IAM Best Practices
Upcoming SlideShare
Loading in...5
×
 

IAM Best Practices

on

  • 5,334 views

AWS Identity and Access Management (IAM) enables you to manage who can do what in your AWS environment. In this session you will learn how to leverage IAM to control access to your AWS environment. We ...

AWS Identity and Access Management (IAM) enables you to manage who can do what in your AWS environment. In this session you will learn how to leverage IAM to control access to your AWS environment. We will cover best practices on how to create access policies, manage security credentials (i.e., access keys, password, Multi Factor Authentication devices, etc.), how to set up least privilege, minimizing the use of your root account, and more.

Statistics

Views

Total Views
5,334
Views on SlideShare
3,203
Embed Views
2,131

Actions

Likes
9
Downloads
190
Comments
0

6 Embeds 2,131

http://d.hatena.ne.jp 1942
http://www.scoop.it 157
https://twitter.com 26
http://webcache.googleusercontent.com 3
https://www.google.co.jp 2
http://translate.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

IAM Best Practices IAM Best Practices Presentation Transcript

  • Max RamsayTop 10 IAM best practicesPrincipal Security Solutions Architect
  • What we will be covering today• Quick overview of IAM• Top 10 IAM best practices to secure your AWS environment• Demos galore 
  • AWS Identity and Access Management (IAM)enables you to control who can do what in your AWS account• Users, Groups, Roles, Permissions• Control…- Centralized- Fine-grained - APIs, resources and AWS Management Console• Security…- Secure by default- Multiple users, individual security credentials and permissions
  • Top 10 IAM best practices1. Users2. Groups3. Permissions4. Passwords5. MFA6. Roles7. Sharing8. Rotation9. Conditions10. Root
  • 1. UsersCreate individual users
  • 1. Create individual usersBenefits• Unique credentials• Individual credential rotation• Individual permissionsHow to steps• Identify which IAM users you wantto create • Use the IAM Console, CLI or API to:- Create user- Assign credentials- Assign permissions
  • 1. Create individual users
  • 2. GroupsManage permissions with groups
  • 2. Manage permissions with groupsBenefits• Easier to assign the samepermissions to multiple users• Simpler to re-assign permissionsbased on change in responsibilities• Only one change to updatepermissions for multiple usersHow to steps• Map permissions to a specificbusiness function• Assign users to that function• Manage groups in the Groupsection of the IAM Console
  • 2. Manage permissions with groups
  • 3. PermissionsGrant least privilege
  • 3. Grant least privilegeBenefits• More granular control• Less chance of people makingmistakes• Easier to relax than to tighten upHow to steps• Identify what permissions arerequired• Password/Access keys?• Avoid assigning *:* policy• Use policy templates
  • 3. Grant least privilege
  • 4. PasswordsConfigure a strong password policy
  • 4. Enforce a strong password policyBenefits• Ensures your users and your dataare protectedHow to steps• What is your company’s passwordpolicy?• You can configure- Minimum password length- Require any combination of:• One uppercase letter• One lowercase letter• One number• One non-alphanumeric character
  • 4. Configure a strong password policy
  • 5. MFAEnable MFA for privileged users
  • 5. Enable Multi-Factor Authentication for privilegedusersBenefits• Supplements username andpassword to require a one-time codeduring authenticationHow to steps• Choose type of MFA- Virtual MFA- Hardware• Use IAM Console to assign MFAdevice
  • Multi-Factor Authentication devices
  • 5. Enable MFA for privileged users
  • 6. RolesUse IAM roles for EC2 instances
  • 6. Use IAM roles for EC2 instancesBenefits• Easy to manage access keys onEC2 instances• Automatic key rotation• Assign least privilege to theapplication• AWS SDKs fully integratedHow to steps• Create a role• Launch instances with the role• If not using SDKs, sign all requeststo AWS services with the roles’temporary credentials
  • 6. Use IAM roles for EC2 instances
  • 7. SharingUse IAM roles to share access
  • 7. Use IAM roles to share accessBenefits• No need to share security credentials• Easy to break sharing relationship• Use cases- Cross-account access- Intra-account delegation- FederationHow to steps• Create a role- Specify who you trust- Describe what the role can do• Share the name of the role
