Can anyone give a good example of the AAA model when it comes to security?
So when accessing AWS, you first have to log in with your username and password; your credentials are verified to ensure that your account exists. Once verified, you're given access to the AWS platform. If your account isn't verified (e.g., wrong username, incorrect password, or both), you wouldn't have access to the console, which is a security feature. That is what they are talking about in regard to Authentication.
Once you're logged in, you should only have access to the things that have to do with your job and nothing else. For example, whether you can create a user account, change user permissions, or have read-only access within the console. Putting it another way, think of how an auditor should not create user accounts because that should be an administrator's job. You should only have permission for what you're authorized to do as it pertains to your position. This is done using Policies within AWS, and that is what Authorization is all about.
With Accounting, it has to do with monitoring things that you are doing within the AWS platform. This is to ensure that you’re doing what you’re supposed to do. As mentioned in the video, once CloudTrail is turned on, every API call you make is recorded and logged. This may include the date, the time, the action performed, and the account used to perform that action.
I hope I offered a better explanation of how AAA relates to security, but just in case, I provided a short YouTube video that may also help.
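To make the three A's concrete in code, here is an added example (not part of the answer above and not AWS's own code) that simulates one API call through all three stages: password authentication, an IAM-style policy check, and a CloudTrail-style log record. The users, passwords, policies, account ID `123456789012` and the `TRAIL` list are all constructed for the example. It goes a little beyond the answer in that the policy evaluator also handles wildcard actions and an explicit `Deny`, which in real IAM overrides any `Allow`, and it includes a small `denied_events` helper showing how the accounting log lets you spot the auditor-tries-to-create-a-user case the answer describes.

```python
import fnmatch
import hashlib
import hmac
from datetime import datetime, timezone

# --- Authentication: who are you? ---------------------------------------
# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
# The salt is fixed here only so the example is reproducible.
_SALT = b"constructed-demo-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {
    "auditor": _hash_password("auditor-pass"),
    "admin": _hash_password("admin-pass"),
}

def authenticate(username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches."""
    candidate = _hash_password(password)
    stored = USERS.get(username, candidate)      # dummy compare for unknown users
    return username in USERS and hmac.compare_digest(stored, candidate)

# --- Authorization: what may you do? -------------------------------------
# Constructed IAM-style policies. Real IAM semantics are simplified but the
# core rule is kept: default deny, Allow grants, explicit Deny always wins.
POLICIES = {
    "auditor": [
        {"Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "cloudtrail:LookupEvents"],
         "Resource": "*"},
    ],
    "admin": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:DeleteUser",
         "Resource": "arn:aws:iam::123456789012:user/break-glass"},
    ],
}

def _matches(pattern, value: str, fold: bool) -> bool:
    """IAM-style wildcard match; actions are case-insensitive, ARNs are not."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if fold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def authorize(username: str, action: str, resource: str) -> str:
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for this request."""
    decision = "implicitDeny"
    for stmt in POLICIES.get(username, []):
        if _matches(stmt["Action"], action, fold=True) and \
           _matches(stmt["Resource"], resource, fold=False):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"          # nothing can override this
            decision = "allow"
    return decision

# --- Accounting: what did you do? ----------------------------------------
TRAIL = []   # constructed stand-in for a CloudTrail log

def record(username: str, action: str, resource: str, outcome: str) -> dict:
    """Append a CloudTrail-like event (subset of the real record fields)."""
    service, name = action.split(":", 1)
    event = {
        "eventTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": f"{service}.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "userName": username},
        "resources": [{"ARN": resource}],
        "errorCode": None if outcome == "ok" else "AccessDenied",
    }
    TRAIL.append(event)
    return event

def api_call(username: str, password: str, action: str, resource: str) -> str:
    """Run one request through AAA; returns 'auth_failed', 'denied' or 'ok'."""
    if not authenticate(username, password):
        record(username, "signin:ConsoleLogin", "*", "auth_failed")
        return "auth_failed"
    outcome = "ok" if authorize(username, action, resource) == "allow" else "denied"
    record(username, action, resource, outcome)   # every call is logged, success or not
    return outcome

def denied_events(trail: list) -> list:
    """Detection helper: events an auditor or alert rule would flag."""
    return [e for e in trail if e["errorCode"] == "AccessDenied"]

if __name__ == "__main__":
    print(api_call("auditor", "auditor-pass", "iam:ListUsers", "*"))      # ok
    print(api_call("auditor", "auditor-pass", "iam:CreateUser", "*"))     # denied
    print(api_call("admin", "wrong", "iam:CreateUser", "*"))              # auth_failed
    for e in denied_events(TRAIL):
        print(e["userIdentity"]["userName"], e["eventName"], e["errorCode"])
```

The `denied_events` pass is the accounting payoff: because every call is recorded whether or not it succeeded, an `AccessDenied` from a read-only auditor trying `iam:CreateUser` shows up in the log even though authorization stopped the action.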