SlideShare a Scribd company logo
1 of 51
Download to read offline
Mastering Access Control Policies
Jeff Wierer, Identity and Access Management
November 13, 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Goals
• Know more about securing your AWS resources
• Get a deeper understanding of the policy language
• Learn some tips and tricks for most frequently asked
tasks
• Keep this a lively session via demos
–
–
–
–

Amazon S3
AWS IAM
Amazon EC2
Amazon DynamoDB
Before getting too deep… Let’s level set on
Identity and Access Management
Why IAM?
• One of customers’ biggest concerns when moving to
the cloud
CONTROL
• What do I do if…
–
–
–
–

I want to control “Who can do what”?
I want to implement security best practices?
I want to be at least as secure as on premises?
One of my employees leaves the company?
IAM Provides Granular Control to your AWS Account

You can grant or deny access by defining:
• Who can access your resources
• What actions they can take
• Which resources they can access
• How will they access your resources
This is described using a policy language
The Access Control Policy Language
The Policy Language is about Authorization
• Two facets:

– Specification: defining access policies
– Enforcement: evaluating policies
Specification
Policies
• JSON-formatted documents
• Contain statements (permissions)
which specify:

S3 Read-Only Access
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:Get*", "s3:List*"],
"Resource": "*"
}
]

– What actions a principal can perform
– Which resources can be accessed
}

Example of an IAM user/group/role access policy
Anatomy of a statement
{
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}

Principal
Action
Resource
Conditions

Conditions on request-time
metadata
• IP Address
• UserAgent
• date/time

Effect: Allow
Principal:123456789012:user/bob
Action: s3:*
Resource: jeff_bucket/*
Condition: Referer = example.com
Effect: Deny
Principal:123456789012:user/jim
Action: s3:DeleteBucket
Resource: jeff_bucket
Condition: Referer = example.com
Principal - Examples
• An entity that is allowed or denied access to a resource
• Principal element required for resource-based policies
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::account-number-without-hyphens:root" }
"Principal":{"AWS":"account-number-without-hyphens"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::account-number-without-hyphens:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"www.amazon.com"}
"Principal":{"Federated":"graph.facebook.com"}
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":["arn:aws:iam::account-number-without-hyphens:role/rolename"]}
<!-- Specific service -->
"Principal":{"Service":["ec2.amazonaws.com"]}
Action - Examples
• Describes the type of access that should be allowed or denied
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!-- S3 action -->
"Action":"s3:GetObject“
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<--Use wildcards (* or ?) as part of the action name.
"Action":"iam:*AccessKey*"

This would cover Create/Delete/List/Update-->
Understanding NotAction
•
•
•

Lets you specify an exception to a list of actions
Can sometimes result in shorter policies than using Action and denying many actions
Example: Let’s say you want to allow everything but IAM APIs
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]

{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]

Notice the
or
difference?

}
}

This is not a Deny. A user could still have a
separate policy that grants IAM:*

If you want to prevent the user from ever being
able to call IAM APIs use an explicit deny
Resource - Examples
• The object or objects that are being requested
• Statements must include either a Resource or a NotResource element
<-- S3 Bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*“
<-- SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:account-number-without-hyphens:queue1"
<-- IAM user -->
"Resource":"arn:aws:iam::account-number-without-hyphens:user/Bob"
<-- Multiple DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:account-number-without-hyphens:table/books_table",
"arn:aws:dynamodb:us-west-2:account-number-without-hyphens:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:account-number-without-hyphens:instance/*"
Resource-Based Policies vs. IAM Policies
• IAM policies live with
– IAM Users
– IAM Groups
– IAM Roles

{
Principal required here

"Statement":
{
"Sid":"Queue1_SendMessage",
"Effect": "Allow",
"Principal": {"AWS": "111122223333"},
"Action": "sqs:SendMessage",
"Resource":
"arn:aws:sqs:us-east-1:444455556666:queue1"
}

• Some services allow storing
policy with resources
– S3 (bucket policy)
– SNS (topic policy)
– SQS (queue policy)

}
Conditions
•
•
•

•
•

Conditions are optional
Condition element can contain multiple Condition Element
conditions
Condition 1:
Condition keys can contains multiple
Key1: Value1A OR Value1BOR Value 1C
values
AND
If a single condition includes multiple
Key2: Value2A OR Value2B
values for one key, the condition is
evaluated using logical OR
AND
multiple conditions (or multiple keys in
Condition 2:
a single condition) the conditions are
evaluated using logical AND
Key3: Value3A
Condition Example

AND

"Condition" : {
"DateGreaterThan" : {"aws:CurrentTime" : "2013-08-16T12:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2013-08-16T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}

OR
Allows a user to access a resource under the following conditions:
• The time is after 12:00 p.m. on 8/16/2013
• The time is before 3:00 p.m. on 8/16/2013
• The request comes from an IP address in the 192.0.2.0 /24 or 203.0.113.0 /24 range
Policy Variables
Policy Variables
• Example use cases
– Allows users to self-manage their own credentials
– Easily set up user access to “home folder” in S3
– Manage EC2 resources using tags

• Benefits
– Reduces the need for user specific policies
– Simplifies overall management

• Variables based on request context
– Existing keys (aws:SourceIP, DateTime, etc.)
– New keys (aws:username, aws:userid, aws:principaltype, others)
– Provider-specific keys (graph.facebook.com:id, www.amazon.com:user_id)
The Anatomy of a Policy with Variables
New Version is required

{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":
{"StringLike":
{"s3:prefix":["home/${aws:userid}/*"]}
}
},
{
"Effect":"Allow",
"Action":["s3:*"],
"Resource": ["arn:aws:s3:::myBucket/home/${aws:userid}",
"arn:aws:s3:::myBucket/home/${aws:userid}/*"]
}
]
}