  • prod@example.comAcct ID: 111122223333ddb-role{ "Statement": [{"Action": ["dynamodb:GetItem","dynamodb:BatchGetItem","dynamodb:Query","dynamodb:Scan","dynamodb:DescribeTable","dynamodb:ListTables"],"Effect": "Allow","Resource": "*"}]}dev@example.comAcct ID: 123456789012Authenticate withJeff access keysGet temporarysecurity credentialsfor ddb-roleCall AWS APIsusing temporarysecurity credentialsof ddb-role{ "Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Resource":"arn:aws:iam::111122223333:role/ddb-role"}]}{ "Statement": [{"Effect":"Allow","Principal":{"AWS":"123456789012"},"Action":"sts:AssumeRole"}]}Cross Account Access – How does it workddb-role trusts IAM users from the AWS accountdev@example.com (123456789012)Permissions assigned to Jeff granting him permissionto assume ddb-role in account BIAM user: JeffPermissions assignedto ddb-roleSTS
  • 7. Use IAM roles to share access
  • 8. RotationRotate security credentials regularly
  • 8. Rotate security credentials regularlyBenefits• Normal best practiceHow to steps• Grant IAM user permission torotate credentials• Password change in IAM console• IAM roles for EC2 automaticallyrotates credentials
  • Enabling credential rotation for IAM users(enable password rotation sample policy)Password{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:ChangePassword","Resource":"arn:aws:iam::123456789012:user/max”"arn:aws:iam::123456789012:user/${aws:username}”}]}
  • Enabling credential rotation for IAM users(enable access key rotation sample policy)Access Keys{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["iam:*AccessKey*","iam:*SigningCertificate*"],"Resource":"arn:aws:iam::123456789012:user/max”"arn:aws:iam::123456789012:user/${aws:username}”}]}Steps to rotate access keys
  • 8. Rotate security credentials regularly
  • 9. ConditionsRestrict privileged access further with conditions
  • 9. Restrict privileged access further with conditionsBenefits• Additional granularity when definingpermissions• Can be enabled for any AWS serviceAPI• Minimizes accidentally performingprivileged actionsHow to steps• Use conditions where applicable• Two types of conditions- AWS common- Service specific
  • Restrict privileged access further with conditions{ "Statement":[{"Effect":"Deny","Action":["ec2:TerminateInstances"],"Resource":["*"],"Condition":{"Null":{"aws:MultiFactorAuthAge":"true"}}}]}Enables a user to terminate EC2 instances only if the user hasauthenticated with their MFA device.MFA{"Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource”:"arn:aws:iam::123456789012:user/*","Condition":{"Bool":{“aws:SecureTransport":"true"},}}]}Enables a user to manage access keys for all IAM users only if the useris coming over SSL.“SSL”{"Statement":[{"Effect":"Allow","Action":["ec2:TerminateInstances“],"Resource":["*“],"Condition":{"IpAddress":{"aws:SourceIP":"192.168.176.0/24"}}}]}Enables a user to terminate EC2 instances only if the user is accessing EC2 from the192.168.176.0/24 address range.SourceIP
  • 9. Restrict privileged access further with conditions
  • 10. RootReduce/remove use of root
  • 10. Reduce/remove use of rootBenefits• Reduce potential for misuse ofcredentialsHow to steps• Security Credentials Page- Delete access keys- Activate a MFA device• Ensure you have set a “strong”password
  • 10. Reduce/remove use of root
  • Top 10 IAM best practices1. Users – Create individual users2. Groups – Manage permissions with groups3. Permissions – Grant least privilege4. Password – Configure a strong password policy5. MFA – Enable MFA for privileged users6. Roles – Use IAM roles for EC2 instances7. Sharing – Use IAM roles to share access8. Rotate – Rotate security credentials regularly9. Conditions – Restrict privileged access further with conditions10. Root – Reduce/remove use of root
  • Top 10 IAM best practices1. Users – Create individual users2. Groups – Manage permissions with groups3. Permissions – Grant least privilege4. Password – Configure a strong password policy5. MFA – Enable MFA for privileged users6. Roles – Use IAM roles for EC2 instances7. Sharing – Use IAM roles to share access8. Rotate – Rotate security credentials regularly9. Conditions – Restrict privileged access further with conditions0. Root – Reduce/remove use of root
  • Related Content• Learn more from the IAM detail page– http://aws.amazon.com/iam• AWS forum where the IAM team hangs out– https://forums.aws.amazon.com/forum.jspa?forumID=76• Documentation– http://aws.amazon.com/documentation/iam/• Twitter- Follow the IAM team @AWSIdentity
  • Thank You!!!awsmax@amazon.com