standard or Enterprise, would be best suited for an organization consisting of 2,000 employees that requires support for full AD workloads?
  2. An organization consisting of 2,000 employees only needs LDAP services for their applications in AWS. Which AWS Directory Service would be the most appropriate?
  3. What is a customer master key?
  4. AWS Secrets Manager can automatically rotate credentials for which three services, without requiring a custom Lambda function?
  5. What is non-repudiation?
  6. True/False: Amazon CloudWatch only provides logging aggregation.