%3CLINGO-SUB%20id%3D%22lingo-sub-2044693%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%3A%20How%20to%20protect%20AWS%20Admins%20and%20Developers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2044693%22%20slang%3D%22en-US%22%3E%3CP%3Eare%20there%20any%20recommendations%20about%20how%20to%20do%20this%20when%20there%20are%20many%20(dozens%2Fhundreds)%20of%20accounts%20in%20AWS%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1995938%22%20slang%3D%22en-US%22%3EMCAS%3A%20How%20to%20protect%20AWS%20Admins%20and%20Developers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1995938%22%20slang%3D%22en-US%22%3E%3CP%3EBy%20Richard%20Diver%2C%20Alex%20Weinert%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F33891%22%20target%3D%22_blank%22%3E%40Matt%20Soseman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3C%2FP%3E%3CDIV%20class%3D%22video-embed-left%20video-embed%22%3E%3CIFRAME%20class%3D%22embedly-embed%22%20src%3D%22https%3A%2F%2Fcdn.embedly.com%2Fwidgets%2Fmedia.html%3Fsrc%3Dhttps%253A%252F%252Fwww.youtube.com%252Fembed%252Fqu5T16Nizho%253Ffeature%253Doembed%26amp%3Bdisplay_name%3DYouTube%26amp%3Burl%3Dhttps%253A%252F%252Fwww.youtube.com%252Fwatch%253Fv%253Dqu5T16Nizho%26amp%3Bimage%3Dhttps%253A%252F%252Fi.ytimg.com%252Fvi%252Fqu5T16Nizho%252Fhqdefault.jpg%26amp%3Bkey%3Db0d40caa4f094c68be7c29880b16f56e%26amp%3Btype%3Dtext%252Fhtml%26amp%3Bschema%3Dyoutube%22%20width%3D%22600%22%20height%3D%22337%22%20scrolling%3D%22no%22%20title%3D%22YouTube%20embed%22%20frameborder%3D%220%22%20allow%3D%22autoplay%3B%20fullscreen%22%20allowfullscreen%3D%22true%22%3E%3C%2FIFRAME%3E%3C%2FDIV%3E%3CP%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20blog%2C%20I%20am%20going%20to%20tell%20you%20about%20a%20new%20deployment%20guide%20that%20will%20help%20you%20to%20apply%20several%20advanced%20security%20controls%20for%20access%20to%20AWS%20environments%2C%20using%20Microsoft%20Security%20solutions%20%E2%80%93%20this%20is%20one%20of%20the%20simplest%20implementations%20that%20can%20solve%20a%20myriad%20of%20problems%20when%20trying%20to%20provision%20identities%20and%20govern%20access%20to%20systems%20that%20may%20be%20business%20critical%20and%20hold%20very%20sensitive%20information.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESecuring%20Access%20to%20AWS%20Environments%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EManagement%20of%20AWS%20identities%20can%20be%20complex%2C%20especially%20when%20there%20are%20multiple%20environments%20to%20manage.%20The%20risk%20of%20compromise%20to%20administrators%20and%20developers%20is%20increasing%20as%20attackers%20attempt%20to%20gain%20access%20to%20critical%20resources.%20There%20is%20also%20a%20risk%20of%20misconfiguration%20and%20potential%20loss%20of%20data%20if%20the%20user%20credentials%20are%20not%20properly%20monitored%20for%20suspicious%20activity.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20AD%20supports%20single%20sign-on%20integration%20with%20AWS%20SSO.%20With%20AWS%20SSO%20you%20can%20connect%20Azure%20AD%20to%20AWS%20in%20one%20place%20and%20use%20AWS%20SSO%20to%20centrally%20govern%20access%20across%20hundreds%20of%20accounts%20and%20AWS%20SSO%20integrated%20applications%2C%20and%20have%20a%20seamless%20Azure%20AD%20sign-in%20experience%20to%20use%20the%20AWS%20CLI.%20Refer%20to%20this%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Factive-directory%252Fsaas-apps%252Famazon-web-service-tutorial%26amp%3Bdata%3D04%257C01%257CSarahzin.Chowdhury%2540microsoft.com%257C7c30458dea014fc2e95e08d8ddb106ee%257C72f988bf86f141af91ab2d7cd011db47%257C0%257C0%257C637503099815725952%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dxjmo9oVbdBcBDbz290SChdvJJsVe4g3e6xFAdhb8vWY%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ETutorial%3A%20Azure%20Active%20Directory%20single%20sign-on%20(SSO)%20integration%20with%20Amazon%20Web%20Services%20(AWS)%20%7C%20Microsoft%20Docs%3C%2FA%3E%20for%20more%20details.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20blog%20post%20for%20Azure%20AD%20(%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAWSIdentity%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAWSIdentity)%3C%2FA%3E%2C%20you%20can%20read%20about%20the%20implementation%20of%20secure%20authentication%20for%20AWS%20using%20Azure%20AD%20SSO.%20When%20the%20authentication%20and%20single%20sign-on%20with%20Azure%20AD%20is%20setup%20for%20AWS%2C%20you%20can%20implement%20advanced%20Conditional%20Access%20policies%20with%20MCAS%20to%20enable%20Session%20Control%20policies%3A%20this%20is%20the%20ability%20to%20continuously%20monitor%20the%20activities%20of%20the%20AWS%20user%20as%20they%20interact%20with%20resources.%20The%20diagram%20below%20shows%20some%20of%20the%20options%20available%20today%20with%20Microsoft%20Cloud%20App%20Security%2C%20when%20integrated%20with%20Azure%20AD%20to%20protect%20AWS%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22Photo.png%22%20style%3D%22width%3A%20732px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F241219iB83F0B782FD25B3A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Photo.png%22%20alt%3D%22Photo.