AWS Resource Access Manager (RAM) – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

AWS Resource Access Manager (RAM) There is also an alternative for sharing resources across multiple accounts. AWS RAM is a central service that allows you to share resources you own in one account with multiple accounts, either within your own AWS Organization (the whole organization or selected OUs) or with accounts outside it. There is one caveat, though: you cannot share all types of […]

IAM roles’ Trust Policies – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

IAM roles’ Trust Policies Cross-account access is made possible because of IAM roles. IAM roles have the distinctive ability to act both as an identity and as a resource, and as such, you can associate both identity-based policies and resource-based policies with IAM roles. In the case of IAM roles, resource-based policies are also called […]

Additional Considerations for Resiliency – Designing Networks for Complex Organizations – SAP-C02 Study Guide

Additional Considerations for Resiliency As a best practice, it is recommended to have at least two separate connections terminating at two different DX locations. This provides resiliency against a connectivity failure caused by a device failure, a network cable cut, or the loss of an entire location. To […]

Various Flavors of AWS DX – Designing Networks for Complex Organizations – SAP-C02 Study Guide

Various Flavors of AWS DX You can use AWS DX provided that one of the following applies: There exist three types of DX connections. That said, only the first two types listed in the following section are recommended when you require a consistent connection capacity, which is ultimately the main reason to set up a […]

AWS VPN CloudHub – Designing Networks for Complex Organizations – SAP-C02 Study Guide

AWS VPN CloudHub AWS VPN CloudHub is a hub-and-spoke VPN solution to securely connect multiple branch offices to each other and to a VPC on AWS. It leverages the AWS Managed VPN service (now called AWS Site-to-Site VPN), but instead of creating CGWs for a single on-premises location, you create as many CGWs as you have remote branches/offices that need a VPN connection […]

Designing Networks for Complex Organizations – SAP-C02 Study Guide

Networking is a key aspect in meeting the security and compliance requirements of an organization. It determines whether and how resources in your Amazon Web Services (AWS) environment can be accessed from anywhere in your organization and beyond. This chapter will cover the services on AWS that can be used to design hybrid networks, allowing […]

Leveraging Access Delegation – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

Leveraging Access Delegation You are now going to investigate access delegation. Access delegation is essentially used for the following reasons: Now, start by examining these cases. Temporary Access Delegation Take, for instance, the first use case, where you need to provide trusted users, applications, or AWS services with temporary security credentials so that they can […]

Limitations – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

Limitations AD Connector is not compatible with Amazon RDS for SQL Server or with Amazon FSx for Windows File Server. When to Use It AD Connector is recommended when you want to use your existing on-premises directory with compatible AWS services. Managed Microsoft AD Managed Microsoft AD essentially lets you run Microsoft AD as a […]

Examining Access Control – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

Examining Access Control In this section, you will investigate two different approaches organizations can take to control access, either based on a principal’s role or based on specific properties, also known as attributes, characterizing a principal. Role-Based Access Control (RBAC) This is the traditional access control approach where the permissions defining the actions that a […]

Permissions Boundaries – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

Permissions Boundaries Permissions boundaries allow us to define the maximum permissions that identity-based policies can give to IAM entities (user or role). An entity can then only perform actions allowed by both its identity-based policies and its permissions boundaries. Setting a permissions boundary does not give permissions on its own but it limits what the […]
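The intersection described above is easy to get wrong in practice (a boundary that allows an action does not grant it, and an explicit Deny in either policy wins). The following is an added example, not code from the study guide or from AWS: a deliberately simplified model of the IAM evaluation order for a same-account request that covers only identity-based policies, a permissions boundary, explicit Deny and IAM-style wildcards. It ignores conditions, SCPs, session policies and resource-based policies. The sample policies and ARNs are constructed for illustration.

```python
"""Simplified model of how a permissions boundary caps an identity-based policy.

Added example for this study guide, not AWS code. Models only Allow/Deny
statements and '*'/'?' wildcards; conditions, SCPs, session policies and
resource-based policies are out of scope.
"""
import fnmatch


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(stmt, action, resource):
    # Action matching is case-insensitive in IAM; ARN matching is case-sensitive.
    # fnmatchcase treats '*' as "any run of characters" and '?' as one character,
    # which is the same wildcard semantics IAM uses for actions and ARNs.
    action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt.get("Action", [])))
    resource_hit = any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' (no statement matched) for one policy."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, regardless of other statements
        decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None):
    """Effective decision for an IAM user/role with an optional permissions boundary.

    Mirrors the IAM evaluation order for a same-account request:
      1. an explicit Deny in either policy denies;
      2. if a boundary is attached it must Allow, otherwise the result is an implicit deny;
      3. the identity-based policy must Allow (the boundary never grants on its own).
    """
    identity = evaluate_policy(identity_policy, action, resource)
    if identity == "Deny":
        return False
    if boundary is not None:
        if evaluate_policy(boundary, action, resource) != "Allow":
            return False  # covers both explicit Deny and "not mentioned" in the boundary
    return identity == "Allow"


# Constructed sample: a developer's identity-based policy is deliberately broad ...
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:CreateUser"], "Resource": "*"}
    ],
}

# ... while the boundary the platform team attaches caps it at S3 plus EC2 read-only,
# and additionally forbids deleting any bucket whose (hypothetical) name starts with prod-.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::prod-*"},
    ],
}

# Constructed sample: an identity policy that only grants S3, used to show that a
# boundary allowing EC2 read-only does not add EC2 permissions by itself.
S3_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::prod-data/report.csv", DEVELOPER_POLICY),
        ("ec2:RunInstances", "*", DEVELOPER_POLICY),                 # identity allows, boundary silent
        ("iam:CreateUser", "*", DEVELOPER_POLICY),                   # same: capped by the boundary
        ("s3:DeleteBucket", "arn:aws:s3:::prod-data", DEVELOPER_POLICY),  # explicit Deny in boundary
        ("s3:DeleteBucket", "arn:aws:s3:::dev-data", DEVELOPER_POLICY),
        ("ec2:DescribeInstances", "*", S3_ONLY_POLICY),              # boundary allows, identity does not
    ]
    for action, resource, policy in checks:
        print(f"{action:24} {resource:36} -> {is_allowed(policy, action, resource, DEVELOPER_BOUNDARY)}")
```

Without the boundary argument, `is_allowed(DEVELOPER_POLICY, "iam:CreateUser", "*")` is true, which is exactly the privilege-escalation path a boundary is attached to close; with it, the same call is denied even though the identity policy says Allow.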