Grants a user a home directory in S3 that can be accessed programmatically

Variable in conditions

Variable in resource ARNs
Creating an S3 Home Directory
Demo
Giving a User a Home Directory From S3 Console
{
"Version": "2012-10-17",
"Statement": [
{"Sid": "AllowGroupToSeeBucketListInTheManagementConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]},
{"Sid": "AllowRootLevelListingOfThisBucketAndHomePrefix",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}},
{"Sid": "AllowListBucketofASpecificUserPrefix",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}},
{"Sid":"AllowUserFullAccesstoJustSpecificUserPrefix",
"Action":["s3:*"],
"Effect":"Allow",
"Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
"arn:aws:s3:::myBucket/home/${aws:username}/*"]}
]
}

Necessary to
access the S3
console
Allows listing all
objects in a folder +
its subfolders
Allows modifying
objects in the folder
+ subfolders
Allowing an IAM User to Self-manage Secrets
Demo
Grant a User Access to the IAM Console
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "ViewListOfAllUsers",
"Action": ["iam:ListUsers"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::123456789012:user/*"]
},
{
"Sid": "AllowUserToSeeListOfOwnStuff",
"Action": ["iam:GetUser","iam:GetLoginProfile",
"iam:ListGroupsForUser","iam:ListAccessKeys"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]
}
]
}

• Underneath the covers the IAM
console calls these APIs
• Keep in mind the user will be able to
view limited details about all users
• The IAM user will not be able to
modify the other IAM users settings
• Alternatively, use the CLI
Allow IAM User to “Self-manage” from Console

{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["iam:*AccessKey*","iam:*SigningCertificate*"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]
}
]
}

Edit these actions if you
want to modify user
permissions
Allowing an IAM user to self-manage vMFA
Demo
Allow User to Manage Own Virtual MFA from IAM
Console
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["iam:CreateVirtualMFADevice","iam:DeleteVirtualMFADevice"],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:mfa/${aws:username}"
},
{
"Action": ["iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:user/${aws:username}"
},
{
"Action": ["iam:ListVirtualMFADevices"],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:mfa/*"
}

]
}
Amazon EC2 Resource Permissions
What Changes with EC2 Permissions
• Previously policies applied to all EC2 resources
• Permissions can now be set per-resource
• Ex: assign which users can stop, start, or terminate
a particular instance
EC2 Policies Before Resource Permissions
{
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":"*"
}
]
}
EC2 Policies After Resource Permissions
{
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":"*",
"Condition": {
"StringEquals": {"ec2:ResourceTag/department": "dev"}
}
}
]
}
EC2 Policies After Resource Permissions
{
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":
"arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {
"StringEquals": {"ec2:ResourceTag/department": "dev"}
}
}
]
}
EC2 Policies After Resource Permissions
{
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":
"arn:aws:ec2:us-east-1:123456789012:instance/i-abc12345"
}
]
}
Supported Resource Types
Supports many different resource types, including:
• Customer
gateway
• DHCP options
set
• Image
• Instance
• Instance profile

•
•
•
•

Internet gateway
Key pair
Network ACL
Network
interface
• Placement group

•
•
•
•
•
•

Route table
Security group
Snapshot
Subnet
Volume
VPC
APIs Currently Supported
Type of Resource

Actions

EC2 Instances

StartInstances, StopInstances, RebootInstances, TerminateInstances, RunInstance1

Customer gateway

DeleteCustomerGateway

DHCP Options Sets

DeleteDhcpOptions

Internet Gateways

DeleteInternetGateway

Network ACLs

DeleteNetworkAcl, DeleteNetworkAclEntry

Route Tables

DeleteRoute, DeleteRouteTable

Security Groups

AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress,
DeleteSecurityGroup, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

Volumes

AttachVolume, DeleteVolume, DetachVolume

1Coming

Soon

Accurate as of 11/13/2013
Categorize Your Resources
• Use tags as a resource attribute
–
–
–
–

Allows user-defined models
“Prod”/”Dev”
“Cost Center X”
“Department Y”
Using Amazon EC2 resource-level permissions
Demo
Locking Down Access to EC2 Instances
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "THISALLOWSEC2READACCESS",
"Effect": "Allow",
"Action": ["ec2:Describe*","elasticloadbalancing:Describe*",
"cloudwatch:ListMetrics","cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*","autoscaling:Describe*"],
"Resource": "*"
},
{
"Sid": "THISLIMITSACCESSTOOWNINSTANCES",
"Effect": "Allow",
"Action": ["ec2:RebootInstances","ec2:StartInstances",
"ec2:StopInstances","ec2:TerminateInstances"],
"Resource":"arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {"StringEquals":
{"ec2:ResourceTag/Owner": "${aws:username}"}}
}
]
}

New Version is required here
because we’re using variables
Allows seeing everything from
the EC2 console.

