Secure Amazon EC2 Environment with AWS IAM & Resource-Based Permissions (CPN205) | AWS re:Invent 2013

Customers with multiple AWS administrators need a way to control who can do what in their Amazon EC2 environment to ensure both security and availability. This session demonstrates how to secure your Amazon EC2 environment using IAM roles and resource-based permissions.


Transcript

  • 1. Securing Your Amazon EC2 Environment with IAM Roles and Resource-Based Permissions Derek Lyon, Principal Product Manager (AWS) November 13, 2013 © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Friday, November 15, 13
  • 2. Agenda
    • Orientation
    • Roles for EC2 Instances
    • EC2 Resource-level Permissions
    • Coming Soon: Permissions for RunInstances
    • Iterating and Debugging
    • Additional Resources
  • 9. Orientation
    • We’ll focus on authorization and credential issues in order to address “Who can do what?” type problems
    • We’ll often speak at the API level, though the approaches apply in the console and tools as well
    • We’ll assume that you have created Users and Instances before, and likely a lot more than just that
    • We’ll take an Amazon EC2-centric view
  • 11. Roles for EC2 Instances
  • 19. What is a Role?
    • Roles describe a set of capabilities
    • Roles can be assumed by Users
    • Roles can also be passed to Instances
    • A User can only assume one Role at a time
    • Role permissions are established by policies
    • Role credentials have pre-set expiration times
    • They are a great way to manage permissions
  • 24. A Simple Example
    • I define a “web-admin” Role
    • I give the “web-admin” Role permission to run and terminate web servers (and possibly more…)
    • I grant several Users permission to assume the “web-admin” Role
    • Those Users can assume the “web-admin” role and then run and terminate web servers
  • 28. What About Programmatic Users?
    • Now, suppose I want an application to be able to take actions — how can it do that?
    • One common anti-pattern is to create a “User” and save the User’s credentials somewhere the application can access them (for example, in a file)
    • Don’t do this!!
  • 34. What About Programmatic Users?
    • Instead, use an Instance Profile to deliver Role credentials to your applications
    • Role credentials are passed to the instance via the Instance Profile automatically
    • Credentials are automatically rotated
    • No credentials in source repositories
    • Visibility into which Instances have which Roles
  • 39. Use Cases
    • My web server needs access to an Amazon S3 bucket, an Amazon SQS queue, and an Amazon SNS topic
    • I need a cron job to be able to periodically take snapshots of Amazon EBS volumes on my database servers
    • My management server needs to be able to run, describe, and terminate instances
    • My application needs to be able to describe the Instance it is running on in order to bootstrap itself
  • 49. Roles for Amazon EC2 in 3 Steps
    • Step 1: Create the Role
    • Step 2: Deploy the Role to an Instance
    • Step 3: Use the Role on the Instance
  • 52. More on Instance Profiles
    • Credentials are available via the instance metadata or available automatically through many AWS tools
    • Processes on the instance can use the credentials to make API calls
    • Easy way to avoid doing dumb things like checking in hard-coded credentials to source repositories
  • 53. Additional Considerations
    • Any process or user on the instance with access to the instance metadata can access the credentials
    • Instances with Roles need to enforce their own access controls if users will have SSH access, etc.
    • Role policies can be changed at any time, but Roles need to be added to instances at initial run time
  • 54. Other Uses for Roles
    • Beyond their usage in Instance Profiles, Roles can also help solve other identity and access problems
    • Other AWS services can use Roles to take actions in your account subject to the Role’s policy
    • Roles for cross-account access enable you to provide external parties access to your account
    • You can let Users with Web Identities assume Roles to take actions in your account, too
  • 56. Amazon EC2 Resource-level Permissions
  • 59. Fine-Grained Authorization
    • Roles help me manage identities, but how do I control what those identities can do?
    • Also, that “read-only” policy wasn’t very exciting — how can I use these tools to do something more interesting?
  • 65. Resource-level Permissions
    • Available for many AWS services, but we will focus on Amazon EC2 resource-level permissions
    • Enables fine-grained controls over individual resources using an IAM policy
    • Enables controls over multiple resources based on attributes of the resources using an IAM policy
    • Supports tag-based authorization models
    • Supports any IAM principal, including Roles
  • 71. Sample Use Cases
    • A User can start/stop/terminate certain instances
    • A User can attach certain volumes to an instance
    • Only Admins can modify certain Security Groups
    • Segregate “prod” and “dev” resources and set different permissions for each set of resources
    • Make actions on sensitive resources conditional on additional security steps, such as MFA
  • 76. How does this work?
    • Resource-level permissions enable you to construct fine-grained IAM policies
    • Attach these policies to an IAM principal, e.g. “Bob”, and the principal will be restricted by the policy
    • Policies are enforced at the API level, regardless of whether Bob uses the console, tools, etc.
    • Policies are evaluated at runtime and will either allow or deny the principal to perform a particular action
  • 85. In Practice — Example 1
    • Suppose “Bob” should be able to stop one instance, but not another — how do I enable this?
    • First, an administrator adds a resource-level policy to “Bob” enabling him to stop only one particular instance
    • Once the policy has been applied, Bob tries to stop the instance and succeeds
    • If he tries to stop another instance, he gets an authorization error
  • 96. In Practice — Example 2
    • Now, suppose I have a lot of instances and I don’t want to write a policy for each one
    • Allow Bob the ability to stop instances with the tag “stack=dev”
    • Deny Bob the ability to stop instances with the tag “stack=prod”
    • Once the policy has been applied, Bob tries to stop the instance with the tag “stack=dev” and succeeds
    • If he tries to stop an instance with the tag “stack=prod” then he gets an authorization error
  • 111. How do these policies work?
    • IAM Policies follow a “PARC” model:
      – Principal
      – Action
      – Resource
      – Conditions
    • Principal:
      – The User, Group, or Role the policy is attached to
      – For example, “Bob”
    • Action:
      – The Action to be performed
      – Typically maps to an API Action
      – For example, “ec2:StopInstances”
    • Resource:
      – The Resource involved in the Action
      – For example, Instance i-7216622f
    • Conditions:
      – Optional additional parameters
      – For example, check for “ec2:ResourceTag/stack” : “dev”
    • Policy skeleton:
      {
        "Statement": [{
          "Effect": "effect",
          "Action": "action",
          "Resource": "arn",
          "Condition": {
            "condition": {
              "key": "value"
            }
          }
        }]
      }
    • Policy definition and management is provided by IAM
    • Actions, Resources, and many Conditions are provided by services, such as Amazon EC2
    • Documented by IAM and Amazon EC2
  • 123. In Practice — Example 3
    • What about complex actions that involve multiple resources?
    • Allow Bob to attach Volumes with the tag “stack=dev” to Instances with the tag “stack=dev”
    • First, consult the documentation to determine which resources and conditions are supported
    • The policy allows Bob to perform AttachVolume
    • The policy will apply to both Volumes and Instances
    • Both the Volume and the Instance must have the tag “stack=dev” on them
    • Bob can attach a Volume with the tag “stack=dev” to an instance with the tag “stack=dev”
    • Bob cannot attach a Volume with the tag “stack=prod” to an instance with the tag “stack=dev”
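To make the PARC skeleton and the three worked examples concrete, here is an added Python evaluator (not from the talk or from AWS) that applies the rules the slides describe, default deny and explicit Deny beating Allow, to the policies of Examples 1, 2 and 3. The account id, region and every instance/volume id except i-7216622f are constructed, and only the StringEquals operator on ec2:ResourceTag is modelled.

```python
import fnmatch

# Constructed account/region prefix. i-7216622f is the instance id on the slides;
# the other ids are made up for this demo.
ARN_PREFIX = "arn:aws:ec2:us-east-1:123456789012"
INST_ONE = ARN_PREFIX + ":instance/i-7216622f"
INST_TWO = ARN_PREFIX + ":instance/i-1a2b3c4d"
VOL_DEV = ARN_PREFIX + ":volume/vol-0a0a0a0a"
VOL_PROD = ARN_PREFIX + ":volume/vol-0b0b0b0b"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _tags_satisfy(condition, tags):
    """Only StringEquals on ec2:ResourceTag/<key> is modelled, which is all the
    slides' examples use. A resource missing the tag never satisfies it."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise ValueError(f"condition key {key} not modelled")
            if tags.get(key[len("ec2:ResourceTag/"):]) not in _as_list(wanted):
                return False
    return True

def evaluate(policy, action, resources):
    """Decide one API call the way the slides describe IAM: default deny, an
    explicit Deny beats any Allow, and every resource the call touches
    (AttachVolume touches a volume AND an instance) needs a matching Allow.
    `resources` is a list of (arn, {tag_key: tag_value}) pairs."""
    for arn, tags in resources:
        allowed = False
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _tags_satisfy(stmt.get("Condition", {}), tags):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: nothing can override it
            allowed = True
        if not allowed:
            return "Deny"  # no Allow matched this resource: implicit deny
    return "Allow"

# Example 1: Bob may stop exactly one instance.
EXAMPLE1 = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": INST_ONE}]}

# Example 2: allow StopInstances on stack=dev, explicitly deny it on stack=prod.
EXAMPLE2 = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": ARN_PREFIX + ":instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "dev"}}},
    {"Effect": "Deny", "Action": "ec2:StopInstances", "Resource": ARN_PREFIX + ":instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "prod"}}}]}

# Example 3: AttachVolume applies to the volume and the instance; both must be stack=dev.
EXAMPLE3 = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:AttachVolume",
     "Resource": [ARN_PREFIX + ":volume/*", ARN_PREFIX + ":instance/*"],
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "dev"}}}]}

if __name__ == "__main__":
    print("ex1 stop i-7216622f:", evaluate(EXAMPLE1, "ec2:StopInstances", [(INST_ONE, {})]))
    print("ex2 stop stack=prod:", evaluate(EXAMPLE2, "ec2:StopInstances", [(INST_ONE, {"stack": "prod"})]))
    print("ex3 prod vol -> dev:", evaluate(EXAMPLE3, "ec2:AttachVolume",
                                           [(VOL_PROD, {"stack": "prod"}), (INST_ONE, {"stack": "dev"})]))
```

Note that an untagged instance is denied under Example 2 as well: neither the Allow nor the Deny matches, so IAM's default deny applies.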
  • 126. Best Practices
    • Develop an organization scheme for your resources that makes sense for your use case
    • Tags are usually the best way to organize resources
    • Rely on IAM’s default-deny model and focus on writing minimally-permissive “Allow” policies
    • Test policies to ensure the behavior is as expected
  • 127. Additional Considerations
    • If you are using tags as a basis for permissions, the tagging operations will now impact permissions and most users should not have access to them
    • Not all Amazon EC2 operations currently support resource-level permissions, so consult the documentation liberally
    • The same tags can be used for both permissions and tag-based billing
  • 129. Coming Soon: Permissions for RunInstances
  • 130. RunInstances Permissions
    • Control the AMIs and Snapshots “Bob” can use
    • Limit which Instance Types he can create
    • Limit the type and size of Volumes he can create
    • Limit which Subnets he can launch into
    • Limit which Security Groups he can launch into
    • Limit which Network Interface he can use
    • And more…
  • 132. Iterating and Debugging
  • 133. Dry-Run API Calls
    • Determines whether or not the API call would have been authorized, without actually processing it
    • Useful for verifying permissions for API calls like TerminateInstances, where the result of the API call is potentially impactful
    • Processed using the current state of the resource, just like regular API calls
  • 136. Encoded Error Messages
    • Included in authorization denied errors
      – EC2 API version 2013-06-15 and later
    • Can be decoded using the AWS STS API DecodeAuthorizationMessage
    • Includes information on the API call attempted and the policy applied
    • AWS STS API can be locked down using IAM to provide an administrator/user separation of duties if desired
  • 139. Putting it together
    • Create a test user with no permissions
    • Apply a policy to the test user
    • Make an API call as the test user with the Dry Run flag enabled
    • Verify the behavior is as expected
    • If not, inspect the Encoded Authorization Message
    • Adjust the policy as needed and iterate
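The dry-run check, the encoded-message decode and the "Putting it together" loop above, as an added Python example written against boto3 (not code from the talk or from AWS). It assumes boto3 is installed, that `ec2` is a client using the test user's credentials, and that `sts` is an administrator's client, since the slides note DecodeAuthorizationMessage can be locked down; the sample decoded message is constructed to follow the documented DecodedMessage shape and is not real STS output.

```python
import json
import re

# EC2 appends the opaque blob to UnauthorizedOperation errors (API version 2013-06-15+).
_ENCODED = re.compile(r"Encoded authorization failure message:\s*([A-Za-z0-9+/=_-]+)")

def extract_encoded_message(message):
    """Return the encoded blob from an EC2 authorization error text, or None."""
    match = _ENCODED.search(message or "")
    return match.group(1) if match else None

def classify_dry_run_error(code, message):
    """EC2 never executes a dry run: DryRunOperation means the caller is authorized,
    UnauthorizedOperation means denied (and may carry an encoded message)."""
    if code == "DryRunOperation":
        return "allowed", None
    if code == "UnauthorizedOperation":
        return "denied", extract_encoded_message(message)
    return "other", None

def summarize_decoded(decoded_message):
    """Pull what a policy author needs out of DecodeAuthorizationMessage's DecodedMessage
    (a JSON string): principal, action, resource, explicit-deny flag, evaluated tags."""
    doc = json.loads(decoded_message)
    ctx = doc.get("context", {})
    tags = {}
    for cond in ctx.get("conditions", {}).get("items", []):
        key = cond.get("key", "")
        if key.startswith("ec2:ResourceTag/"):
            tags[key.split("/", 1)[1]] = [v["value"] for v in cond.get("values", {}).get("items", [])]
    return {"allowed": doc.get("allowed", False),
            "explicit_deny": doc.get("explicitDeny", False),
            "principal": ctx.get("principal", {}).get("arn"),
            "action": ctx.get("action"),
            "resource": ctx.get("resource"),
            "resource_tags": tags}

def dry_run_stop(ec2, sts, instance_id):
    """Try StopInstances with DryRun=True as the test user and explain a denial.
    Returns (allowed, summary); summary is None unless a decodable denial came back."""
    try:
        ec2.stop_instances(InstanceIds=[instance_id], DryRun=True)
    except Exception as exc:  # botocore ClientError carries .response
        err = (getattr(exc, "response", None) or {}).get("Error", {})
        verdict, encoded = classify_dry_run_error(err.get("Code"), err.get("Message"))
        if verdict == "other":
            raise
        if verdict == "allowed" or encoded is None:
            return verdict == "allowed", None
        decoded = sts.decode_authorization_message(EncodedMessage=encoded)
        return False, summarize_decoded(decoded["DecodedMessage"])
    raise RuntimeError("a dry run should always raise; the DryRun flag was ignored")

# Constructed sample in the documented DecodedMessage shape; not real STS output.
SAMPLE_DECODED = json.dumps({
    "allowed": False, "explicitDeny": True,
    "context": {
        "principal": {"id": "AIDAEXAMPLEID", "name": "Bob", "arn": "arn:aws:iam::123456789012:user/Bob"},
        "action": "ec2:StopInstances",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-7216622f",
        "conditions": {"items": [{"key": "ec2:ResourceTag/stack",
                                  "values": {"items": [{"value": "prod"}]}}]}}})

if __name__ == "__main__":
    import boto3  # assumed installed; run with the test user's credentials
    print(dry_run_stop(boto3.client("ec2"), boto3.client("sts"), "i-7216622f"))
```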
  • 143. Additional Resources
    • Amazon EC2 User Guide
      – “IAM Policies for EC2”
      – “IAM Roles”
    • Amazon EC2 API Reference
      – “Permissions”
    • Using IAM
      – “Permissions and Policies”
      – “Roles”
    • AWS Security Blog
  • 144. Please give us your feedback on this presentation (CPN205). As a thank you, we will select prize winners daily for completed surveys! Thank You