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20real-time%20data%20loss%20prevention%20(DLP)%2C%20MCAS%20can%20use%20both%20the%20built-in%20content%20inspection%20or%20the%20Data%20Classification%20Service%20(Microsoft%20Information%20Protection)%20integration%20to%20block%20uploads%20or%20downloads.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3A%20MCAS%20session%20controls%20apply%20to%20browser-based%20sessions.%20For%20thick%20clients%2C%20MCAS%20can%20only%20apply%20access%20policies%20(via%20Conditional%20Access%20App%20Control).%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImplementing%20Advanced%20Security%20Controls%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EMicrosoft%20Cloud%20App%20Security%20is%20a%20key%20component%20of%20securing%20any%20cloud%20application.%20When%20used%20to%20secure%20AWS%2C%20it%20can%20also%20be%20used%20to%20scan%20the%20environment%20and%20provide%20recommendations%20against%20the%20CIS%20Benchmark%20to%20ensure%20the%20correct%20configuration%20and%20security%20controls%20have%20been%20implemented.%20The%20diagram%20below%20explains%20the%20layers%20of%20security%20that%20can%20be%20gained%20by%20using%20some%20of%20the%20Microsoft%20security%20solutions%20together%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22photo%202.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F241220i6E3099F8FCD58AB1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22photo%202.png%22%20alt%3D%22photo%202.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20take%20advantage%20of%20this%20defense%20in%20depth%20approach%20using%20integrated%20solutions%20you%20very%20likely%20already%20own!%20Get%20the%20latest%20version%20of%20the%20deployment%20guides%20below%20and%20learn%20more%20about%20how%20to%20enable%20this%20within%2030%20minutes%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EImplement%20Azure%20AD%20to%20secure%20AWS%20Authentication%3A%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAWSIdentity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAWSIdentity%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EImplement%20advanced%20Microsoft%20Security%20solutions%20for%20AWS%3A%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAWSSecurity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAWSSecurity%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20read%20more%20about%20how%20Microsoft%20Cloud%20App%20Security%20helps%20to%20protect%20your%20AWS%20environment%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fprotect-aws%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fprotect-aws%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ETo%20learn%20more%20about%20Microsoft%20Cloud%20App%20Security%2C%20check%20out%20the%20resources%20below%3A%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EBest%20Practices%3A%26nbsp%3B%3C%2FEM%3E%3CEM%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fbest-practices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fbest-practices%3C%2FA%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EMCAS%20POC%3A%26nbsp%3B%3C%2FEM%3E%3CEM%3EAka.ms%2Fmcaspoc%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EMCAS%20Podcast%3A%26nbsp%3B%3C%2FEM%3E%3CEM%3EAka.ms%2FMCASPodcast%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EMCAS%20Ninja%20Training%3A%26nbsp%3B%3C%2FEM%3E%3CEM%3EAka.ms%2FMCASNinja%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1995938%22%20slang%3D%22en-US%22%3E%3CP%3EEnable%20SSO%2C%20Conditional%20Access%2C%20and%20advanced%20security%20controls%20to%20protect%20all%20your%20AWS%20Environments%2C%20in%2030%20minutes!%20%26nbsp%3BIn%20this%20new%20guide%20we%20will%20show%20you%20how%20to%20deploy%20Microsoft%20Cloud%20App%20Security%20to%20manage%20session%20controls%2C%20baseline%20security%2C%20continuous%20monitoring%20and%20threat%20controls%20for%20all%20AWS%20role-based%20administrator%20and%20developer%20activities.%3C%2FP%3E%0A%3CP%3E%3C%2FP%3E%3CDIV%20class%3D%22video-embed-left%20video-embed%22%3E%3CIFRAME%20class%3D%22embedly-embed%22%20src%3D%22https%3A%2F%2Fcdn.embedly.com%2Fwidgets%2Fmedia.html%3Fsrc%3Dhttps%253A%252F%252Fwww.youtube.com%252Fembed%252Fqu5T16Nizho%253Ffeature%253Doembed%26amp%3Bdisplay_name%3DYouTube%26amp%3Burl%3Dhttps%253A%252F%252Fwww.youtube.com%252Fwatch%253Fv%253Dqu5T16Nizho%26amp%3Bimage%3Dhttps%253A%252F%252Fi.ytimg.com%252Fvi%252Fqu5T16Nizho%252Fhqdefault.jpg%26amp%3Bkey%3Db0d40caa4f094c68be7c29880b16f56e%26amp%3Btype%3Dtext%252Fhtml%26amp%3Bschema%3Dyoutube%22%20width%3D%22600%22%20height%3D%22337%22%20scrolling%3D%22no%22%20title%3D%22YouTube%20embed%22%20frameborder%3D%220%22%20allow%3D%22autoplay%3B%20fullscreen%22%20allowfullscreen%3D%22true%22%3E%3C%2FIFRAME%3E%3C%2FDIV%3E%3CP%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1995938%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECloud%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20%26amp%3B%20Access%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EInformation%20Protection%20%26amp%3B%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Cloud%20App%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Threat%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EThreat%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