Allowed only if this tag
condition is true
Use variables for the owner
tag
Amazon DynamoDB
Fine-Grained Access Control

New
Enables Sub-table and Per-action Access Control
GetItem
BatchGetItem
Query
GetItem
BatchGetItem
Query
PutItem
UpdateItem
BatchWriteItem

Horizontal or vertical access control

Read-only or read-write access
DynamoDB Fine-Grained Access Control
• Grant or deny access to individual items by hiding tables or
index information
– Horizontally by matching primary key values
– Vertically by controlling which attributes are visible

• Use policy conditions to define level of access
– dynamodb:LeadingKeys – access items where the hash key value matches a
unique identifier (ex: aws:userid policy variable)
– dynamodb:Attributes – allows access to only a subset of attributes
– StringEqualsIfExists clause – ensures the app must always provide a list
of attributes to act opon

• You must include all primary and index key attributes if you use
dynamodb:Attributes
Configuring Fine-Grained Access Control
Demo
Example: Restricting Access to a Table
{
"Version": "2012-10-17",
New
"Statement": [{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem", "dynamodb:BatchGetItem","dynamodb:Query",
"dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"],
"Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
"dynamodb:Attributes": [
"UserId","GameTitle","Wins","Losses",
"TopScore","TopScoreDateTime"]
},
"StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
}
}
]
}

Version is required
Hash key value must match the
user’s ID. Results will be
horizontally filtered.

Only return these attributes.
Results will be vertically filtered.
App must specify attributes.
Cannot request all.

Note that Scan is not included, because Scan would provide access to all of the leading keys
Let’s Finish Up with Enforcement
Policy Enforcement
• Remember policies can come from multiple places
– IAM users, roles, and groups
– AWS resources (S3, SQS, & SNS)
– Passed through federated users

• Well-defined evaluation logic
–
–
–
–

A request can be allowed or denied
“Deny” trumps “Allow”
If not allowed, request is denied by default
Permissions are union of all policies
Determining if a Request is Allowed or Denied
1
Decision
starts at Deny

2

3
Evaluate all
Applicable
policies

• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the action
& conditions are evaluated

Is there an
explicit
deny?

Yes

4

No

Is there an
Allow?

No

Yes

Final decision =“deny”
(explicit deny)

Final decision =“allow”

• If a policy statement
has a deny, it trumps
all other policies

• Access is granted
if there is an
explicit allow and
no deny

5
Final decision =“deny”
(default deny)
• By default, a
implicit (default)
deny is returned
Testing Policies Using the Policy Simulator
Demo
https://policysim.aws.amazon.com
Summary
• IAM provides access control for your AWS account
• Use the policy language to allow or deny granular access to AWS
resources
– Users are denied access by default
– Denys trump allow

• All policies (user, group, resource-based) are evaluated for
authorization
• Use policy variables - they make life better!
– Simplifies policy management
– Reduces the need for individual user policies

• We're continuously enabling more granular control
– EC2 / RDS Resource-level permissions
– DynamoDB fine-grained access control
Additional Resources
•
•
•
•
•

IAM detail page: http://aws.amazon.com/iam
AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
Documentation: http://aws.amazon.com/documentation/iam/
AWS Security Blog: http://blogs.aws.amazon.com/security
Twitter: @AWSIdentity
All IAM-Related Sessions at re:Invent
ID

Title

Time, Room

CPN205

Securing Your Amazon EC2 Environment with AWS IAM
Roles and Resource-Based Permissions

Wed 11/13 11am, Delfino 4003

SEC201

Access Control for the Cloud: AWS Identity and Access
Management (IAM)

Wed 11/13 1.30pm, Marcello 4406

SEC301

TOP 10 IAM Best Practices

Wed 11/13 3pm, Marcello 4503

SEC302

Mastering Access Control Policies

Wed 11/13 4.15pm, Venetian A

SEC303

Delegating Access to Your AWS Environment

Thu 11/14 11am, Venetian A

Come talk security with AWS

Thu 11/14 4pm, Toscana 3605
Please give us your feedback on this
presentation

SEC302
As a thank you, we will select prize
winners daily for completed surveys!

More Related Content

What's hot

(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...Amazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
 
AWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWSAWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWSAmazon Web Services
 
Keynote: Future of IT - future of enterprise it Canada
Keynote: Future of IT - future of enterprise it CanadaKeynote: Future of IT - future of enterprise it Canada
Keynote: Future of IT - future of enterprise it CanadaAmazon Web Services
 
Migrate your Data Warehouse to Amazon Redshift - September Webinar Series
Migrate your Data Warehouse to Amazon Redshift - September Webinar SeriesMigrate your Data Warehouse to Amazon Redshift - September Webinar Series
Migrate your Data Warehouse to Amazon Redshift - September Webinar SeriesAmazon Web Services
 
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar SeriesImproving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar SeriesAmazon Web Services
 
BDA402 Deep Dive: Log analytics with Amazon Elasticsearch Service
BDA402 Deep Dive: Log analytics with Amazon Elasticsearch ServiceBDA402 Deep Dive: Log analytics with Amazon Elasticsearch Service
BDA402 Deep Dive: Log analytics with Amazon Elasticsearch ServiceAmazon Web Services
 
(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte Scale(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte ScaleAmazon Web Services
 
SEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOpsSEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & Compliance(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & ComplianceAmazon Web Services
 
AWS Webcast - Build high-scale applications with Amazon DynamoDB
AWS Webcast - Build high-scale applications with Amazon DynamoDBAWS Webcast - Build high-scale applications with Amazon DynamoDB
AWS Webcast - Build high-scale applications with Amazon DynamoDBAmazon Web Services
 
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyDeploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyAmazon Web Services
 
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...Amazon Web Services
 
(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best PracticesAmazon Web Services
 
AWS APAC Webinar Week - Understanding AWS Storage Options
AWS APAC Webinar Week - Understanding AWS Storage OptionsAWS APAC Webinar Week - Understanding AWS Storage Options
AWS APAC Webinar Week - Understanding AWS Storage OptionsAmazon Web Services
 
Deep Dive on Amazon S3 - March 2017 AWS Online Tech Talks
Deep Dive on Amazon S3 - March 2017 AWS Online Tech TalksDeep Dive on Amazon S3 - March 2017 AWS Online Tech Talks
Deep Dive on Amazon S3 - March 2017 AWS Online Tech TalksAmazon Web Services
 
Breaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - TorontoBreaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - TorontoAmazon Web Services
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the CloudAmazon Web Services
 
DevOps on AWS: Deep Dive on Infrastructure as Code - Toronto
DevOps on AWS: Deep Dive on Infrastructure as Code - TorontoDevOps on AWS: Deep Dive on Infrastructure as Code - Toronto
DevOps on AWS: Deep Dive on Infrastructure as Code - TorontoAmazon Web Services
 

What's hot (20)

(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
 
AWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWSAWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWS
 
Keynote: Future of IT - future of enterprise it Canada
Keynote: Future of IT - future of enterprise it CanadaKeynote: Future of IT - future of enterprise it Canada
Keynote: Future of IT - future of enterprise it Canada
 
Migrate your Data Warehouse to Amazon Redshift - September Webinar Series
Migrate your Data Warehouse to Amazon Redshift - September Webinar SeriesMigrate your Data Warehouse to Amazon Redshift - September Webinar Series
Migrate your Data Warehouse to Amazon Redshift - September Webinar Series
 
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar SeriesImproving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
 
BDA402 Deep Dive: Log analytics with Amazon Elasticsearch Service
BDA402 Deep Dive: Log analytics with Amazon Elasticsearch ServiceBDA402 Deep Dive: Log analytics with Amazon Elasticsearch Service
BDA402 Deep Dive: Log analytics with Amazon Elasticsearch Service
 
(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte Scale(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte Scale
 
SEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOpsSEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOps
 
(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & Compliance(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & Compliance
 
AWS Webcast - Build high-scale applications with Amazon DynamoDB
AWS Webcast - Build high-scale applications with Amazon DynamoDBAWS Webcast - Build high-scale applications with Amazon DynamoDB
AWS Webcast - Build high-scale applications with Amazon DynamoDB
 
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyDeploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
 
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
 
(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices
 
AWS APAC Webinar Week - Understanding AWS Storage Options
AWS APAC Webinar Week - Understanding AWS Storage OptionsAWS APAC Webinar Week - Understanding AWS Storage Options
AWS APAC Webinar Week - Understanding AWS Storage Options
 
Deep Dive on Amazon S3 - March 2017 AWS Online Tech Talks
Deep Dive on Amazon S3 - March 2017 AWS Online Tech TalksDeep Dive on Amazon S3 - March 2017 AWS Online Tech Talks
Deep Dive on Amazon S3 - March 2017 AWS Online Tech Talks
 
Deep Dive on Amazon S3
Deep Dive on Amazon S3Deep Dive on Amazon S3
Deep Dive on Amazon S3
 
Breaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - TorontoBreaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - Toronto
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the Cloud
 
DevOps on AWS: Deep Dive on Infrastructure as Code - Toronto
DevOps on AWS: Deep Dive on Infrastructure as Code - TorontoDevOps on AWS: Deep Dive on Infrastructure as Code - Toronto
DevOps on AWS: Deep Dive on Infrastructure as Code - Toronto
 

Viewers also liked

RMG204 Optimizing Costs with AWS - AWS re: Invent 2012
RMG204 Optimizing Costs with AWS - AWS re: Invent 2012RMG204 Optimizing Costs with AWS - AWS re: Invent 2012
RMG204 Optimizing Costs with AWS - AWS re: Invent 2012Amazon Web Services
 
AWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANA
AWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANAAWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANA
AWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANAAmazon Web Services
 
AWS Summit 2011: Customer Presentation - NYTimes
AWS Summit 2011: Customer Presentation - NYTimesAWS Summit 2011: Customer Presentation - NYTimes
AWS Summit 2011: Customer Presentation - NYTimesAmazon Web Services
 
Digital media in the aws cloud, hugo lerias
Digital media in the aws cloud, hugo leriasDigital media in the aws cloud, hugo lerias
Digital media in the aws cloud, hugo leriasAmazon Web Services
 
Accelerating Organizations with Flexible IT - AWS Summit 2012 - NYC
Accelerating Organizations with Flexible IT - AWS Summit 2012 - NYCAccelerating Organizations with Flexible IT - AWS Summit 2012 - NYC
Accelerating Organizations with Flexible IT - AWS Summit 2012 - NYCAmazon Web Services
 
AWS Sydney Summit 2013 - Understanding your AWS Storage Options
AWS Sydney Summit 2013 - Understanding your AWS Storage OptionsAWS Sydney Summit 2013 - Understanding your AWS Storage Options
AWS Sydney Summit 2013 - Understanding your AWS Storage OptionsAmazon Web Services
 
AWS Webcast - Build Agile Applications in AWS Cloud
AWS Webcast - Build Agile Applications in AWS CloudAWS Webcast - Build Agile Applications in AWS Cloud
AWS Webcast - Build Agile Applications in AWS CloudAmazon Web Services
 
AWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows Server
AWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows ServerAWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows Server
AWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows ServerAmazon Web Services
 
February 2016 Webinar Series Migrate Your Apps from Parse to AWS
February 2016 Webinar Series   Migrate Your Apps from Parse to AWSFebruary 2016 Webinar Series   Migrate Your Apps from Parse to AWS
February 2016 Webinar Series Migrate Your Apps from Parse to AWSAmazon Web Services
 
AWS Cloud School - London April 2012
AWS Cloud School - London April 2012AWS Cloud School - London April 2012
AWS Cloud School - London April 2012Amazon Web Services
 