By Richard Diver, Alex Weinert, @Matt Soseman 

 

 

In this blog, I am going to tell you about a new deployment guide that will help you to apply several advanced security controls for access to AWS environments, using Microsoft Security solutions – this is one of the simplest implementations that can solve a myriad of problems when trying to provision identities and govern access to systems that may be business critical and hold very sensitive information.

Securing Access to AWS Environments

Management of AWS identities can be complex, especially when there are multiple environments to manage. The risk of compromise to administrators and developers is increasing as attackers attempt to gain access to critical resources. There is also a risk of misconfiguration and potential loss of data if the user credentials are not properly monitored for suspicious activity.

 

Azure AD supports single sign-on integration with AWS SSO. With AWS SSO you can connect Azure AD to AWS in one place and use AWS SSO to centrally govern access across hundreds of accounts and AWS SSO integrated applications, and have a seamless Azure AD sign-in experience to use the AWS CLI. Refer to this Tutorial: Azure Active Directory single sign-on (SSO) integration with Amazon Web Services (AWS) | M... for more details.

 

In this blog post for Azure AD (https://aka.ms/AWSIdentity), you can read about the implementation of secure authentication for AWS using Azure AD SSO. When the authentication and single sign-on with Azure AD is setup for AWS, you can implement advanced Conditional Access policies with MCAS to enable Session Control policies: this is the ability to continuously monitor the activities of the AWS user as they interact with resources. The diagram below shows some of the options available today with Microsoft Cloud App Security, when integrated with Azure AD to protect AWS:

 

Photo.png

 

For real-time data loss prevention (DLP), MCAS can use both the built-in content inspection or the Data Classification Service (Microsoft Information Protection) integration to block uploads or downloads.

 

Note: MCAS session controls apply to browser-based sessions. For thick clients, MCAS can only apply access policies (via Conditional Access App Control).

 

Implementing Advanced Security Controls

Microsoft Cloud App Security is a key component of securing any cloud application. When used to secure AWS, it can also be used to scan the environment and provide recommendations against the CIS Benchmark to ensure the correct configuration and security controls have been implemented. The diagram below explains the layers of security that can be gained by using some of the Microsoft security solutions together:

 

photo 2.png

 

You can take advantage of this defense in depth approach using integrated solutions you very likely already own! Get the latest version of the deployment guides below and learn more about how to enable this within 30 minutes:

 

  

You can also read more about how Microsoft Cloud App Security helps to protect your AWS environment here: https://docs.microsoft.com/en-us/cloud-app-security/protect-aws

 

To learn more about Microsoft Cloud App Security, check out the resources below:

 

Best Practices: https://docs.microsoft.com/en-us/cloud-app-security/best-practices

MCAS POC: Aka.ms/mcaspoc

MCAS Podcast: Aka.ms/MCASPodcast

MCAS Ninja Training: Aka.ms/MCASNinja

 

Thank you!

 

 

 

1 Comment
Respected Contributor

are there any recommendations about how to do this when there are many (dozens/hundreds) of accounts in AWS?