AWS Sydney Summit 2013 - Technical Lessons on How to do DR in the Cloud
AWS Sydney Summit 2013 - Technical Lessons on How to do DR in the CloudAWS Sydney Summit 2013 - Technical Lessons on How to do DR in the Cloud
AWS Sydney Summit 2013 - Technical Lessons on How to do DR in the CloudAmazon Web Services
 
Scaling the Platform for Your Startup
Scaling the Platform for Your StartupScaling the Platform for Your Startup
Scaling the Platform for Your StartupAmazon Web Services
 
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...Amazon Web Services
 
REA Sydney Customer Appreciation Day
REA Sydney Customer Appreciation DayREA Sydney Customer Appreciation Day
REA Sydney Customer Appreciation DayAmazon Web Services
 
Un backend: pour tous vos objets connectés
Un backend: pour tous vos objets connectésUn backend: pour tous vos objets connectés
Un backend: pour tous vos objets connectésAmazon Web Services
 
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud Amazon Web Services
 
MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012Amazon Web Services
 
Using Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWSUsing Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWSAmazon Web Services
 

Viewers also liked (20)

RMG204 Optimizing Costs with AWS - AWS re: Invent 2012
RMG204 Optimizing Costs with AWS - AWS re: Invent 2012RMG204 Optimizing Costs with AWS - AWS re: Invent 2012
RMG204 Optimizing Costs with AWS - AWS re: Invent 2012
 
AWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANA
AWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANAAWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANA
AWS Partner Webcast - Make Decisions Faster with AWS and SAP on HANA
 
AWS Summit 2011: Customer Presentation - NYTimes
AWS Summit 2011: Customer Presentation - NYTimesAWS Summit 2011: Customer Presentation - NYTimes
AWS Summit 2011: Customer Presentation - NYTimes
 
Digital media in the aws cloud, hugo lerias
Digital media in the aws cloud, hugo leriasDigital media in the aws cloud, hugo lerias
Digital media in the aws cloud, hugo lerias
 
Accelerating Organizations with Flexible IT - AWS Summit 2012 - NYC
Accelerating Organizations with Flexible IT - AWS Summit 2012 - NYCAccelerating Organizations with Flexible IT - AWS Summit 2012 - NYC
Accelerating Organizations with Flexible IT - AWS Summit 2012 - NYC
 
AWS Sydney Summit 2013 - Understanding your AWS Storage Options
AWS Sydney Summit 2013 - Understanding your AWS Storage OptionsAWS Sydney Summit 2013 - Understanding your AWS Storage Options
AWS Sydney Summit 2013 - Understanding your AWS Storage Options
 
AWS Webcast - Build Agile Applications in AWS Cloud
AWS Webcast - Build Agile Applications in AWS CloudAWS Webcast - Build Agile Applications in AWS Cloud
AWS Webcast - Build Agile Applications in AWS Cloud
 
AWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows Server
AWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows ServerAWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows Server
AWS Webcast - Launch & Learn: Amazon EC2 for Microsoft Windows Server
 
6 rules for innovation
6 rules for innovation6 rules for innovation
6 rules for innovation
 
February 2016 Webinar Series Migrate Your Apps from Parse to AWS
February 2016 Webinar Series   Migrate Your Apps from Parse to AWSFebruary 2016 Webinar Series   Migrate Your Apps from Parse to AWS
February 2016 Webinar Series Migrate Your Apps from Parse to AWS
 
AWS Cloud School - London April 2012
AWS Cloud School - London April 2012AWS Cloud School - London April 2012
AWS Cloud School - London April 2012
 
AWS Sydney Summit 2013 - Technical Lessons on How to do DR in the Cloud
AWS Sydney Summit 2013 - Technical Lessons on How to do DR in the CloudAWS Sydney Summit 2013 - Technical Lessons on How to do DR in the Cloud
AWS Sydney Summit 2013 - Technical Lessons on How to do DR in the Cloud
 
Scaling the Platform for Your Startup
Scaling the Platform for Your StartupScaling the Platform for Your Startup
Scaling the Platform for Your Startup
 
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
 
REA Sydney Customer Appreciation Day
REA Sydney Customer Appreciation DayREA Sydney Customer Appreciation Day
REA Sydney Customer Appreciation Day
 
Un backend: pour tous vos objets connectés
Un backend: pour tous vos objets connectésUn backend: pour tous vos objets connectés
Un backend: pour tous vos objets connectés
 
Canberra Symposium Keynote
Canberra Symposium KeynoteCanberra Symposium Keynote
Canberra Symposium Keynote
 
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
 
MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012
 
Using Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWSUsing Security to Build with Confidence in AWS
Using Security to Build with Confidence in AWS
 

Similar to Mastering Access Control Policies (SEC302) | AWS re:Invent 2013

Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control PoliciesAmazon Web Services
 
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or LessAmazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaAmazon Web Services
 
Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG   Deep dive IAM 2 - no json101Windsor AWS UG   Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101Goran Karmisevic
 
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014(SEC303) Mastering Access Control Policies | AWS re:Invent 2014
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014Amazon Web Services
 
best aws training in bangalore
best aws training in bangalorebest aws training in bangalore
best aws training in bangalorerajkamal560066
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)Amazon Web Services
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityAmazon Web Services
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
 
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on awsAWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on awsAWS Riyadh User Group
 
(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live ByAmazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change: Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change: Amazon Web Services
 

Similar to Mastering Access Control Policies (SEC302) | AWS re:Invent 2013 (20)

Policy Ninja
Policy NinjaPolicy Ninja
Policy Ninja
 
Become an IAM Policy Ninja
Become an IAM Policy NinjaBecome an IAM Policy Ninja
Become an IAM Policy Ninja
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control Policies
 
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
 
SID314_IAM Policy Ninja
SID314_IAM Policy NinjaSID314_IAM Policy Ninja
SID314_IAM Policy Ninja
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
 
Policy Ninja
Policy NinjaPolicy Ninja
Policy Ninja
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy Ninja
 
Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG   Deep dive IAM 2 - no json101Windsor AWS UG   Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101
 
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014(SEC303) Mastering Access Control Policies | AWS re:Invent 2014
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014
 
best aws training in bangalore
best aws training in bangalorebest aws training in bangalore
best aws training in bangalore
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS Security
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
 
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on awsAWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
 
Becoming an IAM Policy Ninja
Becoming an IAM Policy NinjaBecoming an IAM Policy Ninja
Becoming an IAM Policy Ninja
 
(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change: Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change:
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsDianaGray10
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 

Recently uploaded (20)

The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 

Mastering Access Control Policies (SEC302) | AWS re:Invent 2013

  • 1. Mastering Access Control Policies Jeff Wierer, Identity and Access Management November 13, 2013 © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 2. Goals • Know more about securing your AWS resources • Get a deeper understanding of the policy language • Learn some tips and tricks for most frequently asked tasks • Keep this a lively session via demos – – – – Amazon S3 AWS IAM Amazon EC2 Amazon DynamoDB
  • 3. Before getting too deep… Let’s level set on Identity and Access Management
  • 4. Why IAM? • One of customers’ biggest concerns when moving to the cloud CONTROL • What do I do if… – – – – I want to control “Who can do what”? I want to implement security best practices? I want to be at least as secure as on premises? One of my employees leaves the company?
  • 5. IAM Provides Granular Control to your AWS Account You can grant or deny access by defining: • Who can access your resources • What actions they can take • Which resources they can access • How will they access your resources This is described using a policy language
  • 6. The Access Control Policy Language
  • 7. The Policy Language is about Authorization • Two facets: – Specification: defining access policies – Enforcement: evaluating policies
  • 9. Policies • JSON-formatted documents • Contain statements (permissions) which specify: S3 Read-Only Access { "Statement": [ { "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*" } ] – What actions a principal can perform – Which resources can be accessed } Example of an IAM user/group/role access policy
  • 10. Anatomy of a statement { "Statement":[{ "Effect":"effect", "Principal":"principal", "Action":"action", "Resource":"arn", "Condition":{ "condition":{ "key":"value" } } } ] } Principal Action Resource Conditions Conditions on request-time metadata • IP Address • UserAgent • date/time Effect: Allow Principal:123456789012:user/bob Action: s3:* Resource: jeff_bucket/* Condition: Referer = example.com Effect: Deny Principal:123456789012:user/jim Action: s3:DeleteBucket Resource: jeff_bucket Condition: Referer = example.com
  • 11. Principal - Examples • An entity that is allowed or denied access to a resource • Principal element required for resource-based policies <!-- Everyone (anonymous users) --> "Principal":"AWS":"*.*" <!-- Specific account or accounts --> "Principal":{"AWS":"arn:aws:iam::account-number-without-hyphens:root" } "Principal":{"AWS":"account-number-without-hyphens"} <!-- Individual IAM user --> "Principal":"AWS":"arn:aws:iam::account-number-without-hyphens:user/username" <!-- Federated user (using web identity federation) --> "Principal":{"Federated":"www.amazon.com"} "Principal":{"Federated":"graph.facebook.com"} "Principal":{"Federated":"accounts.google.com"} <!-- Specific role --> "Principal":{"AWS":["arn:aws:iam::account-number-without-hyphens:role/rolename"]} <!-- Specific service --> "Principal":{"Service":["ec2.amazonaws.com"]}
  • 12. Action - Examples • Describes the type of access that should be allowed or denied • Statements must include either an Action or NotAction element <!-- EC2 action --> "Action":"ec2:StartInstances" <!-- IAM action --> "Action":"iam:ChangePassword" <!-- S3 action --> "Action":"s3:GetObject“ <!-- Specify multiple values for the Action element--> "Action":["sqs:SendMessage","sqs:ReceiveMessage"] <--Use wildcards (* or ?) as part of the action name. "Action":"iam:*AccessKey*" This would cover Create/Delete/List/Update-->
  • 13. Understanding NotAction • • • Lets you specify an exception to a list of actions Can sometimes result in shorter policies than using Action and denying many actions Example: Let’s say you want to allow everything but IAM APIs { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }, { "Effect": "Deny", "Action": "iam:*", "Resource": "*" } ] { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] Notice the or difference? } } This is not a Deny. A user could still have a separate policy that grants IAM:* If you want to prevent the user from ever being able to call IAM APIs use an explicit deny
  • 14. Resource - Examples • The object or objects that are being requested • Statements must include either a Resource or a NotResource element <-- S3 Bucket --> "Resource":"arn:aws:s3:::my_corporate_bucket/*“ <-- SQS queue--> "Resource":"arn:aws:sqs:us-west-2:account-number-without-hyphens:queue1" <-- IAM user --> "Resource":"arn:aws:iam::account-number-without-hyphens:user/Bob" <-- Multiple DynamoDB tables --> "Resource":["arn:aws:dynamodb:us-west-2:account-number-without-hyphens:table/books_table", "arn:aws:dynamodb:us-west-2:account-number-without-hyphens:table/magazines_table"] <-- All EC2 instances for an account in a region --> "Resource": "arn:aws:ec2:us-east-1:account-number-without-hyphens:instance/*"
  • 15. Resource-Based Policies vs. IAM Policies • IAM policies live with – IAM Users – IAM Groups – IAM Roles { Principal required here "Statement": { "Sid":"Queue1_SendMessage", "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1" } • Some services allow storing policy with resources – S3 (bucket policy) – SNS (topic policy) – SQS (queue policy) }
  • 16. Conditions • • • • • Conditions are optional Condition element can contain multiple Condition Element conditions Condition 1: Condition keys can contains multiple Key1: Value1A OR Value1BOR Value 1C values AND If a single condition includes multiple Key2: Value2A OR Value2B values for one key, the condition is evaluated using logical OR AND multiple conditions (or multiple keys in Condition 2: a single condition) the conditions are evaluated using logical AND Key3: Value3A
  • 17. Condition Example AND "Condition" : { "DateGreaterThan" : {"aws:CurrentTime" : "2013-08-16T12:00:00Z"}, "DateLessThan": {"aws:CurrentTime" : "2013-08-16T15:00:00Z"}, "IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]} } OR Allows a user to access a resource under the following conditions: • The time is after 12:00 p.m. on 8/16/2013 • The time is before 3:00 p.m. on 8/16/2013 • The request comes from an IP address in the 192.0.2.0 /24 or 203.0.113.0 /24 range
  • 19. Policy Variables • Example use cases – Allows users to self-manage their own credentials – Easily set up user access to “home folder” in S3 – Manage EC2 resources using tags • Benefits – Reduces the need for user specific policies – Simplifies overall management • Variables based on request context – Existing keys (aws:SourceIP, DateTime, etc.) – New keys (aws:username, aws:userid, aws:principaltype, others) – Provider-specific keys (graph.facebook.com:id, www.amazon.com:user_id)
  • 20. The Anatomy of a Policy with Variables New Version is required { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myBucket"], "Condition": {"StringLike": {"s3:prefix":["home/${aws:userid}/*"]} } }, { "Effect":"Allow", "Action":["s3:*"], "Resource": ["arn:aws:s3:::myBucket/home/${aws:userid}", "arn:aws:s3:::myBucket/home/${aws:userid}/*"] } ] } Grants a user a home directory in S3 that can be accessed programmatically Variable in conditions Variable in resource ARNs
  • 21. Creating an S3 Home Directory Demo
  • 22. Giving a User a Home Directory From S3 Console { "Version": "2012-10-17", "Statement": [ {"Sid": "AllowGroupToSeeBucketListInTheManagementConsole", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Effect": "Allow", "Resource": ["arn:aws:s3:::*"]}, {"Sid": "AllowRootLevelListingOfThisBucketAndHomePrefix", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::myBucket"], "Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}}, {"Sid": "AllowListBucketofASpecificUserPrefix", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::myBucket"], "Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}}, {"Sid":"AllowUserFullAccesstoJustSpecificUserPrefix", "Action":["s3:*"], "Effect":"Allow", "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}", "arn:aws:s3:::myBucket/home/${aws:username}/*"]} ] } Necessary to access the S3 console Allows listing all objects in a folder + its subfolders Allows modifying objects in the folder + subfolders
  • 23. Allowing an IAM User to Self-manage Secrets Demo
  • 24. Grant a User Access to the IAM Console { "Version": "2012-10-17", "Statement": [{ "Sid": "ViewListOfAllUsers", "Action": ["iam:ListUsers"], "Effect": "Allow", "Resource": ["arn:aws:iam::123456789012:user/*"] }, { "Sid": "AllowUserToSeeListOfOwnStuff", "Action": ["iam:GetUser","iam:GetLoginProfile", "iam:ListGroupsForUser","iam:ListAccessKeys"], "Effect": "Allow", "Resource": ["arn:aws:iam::123456789012:user/${aws:username}"] } ] } • Underneath the covers the IAM console calls these APIs • Keep in mind the user will be able to view limited details about all users • The IAM user will not be able to modify the other IAM users settings • Alternatively, use the CLI
  • 25. Allow IAM User to “Self-manage” from Console { "Version": "2012-10-17", "Statement": [ { "Action": ["iam:*AccessKey*","iam:*SigningCertificate*"], "Effect": "Allow", "Resource": ["arn:aws:iam::123456789012:user/${aws:username}"] } ] } Edit these actions if you want to modify user permissions
  • 26. Allowing an IAM user to self-manage vMFA Demo
  • 27. Allow User to Manage Own Virtual MFA from IAM Console { "Version": "2012-10-17", "Statement": [ { "Action": ["iam:CreateVirtualMFADevice","iam:DeleteVirtualMFADevice"], "Effect": "Allow", "Resource": "arn:aws:iam::123456789012:mfa/${aws:username}" }, { "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"], "Effect": "Allow", "Resource": "arn:aws:iam::123456789012:user/${aws:username}" }, { "Action": ["iam:ListVirtualMFADevices"], "Effect": "Allow", "Resource": "arn:aws:iam::123456789012:mfa/*" } ] }
  • 28. Amazon EC2 Resource Permissions
  • 29. What Changes with EC2 Permissions • Previously policies applied to all EC2 resources • Permissions can now be set per-resource • Ex: assign which users can stop, start, or terminate a particular instance
  • 30. EC2 Policies Before Resource Permissions { "Statement": [{ "Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource":"*" } ] }
  • 31. EC2 Policies After Resource Permissions { "Statement": [{ "Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource":"*", "Condition": { "StringEquals": {"ec2:ResourceTag/department": "dev"} } } ] }
  • 32. EC2 Policies After Resource Permissions { "Statement": [{ "Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*", "Condition": { "StringEquals": {"ec2:ResourceTag/department": "dev"} } } ] }
  • 33. EC2 Policies After Resource Permissions { "Statement": [{ "Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-abc12345" } ] }
  • 34. Supported Resource Types Supports many different resource types, including: • Customer gateway • DHCP options set • Image • Instance • Instance profile • • • • Internet gateway Key pair Network ACL Network interface • Placement group • • • • • • Route table Security group Snapshot Subnet Volume VPC
  • 35. APIs Currently Supported Type of Resource Actions EC2 Instances StartInstances, StopInstances, RebootInstances, TerminateInstances, RunInstance1 Customer gateway DeleteCustomerGateway DHCP Options Sets DeleteDhcpOptions Internet Gateways DeleteInternetGateway Network ACLs DeleteNetworkAcl, DeleteNetworkAclEntry Route Tables DeleteRoute, DeleteRouteTable Security Groups AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, DeleteSecurityGroup, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress Volumes AttachVolume, DeleteVolume, DetachVolume 1Coming Soon Accurate as of 11/13/2013
  • 36. Categorize Your Resources • Use tags as a resource attribute – – – – Allows user-defined models “Prod”/”Dev” “Cost Center X” “Department Y”
  • 37. Using Amazon EC2 resource-level permissions Demo
  • 38. Locking Down Access to EC2 Instances { "Version": "2012-10-17", "Statement": [ { "Sid": "THISALLOWSEC2READACCESS", "Effect": "Allow", "Action": ["ec2:Describe*","elasticloadbalancing:Describe*", "cloudwatch:ListMetrics","cloudwatch:GetMetricStatistics", "cloudwatch:Describe*","autoscaling:Describe*"], "Resource": "*" }, { "Sid": "THISLIMITSACCESSTOOWNINSTANCES", "Effect": "Allow", "Action": ["ec2:RebootInstances","ec2:StartInstances", "ec2:StopInstances","ec2:TerminateInstances"], "Resource":"arn:aws:ec2:us-east-1:123456789012:instance/*", "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}} } ] } New Version is required here because we’re using variables Allows seeing everything from the EC2 console. Allowed only if this tag condition is true Use variables for the owner tag
  • 40. Enables Sub-table and Per-action Access Control GetItem BatchGetItem Query GetItem BatchGetItem Query PutItem UpdateItem BatchWriteItem Horizontal or vertical access control Read-only or read-write access
  • 41. DynamoDB Fine-Grained Access Control • Grant or deny access to individual items by hiding tables or index information – Horizontally by matching primary key values – Vertically by controlling which attributes are visible • Use policy conditions to define level of access – dynamodb:LeadingKeys – access items where the hash key value matches a unique identifier (ex: aws:userid policy variable) – dynamodb:Attributes – allows access to only a subset of attributes – StringEqualsIfExists clause – ensures the app must always provide a list of attributes to act opon • You must include all primary and index key attributes if you use dynamodb:Attributes
  • 43. Example: Restricting Access to a Table { "Version": "2012-10-17", New "Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem","dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"], "Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"], "dynamodb:Attributes": [ "UserId","GameTitle","Wins","Losses", "TopScore","TopScoreDateTime"] }, "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"} } } ] } Version is required Hash key value must match the user’s ID. Results will be horizontally filtered. Only return these attributes. Results will be vertically filtered. App must specify attributes. Cannot request all. Note that Scan is not included, because Scan would provide access to all of the leading keys
  • 44. Let’s Finish Up with Enforcement
  • 45. Policy Enforcement • Remember policies can come from multiple places – IAM users, roles, and groups – AWS resources (S3, SQS, & SNS) – Passed through federated users • Well-defined evaluation logic – – – – A request can be allowed or denied “Deny” trumps “Allow” If not allowed, request is denied by default Permissions are union of all policies
  • 46. Determining if a Request is Allowed or Denied 1 Decision starts at Deny 2 3 Evaluate all Applicable policies • AWS retrieves all policies associated with the user and resource • Only policies that match the action & conditions are evaluated Is there an explicit deny? Yes 4 No Is there an Allow? No Yes Final decision =“deny” (explicit deny) Final decision =“allow” • If a policy statement has a deny, it trumps all other policies • Access is granted if there is an explicit allow and no deny 5 Final decision =“deny” (default deny) • By default, a implicit (default) deny is returned
  • 47. Testing Policies Using the Policy Simulator Demo https://policysim.aws.amazon.com
  • 48. Summary • IAM provides access control for your AWS account • Use the policy language to allow or deny granular access to AWS resources – Users are denied access by default – Denys trump allow • All policies (user, group, resource-based) are evaluated for authorization • Use policy variables - they make life better! – Simplifies policy management – Reduces the need for individual user policies • We're continuously enabling more granular control – EC2 / RDS Resource-level permissions – DynamoDB fine-grained access control
  • 49. Additional Resources • • • • • IAM detail page: http://aws.amazon.com/iam AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76 Documentation: http://aws.amazon.com/documentation/iam/ AWS Security Blog: http://blogs.aws.amazon.com/security Twitter: @AWSIdentity
  • 50. All IAM-Related Sessions at re:Invent ID Title Time, Room CPN205 Securing Your Amazon EC2 Environment with AWS IAM Roles and Resource-Based Permissions Wed 11/13 11am, Delfino 4003 SEC201 Access Control for the Cloud: AWS Identity and Access Management (IAM) Wed 11/13 1.30pm, Marcello 4406 SEC301 TOP 10 IAM Best Practices Wed 11/13 3pm, Marcello 4503 SEC302 Mastering Access Control Policies Wed 11/13 4.15pm, Venetian A SEC303 Delegating Access to Your AWS Environment Thu 11/14 11am, Venetian A Come talk security with AWS Thu 11/14 4pm, Toscana 3605
  • 51. Please give us your feedback on this presentation SEC302 As a thank you, we will select prize winners daily for completed surveys!